MM910 Management Module V100R001 User Guide 24

This document provides the product description, installation and configuration methods, and common operations of the E9000 server chassis management module MM910.
Account Management

Account Management

User Domains

GUI

Function

Table 7-81 describes the user account management functions on the MM910 web user interface (WebUI).

Table 7-81 Function description

Item

Function Description

User Domains

  • Add an MM910 user domain.
  • Set the description of MM910 user domains and the manageable components.
  • Delete an MM910 user domain.

Note: The root user is the super domain administrator of the system by default and has the permission to add, modify, and delete user domains.

Adding an MM910 User Domain
  1. Choose Account Management > User Domains.
  2. Click Add.

    The Add User Domain dialog box is displayed.

  3. Set user domain parameters.

    Table 7-82 describes the parameters.

    Table 7-82 MM910 user domain parameters

    Parameter

    Description

    Current user password

    Enter the password of the user who has logged in to the MM910 WebUI. You can view the user name in the upper right corner of the page.

    Domain name

    The value can contain a maximum of 32 characters, including digits, letters, and underscores (_).

    Alias

    Defines the properties of a user domain.

    Managed Objects

    Manageable components include compute nodes and switch modules.

  4. Click OK.

MM Users

GUI

Function

Table 7-83 describes the user account management functions on the MM910 web user interface (WebUI).

Table 7-83 Function description

Item

Function Description

MM Users

  • Add an MM910 user.
  • Change the password or user group of an MM910 user.
  • Delete an MM910 user.
  • Add a public key.

Note:

  • Only the users in the super user domain have the permission to select a user domain for a new user.
  • Only an administrator has permission to delete a user and change the user group to which a user belongs. For the root user, an administrator can change its password but cannot delete it or change its user group.
Adding an MM910 User
  1. Choose Account Management > MM Users.
  2. In the User Management area, click Add.

    The Add User dialog box is displayed. See Figure 7-31. Table 7-84 lists the user parameters.

    Figure 7-31 Add User dialog box

    NOTE:
    • For security purposes, cancel the root user's access permission to all interfaces by deselecting all options of User Interface in Figure 7-31.
    • Administrators without permission to access an interface cannot modify other users' permission to access the interface.
    • If all superdomain administrators do not have the permission to access an interface, they can assign the permission to access the interface to other users only by logging in over the serial port and running the userintfauth command. For details about how to log in over the serial port, see Logging In to the Server Over a Serial Port by Using the PuTTY.
    Table 7-84 MM910 user parameters

    Parameter

    Description

    Current user password

    Password of the user who has logged in to the MM910 WebUI. You can view the user name in the upper right corner of the page.

    NOTE:

    If an incorrect password is entered for a specified number of times, the current user will be logged out.

    User Name

    Name of the user to be added.

    The user name must meet the following requirements:

    • The value cannot exceed 31 characters.
    • The following characters are allowed:
      • Lowercase letters a to z
      • Uppercase letters A to Z
      • Digits 0 to 9
      • Special characters _-.$
    • The user name cannot start with a hyphen (-) or dollar sign ($).
    • The dollar sign ($), if used, can only be the last character of the user name.

    Domain

    Domain to which the new user belongs.

    The user has the permission to manage the components in the assigned domain. Only the system administrator is authorized to assign a domain for a new user.

    Role

    Role to which the new user belongs.

    The MM910 supports a maximum of 64 users. The users can be classified into the following roles:

    • Administrator: Users in this role can perform all operations.
    • Operator: Users in this role can query and set data, but cannot perform advanced operations, such as stateless computing, user management, security management, information collection, and master/slave-chassis management.
    • Common user: Users in this role can query information and change their own passwords.

    Login interfaces

    Interfaces over which the user can access the system. The following interfaces are supported:

    • Web: A user can use a web browser to access the system.
    • SNMP: A user can access the system over SNMP.
    • SFTP: A user can access the system over SFTP.
    • SSH/Telnet: A user can access the system over SSH or TELNET. SSH supports IPv4 and IPv6.
    • KVM: A user can access the KVM.
    • Redfish: A user can access the system over Redfish.

    By default, no interface type is selected.

    NOTE:
    • When SSH/Telnet or SNMP is selected, SFTP is selected by default. If you deselect SFTP, "The function of uploading downloaded files cannot be used" will be displayed.
    • You cannot select only SFTP. If you select only SFTP, "Select SSH/TELNET or SNMP" will be displayed.

    Login rules

    Rules for user login.

    For details, see System Management > System Settings > Security.

    NOTE:

    A user who complies with one of the login rules can log in to the MM910 WebUI or CLI.

    New password

    Password of the user to be added.

    The password varies depending on whether password complexity check is enabled.

    • If password complexity check is disabled, the password must be a string of 8 to 32 characters.
    • If password complexity check is enabled, the password must meet the following requirements:
      • Contain 8 to 32 characters.
      • Contain a space or one of the following special characters:
        • `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
      • Contain at least two types of the following characters:
        • Uppercase letters A to Z
        • Lowercase letters a to z
        • Digits 0 to 9
      • Cannot be the same as the user name or the user name in reverse order.
    NOTICE:
    • The password complexity check is enabled by default.
    • For security purposes, do not disable the password complexity check.

    Confirm password

    Password entered again for confirmation.

    Password validity (days)

    Validity period (in days) of the password.

    Value range: 0 to 365. The value 0 indicates that the password never expires.

    Default value: 180

    NOTE:

    When a user password is about to expire in 9 days or less, the system automatically reminds the user to change the password.

    Emergency login user

    A user who can log in to the HMM WebUI irrespective of the password validity period or login rules.

    The user can log in to the MM910 WebUI in case of emergency.

    Default value: root

    NOTE:

    An emergency login user must be an administrator.

  3. Click OK.

    Figure 7-32 shows the new users. Table 7-85 lists the user parameters.

    Figure 7-32 New users
    Table 7-85 MM910 user parameters

    Parameter

    Description

    Operation

    Allows users to perform operations on a profile.

    • Click to change a user.
    • Click to delete a user.
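
As an added example (not code from the Huawei guide), the following Python checker encodes the user-name rules of Table 7-84 and the password rules of Tables 7-84 and 7-89, so an administrator can pre-validate accounts before entering them in the WebUI. The optional weak-password list stands in for the dictionary described later under Weak Password Management; all function names are my own.

```python
import re

# Rules from Table 7-84 (MM users) and Table 7-89 (compute node users); the special-character
# set is the one listed under "New password" (a space counts as well).
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/? ")
CHAR_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]")


def check_username(name: str) -> list:
    """Return the Table 7-84 user-name rules that `name` violates (empty list = acceptable)."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("length must be 1 to 31 characters")
    if not re.fullmatch(r"[A-Za-z0-9_.$-]*", name):
        problems.append("only letters, digits and the special characters _ - . $ are allowed")
    if name[:1] in ("-", "$"):
        problems.append("must not start with a hyphen (-) or dollar sign ($)")
    if "$" in name[:-1]:
        problems.append("a dollar sign ($) may only be the last character")
    return problems


def check_password(password, username, complexity_enabled=True, max_len=32, weak_list=()):
    """Return the password rules that `password` violates.

    max_len is 32 for MM users (Table 7-84) and 20 for compute node users (Table 7-89);
    weak_list stands in for an imported weak password dictionary.
    """
    problems = []
    if not 8 <= len(password) <= max_len:
        problems.append(f"length must be 8 to {max_len} characters")
    if password in weak_list:
        problems.append("listed in the weak password dictionary")
    if not complexity_enabled:
        return problems  # only the length rule applies when the complexity check is off
    if not any(ch in SPECIALS for ch in password):
        problems.append("must contain a space or one of the listed special characters")
    if sum(bool(re.search(cls, password)) for cls in CHAR_CLASSES) < 2:
        problems.append("must contain at least two of: uppercase, lowercase, digits")
    if password in (username, username[::-1]):
        problems.append("must not be the user name or the user name reversed")
    return problems


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(check_username("-bad$user"))
    print(check_password("password", "ops_admin", weak_list={"password", "123456"}))
    print(check_password("Valid4dmin!Password_x", "ops_admin", max_len=20))
```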

Add a Public Key
  1. Choose Account Management > MM Users.
  2. In the SSH Public Key Management area, click Add.

    The Add Public Key dialog box is displayed. Table 7-86 describes the parameters.

    Table 7-86 Parameter description

    Parameter

    Description

    Current user password

    Enter the password of the user who has logged in to the MM910 WebUI. You can view the user name in the upper right corner of the page.

    User name

    Enter the user name.

    Public key

    The public key must be in the SSH2 format. The key type is RSA or DSA.

    • When the public key type is RSA, the key length is 2048 bits.
    • When the public key type is DSA, the key length is 1024 bits or 2048 bits.

    Figure 7-33 shows a configuration example.

    Figure 7-33 Add Public Key dialog box
    NOTE:
    • The public key of the root user can be added by the root user only.
    • The public key can be used to log in to the MM910 only when the user password has not expired.

  3. Click OK.

    Table 7-87 lists the public key parameters.

    Table 7-87 SSH public key management parameters

    Parameter

    Description

    Fingerprint

    Hexadecimal string obtained by computing the MD5 hash of the public key.

    Operation

    Allows users to perform operations on a profile.

    : deletes the public key.
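
As an added example (not code from the Huawei guide), the following Python snippet checks a public key against the Table 7-86 constraints before upload: it accepts the OpenSSH one-line form or an RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" block, reads the key type and size from the decoded blob, and computes a colon-separated MD5 fingerprint that is assumed to correspond to the Fingerprint column of Table 7-87. The sample keys are constructed with synthetic numbers, not real key pairs.

```python
import base64
import hashlib
import struct

# Key sizes the MM910 accepts for an SSH2 public key (Table 7-86): RSA 2048, DSA 1024 or 2048.
ACCEPTED_BITS = {"ssh-rsa": {2048}, "ssh-dss": {1024, 2048}}
RFC4716_BEGIN, RFC4716_END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (length prefix, big-endian, sign byte if needed)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field; return (field, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def make_blob(key_type: str, *numbers: int) -> bytes:
    """Build a wire-format public key blob: key type followed by its mpints (e, n or p, q, g, y)."""
    return _string(key_type.encode()) + b"".join(_mpint(n) for n in numbers)


def decode_key_text(text: str) -> bytes:
    """Accept an OpenSSH one-line key or an RFC 4716 block and return the decoded blob."""
    lines = text.strip().splitlines()
    if lines[0] == RFC4716_BEGIN:
        body = [ln for ln in lines[1:] if ln != RFC4716_END and ":" not in ln]  # drop headers
        return base64.b64decode("".join(body))
    return base64.b64decode(lines[0].split()[1])


def parse_blob(blob: bytes):
    """Return (key_type, bits): modulus bits for ssh-rsa, prime p bits for ssh-dss."""
    key_type, off = _read_string(blob, 0)
    first, off = _read_string(blob, off)  # e for ssh-rsa, p for ssh-dss
    if key_type == b"ssh-rsa":
        modulus, _ = _read_string(blob, off)
        return "ssh-rsa", int.from_bytes(modulus, "big").bit_length()
    if key_type == b"ssh-dss":
        return "ssh-dss", int.from_bytes(first, "big").bit_length()
    raise ValueError(f"unsupported key type {key_type!r}")


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex digest of the decoded blob (assumed to match Table 7-87)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_public_key(text: str):
    """Validate key text before upload; return (accepted, key_type, bits, fingerprint)."""
    blob = decode_key_text(text)
    key_type, bits = parse_blob(blob)
    return bits in ACCEPTED_BITS[key_type], key_type, bits, md5_fingerprint(blob)


# Constructed sample keys (NOT real key pairs): synthetic moduli/primes of the target bit
# length, enough to exercise the format, size and fingerprint logic offline.
SAMPLE_RSA_2048 = "ssh-rsa " + base64.b64encode(
    make_blob("ssh-rsa", 65537, (1 << 2047) | 0x10001)).decode() + " ops@example"
SAMPLE_RSA_4096 = "ssh-rsa " + base64.b64encode(
    make_blob("ssh-rsa", 65537, (1 << 4095) | 0x10001)).decode()
SAMPLE_DSA_1024 = "\n".join([RFC4716_BEGIN, 'Comment: "constructed 1024-bit DSA"',
    base64.b64encode(make_blob("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)).decode(),
    RFC4716_END])

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_2048, SAMPLE_RSA_4096, SAMPLE_DSA_1024):
        print(check_public_key(sample))
```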

Compute Node Users

GUI

Function

Table 7-88 describes the user account management functions on the MM910 web user interface (WebUI).

Table 7-88 Function description

Item

Function Description

Compute Node Users

  • Add a compute node user.
  • Change the password or user group of a compute node user.
  • Delete a compute node user.
Adding a Compute Node User
  1. Choose Account Management > Compute Node Users.
  2. Click Add.

    The Add User dialog box is displayed.

  3. Set user parameters.

    Table 7-89 describes the parameters.

    Table 7-89 Compute node user parameters

    Parameter

    Description

    Compute Node

    Specifies the slot number of a compute node.

    Current user password

    Enter the password of the user who has logged in to the MM910 WebUI. You can view the user name in the upper right corner of the page.

    User name

    The value can contain a maximum of 16 characters, including digits, letters, underscores (_), and at signs (@).

    Role

    A compute node has a maximum of 16 users, which are classified into the following types by role:

    • Administrator
    • Operator
    • Common user
    • No permission
    NOTE:

    Operators among node users on HMM Web correspond to operators or customized users on the iBMC WebUI. To check whether an operator corresponds to an iBMC operator or customized user, visit the iBMC WebUI. Other node users on HMM Web do not correspond to customized users on the iBMC WebUI.

    New password

    The password requirements depend on whether the password complexity function is enabled.

    • When the password complexity function is disabled, the password must be a string of 8 to 20 characters.
    • When the password complexity function is enabled, the password must meet the following requirements:
      • Contain 8 to 20 characters.
      • Contain a space or one of the following special characters:
      • `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
      • Contain at least two types of the following characters:
      • Uppercase letters A to Z
      • Lowercase letters a to z
      • Digits 0 to 9
      • Cannot be the same as the user name or the user name in reverse order.
    NOTICE:
    • The password complexity function is enabled by default.
    • Disabling password complexity function reduces the system security. Do not disable the function.

    Confirm password

    Enter the new password again for confirmation.

  4. Click OK.

Online Users

GUI

Function

Table 7-90 describes the user account management functions on the MM910 web user interface (WebUI).

Table 7-90 Function description

Item

Function Description

Online Users

View the users who logged in to the MM910.

NOTE:

When both the master and slave chassis are installed, you cannot view the login users on the slave chassis.

My Login History

View information about the current login user. The information is about the current login, last login success, last login failure, number of login attempts of the last login failure, and remaining password validity period.

LDAP

GUI

Function

Table 7-91 describes the user account management functions on the MM910 web user interface (WebUI).

Table 7-91 Function description

Item

Function Description

LDAP

Query or configure domain user information on Lightweight Directory Access Protocol (LDAP) pages when you manage domain users by using the Active Directory (AD) server.

LDAP is a protocol for accessing online directory services.

LDAP Configuration
NOTE:

When both the master and slave chassis are installed, you can set the LDAP function on only the chassis to which the function belongs. You cannot set the LDAP function of the slave chassis from the master chassis, and vice versa.

  1. Choose Account Management > LDAP.

    The MM910 attempts to log in to the LDAP servers in the sequence Alternate Domain Server > Alternate Domain Server 1 > Alternate Domain Server 2 > Alternate Domain Server 3 until a login succeeds. Each domain server must be configured separately.

  2. In the LDAP Server Settings area, click Edit.
  3. Set LDAP parameters.

    Table 7-92 describes the parameters.

    Table 7-92 Parameter description

    Parameter

    Description

    LDAP

    • On: indicates that LDAP is enabled. If you select On, you need to set Certificate verification, Domain controller address, User domain, and other parameters.
    • Off: indicates that LDAP is disabled.

    Certificate verification

    Specifies whether to enable certificate verification for the remote LDAP server.

    • On: Enable certificate verification.
    • Off: Disable certificate verification.
    NOTE:

    You are advised to enable certificate verification for security purposes. When certificate verification is enabled, you need to set the domain controller address to a domain name and import the LDAP root certificate.

    Certificate verification level

    Specifies the check to be performed on the certificate.

    Value:

    • Allow: The session proceeds normally even if no certificate is provided or the certificate provided is incorrect.
    • Demand: A valid certificate must be provided; otherwise the session is immediately terminated.

    Default value: Demand

    Protocol

    • LDAP: indicates Lightweight Directory Access Protocol.
    • LDAPS: indicates LDAP over SSL, which is a protocol with secure, encrypted transmission.

    Port

    Specifies the LDAP server port number, which ranges from 1 to 65535. Each domain server can have an independent port number. The default port number is 389 for LDAP and 636 for LDAPS.

    Domain controller address

    Specifies the IP address or domain name of the AD server.

    The domain name can contain a maximum of 255 characters, including digits, letters, and special characters.

    User domain

    Specifies the user domain that has been configured in the AD and is used for logging in to the HMM WebUI.

    The value can contain a maximum of 255 characters. If an OU name contains a backslash (\) or comma (,), escape that character with a backslash. For example, if the OU name is "IT\Services,Training" and the domain name is "example.com", specify the value as "OU=IT\\Services\,Training,DC=example,DC=com".

  4. In the Root Certificate area, click Browse next to Upload, select the existing certificate file, and click Submit.

    The certificate file must have the extension .cer, .crt, or .pem and be in Base64 format.

    After the certificate file is uploaded, its status and information are displayed. The information contains the user name, issuer name, valid date, and serial number.

  5. In the LDAP Groups area, click Add.

    The Add LDAP Group dialog box is displayed.

    You can configure 1 to 32 role groups. Each role group must be unique.

  6. Configure the newly added role group.

    NOTE:

    The configuration applies to both the added role group and the role groups under the group. Up to 20 levels of role groups are supported.

    Table 7-93 describes the parameters.

    Table 7-93 Parameter description

    Parameter

    Description

    Current user password

    Enter the password of the user who has logged in to the MM910 WebUI. You can view the user name in the upper right corner of the page.

    Group name

    Identifies a group domain in the MM910. You can set a group name as required. The group name is unrelated to the domain controller.

    The value can contain a maximum of 32 characters, including digits, letters, and underscores (_).

    LDAP group folder

    Specifies the role group domain that has been configured in the AD and is used for logging in to the HMM WebUI.

    The value can contain a maximum of 255 characters. If an OU name contains a backslash (\) or comma (,), escape that character with a backslash. For example, if the OU name is "IT\Services,Training" and the domain name is "example.com", specify the group domain as "OU=IT\\Services\,Training,DC=example,DC=com".

    Domain

    Indicates the user domain of a new role group, corresponding to the components of the user domain.

    Role

    Specifies the permission level that all users in a group domain have for the MM910.

    The permission levels include the following:

    • Administrator: Users in this group can perform all operations.
    • Operator: Users in this group can query and set data, but cannot perform advanced operations, such as stateless computing, user management, security management, information collection, and master/slave-chassis management.
    • Common user: Users in this group can query information and change their own passwords.

    Login rules

    Specifies rules for user login.

    For details, see System Management > System Settings > Security.

    NOTE:

    A user who meets one of the selected rules can log in to the MM910 WebUI or CLI.

  7. Click OK.

    Figure 7-34 shows the new role groups. Table 7-94 lists the role group parameters.

    Figure 7-34 New role groups
    Table 7-94 New role group parameters

    Parameter

    Description

    Operation

    Allows users to perform operations on a profile.

    • Click to change a role group.
    • Click to delete a role group.

  8. After LDAP information is correctly configured, you can log in over LDAP. See Figure 7-35.

    The login parameters are described as follows:

    • User name: Enter a user name of a user domain of the domain controller. The user name can be an LDAP user name or login user name. The LDAP user name cannot contain a comma (,) or backslash (\).
    • Password: Enter the password of the user.
    • Domain: Select LDAP.
      Figure 7-35 Login over LDAP
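
As an added example (not code from the Huawei guide), the following Python helper builds the escaped "OU=...,DC=..." value required by the User domain (Table 7-92) and LDAP group folder (Table 7-93) parameters, checks the login-name restriction from step 8, and lints one domain-server configuration against the settings Table 7-92 describes (protocol, port range, certificate verification and its level, address type, root certificate). The dictionary keys and function names are my own.

```python
import ipaddress

# Default ports from Table 7-92: 389 for LDAP, 636 for LDAPS.
DEFAULT_PORT = {"LDAP": 389, "LDAPS": 636}


def escape_ou(name: str) -> str:
    """Escape the backslash and comma that Tables 7-92/7-93 require escaping in an OU name."""
    return name.replace("\\", "\\\\").replace(",", "\\,")


def build_domain(ou_names, dns_domain: str) -> str:
    """Build the 'OU=...,DC=...' value for User domain / LDAP group folder.

    ou_names are listed from the innermost OU outward; dns_domain is like 'example.com'.
    """
    parts = [f"OU={escape_ou(ou)}" for ou in ou_names]
    parts += [f"DC={label}" for label in dns_domain.split(".")]
    value = ",".join(parts)
    if len(value) > 255:
        raise ValueError("domain value exceeds the 255-character limit")
    return value


def check_ldap_login_name(user_name: str) -> bool:
    """LDAP user names entered on the login page may not contain a comma or a backslash."""
    return "," not in user_name and "\\" not in user_name


def check_ldap_settings(cfg: dict) -> list:
    """Return security findings for one domain-server configuration (keys mirror Table 7-92)."""
    findings = []
    if cfg.get("ldap", "Off") != "On":
        return findings
    protocol = cfg.get("protocol", "LDAP")
    port = cfg.get("port", DEFAULT_PORT[protocol])
    if not 1 <= port <= 65535:
        findings.append(f"port {port} is outside 1 to 65535")
    if protocol == "LDAP":
        findings.append("protocol LDAP sends the bind without the encryption LDAPS provides")
    if cfg.get("certificate_verification", "Off") != "On":
        findings.append("certificate verification Off: the server identity is never checked")
        return findings
    if cfg.get("verification_level", "Demand") == "Allow":
        findings.append("verification level Allow accepts a missing or invalid certificate")
    try:
        ipaddress.ip_address(cfg.get("domain_controller", ""))
        findings.append("certificate verification needs a domain name, not an IP address")
    except ValueError:
        pass  # a host name: what the Table 7-92 note asks for
    if not cfg.get("root_certificate_uploaded", False):
        findings.append("no LDAP root certificate uploaded; verification cannot succeed")
    return findings


if __name__ == "__main__":
    # Constructed configuration for illustration only.
    print(build_domain(["IT\\Services,Training"], "example.com"))
    print(check_ldap_settings({"ldap": "On", "protocol": "LDAP",
                               "certificate_verification": "Off",
                               "domain_controller": "10.0.0.5"}))
```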

Weak Password Management

GUI

Function

The MM910 provides weak password dictionary management to improve system security.

Table 7-95 Function description

Item

Function Description

Import

Import the weak password dictionary file into the MM910. Users cannot set their passwords to any of the weak passwords.

Export

Export the weak password dictionary from the MM910 to local PC.

Delete

Delete the weak password dictionary from the MM910.

Two-Factor Authentication

Screenshot

Function Description

Two-factor authentication is an optional function that enhances security for the MM910. Two-factor authentication requires login users to have certain documents (certificates) and information (passwords). Certificates are stored in browsers. After two-factor authentication is enabled, web or Redfish authentication verifies only user documents (certificates) and does not require password input on any page.

NOTE:
  • Before enabling two-factor authentication, ensure that the current chassis is configured as an independent chassis under the Chassis Management menu and at least one super domain administrator with the web or Redfish access permission has been associated with a user certificate.
  • Only super domain administrators can edit the basic settings and CA certificates of two-factor authentication. All administrators can edit user certificates.
  • If a CA certificate or user certificate expires, an alarm is generated on the WebUI.
  • If two-factor authentication is enabled, user logins are not limited by the password validity. That is, users can log in to the WebUI even if the passwords have expired.
Table 7-96 Parameter description

Section

Description

Basic Settings

Two-factor authentication

  • ON: Enabling two-factor authentication will disable the SSH, SNMP, and LCD interfaces and log out all users who have logged in.
  • OFF: Disabling two-factor authentication will enable the SSH, SNMP, and LCD interfaces. Two-factor authentication is disabled by default.

OCSP

  • ON: Enabling Online Certificate Status Protocol (OCSP) checks whether the user certificates are valid.
  • OFF: OCSP is disabled by default.
NOTE:

Before enabling OCSP, check that the following conditions are met:

  • The OCSP server communicates properly with the MM910. If OCSP is enabled and the OCSP server cannot be connected, the WebUI cannot be accessed.
  • The OCSP server port is port 80 (the default); otherwise, the MM910 cannot connect to the OCSP server.

CA certificate

  • Import: A maximum of 64 CA certificates can be imported. The certificate files must be in the .cert, .crt, or .pem format and each cannot exceed 10 KB.
  • View: shows certificate details, including the certificate version, serial number, signature algorithm, hash algorithm, issuer, validity period, subject (entity to which the certificate is issued), and public key algorithm.
  • : deletes the certificate. Only super domain administrators can perform the operation. If two-factor authentication is enabled, ensure that the MM910 WebUI has at least one super domain administrator certificate.

User Certificate

  • Import: A maximum of 64 user certificates can be imported. The certificate files must be in the .cert, .crt, or .pem format. Each user certificate must have a corresponding CA certificate; otherwise, the import will fail. Each user can be configured with one certificate.
  • View: shows certificate details, including the certificate version, serial number, signature algorithm, hash algorithm, issuer, validity period, subject (entity to which the certificate is issued), and public key algorithm.
  • : deletes the certificate. Only administrators can perform the operation.
Configuring Two-Factor Authentication
  1. Import a CA certificate.

    1. Choose System Management > Account Management > Two-Factor Authentication.
    2. In the CA certificate area, click Import.
    3. In the displayed Import dialog box, select the CA certificate to be uploaded, enter the password of the current user, and click OK.


  2. Import a user certificate.

    1. In the User Certificate area, click Import.
    2. In the displayed Import dialog box, select the user to be associated and the user certificate to be uploaded, enter the password of the current user, and click OK.

  3. Import a user certificate to the browser.

    NOTE:

    This section uses Firefox 50.1.0 as an example. If you use Internet Explorer, ensure that Use SSL 2.0 is deselected (for example, choose > Internet options > Advanced in Internet Explorer 11).

    1. Click at the upper right corner of the browser and select Options.
    2. Choose Advanced > Certificates.
    3. Click View Certificates to import the user certificate, enter the certificate encryption password, and click OK.
      NOTE:

      The imported user certificate must be in the .p12 or .pfx format.

  4. Enable two-factor authentication.

    1. In the Basic Configuration area, click Edit.
    2. Enable Two-Factor Authentication and click Save.
    3. Refresh the browser and log in. If the login succeeds, the configuration is complete.

SSO

GUI

Function

Single sign-on (SSO) is an optional function. It allows all SSO clients to share the same authentication system, which simplifies user login, protects account and password security, and facilitates account management. Once a user successfully logs in to an SSO client (for example, an HMM), the user can log in to another SSO client (another HMM) without authentication.

Table 7-97 Function description

Parameter

Description

SSO switch

Status of SSO.

  • On: The SSO is enabled. You can switch to the SSO login page.
  • Off: The SSO is disabled.
NOTE:
  • The user name and password of eSight are required for the first login to the SSO page.
  • If a user has logged in to the SSO page using the local browser, the HMM home page of the server configured will be displayed.

Server address

Server IP address or domain name.

Server port

Server port number.

Value range: 1 to 65535.

User role

Operation permission of the user:

  • Administrator
  • Operator
  • Common user
Updated: 2019-04-10

Document ID: EDOC1000015900