AlterPath OnBoard Administrator’s Guide Software Version 1.1.0 Cyclades Corporation 3541 Gateway Boulevard Fremont, CA 94538 USA 1.888.CYCLADES (292.5233) 1.510.771.6100 1.510.771.6200 (fax) http://www.cyclades.
© 2006 Cyclades Corporation, all rights reserved Information in this document is subject to change without notice. The following are registered or registration-pending trademarks of Cyclades Corporation in the United States and other countries: Cyclades and AlterPath.
Contents (excerpt; page numbers refer to the printed guide)

Before You Begin, xxxi
Audience, xxxi
Document Organization, xxxii
Related Documents, xxxiv
Typographic and Other Conventions, xxxv
Additional Resources

Message Filtering Levels, 33
Syslog Servers, 33
Tasks for Configuring Syslog Messages, 33
Ethernet Ports on the OnBoard, 34
Private Ethernet Ports, 34
Public Ethernet Ports

Chapter 2: Administration Tasks Not Done in the Web Manager, 61
Using MindTerm to Create an SSH Tunnel, 63
Specifying the Location for the OTP Databases, 64
How Users are Registered with OTP and Obtain OTP Passwords, 68
Configuring SSH or Bidilink Instead of Telnet for Device Connections, 72
Replacing the Self-Signed Certificate With an SSL Certificate for HTTPS

Chapter 4: Web Manager Wizard, 113
Using the Wizard, 114
Changing the Administrative User’s Password—Wizard, 116
Selecting a Security Profile—Wizard, 117
Secured, 120
Open

Configuring Over Current Protection for an IPDU, 162
Configuring Users to Manage Power Outlets on a Connected IPDU, 164
Configuring Names and Power Up Intervals for Outlets on a Connected IPDU, 167
Configuring PCMCIA Cards, 169
Inserting a PCMCIA Card, 170
Ejecting a PCMCIA Card

Configuring a NIS Authentication Server, 217
Configuring a Radius Authentication Server, 218
Configuring an SMB Authentication Server, 220
Configuring a TACACS+ Authentication Server, 222
Configuring an Authentication Method for the OnBoard, 224
Configuring Notifications

Configuring Primary and Secondary Ethernet Ports, 266
Configuring Firewall Rules for OnBoard Packet Filtering, 268
Adding a Rule, 269
Configuring Hosts, 271
Configuring Static Routes, 273
Configuring VPN Connections

cycli Options, 305
cycli Parameters and Arguments, 305
Entering Values With Parameters, 307
Entering a Command in Interactive Mode, 307
Entering a Command in Command Mode, 307
Entering a Command in Batch Mode

Device Type Differences, 348
Additional Reasons for Creating Custom Expect Scripts, 351
Assigning a Command Template to a New Device, 352
Command Templates, 357
Issues Affecting the Configuration of RSA-Type Service Processors, 361
The onbdtemplate Utility, 361
OnBoard Expect Scripts

Appendix B: Advanced Boot and Backup Configuration Information, 407
Boot File Location, 408
Downloading a New Software Version, 409
Changing the Boot Image, 410
Changing the Boot Image in U-Boot Monitor Mode, 412
U-Boot Network Boot Options and Caveats
Figures (list of figures; only the entries recoverable from the extraction are kept)

Figure 1-1: Recommended Device Configuration, 47
Figure 1-2: IP Addressing Example, 49
Figure 2-1: Default /etc/menu.ini File, 93
Figure 2-2: One-time Password Menu Option Added to menu.ini
Figure 4-14: “Configure Primary Ethernet Connection:” Enabled With DHCP, 127
Figure 4-15: “Configure Primary Ethernet Connection” Screen: Static IP
Figure 6-10: Settings -> IPDU Screen Without AUX Port Configuration, 161
Figure 6-11: Settings IPDU General Screen
Figure 6-32: Settings -> PCMCIA -> Configure Wireless LAN Dialog Without DHCP
Figure 7-18: Config -> Authentication: Radius, 218
Figure 7-19: Config -> Authentication: SMB, 220
Figure 7-20: Config -> Authentication: TACACS+, 222
Figure 7-21: Default Config -> Authentication Screen
Figure 7-41: Config -> Device SNMP Settings Dialog With V3 Selected, 246
Figure 7-42: Config -> SNMP: Add Trap Forwarding
Figure 8-14: Network -> Private Subnets Screen, 279
Figure 8-15: Network -> Private Subnets: Add Subnet Dialog, 280
Figure 8-16: Network -> Private Subnets: Add Subnet Dialog, 281
Figure 8-17: Network -> Private Subnets: Virtual Network Configuration Fields, 282
Figure 9-1: “Info” Menu Options, 286
Figure 9-2: Info -> Session Status Screen
Figure A-10: Example 2: Configuration for a User Account Authorized for Native IP Access to All Configured Devices, 384
Figure A-11: Example 2: IPSec Connection Configuration for Access to sub1 Private Subnet and “sp1” and “sp2” Devices, 387
Figure A-12: PPTP VPN Configuration Example: Address Pools

Tables (list of tables; only the entries recoverable from the extraction are kept)

Table P-1: Document Organization, xxxii
Table P-2: Related Documentation, xxxiv
Table P-3: Typographic Conventions, xxxv
Table P-4: Other Terms and Conventions
Table 1-20: Modem and Phone Card Field and Menu Definitions, 38
Table 1-21: Tasks for Configuring Power Management, 41
Table 1-22: Tasks for Configuring Routes
Table 7-3: Values for Configuring Any Type of Notification, 226
Table 7-4: Fields for Configuring a Pager Notification, 229
Table 7-5: Fields for Configuring an Email Notification
Table A-5: Default Device Types and Corresponding Expect Scripts, 365
Table A-6: Custom Device Types and Corresponding Expect Scripts, 365
Table A-7: Expect Script Related Application Notes, 367
Table A-8: Expect Script Exit Codes
Procedures (excerpt)

Chapter 2: Administration Tasks Not Done in the Web Manager, 61
To Use MindTerm to Create an SSH Tunnel, 63
To Configure a PCMCIA Compact Flash Card for OTP Database Storage, 65
To Configure a NFS-mounted Directory for OTP Database Storage
To Disable Web Manager Timeouts, 102
To Sort the Device List Alphabetically, 103

Chapter 3: Web Manager Introduction for Administrative Users, 105
To Log Into the Web Manager for the Administrative User, 108

Chapter 4: Web Manager Wizard
To Configure a Modem or GSM PCMCIA Card, 176
To Configure an Ethernet PCMCIA Card, 178
To Configure a Wireless LAN Card, 180
To Configure a Compact Flash PCMCIA Card, 182
To Configure System Date and Time, 184
To Configure OnBoard Boot
To Configure a Device’s SNMP Settings, 246
To Configure a Device’s SNMP Access Settings, 247
To Configure SNMP Trap Forwarding, 249
To Configure the Syslog Destination and Message Filtering, 251
To Configure Event Logging for Connected Service Processors, 253
To Select or Customize the OnBoard’s Security Profile

Appendix A: Advanced Device Configuration, 345
To Find Out if An Existing Command Template Works With a New Device, 353
To Use the onbdtemplate Utility to Create a New Template, 354
To Use the onbdtemplate Utility to Test a Template, 356
To Create a Custom IPMI Expect Script, 369
To Create a Custom Expect Script
Before You Begin

This AlterPath OnBoard Administrator’s Guide provides information and procedures for configuring and managing the Cyclades™ AlterPath™ OnBoard. It describes what the administrator needs to know and to do in order to securely control access to management services provided by connected service processors and other connected servers and devices.

Audience

This manual is intended for system administrators of the OnBoard.
Document Organization

The document contains the chapters listed in the following table.

Table P-1: Document Organization
Chapter Number and Title | Description
1: Introduction | Describes what OnBoard administrators need to know in order to perform configuration and maintenance tasks while enforcing the organization’s security policies.

Table P-1: Document Organization (Continued)
Chapter Number and Title | Description
7: Web Manager “Config” Menu Options | Describes and provides procedures for how to use the Web Manager menu options that are available to administrative users under the “Config” top menu option.
8: Web Manager “Network” Menu Options | Describes and provides procedures for how to use the Web Manager menu options that are available to administrative users under the “Network” top menu option.
Related Documents

The following table lists the AlterPath OnBoard documents. As indicated, the QuickStart Guide is printed, and it is also included with the other AlterPath OnBoard documents in PDF format on the Documentation CD that is shipped with the product. The documents are also at http://www.cyclades.com/docs under “AlterPath OnBoard.”

Printed versions of this document and of all the documents listed above can be ordered from a Cyclades sales representative. Documents for the AlterPath PM mentioned in this guide are also on the Documentation CD shipped with the product, and they are also available at http://www.cyclades.com/support/downloads.php under the product’s name. Updated versions of this document will be posted at the Cyclades website when Cyclades releases new versions of the software.
The following table describes other terms and conventions.

Table P-4: Other Terms and Conventions
Term or Convention | Meaning | Examples
Hot keys | When hot keys are shown, a plus (+) appears between two keys that must be pressed at the same time, and a space appears between two keys that must be pressed sequentially. | Ctrl+k p entered while the user is connected to a KVM port brings up an IPDU power management screen. Ctrl and k must be pressed at the same time, followed by p pressed by itself.
Additional Resources

The following sections describe how to get technical support, training, and software upgrades.

Cyclades Technical Support

Cyclades offers free technical support. To find out how to contact the support center in your region, go to http://www.cyclades.com/support/technical_support.php.

Cyclades Technical Training

To learn about the Cyclades Technical Training Center and the courses offered, visit http://www.cyclades.com/training, call 1-888-292-5233, or send an email to training@cyclades.com.
Chapter 1: Introduction

The administrator configures the OnBoard to enable controlled access to connected devices and also performs maintenance activities such as upgrading the OnBoard software. This chapter describes what OnBoard administrators need to know in order to perform configuration and maintenance tasks while enforcing the organization’s security policies.

This chapter covers the following topics:
Power Management Options on the OnBoard, page 40
Routing on the OnBoard, page 42
OnBoard Notifications, page 43
OnBoard Sensor Alarms, page 45
Device Configuration, page 46
Private Subnets on the OnBoard, page 54
Tasks for Configuring IP Addresses, page 55
Example and Demo Scripts and Application Notes, page 55
Data Buffering on the OnBoard, page 55
Firewall/Packet Filtering on the OnBoard, page 56
How Configuration Changes Are Handled, page 60
Overview of OnBoard Features for Administrators

The OnBoard mediates between authorized users (who may be either local or remote users on the public network) and devices that are connected to the OnBoard’s private Ethernet ports. Connected devices are almost always isolated on a private network that cannot be accessed except by going through the OnBoard.

Table 1-1: Security Features and Where Documented (Continued)
Security Feature | Where Documented
Security profiles and other means for controlling which network services are turned on or blocked and for setting other security parameters | • “OnBoard Security Profiles” on page 16 • “OnBoard Services” on page 21
Logging, notifications, and alarms that can alert remote administrators about problems, and data buffering to capture and monitor user activity. |
OnBoard Authentication Options

• The AuthType/Local and AuthType/DownLocal authorization methods are referred to as authentication methods with local fallback options.
• Administrators can specify separate authentication types for OnBoard logins and for connected devices.
• Local and OTP authentication methods and the authentication methods that have local fallback options require user accounts configured on the OnBoard.

The authentication methods that are used by SNMP, PPTP, IPSec, or PPP are described in the related sections. The following table lists the supported authentication methods and indicates which methods are available for the OnBoard and which are available for connected devices. When a table cell is blank, the authentication method is not supported.

Table 1-2: Supported Authentication Types (Sheet 1 of 3)
Type | Description | OnBoard | Device
None | No login required. | |

Table 1-2: Supported Authentication Types (Sheet 2 of 3)
Type | Description | OnBoard | Device
Local/LDAP | Uses LDAP authentication if local authentication fails. | X | X
NIS | Uses user/password configured on the NIS authentication server. No logins allowed if NIS server is down or NIS authentication fails. | X | X
NIS Down/Local | Uses local authentication if NIS server is down. | X | X
NIS/Local | Uses local authentication if NIS authentication fails. | |

Table 1-2: Supported Authentication Types (Sheet 3 of 3)
Type | Description | OnBoard | Device
SMB | Uses user/password configured on the SMB authentication server (for Microsoft Windows NT/2000/2003 Domain). No logins allowed if SMB server is down or SMB authentication fails. | X | X
SMB Down/Local | Uses local authentication if the SMB server is down. | X | X
SMB/Local | Uses local authentication if SMB authentication fails. | |
An administrative user can use the Web Manager, and any administrator can use the cycli utility, for configuring an authentication method for the OnBoard and for connected devices and for configuring authentication servers.
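The three fallback variants in Table 1-2 (“X Down/Local”, “X/Local” and “Local/X”) differ in when the local account database is consulted. The following is an added example written for this guide, not Cyclades code: it models those rules in Python with a constructed local account table and a pluggable server callback. It assumes that “X/Local” treats an unreachable server as a failed authentication, which the table leaves implicit.

```python
"""Authentication fallback semantics from Table 1-2 (added example, not OnBoard code)."""
from enum import Enum
from typing import Callable, Dict


class ServerResult(Enum):
    """Outcome of asking an external authentication server (NIS, LDAP, SMB, ...)."""
    ACCEPT = "accept"   # server reachable, credentials valid
    REJECT = "reject"   # server reachable, credentials invalid
    DOWN = "down"       # server unreachable or timed out


# Constructed local account database for the example. Cleartext only to keep
# the example short; a real system stores salted password hashes.
LOCAL_ACCOUNTS: Dict[str, str] = {"admin": "local-secret"}


def local_auth(user: str, password: str) -> bool:
    """Check a user against the OnBoard's own account database."""
    return LOCAL_ACCOUNTS.get(user) == password


def authenticate(method: str, user: str, password: str,
                 ask_server: Callable[[str, str], ServerResult]) -> bool:
    """Decide a login under one of the Table 1-2 method names.

    method is e.g. "NIS", "NIS Down/Local", "NIS/Local", "Local/NIS",
    "Local" or "None". ask_server queries whichever external server the
    method names and returns a ServerResult.
    """
    if method == "None":
        return True                      # no login required
    if method == "Local":
        return local_auth(user, password)

    if method.startswith("Local/"):
        # Local/X: local database first; the server is the fallback.
        if local_auth(user, password):
            return True
        return ask_server(user, password) is ServerResult.ACCEPT

    if method.endswith(" Down/Local"):
        # X Down/Local: local fallback ONLY when the server cannot be reached.
        # A reject from a reachable server is final, so a directory lockout
        # cannot be bypassed with a stale local password.
        result = ask_server(user, password)
        if result is ServerResult.DOWN:
            return local_auth(user, password)
        return result is ServerResult.ACCEPT

    if method.endswith("/Local"):
        # X/Local: local fallback whenever server authentication fails.
        # Assumption: an unreachable server counts as a failure here too.
        result = ask_server(user, password)
        if result is ServerResult.ACCEPT:
            return True
        return local_auth(user, password)

    # Plain X: the server alone decides; no logins while it is down.
    return ask_server(user, password) is ServerResult.ACCEPT
```

The practical difference shows up when a directory account has been disabled: under “X/Local” that user still gets in if a matching local account exists, so local accounts must be reviewed whenever a fallback method is chosen.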
One-time Password Authentication on the OnBoard

Table 1-3: Tasks for Configuring Authentication (Continued)
Task | Where Documented
Configure either an external modem connected to an AUX port, or a modem or GSM or CDMA phone PCMCIA card for dial-in logins with OTP authentication, and give users the OTP information they need to be authenticated for dial-ins. |

Table 1-4: Tasks for Configuring OTP Authentication for Dial-ins (Continued)
Task | Where Documented
Configure OTP for various types of access, as desired. | The following procedures that use the Web Manager provide a step for configuring OTP authentication for dial-ins: • “To Configure an AUX Port for Modem Access” on page 159 • “To Configure a Modem or GSM PCMCIA Card” on page 176. The following procedures must be done manually.

Table 1-4: Tasks for Configuring OTP Authentication for Dial-ins (Continued)
Task | Where Documented
• Register each user yourself and give the OTP username and OTP secret pass phrase to each user. AND • Generate the needed OTP passwords on behalf of each user and give them to each user. | • “To Register and Generate OTP Passwords for Users” on page 69
OnBoard User and Group Configuration Options

Parameters for Configuring User Accounts

The OnBoard administrator configures user accounts by assigning the parameters that are described in the following table. Where more information is needed, the table provides links to where the parameters are described in more detail.

Table 1-5: User Configuration Settings
Settings | Notes
Username | Login name required for the user account.
Full name | Administratively-defined name to identify the user (the UNIX GECOS).

Planning Access to Connected Devices

Planning should include the following tasks:
• Create a list of servers and other devices to connect to the OnBoard.
• For devices that are going to be plugged into power outlets on connected IPDUs, make a note of the outlet numbers to supply when configuring IPDU power management.
• Create a list of user accounts that specifies which type of access each user needs to which connected devices and to which IPDU outlets.

Table 1-6: User and Group Configuration Tasks (Continued)
Task | Where Documented
Create user groups and authorize them for device management the user to an administratively-configured group. |
OnBoard Security Profiles

An important part of configuring the OnBoard is selecting a security profile that helps enforce the security policies of the organization where the OnBoard is being used. Each OnBoard has a security profile defined during initial configuration.

Table 1-7: Moderate Security Profile Services/Features (Continued)
Enabled Services/Features | Disabled Services/Features
Default authentication type to access devices set to Local |

Table 1-8 describes the “Secured” security profile.

Table 1-8: Secured Security Profile Services/Features
Enabled Services/Features | Disabled Services/Features
HTTPS | HTTP
SSH v2 | ICMP
Default authentication type to access devices set to Local | IPSEC
 | PPTP
 | RPC
 | SNMP v1
 | SNMP v2c
 | SNMP v3
 | SSH v1
 | Telnet to

Table 1-9: Open Security Profile Services/Features (Continued)
Enabled Services | Disabled Services/Features
IPSec |
PPTP |
RPC |
SNMP v1 |
SNMP v2 |
SNMP v3 |
SSH v1 |
SSH v2 |
Telnet to OnBoard |
Default authentication type to access devices set to Local |

Table 1-10 describes the services and other functionality that the administrator can select in the “Custom” security profile.

Table 1-10: Services and Other Functions in the “Custom” Security Profile (Sheet 2 of 3)
Option
SSH Options:
• Allow root login using SSH
• SSH v1, SSH v2 (allow or disallow)
• SSH Port (Assign an alternate port to SSH)
HTTP & HTTPS Options:
• Redirect HTTP to HTTPS
• HTTP (allow or disallow)
• HTTP port number (Assign an alternate port to HTTP)
• HTTPS (allow or disallow)
• HTTPS port number (Assign an alternate port to HTTPS)
Override authorization—enable access based on authent

Table 1-10: Services and Other Functions in the “Custom” Security Profile (Sheet 3 of 3)
Option
Default authentication type1 to access devices (applies to devices configured subsequently):
• None
• Local
• Kerberos
• Kerberos Down/Local
• Kerberos/Local
• Local/Kerberos
• LDAP
• LDAP Down/Local
• LDAP/Local
• Local/LDAP
• NIS
• NIS Down/Local
• NIS/Local
• Local/NIS
• Radius
• Radius Down/Local
• Radius/Local
• Local/Radius
• SMB
• SMB Down/Local
• SMB/Local
• Local
OnBoard Services

A network service is available on the OnBoard if one of the two following conditions is true:
• The security profile enables the service.
OR
• The administrator has enabled the service through the Web Manager, or by using cycli or regular UNIX commands.

Administrators can turn services on and off by using the Web Manager Config → Services page or by using either the cycli utility or regular Linux commands.

Table 1-11: Services That Require Additional Configuration (Continued)
Service | Where Documented
PPTP | “VPN on the OnBoard” on page 32; “Configuring Users and Groups” on page 200; “PPTP VPN Connections” on page 86
NTP | “Configuring System Date and Time” on page 183
SNMP | “SNMP on the OnBoard” on page 26
Syslog | “Firewall/Packet Filtering on the OnBoard” on page 56
Telnet | “Telnet on the OnBoard” on page 23
Telnet on the OnBoard

By default, Telnet is configured as follows:
• A Telnet server is present but not enabled, and, by default, users cannot use the Telnet service to connect to the OnBoard or through the OnBoard to connected devices.
• The OnBoard uses an active Telnet client to connect to devices on behalf of authorized users.

The following table shows the tasks for changing the default Telnet configuration with links to where the tasks are documented.

command line. telnetd can be enabled by an administrative user on the Web Manager Config → Services page or by the root user, who can use normal Linux commands to start telnetd on the command line.

Caution! Because Telnet is not secure and not encrypted, allowing its use by users for directly connecting to devices or to the OnBoard is strongly discouraged. See “Configuring the OnBoard’s Services” on page 259.
DHCP on the OnBoard

DHCP Server

A DHCP server (dhcpd) is present but disabled on the OnBoard by default. The OnBoard administrator may want to enable the DHCP server to provide fixed IP addresses for connected devices that are running DHCP client software. The fixed IP addresses use the following DHCP features:
• Persistent leases, which allow the device on the private side of the OnBoard to keep the same IP address even after the OnBoard or the device is powered down and up again.

Considerations When Deciding Whether to Use DHCP to Configure Device Addresses

Before deciding whether to use the DHCP server to configure addresses for connected devices, the OnBoard administrator should understand the available options for assigning IP addresses to connected devices, which are described in “Address Configuration for Connected Devices” on page 372.
SNMP on the OnBoard

Caution! The snmpd running on the OnBoard allows access to proxied data using the v1 and v2c protocols without the creation of a VPN tunnel, but the lack of security inherent in these protocols means this option should be used with caution if it is used at all.

• The access method agent which supports version 3 is via a local Net-SNMP snmp daemon. The proxying of traps is not supported by Net-SNMP. Forwarding of traps is supported, with filtering by source address.

Traps are handled in the three following ways:
• When access is through a VPN tunnel, the public-side computer directly receives SNMP traps from the connected device.
• SNMP traps can be forwarded to SNMP agents based on the source address of the trap.
• Locally, traps are sent to the syslog facility, which may use the information to send notifications.
Table 1-13: Values for Configuring SNMP (Continued)
Values | Description
Community | For SNMP v1 and v2c only the community name is used for authentication. An arbitrary string, with a maximum length of 256 characters. Does not need to match the community name used on the public side or be unique on the private side. Must match the community string expected by the device, often “public.”
Source | For SNMP v1 and v2c only.

Strings are defined as case-sensitive ASCII, not beginning with a hash and delimited by a space, form-feed ('\f'), newline ('\n'), carriage return ('\r'), horizontal tab ('\t'), vertical tab ('\v'), or null ('\0'). Any character may be included if it is escaped with a backslash ('\'). Two backslashes are interpreted as one. Views can be created to define sections of an OID tree that are included in and excluded from access.
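The string rules above (ASCII only, delimiter set, backslash escaping, no leading hash) are exact enough to be implemented directly. The following tokenizer is an added example written for this guide, not OnBoard code; the function name is my own, and the interpretation that an escaped hash (“\#”) is allowed at the start of a string is an assumption, since the text says any character may be included when escaped.

```python
"""Tokenizer for the SNMP configuration string rules (added example, not OnBoard code)."""
from typing import List

# Delimiters named in the text: space, form feed, newline, carriage return,
# horizontal tab, vertical tab and NUL.
DELIMITERS = frozenset(" \f\n\r\t\v\0")


def split_snmp_strings(line: str) -> List[str]:
    """Split one line into strings under the delimiter and escape rules.

    A backslash includes the next character literally, so an escaped
    delimiter does not end a string and two backslashes yield one.
    Raises ValueError for non-ASCII input, a string whose first
    (unescaped) character is '#', or a lone trailing backslash.
    """
    if not line.isascii():
        raise ValueError("SNMP strings must be ASCII")

    tokens: List[str] = []
    current: List[str] = []
    in_token = False      # inside a string (a leading "\" also starts one)
    escaped = False       # previous character was an unconsumed backslash

    for ch in line:
        if escaped:
            current.append(ch)          # any character, literally
            escaped = False
            continue
        if ch == "\\":
            escaped = True
            in_token = True             # "\ " still begins a string
            continue
        if ch in DELIMITERS:
            if in_token:
                tokens.append("".join(current))
                current = []
                in_token = False
            continue                    # runs of delimiters collapse
        if not in_token and ch == "#":
            # Assumption: the rule applies to an unescaped leading hash;
            # "\#" passes through the escaped branch above and is kept.
            raise ValueError("string may not begin with '#'")
        current.append(ch)
        in_token = True

    if escaped:
        raise ValueError("trailing backslash has nothing to escape")
    if in_token:
        tokens.append("".join(current))
    return tokens
```

Because comparison is case-sensitive, "Public" and "public" are different community strings; a mismatch with the device's expected string simply yields no access rather than an error.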
The following table describes the values used for configuring SNMP traps.

Table 1-15: Values for Configuring an SNMP Trap Notification
For configuring SNMP traps only:
Generic trap type | One of: coldStart, warmStart, linkDown, linkUp, authenticationFailure, egpNeighborLoss, enterpriseSpecific
Server | The IP address or DNS name of the SNMP manager
Body | The text you want sent in the trap message.

VPN on the OnBoard

As described in the AlterPath OnBoard User’s Guide, for security reasons an authorized user must establish a trusted connection with the OnBoard before gaining native IP access to native management features on connected service processors. (In the user’s guide, see “Native IP” for details about the service processor management actions that require a trusted connection using VPN.)
Message Logging (With Syslog) on the OnBoard

Message Filtering Levels

Messages can be filtered according to their severity, based on any or all of the levels that the administrator can select from the following list.
• 0 - EMERG (Emergency)
• 1 - ALERT
• 2 - CRIT (Critical)
• 3 - ERROR
• 4 - WARNING
• 5 - NOTICE
• 6 - INFO
• 7 - DEBUG

Syslog Servers

Syslog servers run on operating systems that support system logging services, usually UNIX-based servers with syslogd configured.

Table 1-17: Tasks for Configuring Syslog Messages (Continued)
Task | Where Documented
Specify overcurrent alerts to be sent as syslog messages | “To Enable Overcurrent Protection for an AlterPath PM IPDU” on page 164

Ethernet Ports on the OnBoard

The OnBoard’s two public Ethernet ports are used for connecting to the public (or management) network.
Ethernet Ports on the OnBoard The secondary Ethernet port on the OnBoard can optionally be configured for failover, which is also referred to as bonding. Failover is important for highavailability environments where constant accessibility is required to support mission-critical applications. Failover automatically redirects traffic from the primary Ethernet port to the secondary Ethernet port if the primary interface fails.
Tasks for Configuring Ethernet Ports
The following table lists the tasks the administrator must do to configure Ethernet ports on the OnBoard, with links to sections that describe how to perform those tasks using the Web Manager.

Dial-in and Callback Access to the OnBoard
The following table lists the modem and phone card configuration tasks, with links to where they are documented.
Table 1-19: Tasks for Configuring Dial-ins and Installing Modems
External modem:
• “To Connect an External Modem to an AUX Port” in the AlterPath OnBoard Installation Guide
• “Configuring the AUX Port for a Modem” on page 157
PCMCIA modem card:
• “To Install a PCMCIA Card in the Front Card Slot” in the AlterPath OnBoard In
Table 1-20 shows the configuration options that apply whether a modem or phone card is being configured through the Web Manager or the cycli utility.
Table 1-20: Modem and Phone Card Field and Menu Definitions (Sheet 1 of 2)
Field or Menu Option/cycli parameter: Access Type/type
Notes: Autodetection means that either type of access (PPP or Login) may be automatically detected.
Table 1-20: Modem and Phone Card Field and Menu Definitions (Sheet 2 of 2)
Field or Menu Option/cycli parameter: Modem Initialization/initchat
Notes: A modem initialization string (or chat string) of AT commands used to configure the modem or phone when it is turned on or when the communications software dials out to another modem or phone.
Power Management Options on the OnBoard
Authorized users and OnBoard administrators can power off, power on, and reboot devices in two different ways.
Tasks for Configuring Power Management
The following table lists the tasks for configuring power management and where they are described.
Adding Options to the User’s Console Login Menu
As described under “Using SSH with the OnBoard” in the AlterPath OnBoard User’s Guide, regular users are configured with /usr/bin/rmenush as their default login shell. All users with rmenush as their login shell see the same menu whenever they log into the OnBoard’s console.
Tasks for Configuring Routes
The following table lists the tasks for configuring routes and provides links to where the tasks are documented.

OnBoard Notifications
Supported operators are “and,” “or,” and “not.” The following line shows the syntax for a match function:
match("regular_expression");
Supported functions are shown in the following list with their supported criteria:
facility(comma-separated_facility_names); Facilities are categories: auth, auth-priv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, and local0 through local7. For example, in the default syslog-ng.
The following example shows two match functions, one selecting login messages and one excluding messages that contain the user name francisco; the functions are combined with the “and” operator and the second is negated with “not”:
match("[Ll]ogin") and not match("francisco");
For more information, see the syslog-ng v1.6 reference manual at http://www.balabit.com/products/syslog-ng/reference-1.6/syslog-ng.html/index.html#filterfunc.
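The filter functions described above are simple enough to model end to end. The following Python program is an added example, not code from the OnBoard guide or from syslog-ng: it parses the <PRI> prefix of syslog lines into the facility names and 0-7 severity levels listed in the Message Filtering Levels section, then evaluates syslog-ng 1.6 style facility(), level() and match() predicates combined with and, or and not, including the login/francisco filter shown above. The sample messages are constructed for the example, and level() (which syslog-ng also provides) is included to show severity filtering alongside the match functions.

```python
"""Added example (not from the OnBoard guide): evaluate syslog-ng 1.6 style
filters (facility(), level(), match(), and/or/not) against syslog lines."""
import re

# Facility codes from RFC 3164 / syslog(3); the list index is the code. The
# guide's "auth-priv" is code 10 (often spelled authpriv); "mark" is a syslogd
# internal with no wire code and is omitted.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "auth-priv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity levels 0-7, as listed in the guide.
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_line(line):
    """Split the <PRI> prefix into facility/severity names; PRI = facility*8 + severity.
    A line without a valid PRI is treated as user.notice, as RFC 3164 requires."""
    m = _PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, text = int(m.group(1)), m.group(2)
    else:
        pri, text = 1 * 8 + 5, line
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8], "text": text}


# Each filter function returns a predicate over a parsed line, mirroring syslog-ng.
def facility(*names):
    return lambda msg: msg["facility"] in names


def level(*names):
    return lambda msg: msg["severity"] in names


def match(regexp):
    rx = re.compile(regexp)
    return lambda msg: rx.search(msg["text"]) is not None


def f_and(a, b):
    return lambda msg: a(msg) and b(msg)


def f_or(a, b):
    return lambda msg: a(msg) or b(msg)


def f_not(a):
    return lambda msg: not a(msg)


def select(flt, lines):
    """Return the raw lines that the filter accepts."""
    return [line for line in lines if flt(parse_line(line))]


# Constructed sample messages (not captured from a real OnBoard).
SAMPLE = [
    "<38>Mar 10 12:00:01 onboard login[1234]: LOGIN ON ttyS0 BY joe",          # auth.info
    "<38>Mar 10 12:00:05 onboard login[1240]: LOGIN ON ttyS0 BY francisco",    # auth.info
    "<78>Mar 10 12:01:00 onboard cron[77]: (root) CMD (run-parts /etc/cron.hourly)",  # cron.info
    "<2>Mar 10 12:02:00 onboard kernel: Oops: 0000 [#1]",                       # kern.crit
    "Mar 10 12:03:00 onboard rmenush: menu started for user joe",              # no PRI
]

# The guide's example: login messages, excluding anything mentioning francisco.
LOGIN_FILTER = f_and(match("[Ll]ogin"), f_not(match("francisco")))
# Severity 0-2 from any facility.
URGENT_FILTER = level("EMERG", "ALERT", "CRIT")
# Authentication traffic or cron activity, showing the "or" operator.
AUTH_OR_CRON = f_or(facility("auth", "auth-priv"), facility("cron"))

if __name__ == "__main__":
    for name, flt in [("login", LOGIN_FILTER), ("urgent", URGENT_FILTER), ("auth_or_cron", AUTH_OR_CRON)]:
        print(name)
        for line in select(flt, SAMPLE):
            print("   ", line)
```

Note that match() searches the message text, not the parsed facility or severity; filtering on those is what facility() and level() are for, which is why the guide's login filter needs no facility clause even though login messages arrive under the auth facility.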
OnBoard Sensor Alarms
Table 1-23: Values for Configuring Sensor Alarms (Continued)
Condition:
• Trigger when value is INSIDE range
• Trigger when value is OUTSIDE range
• Trigger when value CHANGES
Range: Applies to the INSIDE and OUTSIDE conditions. The low and high thresholds can be any numeric value, including floats. For example, for a fan whose average reading is 1470 RPM, you might want to specify a low threshold of 1000 and a high threshold of 1600.

Device Configuration
• Connect the OnBoard’s primary Ethernet port (eth0) to a local management network and usually to the Internet, which extends the management network to remote users whose access to devices is controlled by the OnBoard.
Caution! If a device has a single Ethernet port, that port would need to be attached to the production network, and the OnBoard would need to be configured to communicate with the device over the production network.
Figure 1-1: Recommended Device Configuration (each server’s Ethernet port on the production network; each service processor’s Ethernet port on the private network behind the OnBoard; the OnBoard’s eth0, the primary Ethernet port, toward the Internet)
Preparing an Addressing Scheme
Before configuring any connected devices, the OnBoard administrator must plan and implement an IP addressing scheme that reflects the needs of the organization.
Figure 1-2 shows some example IP addresses assigned:
• A managed public IP address is assigned to the OnBoard’s eth0 Ethernet port: 203.1.2.3. The OnBoard requires only one managed public IP address, assigned to its primary Ethernet port. The OnBoard’s secondary Ethernet port (eth1) can optionally be used as described under “Ethernet Ports on the OnBoard” on page 34.
• A private subnet IP address is assigned to each service processor’s dedicated Ethernet port (192.168.49.
Figure 1-2: IP Addressing Example (OnBoard public IP 203.1.2.3; OnBoard side IP on the private subnet 192.168.49.254; service processor IPs 192.168.49.60 and 192.168.49.61)
See “Address Configuration for Connected Devices” on page 372 for the details needed for planning and implementing IP addresses.
Parameters for Configuring Devices
The OnBoard administrator configures connected devices by assigning the parameters described in the following table. Where more information is needed, the table provides links to where the parameters are described in more detail.
Table 1-24: Device Configuration Parameters (Sheet 1 of 3)
Name: Also referred to as an alias.
Table 1-24: Device Configuration Parameters (Sheet 2 of 3)
Data buffering: Options for data buffering for the device are “Yes,” “No,” or “Default.”
Private subnet: Used by the OnBoard to communicate with devices on the private network. See “Private Subnets on the OnBoard” on page 54 and “Why Define Private Subnets?” on page 375 for more information about planning and implementing subnets and assigning them to devices.
Table 1-24: Device Configuration Parameters (Sheet 3 of 3)
Authentication type: The authentication method to be used whenever a user accesses the device. It can be different from the authentication method used for the OnBoard, unless SSH tunneling is used to create a secure path for users who are authorized for Native IP access; when an SSH tunnel is used, the OnBoard and the device must use the same authentication method.
Private Subnets on the OnBoard
Connected devices should be isolated (as recommended under “Device Configuration” on page 46) on a management network that is separate from the production network and from the public network. With the recommended configuration, the OnBoard administrator must create at least one private subnet for communicating with connected devices.
Tasks for Configuring IP Addresses
See “OnBoard-specific Tasks for Configuring New Devices” on page 346.
Example and Demo Scripts and Application Notes
The following helps are available for OnBoard administrators:
• Configuration example scripts in /libexec/example_scripts
• Demo scripts in /libexec/demo_scripts
• Application notes in /usr/share/docs/OnBoard/Application_Notes, with future updates to be posted at http://www.cyclades.com/support/downloads.
Firewall/Packet Filtering on the OnBoard
Packet filtering on the OnBoard is controlled by chains and rules that are configured in iptables. (For more details about the predefined chains and rules, see “Chains” on page 56 and “Rules” on page 57.)
The OnBoard comes with a number of built-in chains with hidden rules that are preconfigured to control communications between devices that are connected to the OnBoard’s private Ethernet ports and devices on the public side of the OnBoard. The default chains are defined in the iptables “filter” and “nat” tables. The “mangle” table is not used. The built-in chains are named according to the type of packets they handle, as shown in the following lists.
Add Rule and Edit Rule Options
When you add or edit a rule you can define any of the options described in the following table.
Table 1-25: Filter Options for Packet Filtering Rules
Protocol: You can select a protocol for filtering from one of the following options: ALL, TCP, UDP, ICMP, GRE, ESP, AH
Source IP/mask, Destination IP/mask: A host IP address or subnetwork IP address in the form hostIPaddress or networkIPaddress/NN.
Rule target: Accept, Drop, or Reject
Any of the options in Table 1-25 can be given the inverted flag, so that the option matches packets that do not meet that criterion and the target action is applied to them instead.
How Configuration Changes Are Handled
The OnBoard handles changes to configuration files and backups of configuration file changes differently from other Cyclades AlterPath products.
The following table shows tasks for administrators to save changes to configuration files and back up configuration files, and provides links to where they are documented.
Chapter 2 Administration Tasks Not Done in the Web Manager
This chapter describes configuration and maintenance tasks that are performed by an administrator either on the Linux command line, using the cycli utility, or in the U-Boot monitor mode. See also “Advanced Device Configuration” on page 345. The following table lists the topics in this chapter.
Adding New Files to Be Backed Up and Restored: Page 101
Changing Web Manager Timeouts: Page 102
Changing the Sort Order of Device Listings: Page 103
The following table lists the procedures in this chapter.
Using MindTerm to Create an SSH Tunnel
The AlterPath OnBoard User’s Guide describes how a regular user can create an SSH tunnel to allow access to a native web application on a device using an SSH client on the user’s workstation. This section and the following procedure describe how an administrative user can create an SSH tunnel using the MindTerm applet that comes up when any user connects to the OnBoard console using the Web Manager.
The tunnel is created and the dialog appears similar to the following screen example.
Specifying the Location for the OTP Databases
One-time password authentication (OTP) is introduced in “One-time Password Authentication on the OnBoard” on page 10. On the OnBoard, OTP expects its user databases to reside in /mnt/opie/etc/. The OnBoard’s resident flash memory does not provide a directory for the OTP databases.
• Creates the file /mnt/opie/etc/opiekeys
• Sets the permissions of the file to mode 0644, the owner of the file to “root,” and the group to “bin”
• Creates the directory /mnt/opie/etc/opielocks for the OPIE lock files
• Sets the permissions of this directory to 0700 and the owner and group to “root”
See “To Configure a PCMCIA Compact Flash Card for OTP Database Storage” on page 65.
The following screen example uses nfs_server.cyclades.com as the NFS server name and /home/opie as the exported directory’s name.
[root@OnBoard /]# mount -t nfs nfs_server.cyclades.com:/home/opie /mnt/opie
5. Do the following to create the /etc directory on the mounted directory and to create an opiekeys file.
OTP password succeeds, you can safely change the method for ssh logins as described in Step 3.
[root@OnBoard /]# ln -sf /etc/pam.d/otp login
OR
[root@OnBoard /]# ln -sf /etc/pam.d/otplocal login
3. To specify OTP for ssh logins, change the target of the symbolic link sshd to otp or otplocal:
[root@OnBoard /]# ln -sf /etc/pam.d/otp sshd
OR
[root@OnBoard /]# ln -sf /etc/pam.
4. Save and quit the file.
:wq
How Users are Registered with OTP and Obtain OTP Passwords
All users who need to use OTP authentication must have a local account on the OnBoard, must be registered with the OTP system, and must be able to obtain OTP passwords.
The following procedure shows an example of an administrator logging in locally through the console port, registering a user, and generating OTP passwords for the user. The example shows using cycli to add the user, but any of the tools available for adding users, including the Web Manager, may be used to configure the user account beforehand.
See the following screen example.
cli> add onboard user joe
OK
cli> exit
[root@OnBoard /]#
c. If you are using the cycli utility, commit the changes.
cli> commit
OK
cli> exit
[root@OnBoard /]#
3. Enter the opiepasswd command to register the user. The following screen example shows using opiepasswd with the -c option while logged in locally through the OnBoard’s CONSOLE port.
In the example, the opiepasswd command generates a default OPIE sequence number of 499 and creates a seed (or key) from the first two letters of the hostname and a pseudo-random number, in the example on93564.
[root@OnBoard /]# opiepasswd -c joe
Adding joe
Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password.
6. Save the changes.
[root@OnBoard /]# saveconf
Configuring SSH or Bidilink Instead of Telnet for Device Connections
Telnet is not encrypted, so its security can only be assured if the service processors are on a private network. If the service processors must be on the public network for a pressing reason, telnet should be replaced with SSH or bidilink.
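Returning to the OTP registration steps above: the following Python program is an added example, not code from the OnBoard guide or from the OPIE package, of the RFC 2289 MD5 one-time-password computation that opiepasswd and opiekey implement. It shows why opiepasswd -c stores the response for sequence 499 and then challenges the user for 498, and how a login response is verified by hashing it once, so the opiekeys file never holds the passphrase and a captured response cannot be replayed. The seed on93564 is the one from the screen example above; the passphrase is constructed for the example, and responses are shown in hexadecimal, one of the response forms OPIE accepts, rather than in the six-word format.

```python
"""Added example (not from the OnBoard guide): RFC 2289 / OPIE-compatible MD5
one-time passwords, registration as done by `opiepasswd -c`, and the server-side
check performed at login."""
import hashlib


def _fold(digest16):
    """RFC 2289 MD5 reduction: XOR the two 8-byte halves of a 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_response(seed, passphrase, sequence):
    """Return the 8-byte OTP for `sequence`.
    Step 0 hashes seed+passphrase (the seed is lower-cased first, as RFC 2289
    requires); MD5 is then applied `sequence` more times. This is what opiekey
    computes on the user's side from the challenge plus the secret passphrase."""
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):
        value = _fold(hashlib.md5(value).digest())
    return value


def to_hex(otp):
    """Hexadecimal response form; OPIE also accepts the six-word encoding."""
    return otp.hex()


def register(seed, passphrase, sequence=499):
    """The opiekeys record written by `opiepasswd -c`: seed, starting sequence and
    the response for that sequence. The passphrase itself is never stored."""
    return {"seed": seed, "sequence": sequence,
            "stored": otp_response(seed, passphrase, sequence)}


def challenge(entry):
    """The challenge shown at login is one less than the stored sequence number."""
    return "otp-md5 %d %s" % (entry["sequence"] - 1, entry["seed"])


def verify(entry, response_hex):
    """Hash the offered response once; it must equal the stored response for the
    previous sequence. On success the record advances, so the same response can
    never be accepted twice, and the sequence stops at 1 to force re-registration."""
    try:
        candidate = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if len(candidate) != 8 or entry["sequence"] <= 1:
        return False
    if _fold(hashlib.md5(candidate).digest()) != entry["stored"]:
        return False
    entry["stored"] = candidate
    entry["sequence"] -= 1
    return True


# Constructed passphrase; the seed is the one in the guide's screen example.
SEED = "on93564"
PASSPHRASE = "correct horse battery staple"

if __name__ == "__main__":
    entry = register(SEED, PASSPHRASE)
    print("opiekeys stores sequence %d, response %s" % (entry["sequence"], to_hex(entry["stored"])))
    print("login challenge:", challenge(entry))
    response = to_hex(otp_response(SEED, PASSPHRASE, entry["sequence"] - 1))
    print("user answers:", response, "->", "accepted" if verify(entry, response) else "rejected")
    print("replay of the same response ->", "accepted" if verify(entry, response) else "rejected")
```

The reminder printed by opiepasswd (only use -c from the console, never remotely) follows directly from this scheme: the passphrase is typed exactly once, at registration, and anything that can observe that session can compute every future response.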
For example, to use TCP without telnet commands being intercepted, you would need to uncomment and modify the line that defines the bidilink PORT. The following screen example shows the line to change.
# spawn bidilink tcp-client::PORT
This example shows the comment (#) sign removed and PORT changed to 3301.
spawn bidilink tcp-client::3301
c. When you are done editing the appropriate options, save and quit the file.
4.
8. Save and quit the file.
9. Assign the new custom type to the appropriate service processors. For example, if you have created a talk_custom1.exp for iLO service processors, configure the iLO service processors as custom1 type. If you are substituting bidilink, you are done.
10. If you are substituting ssh, set up host keys for every service processor configured to use ssh by doing the following steps.
a.
Replacing the Self-Signed Certificate With an SSL Certificate for HTTPS
To Replace the Self-Signed Certificate With One From a Certificate Authority
1. Log into the OnBoard console as root.
2. Use openssl with the req parameter to create a private key and a public CSR (certificate signing request). Use the command line shown in the following screen example.
Note: The command line in the screen example is broken into two lines because of space limitations.
Submit the CSR to the certificate authority (CA). After receiving the certificate from the CA, do the remaining steps.
3. Copy the private key into /etc/httpd/conf/ssl.key/server.key.
[root@OnBoard /]# cat private.key > /etc/httpd/conf/ssl.key/server.key
4. Copy the certificate into /etc/httpd/conf/ssl.crt/server.crt. The following screen example uses cert.
Configuring the DHCP Server
To enable DHCP to configure IP addresses for connected devices, the administrator must perform DHCP configuration manually. The root user logs into the OnBoard command line and does the following steps.
• Enables dhcpd by editing /etc/dhcpd.sh.
• Makes the appropriate configuration changes and specifies fixed addresses for all devices in the /etc/dhcpd.conf file.
• Saves the configuration file changes in the firmware using the saveconf command.
4. Remove the comment (#) signs at the beginning of the lines.
# ######## SAMPLE CONFIGURATION ###############
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.110 192.168.0.119;
    default-lease-time 86400;
    max-lease-time 172800;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.10;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 192.168.0.11;
    option domain-name "cyclades.com.
For example, see the following edited host entry.
host sp1 {
    hardware ethernet 00:60:2e:bb:aa:aa;
    fixed-address 192.168.0.21;
}
# ##############################################
d. Copy and paste the three lines that define the IP address for a device as many times as needed, then edit each copy to specify the desired IP address for each device.
6. Make other changes as appropriate for your environment, removing the comment (#) signs at the beginning of all edited lines.
7.
8. Open the /etc/dhcpd.sh file for editing.
# This file defines the dhcpd service configuration
ENABLE=NO           # Must be "NO" or "YES" (uppercase)
DNAME=dhcpd         # daemon name
DPATH=/usr/sbin     # daemon path
ShellInit=          # Performs any required initialization
ConfigFiles=/etc/dhcpd.
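Step 5d above amounts to hand-copying three lines per device, which becomes error-prone once more than a few service processors are involved. The following Python program is an added example, not part of the OnBoard guide, that generates those host entries from a device list and applies the checks an administrator would want before starting dhcpd: well-formed MAC addresses, every fixed-address inside the declared subnet and outside the dynamic range (so the pool can never hand a service processor's address to some other client on the private network), and no duplicate MACs or addresses. The sp1 entry uses the MAC and address from the sample above; the second device is constructed. Note that pinning an address to a MAC is convenience, not authentication: the private network still has to be kept physically separate, as the Device Configuration section recommends.

```python
"""Added example (not from the OnBoard guide): generate and sanity-check the
fixed-address host entries for /etc/dhcpd.conf described in step 5."""
import ipaddress
import re

# dhcpd's "hardware ethernet" wants six colon-separated hex octets.
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def host_block(name, mac, ip):
    """One host entry in the three-line form shown in the guide."""
    return "host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}" % (name, mac, ip)


def generate_hosts(devices, subnet, dynamic_range):
    """devices: iterable of (name, mac, ip). subnet: e.g. "192.168.0.0/24".
    dynamic_range: (first, last) addresses of the subnet's range statement.
    Raises ValueError instead of emitting a config dhcpd would serve wrongly."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(a) for a in dynamic_range)
    seen_mac, seen_ip, blocks = set(), set(), []
    for name, mac, ip in devices:
        mac = mac.lower()
        if not _MAC_RE.match(mac):
            raise ValueError("%s: malformed MAC %r" % (name, mac))
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError("%s: %s is not in %s" % (name, addr, net))
        if lo <= addr <= hi:
            raise ValueError("%s: %s lies in the dynamic range %s-%s" % (name, addr, lo, hi))
        if mac in seen_mac or addr in seen_ip:
            raise ValueError("%s: duplicate MAC or address" % name)
        seen_mac.add(mac)
        seen_ip.add(addr)
        blocks.append(host_block(name, mac, str(addr)))
    return "\n".join(blocks) + "\n"


# Constructed device list: sp1 is the guide's sample entry, sp2 is made up.
DEVICES = [
    ("sp1", "00:60:2e:bb:aa:aa", "192.168.0.21"),
    ("sp2", "00:60:2E:BB:AA:AB", "192.168.0.22"),
]
SUBNET = "192.168.0.0/24"
DYNAMIC_RANGE = ("192.168.0.110", "192.168.0.119")  # the sample range statement

if __name__ == "__main__":
    # Paste the output inside the subnet { } block of /etc/dhcpd.conf.
    print(generate_hosts(DEVICES, SUBNET, DYNAMIC_RANGE), end="")
```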
Configuring VPN Connections
This section describes what the administrator must do on the OnBoard side to enable users to create VPN tunnels to the OnBoard, which are required for a user to obtain native IP access through the Web Manager or by entering ssh with the nativeipon device management command. For an introduction to this topic, see “VPN on the OnBoard” on page 32. The OnBoard administrator must do the tasks shown in the following table.
• Before attempting to access the “Native IP” feature on the OnBoard, the user must create the VPN tunnel from the user’s computer. The OnBoard listens for the connection attempt from the IP addresses specified in its connection profiles and grants the access.
VPN Client System Requirements and Limitations
The following table describes the VPN client system requirements and limitations for different platforms and VPN services.
IPSec VPN Connections
For a user to access native IP functionality on a connected service processor, the user needs to create a VPN connection to the OnBoard; launching an IPSec VPN connection requires the user to have IPSec running on the computer being used to manage OnBoard-connected devices. The ESP and AH authentication protocols (also called “encapsulation methods”) are supported. RSA Public Keys and Shared Secret are also supported.
Table 2-4: IPSec VPN Configuration Information for Administrators and Users (Continued)
Next hop: Leave blank if the user’s workstation and the OnBoard are able to exchange packets. If a route must be set up to enable communications, enter the IP address of a host or network, so that IPSec can use the IP address to set up the needed route. Requires the “Add and route” boot option to also be selected.
Subnet: Leave blank.
The OnBoard administrator must do the following tasks:
• Make sure that the IPSec service is enabled.
• Configure an IPSec VPN connection profile on the OnBoard.
• Give the user a copy of the parameters used to configure the IPSec connection profile on the OnBoard. The OnBoard administrator can send a copy of the relevant portions of the ipsec.conf file after the changes are saved and applied in the Web Manager for the user to insert into the ipsec.
PPTP VPN Connections
For an authorized user to access native IP functionality on a connected service processor, the user needs to create a VPN connection to the OnBoard. An authorized user can create PPTP VPN connections from Linux, Windows, or Macintosh operating systems.
• Enter the ifconfig or ipconfig command on the command line of the user’s workstation to discover the IP address assigned to the OnBoard’s end of the PPTP link.
• Enter the OnBoard’s PPTP-assigned address either in a browser or with ssh on the command line to access the OnBoard.
• Create a static route to inform the workstation that the devices to be contacted are at the other end of the point-to-point link at the OnBoard’s PPTP-assigned address.
Configuring Dial-ins Using cycli
4. Set the access type for the modem to be “autoppp,” “login,” “ppp,” or “otplogin.” The following screen example sets the modem access type to ppp.
cli> set auxport modem type ppp
OK
5. Configure the common parameters by performing the following steps.
a. Set or accept the default speed for the modem. The following screen example sets the modem speed to 4800.
cli> set auxport modem speed 4800
OK
b. Set or accept the default flow control (data-flow) option for the modem.
a. Enable authentication as a requirement for PPP connections through the modem, if desired, by using the auth parameter followed by yes. The following screen example enables authentication.
cli> set auxport modem ppp auth yes
OK
b. Accept the default local IP address or set another by using the iplocal parameter.
cli> set auxport modem ppp iplocal local_ip_address
OK
c. Accept the default remote IP address or set another by using the ipremote parameter.
f. Accept the default PPP options or set others by using the options parameter followed by the desired options in quotes.
cli> set auxport modem ppp options “options”
OK
g. Commit the changes and quit.
The default is 9600. The following screen example sets the modem speed to 4800.
cli> set cards modem0 speed 4800
OK
b. Set or accept the default flow control (data-flow). The following screen example sets the data-flow to both.
cli> set cards modem0 data-flow both
OK
c. Set the chat initialization AT commands (initchat). Put quotes before and after the chat string, and put backslashes (\) before any quotes that are part of the chat string.
c. Accept the default remote IP address or set another by using the ipremote parameter.
cli> set cards modem0 ppp ipremote remote_ip_address
OK
d. Accept the default maximum transmission unit or set another by using the mtu parameter.
cli> set cards modem0 ppp mtu 1200
OK
e. Accept the default maximum receive unit or set another by using the mru parameter.
cli> set cards modem0 ppp mru 1200
OK
f.
Configuring the User’s Console Login Menu
As described under “Using SSH with the OnBoard” in the AlterPath OnBoard User’s Guide, regular users are configured with /usr/bin/rmenush as their default login shell. All users with rmenush as their login shell see the same menu whenever they log into the OnBoard’s console.
Caution! If changing the default menu, the administrator needs to ensure that any added programs do not introduce security vulnerabilities.
The administrator needs to know the following about the behavior of rmenush before configuring any changes to the menu:
• If the called program exits with a return code indicating an error, rmenush prompts the user to press any key to continue.
In the following screen example, the “One-time_Password_Menu” menu option is added with the keyword opie, which is used to define the submenu that provides options for running commands.
# $Id: menu.ini,v 1.1 2005/06/23 21:37:07 scott Exp $
# Default menu for restricted shells
[main]
Access_Servers = /bin/onbdshell
Change_Password = /usr/bin/passwd
One-time_Password_Menu = opie
...
See “New User Login Menu Item Example” on page 94.
1. Log into the OnBoard’s console as root.
2. Use a text editor to open the /etc/menu.ini file for editing.
3. Find the [main] menu definition and insert a new option for the one-time password submenu. For example, you could add One-time_Password_Menu as the name of the option that brings up the submenu and use opie as the keyword that identifies the submenu.
4.
2. Open the /etc/menu.ini file for editing.
3. Add new menus and menu items as desired, using underscores (_) to indicate spaces between words.
4. Save and quit the file.
Configuring Routes With cycli
The following procedures give examples for using the cycli utility to configure the following types of routes and assign them to interfaces or to gateways.
5. Add a host route, if desired, by entering the host’s IP address after the add network st_routes command.
cli> add network st_routes 192.168.1.12
OK
6. Add a network route, if desired, by entering the network address after the add network st_routes command in the form 1.2.3.4/24.
cli> add network st_routes 192.168.1.0/24
OK
7.
Saving Configuration Changes
As described in “How Configuration Changes Are Handled” on page 59, the Web Manager and the cycli utility do not save changes as they are made. The following procedures show the steps administrators need to take to save changes to configuration files in different environments on the OnBoard.
Backing Up Configuration Files
OnBoard administrators can create a compressed backup of all configuration files and store the backup in /mnt/hda3/backup/configuration_files.gz. Any compressed configuration file that already resides in the directory is overwritten. The following procedures show how administrators can back up configuration files in different environments on the OnBoard.
To Back Up Configuration Files
1.
Restoring Factory Default Configuration Files
The administrator can restore the factory default configuration files from the factory_default_files.gz file by performing the following procedure while logged in as root through the console, via telnet, or via any ssh session. This restores the configuration files to the state they were in when the OnBoard shipped.
4. Add the pathname of the new file to the list.
/etc/ypbind.conf
/etc/yp.conf
/etc/localtime
/etc/timezone
/pathname/to/new/file
5. Save and quit the file.
:wq
Changing Web Manager Timeouts
An OnBoard administrator can manually change the timeout value for Web Manager logins by editing a configuration file. The default timeout value is 1800 seconds (30 minutes). The value can be changed to any number of seconds up to 2^31, which would effectively disable timeouts (2^31 seconds is roughly 68 years).
6. Either restart the OnBoard or enter killall cacpd on the command line, as shown in the following screen example.
[root@onboard etc/cacpd]# killall cacpd
Changing the Sort Order of Device Listings
The names of devices are listed in the Web Manager and by onbdshell in the order in which they were configured. An OnBoard administrator can configure device lists to appear in alphabetical order using the cycli utility.
To Sort the Device List Alphabetically
1.
Chapter 3 Web Manager Introduction for Administrative Users
This chapter provides an overview of the Web Manager features for the administrative user. The information is provided in the following sections.
Logging Into the Web Manager: Page 106
Features of Administrator’s Screens: Page 109
Overview of Web Manager Menus: Page 111
This chapter provides the procedure listed in the following table.
Logging Into the Web Manager
Two types of administrative users can access all the Web Manager functions described in this guide:
• An administrator who knows the password for the “admin” account, which is configured by default
• An optionally-added administrative user (a regular user whose account is in the “admin” group)
For more details about the differences between user types, see “Types of Users” in the AlterPath OnBoard User’s Guide.
Only one administrative user can connect to the Web Manager at a time. The message shown in the following screen example appears if another administrative user is currently logged in. The dialog provides the option either to cancel the login attempt or to log out the currently-logged-in administrative user.
To Log Into the Web Manager for the Administrative User
This procedure assumes you know the admin password or the username and password for an administrative user account and that you have one of the following types of access to the OnBoard:
• A network connection to the OnBoard
• A dialup connection over a phone line
1. Enter the IP address of the OnBoard in a supported browser. Refer to the AlterPath OnBoard User’s Guide for a list of supported browsers, if needed.
Features of Administrator’s Screens
Callouts in the following figure indicate unique features of the Web Manager that appear when an administrative user logs in.
An option in the left menu (such as “IPDU” in Figure 3-2) often has several related screens associated with it. The related screens are accessed as tabs. Selecting a tab brings up the related screen. The following table describes the six additional buttons that appear at the bottom of the administrative user’s screen that are not available to a regular user.
Figure 3-3: Example Dialog: Devices Configuration—in Wizard Mode
Overview of Web Manager Menus
The following figure shows all the top and left menu options available to the administrative user.
Chapter 4 Web Manager Wizard This chapter describes how an administrative user can use the Wizard to perform basic configuration. For an overview of all the Web Manager features and menu options that are available for administrative users, see Chapter 3, “Web Manager Introduction for Administrative Users,” if needed. This chapter covers the topics in the following sections.
Using the Wizard Using the Wizard The Wizard screen displays a list of options in the left menu, as shown in the following figure. An administrative user can use the menu options to perform basic configuration of the OnBoard. Highlighted menu option Next button Cancel Wizard button Figure 4-1: Wizard Screen The “Cancel Wizard” button shown in Figure 4-1 appears only in Wizard mode. A “Next” button appears on all Wizard pages in a series except the last.
Using the Wizard Figure 4-2: “Cancel Wizard” Button Dialog The dialog shown in Figure 4-2 offers the following choices: • • Press the “Cancel” button to return to the Wizard, where the administrative user can click the “Save and apply changes” button to save the changes before cancelling the Wizard again. Press “OK” to exit the Wizard and lose any unsaved changes. After the “Next” button is clicked on the last screen of the Wizard, the screen shown in the following figure appears.
The following table lists the tasks the administrative user can perform using the Wizard with links to where the tasks are described.

Changing the Administrative User’s Password—Wizard
Caution! If the default password “cyclades” is still in effect, changing the password now is essential to reduce the risk of intrusion. Leaving the password unchanged leaves a security breach that makes all connected equipment vulnerable.

To Change the Administrative User’s Password—Wizard
1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Click the “Wizard” button.
Selecting a Security Profile—Wizard

Clicking the “Proceed” button on the Security Profile Caution screen brings up the Security Profile configuration dialog like the one shown in the following figure, which shows the moderate profile selected.

Figure 4-5: Config → Security Profile Screen With the “Moderate” Profile Enabled
The screens for the three other security profiles are described in the following sections:
• “Secured” on page 120
• “Open” on page 121
• “Custom” on page 122

After the administrative user chooses a preconfigured security profile or creates a custom profile and clicks “OK,” the red “Unsaved changes” button blinks, and the Security Profile screen reappears showing the newly-selected security profile’s name.
Secured

The following figure shows the lists of enabled and disabled features in the dialog for the “Secured” security profile.

Figure 4-8: Secured Profile Dialog

Note: Follow the reminder at the bottom of the screen shown in Figure 4-8 by making sure to notify all users that they must use HTTPS when bringing up the Web Manager, because HTTP is disabled by the secured security profile.
Open

The following figure shows the lists of enabled and disabled features in the dialog for the “Open” security profile.

Figure 4-9: Open Security Profile Dialog

The features in the “Open” security profile are described in Table 1-9, “Open Security Profile Services/Features,” on page 17.
Custom

The following figure shows the features that can be enabled and disabled in the dialog for the “Custom” security profile.

Figure 4-10: Custom Security Profile Dialog

The options that can be configured in a custom security profile are described in Table 1-10, “Services and Other Functions in the “Custom” Security Profile,” on page 18.

To Select or Configure a Security Profile—Wizard
1. Log into the Web Manager as an administrative user.
3. Click the “Proceed” button.
4. Select a security profile from the “Security Level” pull-down menu.
5. If you select the “Custom” profile, make sure the checkboxes are checked next to services and features you want to be enabled and make sure the checkboxes are clear next to services and features you want to be disabled.
6. Click “OK.” The security profile confirmation screen appears.
7. Click the “Save and apply changes” button.
8.
Table 4-2: Network Interfaces Configuration Values (Continued)
Settings | Notes
Primary DNS server | IP address for a primary DNS server on the same subnet as the OnBoard
Secondary DNS server | IP address for an optional secondary DNS server on the same subnet as the OnBoard
Failover | Selecting “enabled” from the pull-down menu configures failover from the primary to the secondary Ethernet port if the primary port goes down.
Table 4-3: Ethernet Port Settings
Settings | Notes
Broadcast IP | The reserved broadcast IP address.

Configuring Routes

Configuring the network interfaces sets up a default route for the OnBoard. When the DHCP checkbox is checked on any of the network interface screens, the DHCP server assigns the OnBoard a default route.
entered in the fields on the screen shown in Figure 4-12 apply to the single bond0 interface.

Configuring Primary and Secondary Ethernet Ports

If failover is disabled, the administrative user can configure each Ethernet port separately in the following ways:
• Enable or disable each Ethernet port
• Enable or disable DHCP
• If DHCP is disabled, configure each port for static IP addressing.
Figure 4-14: “Configure Primary Ethernet Connection:” Enabled With DHCP

Figure 4-15 shows the screen for configuring the primary Ethernet connection with the additional fields that appear when the “DHCP” checkbox is not checked. The administrative user enters the required information on this screen for configuring the OnBoard to use a static IP address.
To Configure OnBoard Network Interfaces—Wizard
1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Click the “Wizard” button. Click the “Network interfaces” option in the left menu bar.
3. Modify the name in the “Host name” field, if desired.
4. Enter or modify an existing DNS domain name in the “Domain name” field.
5.
10. If desired, configure the selected Ethernet port to use a static IP address by performing the following steps.
a. Disable DHCP by making sure the “DHCP” checkbox is not checked.
b. Enter or modify the IP address in the “IP address” field.
c. Enter or modify the netmask in the “Network mask” field.
d. Enter or modify the IP address for a network gateway in the “Gateway IP” field.
e.
Configuring Private Subnets and Virtual Addresses—Wizard

Figure 4-16 shows the “Configure subnets” screen that appears when the administrative user selects the “Subnets” option from the Wizard menu.
On this screen, the administrative user can also configure a virtual network based on Destination Network Address Translation (DNAT).
The following table defines the information that the administrative user must supply in the fields that define a subnet.

Table 4-4: Fields on the Private Subnet Configuration Dialog
Field | Definition
Private subnet name | Any meaningful name chosen by the administrator.
OnBoard side IP address | Devices use this address when communicating with the OnBoard. The OnBoard uses this address when communicating with devices.
Since the broadcast address in the example is 192.168.0.255 (by convention) and the OnBoard’s address is 192.168.0.254, the administrator can assign an IP address out of the remaining available IP addresses between 192.168.0.1 and 192.168.0.253 when configuring a connected device. Multiple private subnets may be needed if IP addresses are already assigned to connected devices’ Ethernet ports and if the IP addresses are not in the same range.
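The address arithmetic above, as an added example (not from the guide): given the “OnBoard side IP address” and “Subnet netmask” fields, it computes the range left for connected devices, flags addresses that must not be assigned, and lists devices whose existing addresses would need a second private subnet. The netmask 255.255.255.0 is an assumption; the guide gives only the address and broadcast.

```python
import ipaddress

# Constructed values matching the guide's example: OnBoard side address 192.168.0.254,
# broadcast 192.168.0.255. The netmask is assumed (not stated on the page).
EXAMPLE_ONBOARD_SIDE_IP = "192.168.0.254"
EXAMPLE_SUBNET_NETMASK = "255.255.255.0"


def device_address_range(onboard_ip: str, netmask: str) -> tuple[str, str]:
    """Return the first and last addresses a connected device may be given.

    The network address, the broadcast address and the OnBoard side address are
    excluded, which for the guide's example yields 192.168.0.1 to 192.168.0.253.
    """
    iface = ipaddress.ip_interface(f"{onboard_ip}/{netmask}")
    hosts = [h for h in iface.network.hosts() if h != iface.ip]
    if not hosts:
        raise ValueError("subnet leaves no address free for a connected device")
    return str(hosts[0]), str(hosts[-1])


def check_device_address(onboard_ip: str, netmask: str, device_ip: str) -> str:
    """Classify a device address before it is entered in the device's configuration.

    Returns "ok" when the address is usable on this private subnet, otherwise a
    short reason: the address is reserved, or it belongs to a different range.
    """
    iface = ipaddress.ip_interface(f"{onboard_ip}/{netmask}")
    net = iface.network
    dev = ipaddress.ip_address(device_ip)
    if dev not in net:
        return "not in subnet"
    if dev == net.network_address:
        return "network address"
    if dev == net.broadcast_address:
        return "broadcast address"
    if dev == iface.ip:
        return "onboard side address"
    return "ok"


def devices_needing_another_subnet(onboard_ip: str, netmask: str,
                                   device_ips: list[str]) -> list[str]:
    """List devices whose pre-assigned addresses fall outside this private subnet.

    As the guide notes, such devices call for an additional private subnet, so
    the administrator can plan the subnets before configuring the devices.
    """
    return [ip for ip in device_ips
            if check_device_address(onboard_ip, netmask, ip) == "not in subnet"]
```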
4. Click the “Edit” button for the entry for the private subnet you want to change.
5. Accept or change the name of the private subnet in the “Private subnet name” field.
6. Accept or change the IP address in the “Onboard side IP address” field.
7. Accept or change the netmask for the subnet in the “Subnet netmask” field.
8. Click OK.
9. Click “Save and apply changes.”
10. Click the “Next” button, if desired, to go to the next Wizard step.
The following table defines the information that must be supplied in the fields that define a virtual network:

Table 4-5: Fields on the Private Subnet Virtual Network Configuration Dialog
Field | Description
Address | IP address to assign to the OnBoard from the virtual network. For example, if the virtual IP address of the network is 10.0.0.0, 10.0.0.254 would be a valid IP address for the OnBoard that could be entered here.
• “Edit” and “Delete” buttons next to each device’s entry.
• The “Add new device” button

Figure 4-20: “Configure Devices” Screen—Wizard (callouts: “Data Buffering Default” menu, “Delete” button, “Edit” button, “Add new device” button)

Clicking the “Add new device” button or the “Edit” button next to the entry for an existing device brings up the dialog shown in the following figure.
Caution! All devices connected to the private Ethernet ports of the OnBoard must have a previously-configured private subnet name assigned.

The Caution at the top of the dialog shown in Figure 4-21 is a reminder that if no subnet is assigned, the default route is used; with a default route assigned, the device can only be accessed if it is connected to the public interface of the OnBoard, a highly unlikely scenario, and one that is not recommended.
Selecting PPP or PPTP for the user causes two additional fields to display for setting the PPP or PPTP password, as shown in the following screen example:

Caution! The caution at the top of the screen shown in Figure 4-22 is a reminder that configuring device management actions for a user gives the user the same device management authorizations for all configured devices.
9. Select one of the options from the PPP/PPTP access menu. With any option other than “None” selected, additional fields appear for entering the PPP or PPTP password.
10. If you selected any option other than “None,” do the following steps.
a. Enter a password in the “PPP/PPTP password” field.
b. Retype the password in the “Retype password” field.
11. Click “Save and apply changes.”
12. Click the “Next” button to go to the “Confirm Changes” screen.
13.
Chapter 5: Web Manager “Access” Menu Options

This chapter describes the menu options available to administrative users under the “Access” top menu option. For an overview of all the Web Manager features and menu options that are available for administrative users, see Chapter 3, “Web Manager Introduction for Administrative Users,” if needed. This chapter covers the topics in the following sections.
“Access” Options Only for Administrative Users

When the administrative user clicks the “Access” option in the top menu of the Web Manager, four options appear in the left menu, as shown in the following figure.
For the tasks only the administrative user can do under “Access,” see the following sections:
• “Accessing the OnBoard Console Through the Web Manager” on page 143
• “Viewing IPDU Status and Managing IPDUs” on page 144
• “Upgrading AlterPath PM IPDU Software” on page 145

Accessing the OnBoard Console Through the Web Manager

After an administrative user clicks the OnBoard option under Access on the Web Manager, enters the correct password and is authen
b. Press the “Yes” button. The login prompt for the OnBoard appears.
4. Log into the OnBoard.
5. As desired, do any of the following:
• Run the cycli utility to perform command line configuration.
• Run the onbdshell utility to access devices.
• Run other commands that do not require root to succeed.

Viewing IPDU Status and Managing IPDUs
Access to the first two tabs listed above is the same for administrative and authorized users; how to use the first two tabs is described in the AlterPath OnBoard User’s Guide under the following headings:
• “Managing IPDU Power”
• “Viewing IPDU Information”

For how administrative users can use the Outlets Manager tab to upgrade software on any connected AlterPath PM IPDUs, see “Upgrading AlterPath PM IPDU Software” on page 145.
Upgrading AlterPath PM IPDU Software

Note: Daisy-chaining only works if all daisy-chained IPDUs are running the same version of the PM software. The OnBoard administrator must ensure that all connected AlterPath PM IPDUs have the most recent version of the PM software.
Pressing OK on the dialog shown in Figure 5-5 brings up the “Software Upgrade” screen, which displays the new software version for the selected IPDU.
After downloading the software onto the OnBoard by following this procedure, the administrative user needs to perform the procedure under “To Upgrade Software on a Connected IPDU” on page 150 to update the software on connected AlterPath PM IPDU(s).
1. Log into the OnBoard’s console as an administrative user.
2. Change to the /tmp directory into which the software needs to be downloaded.
    [admin@OnBoard admin]# cd /tmp
3. Enter the ftp command to access ftp.cyclades.com.
5. Change directories to /pub/cyclades/alterpath/pm/released and list the directories it contains.
    ftp> cd /pub/cyclades/alterpath/pm/released
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
As shown in the previous screen example, the directory contains a binary file (PM_version_number.BIN) for the latest software version, a checksum file (PM_version_number.md5sum), and a doc directory, which contains PDFs of the latest AlterPath PM documentation.
7. Use the get command to get the binary file (for example: PM_180.BIN) and enter pmfirmware as the destination filename.
    ftp> get PM_180.BIN pmfirmware
    local: pmfirmware remote: PM_180.
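The release directory also carries a PM_version_number.md5sum file, and the download procedure above never uses it. The following added example (not from the guide or from Cyclades) checks the file saved as pmfirmware against that checksum file before the image is pushed to an IPDU; it assumes the checksum file uses the standard md5sum text layout, which the guide does not show, and uses constructed stand-in contents for the image.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the firmware contents; the real PM_180.BIN is not on the page.
CONSTRUCTED_FIRMWARE = b"constructed stand-in for the PM firmware image"


def parse_md5sum_file(text: str) -> dict[str, str]:
    """Map file name to hex digest for each line of an md5sum-format checksum file.

    Assumption: the PM_version_number.md5sum file uses the standard `md5sum` layout,
    "<32 hex digits>  <file name>" (a leading '*' on the name marks binary mode).
    """
    digests = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # blank, comment or malformed line
        digest, name = parts
        digests[name.strip().lstrip("*")] = digest.lower()
    return digests


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so a large image does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_firmware(local_path: str, md5sum_text: str, remote_name: str) -> bool:
    """Check the file saved as 'pmfirmware' against the published digest for remote_name.

    The procedure saves PM_180.BIN under the local name pmfirmware, so the digest
    is looked up by the remote name rather than the local one. A match shows the
    transfer was not truncated or corrupted; it does not prove who produced the file.
    """
    expected = parse_md5sum_file(md5sum_text).get(remote_name)
    if expected is None:
        raise KeyError(f"{remote_name} is not listed in the checksum file")
    return hmac.compare_digest(md5_of_file(local_path), expected)


def demo(tamper: bool = False) -> bool:
    """Write the constructed image and checksum file to a temp dir and verify them."""
    checksum_text = f"{hashlib.md5(CONSTRUCTED_FIRMWARE).hexdigest()}  PM_180.BIN\n"
    # With tamper=True one extra byte simulates a truncated or corrupted transfer.
    image = CONSTRUCTED_FIRMWARE + (b"\x00" if tamper else b"")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pmfirmware")
        with open(path, "wb") as f:
            f.write(image)
        return verify_firmware(path, checksum_text, "PM_180.BIN")
```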
filename pmfirmware. For the procedure, see “To Download AlterPath PM IPDU Software From Cyclades” on page 147.
1. Bring up the Web Manager and log in as an administrative user.
2. Go to Access → IPDU → Software Upgrade. The Software Upgrade screen displays.
3. Click the “Refresh” button.
Chapter 6: Web Manager “Settings” Menu Options

This chapter describes the menu options available to administrative users under the “Settings” top menu option. For an overview of the Web Manager features that are available only for administrative users and for how to use the configuration wizard, see Chapter 3, “Web Manager Introduction for Administrative Users,” if desired. This chapter covers the topics listed in the following table.
To Configure an Alias and a Power Up Interval for an IPDU Outlet ... Page 168
To Begin Configuring a PCMCIA Card ... Page 172
To Configure a Modem or GSM PCMCIA Card ... Page 176
To Configure an Ethernet PCMCIA Card ... Page 178
To Configure a Wireless LAN Card ... Page 180
To Configure a Compact Flash PCMCIA Card ... Page 182
To Configure System Date and Time ... Page 184
To Configure OnBoard Boot ... Page 188
To Configure an Email Recipient for OnBoard System Email ... Page 189
To Specify a New Lo

Options Under “Settings”
The following table lists the options that appear when an administrative user clicks “Settings” and provides links to where the options are described.
Configuring the AUX Port for Modem Access or for Power Management

The administrative user can use the Settings → AUX port screen to configure either of the following types of optional devices, if they are connected to the AUX port:
• One or more AlterPath PM IPDUs
• An external modem

For how to connect IPDUs and external modems, see the “Advanced Procedures” chapter in the AlterPath OnBoard Installation Guide.
Configuring the AUX Port for a Modem

Selecting “Modem” or “GSM” from the “Profile” pull-down menu on the Settings → AUX port screen causes the fields and menu option shown in the following figure to appear.

Figure 6-4: Settings → AUX Port → Modem

An administrative user can use this dialog to configure an external modem connected to the AUX port for dial-in using PPP or login access.
Modem Access Type Menu Options

If “Autodetect” is selected from the “Modem Access” pull-down menu, the fields, menus, and checkbox shown in Figure 6-4 appear. Because autodetection can detect either a PPP or Login access attempt, the screen has fields and pull-down menus for configuring all the parameters that apply to both options.
Figure 6-7: Settings → AUX Port → Modem → Login

If “OTP” is selected from the “Access Type” pull-down menu, the fields, the menu, and the checkbox shown in the following figure appear.

Figure 6-8: Settings → AUX Port → Modem → OTP

To Configure an AUX Port for Modem Access
This procedure assumes that an external modem is connected to the AUX port of the OnBoard.
4. Choose “Login,” “Autodetect,” “PPP,” or “OTP” from the “Modem access” menu.
5. Select a baud rate from the “Baud Rate” pull-down menu.
6. If you chose either “Login” or “Autodetect,” select an option from the “Flow Control” menu.
7. Enter a modem chat string in the “Modem Initialization” field.
8. If you chose PPP or Autodetect, do the following:
a. Enter a local IP address or accept the default provided in the “Local IP address” field.
Configuring IPDU Power Management

When an administrative user clicks the “IPDU” option under “Settings,” a screen like the one shown in the following figure appears.

Figure 6-9: Settings → IPDU Screen

As shown in Figure 6-9, when the AUX port is configured for power management, three tabs appear for configuring one or more connected IPDU(s).
The following table lists the tabs on the Settings → IPDU screen with links to the sections where they are described.

Table 6-2: Options Under Settings → IPDU
Option | Where Described
General | “Configuring Over Current Protection for an IPDU” on page 162.
Users | “Configuring Users to Manage Power Outlets on a Connected IPDU” on page 164.
exists), the OnBoard generates an alarm. The type of alarm depends on whether “Enable syslog” or “Enable buzzer” or both are checked.
• Checking “Enable syslog” causes syslog messages to be sent to the console if the maximum current is exceeded.
• Checking “Enable buzzer” causes a buzzer to sound on the AlterPath PM if the maximum current is exceeded.

Checking the “Enable Over Current Protection” checkbox brings up a table like the one in the following screen example.
To Enable Overcurrent Protection for an AlterPath PM IPDU
1. Log into the Web Manager as an administrative user.
2. Go to Settings → IPDU → General.
3. Check “Enable Over Current Protection,” then do the following steps.
a. Click the “Edit” button next to the IPDU on which you want to set the alarm threshold. The “Edit Alarm Threshold for IPDU” dialog appears.
b. Enter the appropriate number of Amps for the selected type of AlterPath PM in the “Alarm Threshold” field.
c.
Figure 6-14: Settings → IPDU → Users Screen

Clicking “Add” brings up the dialog shown in the following figure, where an administrative user can specify one or more comma-separated user names and one or more outlets.

Figure 6-15: Settings → IPDU → Users → Add User Dialog

Use a comma to separate outlet numbers, and use a hyphen to indicate a range of outlets (for example: 1, 3, 5, 6-8).
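The outlet syntax of the Add User dialog (commas between entries, a hyphen for an inclusive range), as an added example that is not the OnBoard’s own code: it expands an entry such as “1, 3, 5, 6-8”, rejects reversed ranges and outlet numbers the connected PM does not have, and pairs the result with the comma-separated user names from the same dialog. The outlet count passed in is an assumed parameter, not a field on the page.

```python
def parse_outlet_spec(spec: str, outlet_count: int) -> list[int]:
    """Expand an outlet specification such as '1, 3, 5, 6-8' into sorted outlet numbers.

    Commas separate entries and a hyphen gives an inclusive range, as in the dialog.
    outlet_count (assumed) is the number of outlets on the connected PM; anything
    outside 1..outlet_count is rejected so an authorization never names a missing outlet.
    """
    outlets = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty entry in {spec!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)  # int() raises ValueError on non-digits
            if lo > hi:
                raise ValueError(f"reversed range {item!r}")
        else:
            lo = hi = int(item)
        if lo < 1 or hi > outlet_count:
            raise ValueError(f"{item!r} is outside outlets 1-{outlet_count}")
        outlets.update(range(lo, hi + 1))
    return sorted(outlets)


def parse_user_list(users: str) -> list[str]:
    """Split the comma-separated user names field, dropping blanks and duplicates."""
    seen: list[str] = []
    for name in users.split(","):
        n = name.strip()
        if n and n not in seen:
            seen.append(n)
    return seen


def build_outlet_authorizations(users: str, spec: str,
                                outlet_count: int) -> dict[str, list[int]]:
    """Map each user named in the dialog to the outlets that user may manage."""
    outlets = parse_outlet_spec(spec, outlet_count)
    return {user: list(outlets) for user in parse_user_list(users)}
```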
After a user is added and the OK button is clicked, the user’s name is added to the list on the Users Manager form along with the numbers of the outlets the user is authorized to manage, as shown in the following figure.

Figure 6-16: Settings → IPDU → Users With a User Added

To Configure a User to Manage Power Outlets on a Connected IPDU
This procedure assumes the following prerequisites:
• An AlterPath PM IPDU is connected to the AUX port of the OnBoard.
Configuring Names and Power Up Intervals for Outlets on a Connected IPDU

On the Outlets screen under Settings → IPDU, an administrative user can assign a name to a power outlet and change the number of seconds that must elapse between when the selected outlet is turned on and another outlet can be turned on. The following figure shows the default screen. The Name column is empty because no names have been configured for any outlets. The default power up interval of 0.
Figure 6-19: Outlet Power Up Interval Dialog

Intervals can be specified using whole numbers or numbers with a decimal fraction, such as 10 or 7.5. Clicking OK saves the entries.

To Configure an Alias and a Power Up Interval for an IPDU Outlet
1. Log into the Web Manager as an administrative user.
2. Go to Settings → IPDU → Outlets.
3. To assign or change an outlet name, do the following steps.
a. Click the “Edit” button in the outlet’s Name column.
Configuring PCMCIA Cards

When an administrative user clicks the PCMCIA option under “Settings,” a screen appears like the one shown in the following figure.

Figure 6-20: Settings → PCMCIA Screen

Figure 6-20 shows the screen’s appearance when no card has been inserted or configured in either slot.
See the AlterPath OnBoard Installation Guide for a list of supported cards. Also check the release notes at the Cyclades website for additions to the list of supported cards. As shown in Figure 6-20, three buttons appear under the Action column in the PCMCIA table. The following table shows how the buttons are used and provides links to related procedures.
Figure 6-22: Example: PCMCIA Ethernet Card Inserted in Slot 1

Ejecting a PCMCIA Card

Clicking an “Eject” button brings up a screen like the one shown in the following figure.

Figure 6-23: Eject PCMCIA Dialog

Clicking OK ejects the card in preparation for physical ejection.
Configuring a PCMCIA Card

The following procedure describes the configuration steps to begin configuring any PCMCIA card and includes links to procedures for configuring specific types of cards.

To Begin Configuring a PCMCIA Card
1. Log into the Web Manager as an administrative user.
2. Go to Settings → PCMCIA. The PCMCIA screen appears.
3. Click the “Insert” button on the line for the slot in which you are installing the PCMCIA card.
4.
To Configure an Ethernet PCMCIA Card ... Page 178
Configuring a Compact Flash PCMCIA Card ... Page 181
To Configure a Compact Flash PCMCIA Card ... Page 182

Configuring a Modem or GSM PCMCIA Card

Selecting either “Modem” or “GSM” from the “Card Type” pull-down menu on the “PCMCIA card configuration” dialog causes the fields, menu options, and check box shown in the following figure to appear.
Figure 6-25: Settings → PCMCIA → Configure Modem or GSM Callback

Access Type Menu Options

If “Autodetect” is selected from the “Access Type” pull-down menu, the fields, menus, and a checkbox shown in Figure 6-26 appear.
Figure 6-27: Settings → PCMCIA → Configure Modem or GSM → PPP

If “OTP” is selected from the “Access Type” pull-down menu, the fields, the menu, and the checkbox shown in the following figure appear.

Figure 6-28: Settings → PCMCIA → Configure Modem or GSM → OTP

Note: OTP authentication is only supported for login access to the modem or GSM card.
To Configure a Modem or GSM PCMCIA Card
This procedure assumes that a modem or GSM PCMCIA card is inserted into a slot on the OnBoard and the steps under “To Begin Configuring a PCMCIA Card” on page 172 are complete. See Table 1-20, “Modem and Phone Card Field and Menu Definitions,” on page 38 for the values that an administrative user needs to select or to enter for modem configuration, if needed.
1. Log into the Web Manager as an administrative user.
2. Go to Settings → PCMCIA.
f. Enter PPP options as desired in the “PPP Options” field.
8. Enable callback, if desired, by doing the following steps.
a. Check the “Callback” checkbox.
b. Enter a callback phone number in the “Callback Number” field.
9. Click OK.
10. Click “Save and apply changes.”
The dialog for configuring an Ethernet card displays additional fields when the DHCP checkbox is not checked, as shown in Figure 6-30.

Figure 6-30: Settings → PCMCIA → Configure Ethernet Dialog → Without DHCP

To Configure an Ethernet PCMCIA Card
This procedure assumes that an Ethernet card is inserted into a PCMCIA slot on the OnBoard and the steps under “To Begin Configuring a PCMCIA Card” on page 172 are complete.
1.
Configuring a Wireless LAN PCMCIA Card

When an administrative user selects “Wireless LAN” from the “Card Type” pull-down menu on the “PCMCIA card configuration” dialog, the dialog appears as shown in the following figure when the DHCP checkbox is checked.
As shown in Figure 6-32, the dialog for configuring the Wireless LAN card displays additional fields when the DHCP checkbox is not checked.

Figure 6-32: Settings → PCMCIA → Configure Wireless LAN Dialog Without DHCP

To Configure a Wireless LAN Card
This procedure assumes that a wireless LAN card is inserted into a PCMCIA slot on the OnBoard and the steps under “To Begin Configuring a PCMCIA Card” on page 172 are complete.
1.
5. Enter a channel in the “Channel” field.
6. Select either “Managed” or “Ad-hoc” from the “Managed” pull-down menu.
7. Click OK.
8. Click “Save and apply changes.”

Configuring a Compact Flash PCMCIA Card

When a compact flash card is inserted in the selected slot, clicking the “Configure” button on the Settings → PCMCIA screen brings up a dialog like the one shown in the following figure.
Figure 6-34: Settings → PCMCIA → Configure Compact Flash Dialog

The three options on the “File System” pull-down menu are listed here:
• Auto
• Vfat
• Ext2

To Configure a Compact Flash PCMCIA Card
This procedure assumes that a compact flash card is inserted into a PCMCIA slot on the OnBoard and the steps under “To Begin Configuring a PCMCIA Card” on page 172 are complete.
1.
Configuring System Date and Time

When an administrative user clicks the Date/time option under Settings, a screen appears like the one shown in the following figure.

Figure 6-35: Settings → Date/time Screen

When Disable is selected from the Network Time Protocol menu, Date and Time configuration fields appear, as shown in Figure 6-35, for an administrative user to enter the date and time manually.
Figure 6-36: Settings → Date/time Screen: Timezone Pull-down

When Enable is selected from the “Network Time Protocol” pull-down menu, the “NTP server IP” field appears. An administrative user needs to specify the IP address of an NTP server in the NTP server field, as shown in Figure 6-37.

Figure 6-37: Settings → Date/time Screen With NTP Fields

To Configure System Date and Time
1. Select a timezone from the “Timezone” pull-down menu.
2.
a. Enter the month, day, and year in the “Month,” “Day,” and “Year” fields.
b. Enter the hour, minute, and second in the “Hour,” “Minute,” and “Second” fields.
c. Click the “Refresh time” button.
4. Click OK.
5. Click “Save and apply changes.”

Configuring the Boot File Location

When an administrative user selects the Boot configuration option under Settings, a screen appears like the one shown in the following figure.
Specifying the Boot File Location

The “Unit boot from” pull-down menu lists the “Network” option for booting from a TFTP boot server on the network along with one or two boot images that reside on the OnBoard. Two options appear (“Network” and “Image1”), as shown in the following figure, if only one boot image is found on the OnBoard.
After a software upgrade, the boot file location choices are:
• Network
• Image1:image_filename
• Image2:image_filename

The word “image” is followed by the number, followed by a colon (:), followed by the name of the file, including the version number. The menu item has the following format:
    image1:zvmppconb.vversion_number
The entry for the first release of the software, which is installed in the image1 area, is:
    image1:zvmppconb.
Boot Fields and Menu Options

The fields and menu options for boot configuration are described in the following table.

Table 6-4: Boot Configuration Fields and Options
Field or Value Name | Description
OnBoard IP address | A new IP address for the OnBoard.
Watchdog timer | Whether the watchdog timer is active. Choices are “InActive” and “Active.” If the watchdog timer is active, the OnBoard reboots if the software crashes.
5. If configuring network boot, do the following steps.
a. Accept or change the filename of the network boot program in the “Network boot file name” field. The file must be in the /tftpboot directory on the TFTP server specified in Step b.
b. Enter the IP address of the TFTP server in the “Server’s IP address” field.
c. Select a console speed from the “Console speed” pull-down menu.
6. Click “Save and apply changes.”

Configuring Outbound Email
3. Enter the email address in the “System email forwarding address” field.
4. Enter the DNS name or the IP address for the SMTP server.
5. Click “Save and apply changes.”

Configuring an Alternate Help File Location

When an administrative user selects the Help option under Settings, a screen appears like the one shown in the following figure.
2. Extract the files and put them into the desired directory under the web server’s root directory on a publicly accessible web server. For example, the following command lines would work on a computer running a UNIX-based operating system.
    # cd $WEB_SERVER_ROOT/
    # unzip OnBoard_online_hlp.zip
By default, the online help files are expanded into a directory named onboard under the directory where the zip file is located.
Chapter 7: Web Manager “Config” Menu Options

This chapter describes the menu options available to administrative users under the “Config” top menu option. For an overview of all the Web Manager features and menu options that are available for administrative users, see Chapter 3, “Web Manager Introduction for Administrative Users,” if needed. This chapter covers the topics in the following sections.
To Modify a User’s Account ... Page 206
To Create and Authorize User Groups for Device Management ... Page 207
To Configure Device Groups ... Page 209
To Configure a Kerberos Authentication Server ... Page 213
To Configure an LDAP Authentication Server ... Page 216
To Configure a NIS Authentication Server ... Page 217
To Configure a Radius Authentication Server ... Page 219
To Configure an SMB Authentication Server ... Page 221
To Configure a TACACS+ Authentication Server ... Page 223
To Configure an Authentication Meth
To Select or Customize the OnBoard’s Security Profile ... Page 258
To Configure Services ... Page 259

Options Under “Config”

When an administrative user clicks the “Config” option in the top menu of the Web Manager, twelve options appear in the left menu, as shown in the following figure.

Figure 7-1: “Config” Menu Options

The following table lists the options that appear when an administrative user clicks “Config” and provides links to where the options are described.
Table 7-1: Options Under “Config” (Continued)
Option | Where Described
Sensor alarms | “Configuring Sensor Alarms” on page 233
SNMP | “Configuring SNMP” on page 240
Syslog | “Configuring Logging of System Messages (Syslogs)” on page 250
Event log backend | “Configuring the Event Log Backend” on page 252
Security profile | “Selecting or Configuring a Security Profile” on page 254
Services | “Configuring the OnBoard’s Services” on page 259
Configuring Devices

When an administrative user goes to Config → Devices, a screen appears like the one shown in the following figure. As shown, entries appear for any configured devices, and “Edit” and “Delete” buttons appear next to each device’s entry. The “Add new device” button always appears on the screen.
Figure 7-3: Fields in the “Add New Device” or “Edit” Dialog

Caution! All devices connected to the private Ethernet ports of the OnBoard must have a previously configured private subnet name assigned.

The Caution at the top of the dialog shown in Figure 7-3 is a reminder that if the default route is assigned instead of a private subnet, the device can only be accessed if it is connected to the public interface of the OnBoard, a highly unlikely scenario and not recommended.
find out if a default command template works with the new device and to create a new command template if needed.
• You know the username and password pair that are used for logging into the service processor or device.

1. Log into the Web Manager as an administrative user.
2. Go to Config → Devices.
3. Click the “Add new device” button.
4. Enter a descriptive name for the service processor or other type of connected device in the “Name” field.
5.
Configuring Users and Groups

When an administrative user goes to Config → Users and groups, a screen like the one shown in the following figure appears.

Figure 7-4: Config → Users and Groups Screen

The administrative user can use the “Config → Users and groups” screen for adding users and groups and for authorizing users and groups to access devices through the OnBoard.
Configuring Users

Clicking the “Add new user” or “Edit” buttons shown in Figure 7-4 brings up a screen with the fields shown in the following figure.

Figure 7-5: Add New User or Edit Dialog

See Table 1-5 for descriptions of the parameters that can be set on the dialogs that appear when the “Add a regular user” or “Edit” options are selected. Clicking the “Delete” button shown in Figure 7-4 deletes the user without bringing up a confirmation dialog.
If no configured devices remain to be assigned to the user, the “Add new device” button does not appear. Clicking the “Add new device” or “Edit” buttons brings up a screen with the fields and menu options shown in the following figure.
Configuring Groups

Clicking the “Add new group” button or clicking the “Edit” button for an existing group brings up a screen with the fields shown in the following figure.

Figure 7-8: Add New Group or Edit Dialog

Clicking the “Delete” button shown in Figure 7-9 deletes the group without bringing up a confirmation dialog.
Figure 7-10: Add or Edit a Group’s Device Access Dialog

If no configured devices remain to be assigned to the group, the “Add new device” button shown in Figure 7-10 does not appear. Clicking the “Add new device” button brings up a screen with the fields and menu options shown in the following figure.
To Create and Authorize a User for Device Management
1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Go to Config → Users and groups.
3. To add a user, do the following steps.
a. Click the “Add new user” button.
b. Enter a username in the “User Name” field.
c. Enter an identifying name and optional job description in the “Full Name” field.
d.
6. Click “Save and apply changes.”

To Modify a User’s Account
1. Log into the Web Manager as an administrative user and go to Config → Users and groups.
2. Modify the user’s name, role, description, and PPP/PPTP access by performing the following steps.
a. Click the “Edit” button.
b. If desired, change the username in the “User Name” field.
c. If desired, change which radio button is selected: “Administrator” or “Normal user.”
d.
The “Edit username’s device access privileges” screen appears.
4. Click OK.
5. Click “Save and apply changes.”

To Create and Authorize User Groups for Device Management
1. Log into the Web Manager as an administrative user and go to Config → Users and groups.
2. Add a group by performing the following steps.
a. Click the “Add a new group” button.
b. Enter a group name in the “Group Name” field.
c. Enter one or more members in the “Members” field.
d.
Configuring Device Groups

When an administrative user goes to “Config → Device groups,” a screen like the one shown in the following figure appears.

Figure 7-12: Config → Devices Screen

The administrative user can use the “Config → Device groups” screen for configuring optional device groups. If device groups are added, an administrator can add a device to a group during configuration. See “Configuring Devices” on page 197.
Figure 7-13: Fields in the “Add New Group” or “Edit” Dialog

To Configure Device Groups
1. Log into the Web Manager as an administrative user and go to Config → Device groups.
2. Add or modify a device group by performing the following steps.
a. Enter or modify the group name.
b. Enter or modify the description.
c. Click OK.
3. Click “Save and apply changes.”
Configuring Authentication

The administrative user must decide whether to require authentication for logins into the OnBoard or into connected devices. If any other method than local is chosen, the administrative user must configure an authentication server for each method. The following table lists the tasks for configuring authentication and where the tasks are documented using the Web Manager.
Configuring Authentication Servers

The administrative user can use the Config → Authentication screen to configure all authentication servers to be used by the OnBoard or connected devices. When an administrative user goes to Config → Authentication, the screen shown in the following figure appears with the menu options shown for configuring authentication servers.
Configuring a Kerberos Authentication Server

When the administrative user goes to Config → Authentication and selects Kerberos from the “Authentication Type” pull-down menu, the fields shown in the following figure appear. If a Kerberos authentication server has not previously been configured, the fields are empty.
To Configure a Kerberos Authentication Server
Perform this procedure to configure an authentication server when the OnBoard or any of its connected devices is to use the Kerberos authentication method or any of its variations (Kerberos, Local/Kerberos, Kerberos/Local, or Kerberos Down/Local).
vi. Click “Save and apply changes.”
3. Make sure that the timezone, time, and date settings are synchronized between the OnBoard and the Kerberos server.

Note: Kerberos authentication depends on time synchronization. Time and date synchronization is most easily achieved by setting both the OnBoard and the Kerberos server to use the same NTP server.

a. Follow the procedure under “To Configure System Date and Time” on page 184 to set the timezone, date, and time.
b.
Configuring an LDAP Authentication Server

When an administrative user goes to Config → Authentication and selects LDAP from the “Authentication Type” pull-down menu, the fields shown in the following figure appear.

Figure 7-16: Config → Authentication: LDAP

If an LDAP authentication server has not previously been configured, the fields are empty. If an LDAP authentication server has previously been configured, the fields are filled in.
The domain name is specified as shown in the following example. For the LDAP domain name cyclades.com, the correct entry would be: dc=cyclades,dc=com.
• Secure LDAP pull-down menu. Options are “Off,” “On,” and “Start TLS.”
5. Replace the default domain name with the name of your LDAP domain.
6. Pick an option from the Secure LDAP pull-down menu.
7. Enter an optional username in the “LDAP User Name” field.
8. Enter an optional password in the “LDAP Password” field.
9. Enter an optional login attribute in the “LDAP Login Attribute” field.
10. Click “Save and apply changes.”
The changes are stored in /etc/ldap.conf on the OnBoard.
OnBoard and connected devices know the passwords assigned to the accounts:
• An account for “admin”
• If NIS authentication is specified for the OnBoard, accounts for all users who need to log into the OnBoard.
• If NIS authentication is specified for devices, accounts for users who need access to the connected devices.

1. Log into the Web Manager as an administrative user.
2. Go to Config → Authentication and select NIS from the “Authentication Type” pull-down menu.
The administrative user must obtain the needed information about the Radius server from the server’s administrator and configure the server by filling in these fields that display when the Radius authentication type is selected:
• First Authentication Server
• Second Authentication Server
• First Accounting Server
• Second Accounting Server
• Secret
• Timeout(s)
• Retries

To Configure a Radius Authentication Server
Perform this procedure to identify the authentication server
6. Enter one or more timeout values in the “Timeout” field.
7. Enter a number of retries in the “Retries” field.
8. Click “Save and apply changes.”

Configuring an SMB Authentication Server

When the administrative user goes to Config → Authentication and selects SMB from the “Authentication Type” pull-down menu, the fields shown in the following figure appear.
To Configure an SMB Authentication Server
Perform this procedure to identify the authentication server when the OnBoard or any of the connected devices is to use the SMB authentication method or any of its variations (Local/SMB, SMB/Local, or SMB Down/Local).
Configuring a TACACS+ Authentication Server

When the administrative user goes to Config → Authentication and selects TACACS+ from the “Authentication Type” pull-down menu, the fields shown in the following figure appear.

Figure 7-20: Config → Authentication: TACACS+

The administrative user must obtain the needed information about the TACACS+ server from the server’s administrator.
To Configure a TACACS+ Authentication Server
Perform this procedure to identify the authentication server when the OnBoard or any of the connected devices is to use the TACACS+ authentication method or any of its variations (Local/TACACS+, TACACS+/Local, or TACACS+ Down/Local).
Configuring an Authentication Method for the OnBoard

When an administrative user goes to Config → Unit Authentication, the screen shown in the following figure appears. The administrative user uses this screen to configure the authentication method that applies when anyone attempts to log into the OnBoard.
By default, Local authentication is in effect, and no configuration is required. The following figure shows the authentication methods available for OnBoard logins.

Figure 7-22: Default Config → Unit Authentication Screen With Menu Options

To Configure an Authentication Method for OnBoard Logins
Perform this procedure to configure an authentication method for logins into the OnBoard.
Configuring Notifications

When an administrative user goes to Config → Notifications, the screen shown in the following figure appears. The administrative user can use this screen for defining alarm triggers to generate notifications when the specified events occur. The syslog daemon filters the messages by the configured criteria and takes the specified action based on the content of the matching messages.
Table 7-3: Values for Configuring Any Type of Notification (Continued)

Checkbox, Field, or Menu Name | Description
Name | The name for the trigger
Alarm trigger | A function and a regular expression in syslog-ng format. Use the format:
function(‘regular_expression’);
For example, the following example searches system messages for “Denied,” “denied,” “Fail,” and “fail.”
match(‘[Dd]enied | [Ff]ail’);
For more information, see “OnBoard Notifications” on page 43.
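As an added example (not code from the guide), the following Python applies a trigger written in the function(‘regular_expression’); format above to a few constructed syslog lines, using the same search semantics as a syslog-ng match() filter. The helper names are assumptions; the sample messages are constructed. It also shows why the spaces around the | in the guide’s trigger matter: “[Dd]enied ” only matches when a space follows the word, and “ [Ff]ail” only when a space precedes it, so a message ending in “Denied.” is not selected.

```python
import re

# Constructed sample messages standing in for lines the OnBoard's syslog-ng
# would examine (not real OnBoard output).
SAMPLE_MESSAGES = [
    "sshd[812]: Failed password for root from 10.0.0.7 port 51022 ssh2",
    "login[340]: Access denied for user guest on ttyS0",
    "pam_unix: authentication failure; user=admin",
    "kernel: eth0: link is up",
    "ipmi: Login Denied.",
]

# Accepts function('regex'); with straight or typographic quotes, because the
# guide prints the trigger with typographic quotes.
TRIGGER_RE = re.compile(r"^\s*(\w+)\(\s*['‘’]([^'‘’]*)['‘’]\s*\)\s*;?\s*$")


def parse_trigger(trigger):
    """Split a trigger such as match('[Dd]enied'); into (function, compiled regex).

    Only the match() filter is supported here; anything else is rejected so a
    typo in the function name is caught before the trigger is saved.
    """
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"malformed trigger: {trigger!r}")
    func, pattern = m.group(1), m.group(2)
    if func != "match":
        raise ValueError(f"unsupported filter function: {func}")
    # syslog-ng match() is an unanchored, case-sensitive search, like re.search.
    return func, re.compile(pattern)


def matching_messages(trigger, messages):
    """Return the messages the trigger's regular expression would select."""
    _, regex = parse_trigger(trigger)
    return [msg for msg in messages if regex.search(msg)]


if __name__ == "__main__":
    guide_trigger = "match('[Dd]enied | [Ff]ail');"   # as printed in the guide
    tight_trigger = "match('[Dd]enied|[Ff]ail');"     # without the embedded spaces
    for trig in (guide_trigger, tight_trigger):
        print(trig)
        for msg in matching_messages(trig, SAMPLE_MESSAGES):
            print("   selected:", msg)
```

Running the block shows that the guide’s trigger selects three of the five constructed lines and misses “ipmi: Login Denied.”, while the trigger without the embedded spaces selects it as well.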
application, such as HP Openview, Novell NMS, IBM NetView, or Sun Net Manager. The values for SNMP trap notifications are defined in Table 7-3 and in Table 1-13.

To Configure SNMP Trap Notifications
Perform this procedure to configure an alarm trigger and an SNMP trap notification to be sent if the specified alarm trigger occurs. See “OnBoard Notifications” on page 43 for trigger syntax.
1. Log into the Web Manager as an administrative user and go to Config → Notifications.
2.
iii. If “Auth & crypt” is selected, select an option from the “Encryption” menu.
iv. Enter an optional password in the “Crypt password” field.
11. Enter an SNMP server IP address or DNS name in the “SNMP server” field.
12. Enter any desired text in the “Body” field.
13. Click OK.
14. Click “Save and apply changes.”
Table 7-4: Fields for Configuring a Pager Notification (Continued)

Field or Menu Name | Notes
Text | The text to be sent in the trap message
SMS username | The Short Message Services (SMS) user name
SMS server | The SMS server’s IP address or DNS name
SMS port | The SMS port number

To Configure Pager Notifications
Perform this procedure to configure an alarm trigger and a pager notification to be sent if the specified alarm trigger occurs. See “OnBoard Notifications” on page 43.
Configuring Email Notifications

The following figure shows the fields that appear when the Email option is selected and the Add button is clicked.

Figure 7-26: Default Config → Notifications: Email Add Dialog

For Email notifications, the administrative user needs to configure the values in Table 7-5, in addition to the values in Table 7-3.
Table 7-5: Fields for Configuring an Email Notification (Continued)

Field or Menu Name | Notes
From | The sender’s email address
Subject | Summary text to describe the event triggering the email
Body | Description of the event

To Configure an Email Notification
Perform this procedure to configure an alarm trigger and an email notification to be sent if the specified alarm trigger occurs. See “OnBoard Notifications” on page 43.
1.
Configuring Sensor Alarms

When an administrative user goes to Config → Sensor alarms, the screen shown in the following figure appears. The administrative user can use this screen to configure the OnBoard to check sensor readings from service processors and to configure alarms to be sent if the sensor readings are not within certain specified values. See “OnBoard Sensor Alarms” on page 44 for an introduction and values needed to configure sensor alarms.
To Begin Configuring a Sensor Alarm
Perform this procedure to monitor a sensor on a specific device and configure an alarm trigger and a notification to be sent if the specified alarm trigger occurs. See “OnBoard Notifications” on page 43.
1. Log into the Web Manager as an administrative user and go to Config → Sensor Alarms.
2. Click the “Add new alarm” button. The add sensor alarm dialog appears.
3. Select a device from the “Device” pull-down menu.
4.
Figure 7-29: Config → Sensor Alarms Syslog Message Fields

The following items apply to the fields shown in Figure 7-29:
• Priority levels are listed in “Message Filtering Levels” on page 33.
• The Body field can include any desired text to include with the syslog message.

To Configure a Syslog Message Sensor Alarm Action
1. Perform Step 1 through Step 9 in the procedure “To Begin Configuring a Sensor Alarm” on page 234, selecting “Syslog message” from the “Action” menu in Step 8.
2.
Figure 7-30: Config → Sensor Alarms SNMP Trap Fields for V1 and V2c

The fields that appear when SNMP v1 and v2 are selected are the same, but when SNMP v3 is selected other fields appear, as shown in Figure 7-31.

Figure 7-31: Config → Sensor Alarms SNMP Trap Fields for V3

See “SNMP on the OnBoard” on page 26 for values to define SNMP traps.

To Configure an SNMP Trap Sensor Alarm Action
1.
5. If either v1 or v2 is selected in Step 4, enter the name of a community in the “Community” field.
6. If v3 is selected in Step 4, perform the following steps.
a. Enter the username required for authentication in the “User” field.
b. Select an authentication level from the “Auth Level” pull-down menu.
c. If “Auth” or “Auth & Crypt” is selected, select an authentication method from the “Auth Method” pull-down menu.
d.
Configuring a “Pager” Sensor Alarm Action

The following figure shows the fields that appear when “Pager” is selected on the “Action” menu on the Config → Sensor Alarms screen that is shown in Figure 7-28.

Figure 7-32: Config → Sensor Alarms Pager Message Fields

The following table describes the fields in Figure 7-29.

Table 7-6: Fields for Configuring Syslog Message Sensor Alarms

Field or Menu Name | Notes
Pager/phone number | Pager or phone number.
SMS username | SMS user name.
3. Enter the user name required for authentication in the “SMS username” field.
4. Enter the IP address of the SMS server in the “SMS server” field.
5. Enter the SMS port number in the “SMS port” field.
6. Enter any desired message in the “Message” field.
7. Click OK.
8. Click “Save and apply changes.”
Table 7-7: Fields for Configuring Email Sensor Alarms (Continued)

Field or Menu Name | Notes
Subject | Identifies the source of the message, for example: “Alarm: Sensor Error from rack1_dev2_ilo.”
Body | Any desired text to include with the email message.

To Configure an Email Sensor Alarm Action
1. Perform Step 1 through Step 9 in the procedure “To Begin Configuring a Sensor Alarm” on page 234, selecting “Email” from the “Action” menu in Step 8.
2.
Figure 7-34: Config → SNMP Configuration Screen

Note: For SNMP to work, you need to ensure either that the selected security profile enables the SNMP service (by checking the Config → Security profile screen) or that the SNMP service is active (by checking the Config → Services screen). If the security profile in effect enables SNMP, you do not need to activate SNMP on the Services screen.

The following table lists the tasks for configuring SNMP in the Web Manager.
Configuring SNMP Information Settings

Under the “OnBoard information settings” heading on the Config → SNMP screen shown in Figure 7-34, clicking the “Edit” button enables the administrative user to change the configured values. The “Edit” button brings up the screen shown in the following figure.

Figure 7-35: Config → SNMP: Edit OnBoard Information Settings

To Configure OnBoard SNMP Information
See Table 1-13, “Values for Configuring SNMP,” on page 28.
1.
Configuring SNMP for Devices

As shown in Figure 7-36, the names of all configured devices and the OnBoard itself are listed under the “Servers SNMP configuration” heading on the Config → SNMP screen.

Figure 7-36: Config → SNMP: SNMP Configure Screen

Pressing the “SNMP Configure” button next to the name of a device brings up a screen like the one shown in the following figure.
The administrative user can use the screen shown in Figure 7-37 to configure the following:
• How the OnBoard authenticates itself to a device when proxying SNMP functionality for the device. See “Configuring Device SNMP Settings” on page 244.
• How the users on the public side authenticate themselves to the OnBoard, whether they are using SNMP functionality on the OnBoard itself or SNMP functionality proxied from a device.
Figure 7-39: Config → SNMP: Device SNMP Access Dialog With V3 Selected

Configuring SNMP Device Access Settings

When the administrative user clicks the “Add Access” button under the “Service Processor SNMP setting” heading shown in Figure 7-37, a screen appears like the one in the following figure.
The fields on the screen shown in Figure 7-40 vary according to which SNMP protocol type is selected. Figure 7-40 shows the fields when v1 or v2 is selected. Figure 7-41 shows the fields when v3 is selected from the “SNMP version” menu.

Figure 7-41: Config → Device SNMP Settings Dialog With V3 Selected

To Begin Configuring SNMP for a Device
1. Log into the Web Manager as an administrative user.
2. Go to Config → SNMP.
3.
The “Device devicename SNMP settings” dialog appears.
3. Enter the identifier for the object to be managed in the OID field.
4. Select a version from the SNMP version pull-down menu.
5. If either the v1 or v2c version is selected in Step 4, enter a community name in the “Community” field.
6. If the v3 version is selected in Step 4, do the following steps.
a. Enter the user name required for authentication in the “User name” field.
b.
d. If a view has been configured, select a “Read view” and “Write view” from the “Security level” pull-down menus.
5. If the v3 version is selected in Step 3, configure users as desired by clicking the “Add user” button and doing the following steps. The “User configuration” dialog appears.
a. Click the “Add user” button. The “User settings” dialog appears.
b. Enter a username in the “User name” field.
c. Select an authentication method from the “Auth method” menu.
d.
a. Select a read view and write view from the “Auth” menus under the “Read view” and “Write view” columns.
a. Select a read view and write view from the “Auth & crypt” menus under the “Read view” and “Write view” columns.
b. Click OK.
8. Click OK.
9. Click “Save and apply changes.”
2. Go to Config → SNMP.
3. Click the “Add trap” button under the “Trap forward configuration” heading.
4. Enter an optional IP address in the “Source IP address” field.
5. Enter the IP address of the SNMP server to receive the trap in the “Destination IP address” field.
6. Enter the OID of the device in the “OID” field.
7. Click OK.
8. Click “Save and apply changes.”
See “Message Logging (With Syslog) on the OnBoard” on page 32 for more details.

Syslog Destination

The administrative user can use the Config → Syslog screen to tell the OnBoard to send syslog messages to one or all of the following:
• Console
• Root user (if the root user is configured to receive syslog messages, make sure to configure an email address under Network → Outbound email).
4. On the “Filter system log messages by level” screen, specify which types of system log messages are forwarded by clicking the checkboxes next to the desired severity levels.
5. Click “Save and apply changes.”

Configuring the Event Log Backend

When an administrative user goes to Config → Event log backend, a screen appears like the one shown in the following figure. An entry appears for each configured device with an “Edit” button next to each device’s entry.
Figure 7-45: Config → Event Log Backend: Edit Dialog

To Configure Event Logging for Connected Service Processors
1. Log into the Web Manager as an administrative user.
2. Go to Config → Event log backend. The Event log backend profile screen displays.
3. Click the “Edit” button to edit event logging for a device. The “Edit OnBoard Event Log Settings for Device” dialog displays.
4.
Selecting or Configuring a Security Profile

When an administrative user goes to Config → Security profile, a screen like the one shown in the following figure appears.

Figure 7-46: Config → Security Profile Screen

The screen identifies the name of the security profile currently in effect. For more details about the services and features configured by default security profiles and what you can change in a custom profile, see “OnBoard Security Profiles” on page 16.
Figure 7-47: Config → Security Profile Dialog With the “Moderate” Profile Enabled

An administrative user can use the Config → Security profile screen to select one of the default security profiles or configure a custom security profile for the OnBoard. The features in the “Moderate” security profile are described in Table 1-7, “Moderate Security Profile Services/Features,” on page 16.
Figure 7-48: Config → Security Profile Message After a New Profile is Selected

Secured

The following figure shows the lists of enabled and disabled features in the dialog for the “Secured” security profile.
Note: Follow the reminder at the bottom of the screen shown in Figure 7-49 by making sure to notify all users that they must use HTTPS when bringing up the Web Manager, because HTTP is disabled by the secured security profile.

The features in the “Secured” security profile are described in Table 1-8, “Secured Security Profile Services/Features,” on page 17.
Custom

The following figure shows the features that can be enabled and disabled in the dialog for the “Custom” security profile.

Figure 7-51: “Custom” Security Profile Dialog

The options that can be configured in a custom security profile are described in Table 1-10, “Services and Other Functions in the ‘Custom’ Security Profile,” on page 18.

To Select or Customize the OnBoard’s Security Profile
1. Log into the Web Manager as an administrative user.
2.
5. If you select the “Custom” profile, make sure the checkboxes are checked next to services and features you want to be enabled and make sure the checkboxes are clear next to services and features you want to be disabled.
6. Click “OK.” The security profile confirmation screen appears.
7. Click the “Save and apply changes” button.

Configuring the OnBoard’s Services

When an administrative user goes to Config → Services, the screen shown in the following figure appears.
Chapter 8: Web Manager “Network” Menu Options

This chapter describes the menu options available to administrative users under the “Network” top menu option. For an overview of all the Web Manager features and menu options that are available for administrative users, see Chapter 3, “Web Manager Introduction for Administrative Users,” if needed. This chapter covers the topics in the following sections.
To Configure a Virtual Network Page 283

Options Under “Network”

When an administrative user clicks the “Network” option in the top menu of the Web Manager, seven options appear in the left menu, as shown in the following figure.

Figure 8-1: “Network” Menu Options

The options under “Network” are described in the sections listed in the following table.
Table 8-1: Options Under “Network”

Option | Where Described
VPN connection | “Configuring VPN Connections” on page 275
Private subnets | “Configuring Private Subnets and Virtual Networks” on page 279

Configuring Network Interfaces

When an administrative user clicks the “Host settings” option under “Network,” a screen like the one shown in the following figure appears.
The screen shown in Figure 8-2 allows the administrative user to set or change the parameters in the following table.

Table 8-2: Network Interfaces Configuration Values

Settings | Notes
Failover | Selecting “enabled” from the pull-down menu configures failover from the primary to the secondary Ethernet port if the primary port goes down. See “Configuring Failover” on page 265.
Configuring Routes

Configuring the network interfaces sets up a default route for the OnBoard. When the DHCP checkbox is checked on any of the network interface screens, the DHCP server assigns the OnBoard a default route. If the DHCP checkbox is not checked, the gateway IP specified by the administrative user in the “Gateway IP” field is used to create a default route for the interface.
Configuring Primary and Secondary Ethernet Ports

If failover is disabled, the administrative user can configure each Ethernet port separately in the following ways:
• Enable or disable each Ethernet port
• Enable or disable DHCP
• If DHCP is disabled, configure each port for static IP addressing.
To Configure OnBoard Network Interfaces
1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Go to Network → Host settings.
3. Modify the name in the “Host name” field, if desired.
4. Enable or disable failover by selecting the desired option from the “Failover” pull-down menu.
5. Enable DHCP, if desired, by making sure the “DHCP” checkbox is checked.
6.
Configuring Firewall Rules for OnBoard Packet Filtering

When an administrative user clicks the “Firewall” option under “Network,” a screen appears like the one shown in the following figure. The administrative user can use this screen to configure packet filtering as described in this section. See “Firewall/Packet Filtering on the OnBoard” on page 55 for background information, if needed.
Figure 8-5 shows the six built-in chains. The rules for the built-in chains are hidden. The top three chains are defined in the iptables “filter” table and the bottom three chains are defined in the iptables “nat” table. Also as shown, an “Add new table_name chain_name rule” button appears under the entry for each chain, for example, “Add new NAT prerouting rule.”
To Add a New Packet Filtering (Firewall) Rule
1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Go to Network → Firewall.
3. Click the “Add new table_name chainname rule” button underneath the entry for the chain to which you wish to add a rule.
4. Configure one or more of the following filtering options, as desired.
a.
a. Select or accept the protocol selected from the “Protocol” pull-down menu.
b. Accept or change the value entered in the Source IP/mask field, using the form hostIPaddress or networkIPaddress/NN, where NN is the subnet length.
c. Accept or change the value entered in the Destination IP/mask field, using the form hostIPaddress or networkIPaddress/NN, where NN is the subnet length.
d.
• Edit the host’s configuration
• Delete host entries

The following figure shows the dialog that appears when the administrative user clicks the “Add new host” button on the screen shown in Figure 8-7.

Figure 8-8: Network → Host Table: Add New Host Dialog

When adding a host, the administrative user must enter the information in the top two bullets below:
• IP address
• Name
• Alias
The “Alias” is optional.

To Add a New Host
1. Log into the Web Manager as an administrative user.
Configuring Static Routes

When an administrative user clicks the “Static routes” option under “Network,” a screen like the one shown in the following figure appears.

Figure 8-9: Network → Static Routes Screen

The administrative user can use the Static routes screen to manually add a static route or to edit or delete existing static routes.
The following table describes the fields and menu options that appear when you select the “Edit” or “Add” buttons.

Table 8-3: Fields and Menus for Configuring Static Routes
Field or Menu Name: Definition
Network Address: Enter the IP address of the destination host or specify a network in the form networkIPaddress/mask_length (also referred to as prefix/length). Note: To set a default route, go to Network → Host Settings.
Type: Pull-down menu choices are “Gateway” or “Interface.
Configuring VPN Connections

An administrative user must configure VPN connections in order to enable authorized users to access native IP management features on an SP. See the AlterPath OnBoard User’s Guide for background information about how users create a VPN connection from their remote computers to enable access to native IP features on an SP. Also see “Example 2: Two Private Subnets and VPN Configuration” on page 381.
Configuring IPSec VPN Connections

Selecting “Add new connection” on the VPN connections screen under the IPSec heading brings up the screen shown in the following figure.

Figure 8-12: IPSec VPN Connection Configuration Dialog

The administrative user can define multiple IPSec VPN connections.

To Configure IPSec VPN

Make sure that the IPsec service is enabled.
6. Select either “ESP” or “AH” from the “Authentication protocol” pull-down menu.
7. Select “Shared Secret” or “RSA public keys” from the “Authentication method” pull-down menu.
8. If “Shared Secret” is selected, enter the shared secret in the “Pre-Shared key” field.
9. Set up the right and left hosts by doing the following steps.
a. Enter the name of the OnBoard (left host) or the remote computer (right host) in the “ID” field.
b.
Figure 8-13: PPTP VPN Connection Configuration Fields

The following table describes the fields for configuring a PPTP profile.

Table 8-4: Fields for Configuring a PPTP Profile
Field: Purpose
PPTP local address pool: Assign an OnBoard IP address or range of addresses to be used whenever a user creates a PPTP VPN connection to the OnBoard. Specify a pool of addresses in the form 10.0.0.100-110.
6. Make sure that users who are authorized for native IP are also authorized for PPTP connections.

Configuring Private Subnets and Virtual Networks

The administrative user performs configuration on the Network → Private subnets screen after deciding which addressing scheme to use, as discussed here and in more detail in Appendix A, “Advanced Device Configuration” on page 345. For introductory information, see also “Device Configuration” on page 46.
Internet via the OnBoard’s public IP address. Any number of private subnets may be configured.

Note: The OnBoard attempts to reach a device that does not have a private subnet assigned by attempting to contact it through the OnBoard’s default route. Therefore, unless the OnBoard administrator defines a public subnet and assigns it to each device, the device cannot be reached unless the device is on the public side of the OnBoard.
The OnBoard derives the range of addresses in the subnet from the OnBoard-side IP address and the subnet mask. The OnBoard uses the specified information to create a route to the subnet in the OnBoard’s routing table. The example in Figure 8-16 shows a private subnet name of “net1,” an OnBoard-side IP address of 192.168.0.254, and a subnet netmask of 255.255.255.0.
• multiple address ranges and it is not feasible to change previously-defined device IP addresses.
• When it is important to hide the addresses of the connected devices from users by the use of virtual IP addresses.

The fields under “Virtual Network (DNAT) configuration” on the Network → Private Subnets screen appear as shown in the following screen example.
6. Click OK.
7. Click “Save and apply changes.”

To Configure a Virtual Network

1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Under “Virtual Network (DNAT) configuration,” enter a virtual IP address to assign to the OnBoard from the virtual network’s address range in the “Address” field.
3. Enter the netmask for the virtual network in the “Netmask” field.
4.
Chapter 9: Web Manager “Info” and “Mgmt” Menu Options

This chapter describes the menu options available to administrative users under the “Info” and “Mgmt” top menu options. For an overview of all the Web Manager features and menu options that are available for administrative users, see Chapter 3, “Web Manager Introduction for Administrative Users,” if needed. This chapter covers the topics in the following sections.
Options Under “Info”

When an administrative user clicks the “Info” option in the top menu of the Web Manager, three options appear in the left menu, as shown in the following figure.

Figure 9-1: “Info” Menu Options

The options that appear when an administrative user clicks “Info” are described in the sections listed below.
Viewing Status Information About Active Sessions

When an administrative user goes to Info → Session status, a screen appears like the one shown in the following figure.

Figure 9-2: Info → Session Status Screen

The following table lists the headings on the Info → Session status screen.
Viewing System Information

When an administrative user goes to Info → System information, a screen appears like the one shown in the following figure.
The following table lists the types of information available on the system information screen.
Table 9-3: Information on the System Information Screen (Continued)
Heading: Listed Information
Memory Information: MemTotal, MemFree, MemShared, Buffers, Cached, SwapCached, Active, InActive, HighTotal, HighFree, LowTotal, LowFree, SwapTotal, SwapFree, Committed_AS, VmallocTotal, VmallocUsed, VmallocChunk
PCMCIA Information: Socket 0 – Ident[ity], Socket 0 – Config, Socket 0 – Status, Socket 1 – Ident[ity], Socket 1 – Config, Socket 1 – Status
Table 9-3: Information on the System Information Screen (Continued)
Heading: Listed Information
RAM Disk Usage: Lists information about the partitions under the following headings

Viewing Information About Detected Devices

When an administrative user goes to Info → Detected devices, a screen appears like the one shown in the following figure.

Figure 9-4: Info → Detected Devices Screen

The following table describes the information provided on the Info → Detected devices screen.
Table 9-4: Information on the Info → Detected Devices Screen (Continued)
Heading Name: Description
DHCP Client?: If the OnBoard DHCP server is enabled (as described in “Configuring the DHCP Server” on page 77) and if the detected device obtained a dynamically allocated (instead of fixed) IP address from the OnBoard, YES appears in this column. In all other cases, the column is empty.
Options Under “Mgmt”

Clicking the “Mgmt” (Management) option brings up the left menu options shown in the following screen example.

Figure 9-5: “Mgmt” Options

The following table describes the menu options under “Mgmt” and provides links to procedures.
Table 9-5: Tasks Performed Under the Web Manager “Mgmt” Tab (Continued)
Task: Option: Where Documented
Upgrade the OnBoard’s operating system, configuration files, and applications from an FTP server: Firmware upgrade: “Upgrading OnBoard Firmware (Operating System Kernel, Configuration Files, and Applications)” on page 296
Restart (reboot) the OnBoard: Restart: “Restarting the OnBoard” on page 300

Backing Up or Restoring Configuration Files

When an administrative user goes to Mgmt →
To Back Up Configuration Files

1. Bring up the Web Manager and log in. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Go to Mgmt → Backup/restore.
3. Click the “Save” button to back up the current state of the configuration files.
4. Click the “Save and apply changes” button.

To Restore Backed-up Configuration Files

1. Bring up the Web Manager and log in. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
Upgrading OnBoard Firmware (Operating System Kernel, Configuration Files, and Applications)

When an administrative user goes to the Mgmt → Firmware upgrade screen, the screen shown in the following figure appears.

Figure 9-7: Mgmt → Firmware Upgrade Screen

An administrative user can use the screen to upgrade the OnBoard’s operating system kernel and applications, which are collectively referred to as “firmware” in Cyclades management interfaces.
Information Needed for Firmware Upgrades

The screen collects information used to automatically download software from an FTP server and to install the software on the OnBoard. The following table defines the information you need to supply on the form.

Table 9-6: Firmware Upgrade Screen Fields
Field/Menu Name: Definition
FTP site: The DNS name or IP address of the FTP server where the firmware is located. You can use any FTP server if you download the firmware onto it first.
Special Considerations if the Last Boot Was a Network Boot

If the OnBoard was last booted over the network from a TFTP server, the message shown in the following figure appears.

Figure 9-8: Mgmt → Firmware Upgrade Screen With Net Boot Message

If the last boot was a network boot from a TFTP server, clicking the “Upgrade Now” button writes the currently-running image from the RAM memory into the flash memory.
For more details about how images are stored in the OnBoard and about configuration file backups, see Appendix B, “Advanced Boot and Backup Configuration Information.”

To Upgrade the OnBoard’s Operating System, Applications, and Configuration Files

See Table 9-6, “Firmware Upgrade Screen Fields,” on page 297 if needed for the values to supply in the fields.
Restarting the OnBoard

When an administrative user goes to Mgmt → Restart, the screen shown in the following figure appears.

Figure 9-9: Mgmt → Restart Screen

To Restart the OnBoard

1. Log into the Web Manager as an administrative user. See “To Log Into the Web Manager for the Administrative User” on page 108, if needed.
2. Go to Mgmt → Restart.
3. Click the “Restart” button.
Chapter 10: Using the cycli Utility

This chapter describes the cycli configuration utility that is available for OnBoard administrators to use on the OnBoard’s command line. This chapter covers the topics shown in the following table.
Accessing the Command Line

As described in the AlterPath OnBoard User’s Guide, administrators can access the OnBoard command line in any of the following three ways.

• By local logins through the console port
Local OnBoard root users can access the command line by logging in through the console port using a terminal or computer running a terminal emulation program, as illustrated in the following figure.
cycli Utility Overview

An administrator (root or admin) can configure the OnBoard using the cycli utility. Only one administrator (root or admin) can run the cycli utility at a time. While in the cycli utility, the administrator can escape to the shell and when finished can return to the cycli utility.
Execution Modes

Command Line Mode

Command line mode refers to when the cycli utility is invoked on the Linux command line with options, commands, and parameters and values. The cycli utility performs the specified commands, displays any values requested by a command (such as the “get” command), and returns the shell prompt. To commit the changes made in command line mode, make sure to use the -C option as part of the command line. See “Entering a Command in Command Mode” on page 307.
cycli Options

Administrators can invoke the cycli command with a number of different options shown in the following table.

Table 10-1: cycli Utility Options
Option: Description
-1: When entered either in command line or in batch mode with commands that act on a single parameter, speeds up response time.
-C: Commits changes when quitting.
-f file: Reads commands from file. Used for running commands in batch mode.
-F: Forces login (terminates an existing configuration session, if any).
etc/param.conf file. Table 10-2 on page 313 shows branches of the tree that let you add parameters to them. The following diagram illustrates one parameter in the OnBoard cycli parameter tree. As shown in the example in Figure 10-1, each branch in the parameter tree is made up of one or more parameters, one nested below the other.
Entering Values With Parameters

Enter values that contain spaces within double quotes (“). To set a value that contains double quotes, precede the double quote within a double quote with a backslash (\), which is achieved by typing two backslashes.
Entering a Command in Batch Mode

Based on the example in Figure 10-1, you could use batch mode to turn on Ethernet failover as shown in the following examples. You could put the command in a script that calls /usr/bin/cycli with the -CF options, as shown in the following screen example.

    #!/usr/bin/cycli -CF
    set network interface failover yes

You could then make the script executable and execute it on the command line, as shown in the following screen example.
If you want to run multiple cycli commands from a script that is also running other Linux commands, you could add the multiple cycli commands as shown in the following example:

    #!/bin/bash
    ...
    /usr/bin/cycli << EOF
    set network interface failover yes
    set network hostname frutabaga
    commit
    EOF

You could then make the script executable and execute it on the command line, as shown in the following screen example.

    [root@onboard root]# chmod 777 scriptname2
    [root@onboard root]# .
Autocompletion

Autocompletion can be used to find out what commands and parameters are available. Pressing the Tab key displays all the commands at the top level, as shown in the following screen example.

    cli>
    add      commit   cd       delete   exit     get      list
    quit     rename   revert   set      show     shell    version

Typing any of the commands such as add or set then pressing Tab twice displays all the top level parameters, as shown in the following screen example.
Example:

    cli> s
    set   shell   show
    cli> se
    cli> set n
    network   notifications   ntp
    cli> set ne
    cli> set network
    hostname   hosts   interface   resolv   smtp   st_routes
    cli> set network i
    cli> set network interface eth0
    active   address   broadcast   gateway   method   mtu   netmask
    cli> set network interface eth0 ac
    cli> set network interface eth0 active
    enable or disable eth0 with yes or no
    cli> set network interface eth0 active
    cli> set n
The add command is used instead of set when multiple parameters of the same type can exist. For example, add network hosts IP address makes an entry for a host with the specified IP address in the hosts list. In that case, add is used because multiple hosts can exist. In contrast, the set command (set network interface eth0 IP address) is used to specify the IP address for one of the Ethernet interfaces. In that case, the set command is used because each interface has only one IP address.
The following table shows the parameters that can be added using the add command. If a parameter is shown in the Parameter Level 2 column, both the first and the second words must be entered with the add command.

Table 10-2: Parameters That Work With the cycli add Command (Sheet 1 of 9)
Parameter Level 1: Parameter Level 2: Configures
group: (none): Add a group to the list of local groups: add group groupname. The group name is automatically assigned a gid.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 2 of 9)
Parameter Level 1: Parameter Level 2: Configures
iptables: nat|filter: Add chainname to the list of chains: add iptables nat|filter chainname. By default, a set of chains is defined but no rules are configured. For NAT, the predefined chains are: PREROUTING, POSTROUTING, OUTPUT. For filter, the predefined chains are: INPUT, OUTPUT, FORWARD.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 3 of 9)
Parameter Level 1: Parameter Level 2: Configures
network: hosts: Add an IP address for a host: add network hosts IPaddress. Then use the set command to set the following for the host: a hostname [name], an optional alias [alias].
network: st_routes: Add to the list of static route targets a subnet or host (networks in the form 1.2.3.4/255.255.0.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 4 of 9)
Parameter Level 1: Parameter Level 2: Configures
notifications (continued): If MAIL is set, then use set notifications MAIL with the recipient email address [to email_address]; sender email address [from email_address]; Subject: line in quotes [subject “subject of the notification email”]; email message body in quotes [body “body of the email message”]; mail server IP address [mail_server IP_address].
Table 10-2: Parameters That Work With the cycli add Command (Sheet 5 of 9)
Parameter Level 1: Parameter Level 2: Configures
onboard: server: Add a managed device (SP, server, or device): add server device_name.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 6 of 9)
Parameter Level 1: Parameter Level 2: Configures
onboard (continued): user|group: Add the name of a user or group authorized to access the device: add onboard user username | group groupname. Add a device for an existing user or group when the device_name has been added as described under onboard server: add onboard user | group device_name.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 7 of 9)
Parameter Level 1: Parameter Level 2: Configures
snmpd: rwcommunity | rocommunity: Add a read-write community [rwcommunity] or a read-only community [rocommunity]: add snmpd rwcommunity | rocommunity community_name. Then use the set command to set the source IP [source] and OID [oid].
snmpd: rwuser | rouser: Add a read-write user [rwuser] or a read-only user [rouser]: add snmpd rwuser | rouser user_name.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 8 of 9)
Parameter Level 1: Parameter Level 2: Configures
snmpd (continued): access: Adds an access type: add snmpd access type.
Table 10-2: Parameters That Work With the cycli add Command (Sheet 9 of 9)
Parameter Level 1: Parameter Level 2: Configures
user: (none): Note: Do not use. Add a user or users to the list of local users: add user username.
Example:

    cli> cd network
    network> get hostname
    dingo
    network> set hostname kookaburra
    OK
    network> cd interface eth0
    network interface eth0> set
    active   address   alias   broadcast   gateway   method   mtu   netmask
    ip address for interface eth0
    netmask for interface eth0
    network interface eth0> set address 192.168.160.10 netmask 255.255.255.0
    OK
    network interface eth0> cd ..
    network interface> cd eth1
    network interface eth1> set address 192.168.50.
Some parameters cannot be deleted. Parameters that can be added can be deleted.

Example:

    cli> get network hosts 192.168.160.11
    network hosts 192.168.160.11 name fruitbat alias fbat
    cli> delete network hosts 192.168.160.11
    OK
    cli> set network hosts 192.168.160.11 name: fruitbat
    ERR result=5 No such file or directory
    cli> get network hosts 192.168.160.11 alias: fbat
    ERR result=5 No such file or directory

exit
See “quit | exit” on page 326.

get | show
Get the value assigned to a parameter.
Example:

    cli> get network
    network interface failover: no
    network interface eth0 active: yes
    network interface eth0 method: dhcp
    network interface eth0 address: 192.168.160.10
    network interface eth0 netmask: 255.255.255.0
    network interface eth0 broadcast: 192.168.160.
If the system assigns default values, default values are shown next to the automatically added parameter name, as in the following example, which was entered on the OnBoard before any configuration had been done.

Example:

    cli> get network interface eth0
    network interface eth0 active: yes
    network interface eth0 method: dhcp
    network interface eth0 address: 192.168.160.10
    network interface eth0 netmask: 255.255.255.0
    network interface eth0 broadcast: 192.168.160.
quit | exit
Quit cycli. (Ctrl+d also quits the cycli utility.) If changes have not been committed, the user is prompted to commit the changes or quit without committing.

Example:

    cli> set network hostname frutabaga
    OK
    cli> quit
    You have made changes but haven't committed them yet.
    To commit the changes, use the “commit” command.
    To revert all changes and quit without committing, use “quit!”.
    cli> commit
    cli> quit

quit!
Quit the cycli utility, discarding any uncommitted changes.
Example:

    cli> get network hosts 192.168.160.11
    network hosts name: fruitbat alias
    cli> rename network hosts 192.168.160.11 192.168.160.222
    OK
    cli> get network hosts 192.168.160.11
    ERR No such file or directory
    cli> get network hosts 192.168.160.222
    name fruitbat alias

revert
Discard changes and revert to previously committed state.
Example:

    cli> set network resolv dns0 10.0.0.1
    OK
    cli> set network interface eth1 active yes address 10.0.0.3 netmask \
    255.255.255.0 broadcast 10.0.0.255
    OK
    cli> set network interface eth0 active yes eth1 active yes
    ERR sanity check failed

The set command is used to set an existing value, in contrast to add, which is used to add something to the parameter tree. For example, the set command is used to specify the IP address for an Ethernet interface: set network interface eth0 IP address.
Summary of How to Configure the Top Level Parameters

The following table is a brief overview of how to configure the top level parameters. Typing any of the commands such as add or set then pressing Tab twice displays all the top level parameters, as shown in the following screen example.
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 2 of 9)
Parameter: Command
auxport:
• Use the set command to configure the AUX port for a connected modem or ipdu (set auxport profile modem | ipdu).
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 3 of 9)
Parameter: Command
ipdu:
• Use the set command to configure an IPDU (set ipdu s1 shows the configuration parameters to set)
• Use the set command to configure the outlets (set ipdu s1 shows the configuration parameters to set)
• Use the add command to add users who can configure outlets (add ipdu s1 users username)
• Use the set command to configure whic
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 4 of 9)
Parameter: Command
network hostname:
• Use the set command to configure the OnBoard hostname (set network hostname OnBoard_hostname)
network hosts:
• Use the add command to add a host to the hosts table (add network hosts IP_address).
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 5 of 9)
Parameter: Command
notifications:
• Use the add command to add a notification (add notifications name).
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 6 of 9)
Parameter: Command
onboard global strict subnet: Use the set command to configure whether or not sanity checks are made for the subnet IP and netmasks. If set to no, overlapping subnets are allowed.
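The subnet derivation described under “Configuring Private Subnets and Virtual Networks” and the strict-subnet sanity check above, carried out offline as an added example that is not Cyclades code: SAMPLE_SUBNETS, SAMPLE_DEVICES and the duplicate-real_ip rule are constructed assumptions, and the device entries only mirror the key layout of the onboard configuration excerpt in Appendix A.

```python
"""Added example (not Cyclades code): private-subnet sanity checks run
against a constructed device list. Assumed: a private subnet is derived
from its OnBoard-side IP and netmask, and 'strict subnet' rejects
overlapping subnets."""
import configparser
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def private_subnet(onboard_side_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Derive the subnet range from the OnBoard-side address and mask,
    e.g. 192.168.0.254 + 255.255.255.0 gives 192.168.0.0/24."""
    return ipaddress.IPv4Network(f"{onboard_side_ip}/{netmask}", strict=False)


def route_target(spec: str) -> ipaddress.IPv4Network:
    """Parse a static-route target in the forms the manual uses: a bare host
    address, prefix/length (10.0.0.0/16) or address/dotted-mask."""
    return ipaddress.IPv4Network(spec, strict=False)


def overlapping_subnets(subnets: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Strict-subnet check: every pair of private subnets whose address
    ranges overlap. An empty list means the subnet layout is sane."""
    return [(a, b) for a, b in combinations(sorted(subnets), 2)
            if subnets[a].overlaps(subnets[b])]


def check_devices(ini_text: str, subnets: Dict[str, ipaddress.IPv4Network]) -> List[str]:
    """Cross-check device entries against the defined private subnets:
    each device must name a defined subnet, its real_ip must fall inside
    that subnet, and (assumed rule) no two devices may share a real_ip."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    problems: List[str] = []
    seen_real_ip: Dict[str, str] = {}
    for name in cfg.sections():
        dev = cfg[name]
        subnet_name = dev.get("subnet", "")
        real_ip = dev.get("real_ip", "")
        if not real_ip:
            problems.append(f"{name}: no real_ip configured")
            continue
        if real_ip in seen_real_ip:
            problems.append(f"{name}: real_ip {real_ip} already used by {seen_real_ip[real_ip]}")
        seen_real_ip.setdefault(real_ip, name)
        if subnet_name not in subnets:
            problems.append(f"{name}: subnet '{subnet_name}' is not defined")
            continue
        net = subnets[subnet_name]
        if ipaddress.IPv4Address(real_ip) not in net:
            problems.append(f"{name}: real_ip {real_ip} is outside {subnet_name} ({net})")
    return problems


# Constructed sample: privnet1 uses the manual's figure values; privnet3 is
# deliberately overlapping with privnet1 so the strict-subnet check fires.
SAMPLE_SUBNETS = {
    "privnet1": private_subnet("192.168.0.254", "255.255.255.0"),
    "privnet2": private_subnet("172.10.0.254", "255.255.0.0"),
    "privnet3": private_subnet("192.168.1.254", "255.255.254.0"),
}

# Constructed device list; the two rack2 entries are deliberately wrong.
SAMPLE_DEVICES = """\
[rack1_dev2_compaq_ilo]
type = ilo
ip = 10.0.0.2
real_ip = 192.168.0.2
subnet = privnet1

[rack1_dev3_dell_drac]
type = drac
ip = 10.0.0.3
real_ip = 172.10.0.1
subnet = privnet2

[rack2_dev1_wrong_subnet]
type = ilo
ip = 10.0.0.4
real_ip = 10.1.1.5
subnet = privnet1

[rack2_dev2_undefined_subnet]
type = rsa
ip = 10.0.0.5
real_ip = 192.168.0.2
subnet = privnet9
"""

if __name__ == "__main__":
    for pair in overlapping_subnets(SAMPLE_SUBNETS):
        print("overlapping private subnets:", *pair)
    for line in check_devices(SAMPLE_DEVICES, SAMPLE_SUBNETS):
        print(line)
```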
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 7 of 9)
Parameter: Command
onboard user:
• Use the add onboard user command to configure a user (add onboard user username)
• Use the set user command to configure the normal Linux user’s parameters such as passwd (set user username shows the parameters to set).
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 8 of 9)
Parameter: Command
sensoralarm:
• Use the add sensoralarm command to configure a sensor alarm (add sensoralarm alarm_ID)
• Use the set sensoralarm command to configure the parameters (set sensoralarm alarm_ID shows the parameters to set).
Table 10-3: Top Level cycli Parameters With Set or Add Commands (Sheet 9 of 9)
Parameter: Command
user:
• Do not use this command to add a user. Use add onboard user username first.
• Use the set user command to configure the normal Linux user’s parameters such as the passwd (set user username shows the parameters to set).
Chapter 11: Troubleshooting

This chapter provides information related to troubleshooting the OnBoard. This chapter covers the topics in the following sections.

Connection Methods for Troubleshooting: Page 340
Recovering From Login Failure: Page 340
Restarting the Web Manager: Page 342
Replacing a Boot Image for Troubleshooting: Page 342
Using the create_cf Command When Troubleshooting: Page 343

This chapter also provides the troubleshooting procedures shown in the following sections.
Connection Methods for Troubleshooting

This section summarizes how to connect to the OnBoard for troubleshooting in the event of an IP network failure.
Recovering From Login Failure

To Recover From Login Failure

1. Boot the OnBoard in the U-Boot monitor mode. See “To Boot in U-Boot Monitor Mode” on page 412. The U-Boot monitor prompt appears as shown in the following screen example.

    [root@OnBoard root]# reboot
    ...
    Hit any key to stop autoboot: 0
    =>
    =>

2. Boot in single-user mode.

    => hw_boot single

3. When single user mode comes up, use the passwd command to change the root or admin user’s password.
Restarting the Web Manager

If the Web Manager stops responding, you can perform the following procedure to restart the Apache web server.

To Restart the Web Manager

1. Enter the httpd -k start command as shown in the following screen example.

    [root@OnBoard root]# /usr/local/apache2/bin/httpd -k start

2. Enter the ps command with the -ef option and look for a line with apache, as shown in the following screen example.
Using the create_cf Command When Troubleshooting

You can use the create_cf command when troubleshooting problems with the boot image, as described under “To Upgrade to a Boot Image From a Network Boot in U-Boot Monitor Mode” on page 414. Use it carefully as described in the referenced section.
Appendix A: Advanced Device Configuration

This appendix provides detailed information needed to understand how to configure a new device. The following table lists the sections in this appendix.

OnBoard-specific Tasks for Configuring New Devices: Page 346
How the OnBoard Manages Communications With Devices: Page 347
Address Configuration for Connected Devices: Page 372

This appendix also provides the procedures listed in the following table.
OnBoard-specific Tasks for Configuring New Devices

The following device configuration requirements are unique to the OnBoard:
• During device configuration, the OnBoard administrator must assign a command template to each device.
• The OnBoard administrator must also assign each device a private subnet, except in exceptional cases.
How the OnBoard Manages Communications With Devices

Table A-1: OnBoard-specific Tasks for Configuring New Devices (Continued)
Configuration Parameter: Where Documented
Creating and assigning IP addresses of the following types:
• “Address Configuration for Connected Devices” on page 372
• “Using Reserved IP Addresses for Private IP Addressing” on page 374
• “Why Define Private Subnets?” on page 375
• “Configuring a Private Subnet” on page 376
• “Routing Requirements for Native IP Access” on page 377
• “E
The device models and firmware in the release notes have been proven to work with the default set of command templates and Expect scripts. The default command templates do not always work for all devices of the same type because service processors of the same type often do not use the same syntax for their commands.
docs/OnBoard/Application_Notes/Service_Processor_Related. Also see the Readme.txt file.

Table A-2: Device Type Differences
Protocol: Device Type Differences
DRAC: DRAC III/XT is the only version tested and proven to work with the default DRAC Expect script and command template. Compatibility with DRAC II or IV service processors is not guaranteed.
Table A-2: Device Type Differences (Continued)
Protocol: Device Type Differences
RSA II: The RSA II card uses a text-based interface. The card can be used in multiple IBM server platforms, and it requires a different firmware version for each platform. Simple features, such as switching power on and off, may not function if a card does not have the correct firmware version for the server in which it resides.
Additional Reasons for Creating Custom Expect Scripts

The following table lists some of the reasons an administrator might want to create a custom Expect script.

Table A-3: Reasons for Customizing Expect Scripts
Purpose: Notes
Change the device access method from telnet to ssh, or to some other program.
Custom scripts can also be deployed for the following purposes:
• To handle changes in service processor firmware on a supported service processor type
• To provide some limited functionality with other types of devices, including Sun ALOM, ILOM, and RSC, and IBM BladeCenter and RILOe
• To provide access to new service processor types

Assigning a Command Template to a New Device

When configuring a new device, the OnBoard administrator should not assign
To Find Out if an Existing Command Template Works With a New Device

1. Check the release notes to see if the device is in the list of tested devices, and if the device is listed, to see if the device’s firmware level is also listed.
a. Navigate to http://www.cyclades.com/support/downloads and click on the product name “AlterPath OnBoard.”
b. Scroll down to the section heading “Firmware,” then find and click the “Release Notes” link.
c.
6. If the device is an RSA II type device and you cannot run power commands on the device using the rsa.default template, assign the device the rsa.limited.default template.
7. If you can run power commands on the device, test the rest of the device management commands that are supported on the device. If they work, you are done.
8. If you cannot run one or more of the supported commands on the device, attempt to connect to the service processor console.
How the OnBoard Manages Communications With Devices 1. Log into the OnBoard’s console as an administrator and run the onbdtemplate utility. 2. Select New from the menu. 3. Enter a template name, such as rsa.new. The editor brings up a template for a new command template assigning it the name you specified. 4. Enter the device type in the form “type = device_type.” Using the syntax supported on the device, perform the following steps to fill in the commands supported by the service processor.
How the OnBoard Manages Communications With Devices 15. Enter the command to read the system event log (SEL) in the form “sel_cmd = sel_cmd.” 16. Enter the command to clear the SEL in the form “clearsel_cmd = clearsel_cmd.” 17. Enter the command to access the device console in the form “devconsole_cmd = devconsole_cmd.” 18. Enter the escape sequence used to escape from the console in the form “devconsole_esc = devconsole_esc_sequence.
How the OnBoard Manages Communications With Devices 3. At the prompt, confirm that you want to continue by entering “y.” A list of templates appears. 4. Select a template to test. A list of configured devices appears. 5. Select a device to test the template against. The editor runs the commands in the specified template and returns debugging information that you can record for making command changes in a new template. 6. Choose a command to test. 7.
Table A-4: Default Command Templates
Template / Type of Device
no template:
• IPMI 1.5 type devices
• Any type device when only Native IP access is being configured

All templates in the onboard_template.ini file are listed in the Web Manager in the Config → Devices “Command template” pull-down menu.
[rack1_dev2_compaq_ilo]
type = ilo
ip = 10.0.0.2
real_ip = 192.168.0.2
virtual_ip = 10.0.0.2
authtype = local
group = fremont
databuf = default
subnet = privnet1
description = Compaq Proliant iLO 1.82 server
template = ilo.default

[rack1_dev3_dell_drac]
type = drac
ip = 10.0.0.3
real_ip = 172.10.0.1
virtual_ip = 10.0.0.3
authtype = local
group = fremont
databuf = default
subnet = privnet2
description = Dell DRAC III/XT server
template = drac.

[au_rack1_dev4_newisys_ipmi]
type = ipmi_1.5
ip = 10.0.0.4
real_ip = 172.10.0.2
virtual_ip = 10.0.0.4
authtype = local
group = brisbane
databuf = default
subnet = privnet3
description = Newisys IPMI 1.5 server
template =

[au_rack1_dev5_cisco_router]
type = devconsole
ip = 10.0.0.5
real_ip = 172.10.0.3
virtual_ip = 10.0.0.5
authtype = local
group = brisbane
databuf = default
subnet = privnet3
template = devconsole.
Issues Affecting the Configuration of RSA-Type Service Processors

RSA I devices work differently from RSA II devices and recognize different commands. An RSA I type device may be made to work if the administrator copies the talk_rsa_I.exp file to a custom script named talk_custom_N.exp, modifies it as instructed in the script, and assigns the customN type to the RSA I type device.
The default editor used by onbdtemplate is vi. You can substitute nano for vi before invoking the onbdtemplate utility, as shown in the following screen example.
[root@OnBoard /] export EDITOR=/bin/nano
After being invoked, the onbdtemplate utility displays the action menu shown in the following screen example.
If “Test” is selected, after the administrator selects a template, a list of devices that use the selected template appears, like the list shown in the following screen example.
Select Service Processor to test against:
-rack1_ibm_e360_rsa_II
rack2_ibm_e360_rsa_II
After the administrator selects a template and a device to test, a list of commands to test displays like the one shown in the following screen example.
“Introduction” under “OnBoard Authentication Options” on page 4 and “OnBoard User and Group Configuration Options” on page 12. See the following examples:
• The OnBoard uses local authentication, and the administrator logs into the OnBoard using the OnBoard username and password pair: root/root_password. The administrator tests the rsa.
OnBoard Expect Scripts

The Expect scripts are located in the /libexec/onboard directory, identified with the .exp suffix. The following table lists each of the defined device types with the name of the associated Expect script.

Table A-5: Default Device Types and Corresponding Expect Scripts
Device Type / Expect Script
iLO: talk_ilo.exp
RSA II: talk_rsa_II.exp
DRAC: talk_drac.exp
IPMI 1.5: talk_ipmi_1.5.exp
device console: talk_devconsole.
All Expect scripts reside in /libexec/onboard, as shown in the following listing.
[root@OnBoard /] cd /libexec/onboard/
[root@OnBoard /]# ls
bidi_login.exp sensors.exp talk_generic_ipmi.exp common.exp ssh_login.exp gen_logrotate.sh talk_custom1.exp local_log.exp talk_custom2.exp locking.exp talk_custom3.exp onbdauth talk_devconsole.exp onbdunesc talk_drac.exp poll_sensors.sh talk_generic.exp talk_ilo.exp talk_ipmi_1.5.exp talk_rsa_I.exp talk_rsa_II.
Application Notes Related to Expect Scripts

• *_login.exp scripts are special extension scripts that can be used to change how service processors are accessed, from using telnet to another access method.
• Script templates are named talk_generic.exp and talk_generic_ipmi.exp.
• An example custom script (for the unsupported RSA I type) is named talk_rsa_I.exp.

Table A-7: Expect Script Related Application Notes
Subdirectory name / Topic
Troubleshooting: More details about finding out what command template to use for a new device and creating a new template if needed.

After this document is finalized, more application notes may be created and installed in the Service_Processor_Related directory. For more details, see the /usr/share/docs/OnBoard/Application_Notes/Service_Processor_Related/Readme.txt file.

To Create a Custom IPMI Expect Script
1. Log into the OnBoard command line as root.
2. Go to the /libexec/onboard directory.
3. Copy the contents of talk_generic_ipmi.exp into the talk_custom1.exp file.
4. Follow the instructions in the file for how to get a list of ipmitool command options that you can use.
5. Save and quit the file.
6. Make sure the permissions are still 755.
action: The action specifies the action for the script to take. The actions are listed below. Not all service processor/device types implement all of the listed actions. For example, the iLO type does not have a sensors reading feature, so the sensors action is not supported for iLO-type servers. See “SP/Device Expect Script Exit Codes” on page 371 for the correct way to handle an unexpected action argument.
spconsole: The native command line of the service processor. Enters interactive passthrough mode. The script authenticates with the service processor, then connects the service processor output directly to its standard output and its standard input to the service processor input.
Note: ssh must be invoked with the -t option when this mode is used.
Address Configuration for Connected Devices

To Create a Custom Expect Script
1. Access the command line of the OnBoard as an administrator.
2. Go to the /libexec/onboard directory.
3. Open one of the talk_customN.exp script files for editing.
Note: Use “talk_custom1.exp” for the first custom script, “talk_custom2.exp” for a second, and so on, up to a total of three scripts.
4. Copy the contents of a template or an existing script into the talk_customN.exp script file.
5. Edit the script as desired.
6.
Table A-9: Tasks for Creating Addresses to Assign to Connected Devices (Sheet 2 of 3)
Task / Where Described
Private subnet(s) should use IP addresses from one of the three IP address ranges reserved for use on internal networks.
Table A-9: Tasks for Creating Addresses to Assign to Connected Devices (Sheet 3 of 3)
Task / Where Described
Any user who needs native IP access to the OnBoard needs to create a named VPN connection profile, then to create a VPN tunnel to the OnBoard before enabling native IP. The requirements for creating the VPN tunnel and the IP addresses to use vary depending on whether IPSec or PPTP is being used.
For recommendations about which ranges to use for various sizes of organizations and for avoiding address conflicts, see http://www.rhebus.com/techinfo/iprange.htm#ip1. The number of IP addresses available on a network may be restricted by a subnet mask. For a simple example, the subnet mask 255.255.255.0 provides 256 IP addresses.
• When the connected devices’ addresses are already configured in multiple ranges and the addresses cannot be changed, or when for some other reason connected devices must have addresses in multiple address ranges, multiple private subnets must be created. (To simplify routing for PPTP VPN connections, multiple private subnets may also require configuration of a virtual network, as described in “Why Define Virtual (DNAT) Addresses?” on page 393.
The range of IP addresses is derived from the information shown in the following table, which the administrator supplies to define a private subnet:
Table A-11: Values for Configuring a Private Subnet
Field / Definition
Private subnet name: Any meaningful name chosen by the administrator, such as privnet1.
OnBoard side IP address: Devices use this address when communicating with the OnBoard. The OnBoard uses this address when communicating with devices.
Any routes needed for IPSec VPN can be configured as part of the IPSec connection by setting the “nexthop” to the IP address of the desired network or host route and setting the boot action to “Add and route.” Any route(s) needed for PPTP must be configured manually.
In Figure A-2, two devices are connected to the OnBoard. The public Ethernet port on the OnBoard has a public IP address of 203.1.2.3. The administrator plans to assign the following:
• Two private IP addresses within the 192.168.49.0 network range to the devices on the OnBoard’s private network: 192.168.49.60 and 192.168.49.61
• A third private IP address within the same range to the OnBoard: 192.168.49.254.
the Web Manager → Config → Devices screen, as part of the implementation of the configuration shown in Figure A-2.
Figure A-4: Example 1: Device Configuration Example
As shown in the following screen example, the new private subnet name and the OnBoard-side IP address and subnet mask from Figure A-3 are assigned to the priv0 interface.
priv0:privnet Link encap:Ethernet HWaddr 00:60:2E:BB:AA:AA
inet addr:192.168.49.254 Bcast:192.168.49.255 Mask:255.255.255.
Example 2: Two Private Subnets and VPN Configuration

Figure A-6 shows an example with four devices. Two subnets must be created because the devices “sp3” and “sp4” have IP addresses that cannot be changed, and their addresses are not in the same network range as the other two devices. Configuration details follow, including how to set up VPN connections.
[Figure A-6: Example 2 network diagram. Internet; sp1 (SP IP: 192.168.1.2) and sp2 (SP IP: 192.168.1.) on one subnet; sp3 (SP IP: 192.168.4.21) and sp4 (SP IP: 192.168.4.22) on the other.]
Two Private Subnets and User Configuration for Example 2

Configuration of the private subnets shown in Figure A-6 is described in the following bulleted list:
• The primary Ethernet port is configured with IP address 203.1.2.3 and subnet mask 255.255.255.0.
• A default route is automatically created using a gateway IP 203.1.2.254, which the administrator assigned when configuring the primary Ethernet port.
As shown in the example output from the ifconfig command on the OnBoard in the following figure, both private subnet names are assigned as aliases to the priv0 interface, and the OnBoard-side IP addresses and subnet masks from Figure A-7 are assigned to each alias:
priv0:sub1 Link encap:Ethernet HWaddr 00:60:2E:BB:AA:AA
inet addr:192.168.1.1 Bcast:192.168.0.255 Mask:255.255.255.
Figure A-9: Example 2: Four Devices Configured on the Web Manager Config → Devices Screen
The OnBoard administrator must do the following to configure the user to be able to create the VPN tunnel:
• Make sure the user who needs the VPN access has an account that is authorized for native IP access to the devices.
A VPN connection must exist before a user can access native IP management features on a device. The following table lists examples that show how the VPN connections can be created using IPSec or PPTP. For these examples, the IP address of the user’s workstation is 12.34.56.78.
• When configuring “connSub1” for access to sub1: Left subnet: 192.168.1.0/24
• When configuring “connSub2” for access to sub2: Left subnet: 192.168.4.0/22
• Right ID: @workstation
• Right IP address: the IP address of the user’s workstation: 12.34.56.78
• Right nexthop: leave blank if the user’s workstation and the OnBoard are able to exchange packets.
Figure A-11: Example 2: IPSec Connection Configuration for Access to sub1 Private Subnet and “sp1” and “sp2” Devices
In addition, the OnBoard administrator must do the following to enable the IPSec client to access the subnets where the devices reside:
• Give the user a copy of the parameters used to configure the IPSec connection profiles on the OnBoard. The OnBoard administrator can send a copy of the relevant portions of the ipsec.
creates the routes needed to get packets flowing through the tunnel, so neither the user nor the administrator needs to create routes to support IPSec access to devices.
• Enable native IP and access the device’s native features. See “Enabling Native IP and Accessing a Device’s Native Features Using Real IP Addresses for Example 2” on page 391.
Note: The address pools’ IP addresses can be assigned arbitrarily. Make sure that none of the addresses assigned here are being used elsewhere on your network.
• Make sure the following are done for the user who needs the PPTP VPN access:
  • The user’s account is authorized for native IP access to “sp1,” “sp2,” “sp3,” and “sp4” as shown in Figure A-10.
  • The user’s account is configured for PPTP access to the OnBoard as shown in Figure A-13.
The authorized user must do the following:
• Make sure the user’s workstation can exchange packets with the OnBoard. The user can test whether the user’s workstation can access the OnBoard by entering the OnBoard’s public IP address in a browser to try to bring up the Web Manager.
• If a network or host route is needed to enable communications with the OnBoard, configure the route.
• To communicate with “sp3” and “sp4,” a route would be needed to “sub2,” which has the network IP address 192.168.4.0, as shown below:
route add -net 192.168.4.0 mask 255.255.255.0 via 192.168.2.1
• Enable native IP and access the device’s native features. See “Enabling Native IP and Accessing a Device’s Native Features Using Real IP Addresses for Example 2” on page 391.
• Select “Enable native IP” from the list of management actions the user is authorized to perform on the device.
OR
• Use ssh to execute the nativeipon command directly using the device alias: ssh username:device_alias@192.168.1.
OR
• In the Web Manager on the OnBoard, clicking the “Service Processor Console” link on the Access Devices screen.
AND
• Bringing the management application up from the service processor’s command line.
• The console of the server on which the service processor resides, in one of the following two ways:
  • Invoking ssh with the devconsole command in the following format: ssh -t allSPs:sp2@192.168.1.
network would map the IP addresses from the three private subnets to virtual IP addresses in the same virtual network range. The following table describes the information that defines a virtual network.
Table A-13: Information Defining a Virtual (DNAT) Network
Field / Description
Address: IP address to assign to the OnBoard from the virtual network address range. For example, if the virtual IP address of the network is 10.0.0.0, 10.0.0.
As stated elsewhere, users who have the following types of access to a device cannot be prevented from seeing the real IP address of the device:
• Native IP
• Device console
• Service processor console
The following figure (Figure A-14) shows the same configuration as Figure A-6, but with the addition of virtual IP addresses.
[Figure A-14: Example 3 network diagram. Internet; primary Ethernet port (eth0) IP: 203.1.2.3, subnet mask 255.255.255.0; AlterPath OnBoard with OnBoard side IP 192.168.1.1 on private subnet sub1 (192.168.1.0, subnet mask 255.255.255.0) and OnBoard side IP 192.168.4.1 on private subnet sub2 (192.168.4.0, subnet mask 255.255.252.); sp1 IP: 192.168.1.2 => Virtual IP 172.20.0.2; sp2 IP: 192.168.1.3 => Virtual IP 172.20.0.3; sp3 IP: 192.168.4.21 => Virtual IP 172.20.0.4; sp4 IP: 192.168.4.22 => Virtual IP 172.20.0.2]
Virtual Network and Device Configuration for Example 3

To hide the real addresses of the devices from users according to the ongoing example, the OnBoard administrator would need to do the following configuration:
• Assign the device named “sp1” a virtual IP of 172.20.0.2.
• Assign the device named “sp2” a virtual IP of 172.20.0.3.
• Assign the device named “sp3” a virtual IP of 172.20.0.4.
• The device named “sp4” with IP 192.168.4.
Figure A-16: Example 1: Device Configuration Example
Figure A-17 shows the entries on the Devices screen for the devices shown in Figure A-14. Note that the IP addresses for “sp1,” “sp2,” and “sp3” are hidden, and the user can only see the devices’ virtual IP addresses. Because “sp4” does not work with virtual IPs and no virtual IP was configured for “sp4,” the user sees “sp4”’s real IP address.
IPSec VPN Configuration for Example 3

After the private subnets, device, and user account configuration in “Virtual Network and Device Configuration for Example 3” on page 397 is completed, a VPN connection must be created. With a virtual network, only one IPSec VPN connection must be configured to create the IPSec VPN tunnel from the user’s workstation to “sp1,” “sp2,” and “sp3,” which are on both private subnets in example 3.
As in the earlier example, the OnBoard administrator must do the following to enable the IPSec client to access the subnets where the devices reside:
• Give the user a copy of the parameters used to configure the IPSec connection profiles on the OnBoard. The OnBoard administrator can send a copy of the relevant portions of the ipsec.conf file after the changes are saved and applied in the Web Manager for the user to insert into the ipsec.
This first set of bullets is a review of the steps for obtaining the PPTP address assigned to the OnBoard:
• Enter the ifconfig or ipconfig command on the command line of the user’s workstation to discover the IP address assigned to the OnBoard’s end of the PPTP VPN tunnel.
• Enter the OnBoard’s PPTP-assigned address either in a browser or with ssh on the command line to access the OnBoard. In this example the address is 192.168.2.1.
Enabling Native IP and Accessing a Device’s Native Features Using Virtual Network Addresses for Example 3

After creating the VPN tunnel as described in “IPSec VPN Configuration for Example 3” on page 399 or “PPTP VPN Configuration for Example 3” on page 400, the user enables native IP and accesses a device’s native features.
Accessing Native Features for Example 3

After enabling native IP access, the user can access one of the desired native features that may be available on the device, including:
• A native web application, which may be accessed in one of the following ways:
  • In the Web Manager on the OnBoard, clicking the “Go to native web interface” link on the Access Devices screen.
  • On the user’s workstation, entering the virtual IP address of the device in a browser.
• Bringing the management application up from the service processor’s command line.
• The console of the server on which the service processor resides, in one of the following two ways:
  • Invoking ssh with the devconsole command in the following format: ssh -t allSPs:sp2@172.20.0.1 devconsole
  OR
  • In the Web Manager on the OnBoard, clicking the “Device Console” link on the Access Devices screen.
address in the dhcp.conf file, as described in “Configuring the DHCP Server” on page 77.

Additional Network Address Configuration Examples

Refer to PDF files about network address configuration in /usr/share/docs/OnBoard/Application_Notes/Network:
• NativeIP.pdf
• VirtualIP.pdf
• priv-to-pub.pdf
• ssh_tunnel.pdf
• tftp.
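A consistency check over the address plan built up in Examples 2 and 3 (the two private subnets, the devices’ real and virtual IPs, and the PPTP address pool that the note above says must not be used elsewhere), written as an added example for this guide and not code shipped on the OnBoard. It assumes the virtual network is 172.20.0.0 with a /24 mask and adds a second PPTP pool entry; both are constructed values, as are the deliberately broken plan it also checks.

```python
"""Consistency checks for an OnBoard-style address plan: private subnets,
device real and virtual IPs, and the PPTP address pool.  Added example, not
code from the AlterPath OnBoard; values come from the guide's Examples 2
and 3 except where a comment marks them as constructed."""
from ipaddress import ip_address, ip_interface, ip_network

# The three address ranges reserved for use on internal networks (RFC 1918).
PRIVATE_RANGES = [ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(subnets, devices, virtual_net=None, pptp_pool=()):
    """Return a list of findings; an empty list means the plan is consistent.
    subnets:     {name: (onboard_side_ip, subnet_mask)} as supplied per Table A-11
    devices:     {name: {"ip": real_ip, "subnet": name, "virtual_ip": ip or None}}
    virtual_net: (onboard_virtual_ip, subnet_mask) or None, as in Table A-13
    pptp_pool:   addresses handed out to PPTP VPN clients"""
    findings = []
    # Private subnets must lie in RFC 1918 space and must not overlap each other.
    nets, onboard_side = {}, {}
    for name, (addr, mask) in subnets.items():
        iface = ip_interface(f"{addr}/{mask}")
        for other, other_net in nets.items():
            if iface.network.overlaps(other_net):
                findings.append(f"{name} {iface.network} overlaps {other} {other_net}")
        if not any(iface.network.subnet_of(r) for r in PRIVATE_RANGES):
            findings.append(f"{name} {iface.network} is not in a reserved private range")
        nets[name], onboard_side[name] = iface.network, iface.ip

    # The virtual (DNAT) network is one range that must not collide with the real subnets.
    vnet = vaddr = None
    if virtual_net is not None:
        viface = ip_interface(f"{virtual_net[0]}/{virtual_net[1]}")
        vnet, vaddr = viface.network, viface.ip
        for name, net in nets.items():
            if vnet.overlaps(net):
                findings.append(f"virtual network {vnet} overlaps {name} {net}")

    # Each device: real IP usable inside its subnet, virtual IP usable inside vnet, no reuse.
    seen_real, seen_virtual = {}, {}
    for dev, cfg in devices.items():
        real = ip_address(cfg["ip"])
        net = nets.get(cfg["subnet"])
        if net is None:
            findings.append(f"{dev}: unknown private subnet {cfg['subnet']}")
        elif real not in net or real == onboard_side[cfg["subnet"]]:
            findings.append(f"{dev}: real IP {real} is not a usable device address in {net}")
        if real in seen_real:
            findings.append(f"{dev}: real IP {real} already used by {seen_real[real]}")
        seen_real[real] = dev
        if cfg.get("virtual_ip") is None:
            continue                      # device is shown by its real IP, like sp4
        virt = ip_address(cfg["virtual_ip"])
        if vnet is None:
            findings.append(f"{dev}: virtual IP {virt} set but no virtual network is defined")
        elif virt not in vnet or virt == vaddr:
            findings.append(f"{dev}: virtual IP {virt} is not a usable address in {vnet}")
        if virt in seen_virtual:
            findings.append(f"{dev}: virtual IP {virt} already assigned to {seen_virtual[virt]}")
        seen_virtual[virt] = dev

    # PPTP pool addresses must not be in use elsewhere on the network.
    for entry in pptp_pool:
        addr = ip_address(entry)
        for name, net in nets.items():
            if addr in net:
                findings.append(f"PPTP pool address {addr} lies inside {name} {net}")
        if vnet is not None and addr in vnet:
            findings.append(f"PPTP pool address {addr} lies inside virtual network {vnet}")
    return findings


def visible_addresses(devices):
    """Address a user sees on the Devices screen: the virtual IP when one is
    configured, otherwise the real IP (as happens for sp4 in Example 3)."""
    return {dev: cfg.get("virtual_ip") or cfg["ip"] for dev, cfg in devices.items()}


# Private subnets and devices of Examples 2 and 3.
SUBNETS = {"sub1": ("192.168.1.1", "255.255.255.0"),
           "sub2": ("192.168.4.1", "255.255.252.0")}
DEVICES = {
    "sp1": {"ip": "192.168.1.2",  "subnet": "sub1", "virtual_ip": "172.20.0.2"},
    "sp2": {"ip": "192.168.1.3",  "subnet": "sub1", "virtual_ip": "172.20.0.3"},
    "sp3": {"ip": "192.168.4.21", "subnet": "sub2", "virtual_ip": "172.20.0.4"},
    "sp4": {"ip": "192.168.4.22", "subnet": "sub2", "virtual_ip": None},
}
VIRTUAL_NET = ("172.20.0.1", "255.255.255.0")   # OnBoard's virtual address; /24 mask constructed
PPTP_POOL = ("192.168.2.1", "192.168.2.2")      # 192.168.2.1 from the guide; .2.2 constructed

# Constructed broken plan: sp4 reuses sp1's virtual IP, and a pool address falls
# inside sub2, whose /22 mask spans 192.168.4.0 through 192.168.7.255.
BAD_DEVICES = {**DEVICES, "sp4": {**DEVICES["sp4"], "virtual_ip": "172.20.0.2"}}
BAD_PPTP_POOL = ("192.168.2.1", "192.168.5.10")
```

Calling check_plan(SUBNETS, DEVICES, VIRTUAL_NET, PPTP_POOL) returns no findings for the guide’s plan, while the broken plan reports the duplicated virtual IP and the pool address inside sub2.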
Appendix B Advanced Boot and Backup Configuration Information This appendix provides information related to configuring boot file locations and managing configuration file changes on the AlterPath OnBoard. The following table lists the sections in this appendix.
Boot File Location

How the OnBoard boots is introduced at a high level in “Configuring the Boot File Location” on page 185 in the section on configuring boot in the Web Manager. The additional information in this section gives an administrator who has the root password enough background to be able to boot from an alternate image if the need arises and if the Web Manager is not available.
Downloading a New Software Version

Refer to the following text and figure explaining partition numbers if needed for understanding the instructions about boot configuration. As illustrated in the following figure, the first partition for each image contains the Linux kernel, the second partition contains the root-mounted filesystem (which is mounted read only), and the third partition (which is mounted read write) contains the configuration files.
Changing the Boot Image

currentimage is changed so that the system boots from the new image.
• Do a network boot from the image and then save it onto the removable flash
The U-Boot monitor command net_boot boots the image from the TFTP server specified in the environment variables. After the image is downloaded by network boot, the root filesystem is in the RAMDISK, and the image can run even if no removable flash card is inserted.
2. Enter the cycli command.
# cycli
The cli> prompt appears.
cli>
3. Enter the get bootconf command to check the current configuration to find out which boot command and boot image are being used. In the screen example, hw_boot is defined as the bootcmd and image2 is defined as the image.
cli> get bootconf
...
bootconf bootcmd: hw_boot
...
bootconf image: 2
4. To boot from a TFTP boot server over the network, do the following steps.
a. Set the bootcmd to net_boot.
Changing the Boot Image in U-Boot Monitor Mode

You can access U-Boot monitor mode in one of the following two ways:
• During boot, when the “Hit any key to stop autoboot” prompt appears, pressing any key before the timer expires brings the OnBoard to U-Boot monitor mode.
• If boot fails, the OnBoard automatically enters U-Boot monitor mode.
The U-Boot hw_boot command boots from either the first or second image according to the value of the currentimage environment variable.
To Boot From an Alternate Image in U-Boot Monitor Mode
1. Go to U-Boot monitor mode. See “To Boot in U-Boot Monitor Mode” if needed.
2. Set the currentimage environment variable to the number of the image you want to boot.
=> setenv currentimage N
For example, to boot from image2 enter the number 2, as shown in the following screen example.
=> setenv currentimage 2
3. Enter the boot command.
=> hw_boot

To Boot in Single User Mode From U-Boot Monitor Mode
1.
U-Boot Network Boot Options and Caveats

When a network boot is performed with the U-Boot net_boot command, the OnBoard boots from the specified image on the TFTP server. The image uses the RAM as the root file system. Network boots are useful for troubleshooting because the net-booted image can run even if the OnBoard’s flash memory is not usable. Network boots are recommended only for troubleshooting and must not be used for normal operation of the OnBoard.
2. Set the “bootfile,” “serverip,” and “ipaddr” environment variables using the boot filename, the TFTP boot server’s IP address, and the IP address of the OnBoard to use for network booting. The format of the boot filename is zImage_onb_version_number.bin. In the following example, the filename zImage_onb_v120.bin is used.
Options for the create_cf Command

The following command example shows using the --factory_default argument to restore the factory default configuration files at the same time.
[root@OnBoard root]# create_cf --doformat --factory_default
Note: Be aware that the --doformat option erases the flash memory and installs the boot image into the image1 area. See “Options for the create_cf Command” on page 416 for other options.
7. The following text appears when the operation completes.
Note: Use the --image[1|2] option to save the image that is currently in RAM into a specific image area, without reformatting the partitions that contain the other image.
The following table provides more information about the create_cf command options, which you can view from the Linux command line by entering the name of the command.
Table B-1: Options for the create_cf command
Option / Description
none: Not recommended. Checks if a boot image is already on the device.
Table B-1: Options for the create_cf command (Continued)
Option / Description
--dontformat: Does not format the compact flash. The sizes of partitions hda1-3 and 5-8 are checked. If the partition sizes are not smaller than 2, 2, 5, 51, 51, 6, and 6 Mbytes respectively, the image is installed in the specified image area.
--imageN: Creates/replaces imageN, where N = 1 | 2. Use this option to replace only the specified image without erasing both images.
Options for the restoreconf Command

As described in other sections of this appendix, you may need to use the restoreconf command while troubleshooting. All the restoreconf subcommands are shown in the following screen example.
Glossary 1U One rack unit (also referred to as 1RU). A standard measurement equal to 1.75” (4.45 cm) of vertical space on a rack or cabinet that is used for mounting computer equipment. 3DES Triple Data Encryption Standard, an encrypting algorithm (cipher) that encrypts data three times, using a unique key each time, to prevent unauthorized viewers from viewing or changing the data.
alias An easy-to-remember, usually short, usually descriptive name used instead of a full name or IP address. For example, on some Cyclades products, port names contain numbers by default (as in Port_1), but the administrator can assign an alias (such as SunBladeFremont) that describes which server is connected to the port. Aliases make it easier for users to understand which devices are connected.
is one of the security features provided on Cyclades products to enable customers to enforce their data center security policies. A user who is authorized to access a device or software function is referred to as an authorized user. See also authentication and encryption. authorized user One who is given permission to access a controlled resource, which must be granted by administrative action.
BIOS (basic input/output system) Pronounced “bye-ose.” Instructions in the onboard flash memory that start up (boot) a computer without the need to access programs from a disk. Sometimes used for the name of the memory chip where the start-up instructions reside. BIOS access is available even during disk failures. Administrators often need to access the BIOS while troubleshooting, for example, to temporarily change the location from which the system boots in case of a corrupted operating system kernel.
CDMA (code division multiple access) A mobile data service available to users of CDMA mobile phones. CHAP (challenge handshake authentication protocol) An authentication protocol used for PPP authentication. See MS-CHAP. checksum Software posted at the Cyclades download site is accompanied by a checksum (*.md5) file generated using the MD5 algorithm. The checksum of a downloaded file must be the same as the checksum in the file.
CLI parameter tree Each version of the Cyclades CLI utility has a set of commands and parameters nested in the form of a tree. The CLI for the AlterPath OnBoard and other products uses the Cyclades Application Configuration Protocol (CACP) daemon (cacpd). The cacpd uses the param.conf file, which defines a different CLI parameter tree for each product.
Cyclades A corporation founded in 1989 to provide unique networking solutions. Named after the ground-breaking French packet-switching network created in 1970, which was named after the Greek province of Cyclades. Cyclades in Greece is made up of many islands that when viewed on a map resemble a diagram of nodes in a computer network. decryption Decoding of data that has been encrypted using an encryption method.
DNS (domain name service or system) A service that translates domain names (such as cyclades.com) to network IP addresses (192.168.00.0) and that translates host names (such as “onboard”) to host IP addresses (192.168.44.11). To enable the use of this service, administrators need to configure one or more DNS servers when configuring AlterPath devices.
encryption Translation of data into a secret format using a series of mathematical functions so that only the recipient can decode it. Designed to protect unauthorized viewing or modification of data, even when the encrypted data is travelling over unsecure media (such as the Internet). See 3DES and SSH. As an example, a remote terminal session using secure shell SSH usually encrypts data using 3DES or better algorithms.
Expect script A script written using expect, a scripting language based on Tcl, the Tool Command Language. Can be written to perform automation and testing operations that are not possible with other scripting languages. Cyclades uses expect scripts in some of its AlterPath products, and users can customize some of the default expect scripts. For example administrators of the AlterPath OnBoard can customize the Expect scripts that handle conversations with service processors and other supported devices.
HTTP (hypertext transfer protocol): Protocol defining the rules for communication between Web servers and browsers across the Internet.
HTTPS (secure HTTP over SSL): Protocol enabling the secure transmission of Web pages by encrypting data using SSL encryption. URLs that require an SSL connection start with https.
IETF (Internet Engineering Task Force): Main standards organization for the Internet. Its working groups create Internet Drafts that may become RFCs.
IPDU (intelligent power distribution unit): A device with multiple power inlets into which IT assets can be plugged for remote power management. Cyclades supports a family of AlterPath PM IPDUs that can be remotely managed when they are connected to AlterPath devices, such as the AlterPath KVM/net or AlterPath OnBoard.
IPMI (Intelligent Platform Management Interface): An open-standards, vendor-independent service processor interface currently adopted by many major server platform vendors.
secure. Supported on many AlterPath products. In tunnel mode, IPSec is used to form a VPN connection, creating a secure tunnel between either an individual host or a subnet on one end and the AlterPath device on the other end. Has two modes, transport and tunnel mode. Tunnel mode encrypts the entire packet. Transport mode encrypts application headers, TCP or UDP headers, and packet data, but not the IP header.
Cyclades AlterPath KVM analog switches are one component of the out-of-band infrastructure.
LDAP (lightweight directory access protocol): A directory service protocol used for authentication. One of many standard authentication protocols supported on Cyclades devices.
MAC address: Also called the Ethernet address. A number that uniquely identifies a computer that has an Ethernet interface. Cyclades equipment displays MAC addresses on a label on the bottom.
MIB: Each SNMP device has one or more MIBs (management information bases), which describe the device’s manageable objects and attributes. The MIB name tree for Cyclades starts at 1.3.6.1.4.1.4413.
MIIMON: A value set when configuring Ethernet failover to specify how often the active interface is inspected for link failures. A value of zero (0) disables MII link monitoring. A value of 100 is a good starting point, according to the SourceForge bonding documentation.
native command interface: (See NCI)
native IP: A management option that the OnBoard administrator can enable when configuring a service processor. Because this option provides full access to all features supported by the service processor, the user must be a trusted user who is specifically authorized to use the option. A VPN connection must be established before the user is allowed to access the native IP option.
resistance, electromagnetic capability, electrical safety, and manufacturing component characteristics, among other attributes.
network time protocol: (See NTP)
netmask: The dotted-decimal expression that determines which portion of an IP address represents the network IP address and which portion is used for host IP addresses, for example, 255.0.0.0.
NIS (Network Information Service): A directory service protocol used for authentication in UNIX systems.
authorized to perform on that server’s service processor. Accessed by administrators by typing /usr/bin/onbdshell on the OnBoard’s command line; the administrators’ version of the menu lists all configured devices.
OOBI (Out-of-band Infrastructure): An integrated systems approach to remote administration. Consists of components that provide secure, out-of-band access to connect to and manage an organization’s production network.
an intelligent power management device (IPDU), a KVM port, or a service processor.
point to point protocol: (See PPP)
point to point tunneling protocol: (See PPTP)
PPP (point to point protocol): A method that creates a connection between a remote computer and a Cyclades device and enables a remote user to gain access using the Web Manager or the command line. Supports the use of the PAP, SPAP, CHAP, MS-CHAP, and EAP authentication methods.
remote supervisor adapter II: (See RSA II)
remote system control: (See RSC)
rmenush: The default login shell for users (/usr/bin/rmenush), which allows users only a limited set of menu options, including: access to management actions on devices for which they are authorized; the ability to change the user’s password; and the ability to log out. The OnBoard administrator may modify the menu options and commands.
center security policies while providing out-of-band access to managed systems.
SEL: (See event log)
serial over LAN: (See SoL)
service processor: (See SP)
service processor console: The console on a service processor whose dedicated Ethernet port is connected to one of the OnBoard’s private Ethernet ports. Sometimes referred to as NCI (for native command interface).
simple mail transfer protocol: (See SMTP)
SMB (server message block): A protocol used for file sharing and other communications between Windows computers. Microsoft uses this protocol along with the NTLM authentication protocol to authenticate a client to a server.
SMTP (simple mail transfer protocol): The most commonly used protocol for sending email.
SNMP server: (See SNMP manager)
SoL (serial over LAN): Access to the console of a server or other device that supports redirection of serial server data to a dedicated Ethernet port. Permits access to and control of the BIOS and operating system console over the LAN or Internet. Eliminates the need for the device to have a serial port and the need for serial cabling to enable console access.
SSH: Secure shell, developed by SSH Communications Security, Ltd., is a UNIX-based shell and protocol that provides strong authentication and secure communications over unsecured channels. Unlike telnet, ftp, and the rcp/rsh/remsh programs, SSH encrypts everything it sends over the network. Many Cyclades products support SSH version 1 and SSH version 2.
trap: An operation started by an SNMP agent in response to an event of interest on a managed object in a device, which sends an alert to the SNMP manager. The administrator of certain Cyclades devices can configure which types of events generate trap messages and the trap destinations. Also known as SNMP messages or as “PDUs” (protocol data units).
446 AlterPath OnBoard Administrator’s Guide
Index A accessing connected devices controlling 3 planning 14 activity, capturing 4 adding rules for IP filtering chains 57 addressing scheme for devices 47 planning 130 administrative users configuring interfaces 264 using the Wizard 113 Wizard options 114 administrators 106 AH authentication protocol 83 alarms as a security feature 4 configuring 42, 43, 44 triggers, configuring email notifications 232 pager notifications 230 SNMP trap notifications 228 ALERT syslog severity level 33 alerts 4 AlterPath PM
AUX ports configuring for IPDU power management 41 connecting IPDUs to 40 unsaved changes 99 C CA B backing up configuration files 100 backup partition 409 backups configuring for added files 101 how OnBoard handles differently from other Cyclades products 59 basic network parameters, configuring 266 baud rate, modem 38 /bin/do_create_cf_ext2 script 64 blade manager, connecting 34 bogomips information 289 bond0 35 bonding See failover boot action, configuring for IPSec VPN 83 configuration fields and opt
command templates (continued) creating 348 table showing devices to which they apply 357 tasks for configuring a new device 347 testing 348 when not to use 360 commands commit 99 create_cf utility 343, 416, 417 curses 349 cycli utility 9, 12, 40, 55, 99 daemon.
Cyclades downloading updates from 147 downloading updates from ftp server for 297 cycli utility add command 311, 321 adding a user 69 adding/editing iptables rules 58 commands 311 commit command 322 configuring alarms 42, 43, 44 authentication 9, 55 data buffering 54 IPDU power management 40 modems 37, 38 rules for IP filtering 55 services 21 users 12 delete command 322 detecting services starting and stopping 21 example scripts 54 exit command 323, 326 list command 325 not displaying OTP authentication 67
device management 3 actions event log 349 power 349 service processor console 349 device types 347 differences 348 devices 3 accessing native IP features on 85 assigning an authentication method to with vi 67 with Web Manager or cycli 9 assigning private subnets to 53 communicating with the OnBoard 347 configuring OnBoard unique tasks 346 Wizard 116, 136 configuring new 345–405 connecting 46 console access through dedicated Ethernet ports 46 controlling access to 3 default authentication method 17 detected
/etc/config_files file adding a new file to be backed up/ restored 101 certificate files pre-added to 76 /etc/httpd/conf/ssl.key/ server.key file 76 /etc/menu.ini login shell configuration file 93 /etc/onboard_templates.ini file 356, 357 /etc/pam.d/login file 66 /etc/pam.d/otp file 66 /etc/pam.d/otplocal file 66 /etc/pam.
flash memory partitions 416 PCMCIA card 418 saving the boot image on 417 unusable, recovering from 414 upgrading software on 298 flow control 38 format storage media, while creating a boot image 417 FORWARD packet filtering chain 56 FTP site, for downloading OnBoard firmware 297 FTPD 22 G gateway configuring in Web Manager 267 configuring in Wizard 124 groups configuring with cycli 334 configuring with Web Manager 200 H hdc.
ipmitool command 352 IPSec authentication methods 6 in the Moderate security profile 16 service requiring additional configuration 21 VPN configuration tasks 85 configuring in Web Manager 276 connections 83 iptables introduction 55–58 local administrators, troubleshooting 340 authentication 6 fallback options 5 logging, system 4 login shell 42, 93 rmenush 42, 93 logins 4, 9 212 FAILED LOGIN error message 340 anonymous to ftp.cyclades.
modems (continued) initialization string 39 introduction 36–39 PCMCIA card configuration form 169 Web Manager configuration screen 169 supported types 36 tasks for configuring 37 used for troubleshooting 340 moderate security profile 16, 118 MS-CHAPv2 82 MTU 124, 267 N native IP command template for any device type network interfaces configuring 263 a default route 42, 125, 265 Web Manager 264 Wizard 116, 123 network route 42 NIS authentication server configuring 216, 217, 219, 221, 223, 228, 230, 232,
OnBoard (continued) system events generating syslog messages 32 understanding authentication on 4 unique device configuration requirements 346 unique security features 3 one time password authentication method See OTP authentication method one time passwords in everything See OPIE open security profile 17 openssl utility 75 OpenSWAN 82 operating system, OnBoard, upgrading 296 opiekey command generating passwords for users 68, 71 opiepasswd command registering users 68, 70 organization, document xxxii OTP au
user configuration settings 13 using to access the Web Manager 106 PPTP 6, 13, 16, 22, 81, 82 client 82, 86, 389 password 86 VPN connections 86 pptp-linux 82 preshared key (PSK) 82 primary Ethernet port 46 configuring, Web Manager 264 priv0 34, 375 private Ethernet ports 34, 46 private IP addresses, configuring 372 private network 3, 34 private subnets caution when changing or deleting 130 configuration example 378, 381 configuring, Wizard 116, 130 device configuration task 346, 347 parameters for configuri
routing for the OnBoard, understanding 42 specifying the OnBoard’s default route 42, 125, 265 RPC 16, 22 RSA I devices 349 issues when configuring 361 RSA_I.txt application note 349 RSA II devices default command template for 357 differences between devices of the same type 348 issues affecting configuration of 361 table of differences 350 RSA public keys 82, 83 rsa.default command template 354, 357, 361 rsa.limited.
servers authentication, configuring LDAP 216 NIS 217 RADIUS 219 SMB 221 TACACS+ 223 syslog 33 service processors connecting multiple to a single private Ethernet port 34 connecting to OnBoard multiple to a single private Ethernet port 34 connecting to OnBoard, illustrated 46 console 354 access usually available 354 management actions on RSA 1 cards 349 dedicated Ethernet ports on 46 hiding vulnerable protocols used by 3 IBM console management action 349 management features 3 power management 40 services co
syslog (continued) message logging with 32 message notifications 44 servers 32, 33 service 22 severity levels 33 syslogd 33 syslogging See syslog system information 286, 288, 289, 291 T TACACS+ authentication method 8, 82 TACACS+ authentication server, configuring in Web Manager 222 talk_customN.exp Expect script 349 talk_generic_ipmi.exp Expect script 349 talk_rsa_I.
users (continued) configuring for power management 41 in Wizard 116, 137 planning device and IPDU outlet access for 14 providing username and password information to 9 /usr/bin/rmenush login shell configuring 42, 93 Wizard 113 web server replacing autogenerated SSL certificate V X vendor, CPU, information 289 virtual IP addresses assigning to a new device 346 configuring in Web Manager 134 creating as a device configuration task X.