FusionServer Pro E9000 Server iBMC (Earlier Than V250) User Guide 31

This document describes the underlying management software Intelligent Baseboard Management Controller (iBMC) of the servers.

Config

Local User

Function Description

The Local User page allows you to view and manage the local users of iBMC.

Besides the default root user, iBMC supports up to 15 users. You can add, edit, or delete them on this page.

Page Description

On the menu bar, choose Config. In the navigation tree, choose Local User. The Local User page is displayed. The page consists of two areas.

  • Local user list: lists all local users and provides operation icons.
  • Privilege information: shows the privileges of the Administrator, Operator, Common user, and four custom roles.
Figure 5-7 Local User page

Parameter Description
Table 5-20 Parameters related to local users

Parameter

Description

Displays the region for creating a local user.

Setting method: Click .

Displays the region for setting an existing local user.

Setting method: Click .

Deletes an existing local user.

Setting method: Click .

Saves the current rule configuration.

Setting method: Click .

User Name

Specifies the user name for logging in to iBMC.

By default, root is the only user, and its password is on the product nameplate. You are advised to change the default password at the first login and change the user password periodically for security purposes.

Privilege

Specifies the group to which a user belongs.

Value: Administrator, Operator, Common user, Custom Role or no access.
  • Users in the Administrator group have all permissions.
  • Users in the Operator group have the permissions of Basic Settings, KVM, VMM, Power Control, and Get Info.
  • Users in the Common user group have only the Get Info permissions.
  • Users in groups Custom Role1 to Custom Role4 have the permissions selected in the privilege settings section.
  • Users in the no access group do not have any permissions. A user that is not needed temporarily can be assigned to this group.

Password Valid Days

Specifies the validity period of a user password.

Login Rule

Specifies the login rules that apply to the local user.

Procedure

Viewing User Information

  1. On the menu bar, choose Config.
  2. In the navigation tree, choose Local User.

    The Local User page is displayed.

Adding Users

You can add a maximum of 15 users for iBMC.

  1. Click Add.

    The page for adding a user is displayed, as shown in Figure 5-8. For details about the parameters, see Table 5-21.

    Figure 5-8 Adding a user

    Table 5-21 Parameters related to adding a user

    Parameter

    Description

    Hides the region for setting a new or existing local user.

    Setting method: Click .

    Saves the user information.

    Setting method: Click .

    Current User Password

    Specifies the current user's password, which is required before adding a user.

    User ID

    Specifies the ID of a user. An ID must be selected when you create a user.

    Setting method: Select an option from the drop-down list. The value is an integer ranging from 3 to 17.

    User Name

    Identifies a user of iBMC.

    Value: a string of 1 to 16 characters

    Setting rules:

    • Must consist of letters, digits, and special characters, excluding spaces. The first character cannot be #.
    • Special characters exclude:

      :<>&,'"/\%

    Setting method: Enter a value in the text box.

    Password

    Specifies the user password for logging in to iBMC. You are advised to periodically change your password for security purposes.

    Value: a string of up to 20 characters

    Setting rules:
    • If the password complexity check function is enabled, the password must meet password complexity requirements.
    • If the password complexity check function is disabled, the password can be any character string.

    Setting method: Enter a value in the text box.

    Confirm

    Specifies the user password for logging in to iBMC. This value must be the same as Password.

    Setting method: Enter a value in the text box.

    Login Rule

    Specifies whether to enable the login rules for a user.

    Setting method: Select the checkboxes.

    Method for viewing and setting login rules: Click "Click here" to ensure that login rules have been configured and enabled.

    Privilege

    Specifies the group to which a user belongs.

    Value: Administrator, Operator, Common user, Custom Role or No access.
    • Users in the Administrator group have all permissions.
    • Users in the Operator group have the permissions of Basic Settings, KVM, VMM, Power Control, and Get Info.
    • Users in the Common user group have only the Get Info permissions.
    • Users in groups Custom Role1 to Custom Role4 have the permissions selected in the privilege settings section.
    • Users in the no access group do not have any permissions. A user that is not needed temporarily can be assigned to this group.

    Setting method: Click an option button.

  2. Set user parameters. For details about the parameters, see Table 5-21.
    NOTE:
    • The user with ID 1 is a reserved user defined in the IPMI standard. This user has no permission and is not allowed to log in to iBMC.
    • The user with ID 2 is root.
  3. Click Save.

    The information about the new user is displayed in the user list.

Modifying User Information

  1. In the local user list, click for the target user.

    The page for modifying user information is displayed, as shown in Figure 5-9. For details about the parameters, see Table 5-22.

    Figure 5-9 Modifying user information

    Table 5-22 Parameters related to editing a user

    Parameter

    Description

    Cancels the edit.

    Setting method: Click .

    Saves the changes.

    Setting method: Click .

    Current User Password

    Specifies the current user's password, which is required before modifying a user's information.

    User Name

    Specifies the name of the user being edited.

    Change Password

    Specifies whether to change the user password.

    Setting method: Select the checkbox and enter a new password in Password and Confirm.

    Setting rules:
    • If the password complexity check function is enabled, the password must meet password complexity requirements.
    • If the password complexity check function is disabled, the password can be any character string.

    Login Rule

    Specifies the login rules that apply to the local user.

    Setting method: Select the checkboxes.

    Method for viewing and setting login rules: Click "Click here" to ensure that login rules have been configured and enabled.

    Privilege

    Specifies the group to which a user belongs.

    Setting method: Click an option button.

  2. Enter the current password of the user, and modify the parameters described in Table 5-22.
  3. Click Save.

    The user information is modified successfully.

Deleting a User

  1. In the local user list, click for the target user.

    A confirmation dialog box is displayed, prompting you to enter the current user password.

  2. Enter the current user password and click OK.

    The user is removed from the user list.

Setting Permissions of Custom Roles

Permissions of the default roles (Administrator, Operator, and Common user) cannot be modified, but you can set the permissions of custom roles as required.

Only administrators can set the permissions of custom roles.

  1. In the role list, select permissions for the custom roles.

    Table 5-23 describes the permissions.

    Table 5-23 Permissions

    Permission

    Description

    User Settings

    Allows users to perform settings related to users and passwords, including setting local, online, and LDAP users and restoring factory settings.

    Basic Settings

    Allows users to perform settings related to out-of-band management, including configuration about networks, alarm reporting, server identifying, firmware upgrade, SEL download or deletion, and device startup. Users without this permission can view but cannot configure the settings on the Alarm Setting, NetWork Setting, and System Settings pages.

    KVM

    Allows users to use the remote virtual console and serial port direction function.

    VMM

    Allows users to use the virtual media function.

    Security Settings

    Allows users to query and configure security settings, including operation and security log viewing, algorithm selection, protocol switching, SSL certificate management, service configuration, and one-click collection. Users without this permission can view but cannot configure the settings on the Service Settings page.

    Diagnosis

    Allows users to perform fault locating and commissioning operations, such as accessing the maintenance interface and configuring settings related to the sensors, auto video recording, manual or auto screen capturing, serial port data recording, and black box.

    Get Info

    Allows users to log in and view information excluding security, user, and system setting information.

  2. Click Save.

    A confirmation dialog box is displayed, prompting you to enter the current user password.

  3. Enter the current user password and click OK.

LDAP Settings

Function Description

The LDAP Settings page allows you to view and configure Lightweight Directory Access Protocol (LDAP) user information.

The iBMC provides only the access function for LDAP users. To improve system security, use a user domain or group domain on the domain controller or use an LDAP user who belongs to a user domain to log in to iBMC. LDAP users can log in to iBMC only using WebUI.

NOTE:
  • If the iBMC version is 2.46 or earlier, the group names, user names, and CN configured on the LDAP server for the iBMC cannot contain the following special characters: \";<>#+=,

  • On the LDAP server, DisplayName and CN must be the same.

iBMC supports three domain servers. When a user logs in to iBMC WebUI through LDAP, the domain server can be manually selected or automatically assigned by the system.

Page Description

On the menu bar, choose Config. In the navigation tree, choose LDAP Settings. The LDAP Settings page is displayed.

Figure 5-10 LDAP Settings page

Parameter Description
Table 5-24 Parameters on the LDAP Settings page

Parameter

Description

LDAP Function

Specifies whether to enable the LDAP function.

Setting method: Click or .

  • indicates the LDAP function is enabled.
  • indicates the LDAP function is disabled.

Domain Controller 1

iBMC supports up to three domain servers. When a user logs in to iBMC WebUI through LDAP, the domain controller can be manually selected or automatically assigned by the system.

Domain controllers 2 and 3 have the same parameters, which are as follows:

Basic Parameters

Certificate Verification

Specifies whether to enable certificate verification for the remote LDAP server.

Setting method: Click an option button.

You are advised to enable certificate verification for security purposes. After certificate verification is enabled, you need to import the LDAP root certificate, install the AD, DNS, and CA certificate issuer on the LDAP server, and import the CA certificate into the LDAP server and iBMC.

LDAP Server Address

Specifies the LDAP server IP address.

Format: IPv4 address.

Setting method: Enter a value in the text box.

After certificate verification is enabled, set this parameter to the LDAP server FQDN (host name.domain name), and configure DNS address information on the NetWork Settings page.

LDAPS Port

Specifies the port number for the LDAP service.

Value: an integer ranging from 1 to 65535

The default value is 636.

Setting method: Enter a value in the text box.

Encrypted transmission is enabled by default. You need to perform related configuration on the LDAP server.

Domain

Identifies the user domain to which an LDAP user defined in the domain controller belongs.

Value: a string of up to 255 characters

Setting rule: The value can contain letters, digits, and special characters.

Setting method: Enter a value in the text box.

User Folder

The value must be the same as the name of the application member data folder on the LDAP server. For example, CN = employee, OU = company or OU = department, OU = company.

Setting method: Enter a value in the text box.

Current User Password

Specifies the current user's password, which is required before setting domain controller information.

Import LDAP Root Certificate

Upload Certificate

Uploads the LDAP root certificate, which can be a .cer, .pem, .cert, or .crt file.

NOTE:
If the size of the file to be uploaded exceeds 100 MB, a message indicating a page request failure is displayed. You can refresh the page to restore it.

Certificate Status

Specifies whether the LDAP root certificate has been imported to the server.

Certificate information

Displays certificate information.

LDAP Group

Displays the region for creating an LDAP group.

Setting method: Click .

Displays the region for configuring an existing LDAP group.

Setting method: Click .

Deletes an existing LDAP group.

Setting method: Click .

LDAP Group

Specifies the name of the LDAP group to which an LDAP user belongs.

Value: a string of up to 32 characters

Setting rule: The value can contain letters, digits, and special characters.

Setting method: Enter a value in the text box.

LDAP Group Folder

The value must be the same as the name of the organization unit to which the user group on the LDAP server belongs. An example for a multi-level LDAP group directory is Role/SubRole1/SubRole2.

Value: a string of up to 255 characters

Setting rule: The value can contain letters, digits, and special characters.

Setting method: Enter a value in the text box.

Privilege

Specifies the iBMC access permission assigned to a group domain.

Value: Administrator, Operator, Common user, or Custom Role.

Setting method: Click an option button.

Login Rule

Specifies the login rules that apply to the LDAP group.

Procedure

iBMC supports up to three domain servers. To configure a domain server, you need to set the basic parameters, import a root certificate, and add LDAP groups.

Enable LDAP and set basic parameters about domain servers.

  1. On the menu bar, choose Config.
  2. In the navigation tree, choose LDAP Settings.

    The LDAP Settings page is displayed.

  3. Click next to LDAP Function. indicates that LDAP is enabled.
  4. Set the basic parameters described in Table 5-24.
  5. Click Save.

    The message "Operation Succeeded" is displayed.

Import an LDAP root certificate.

  1. In the Import LDAP Root Certificate area, click Browse next to Upload Certificate and select an LDAP certificate.
  2. Click Upload.

    The message "The certificate has been uploaded." is displayed, the value of Certificate Status changes to The certificate has been uploaded, and the information about the imported certificate is displayed. For details about the parameters, see Table 5-25.

    Table 5-25 Parameters in the Import LDAP Root Certificate area

    Parameter

    Description

    Issued By

    Provides information about the issuer of an LDAP certificate. Issued By and Issued To have the same parameters.

    Issued To

    Provides information about the user (current server) of an LDAP certificate, including:

    • CN: indicates a user name.
    • OU: indicates the department of a user.
    • O: indicates the company of a user.
    • L: indicates the city of a user.
    • S: indicates the province of a user.
    • C: indicates the country of a user.

    Valid From

    Indicates the date when an LDAP certificate starts to take effect.

    Valid To

    Indicates the date when an LDAP certificate will expire.

    Serial Number

    Indicates the serial number of an LDAP certificate, used for identifying and migrating the certificate.

Add an LDAP group.

You can add a maximum of 5 LDAP groups for iBMC.

  1. In the LDAP Group area, click Add.

    The page for adding an LDAP group is displayed, as shown in Figure 5-11. For details about the parameters, see Table 5-26.

    Figure 5-11 Adding an LDAP group

    Table 5-26 Parameters about adding an LDAP group

    Parameter

    Description

    LDAP Group

    Specifies the name of the LDAP group to which an LDAP user belongs.

    Value: a string of up to 32 characters

    Setting rule: The value can contain letters, digits, and special characters.

    Setting method: Enter a value in the text box.

    LDAP Group Folder

    The value must be the same as the name of the organization unit to which the user group on the LDAP server belongs. An example for a multi-level LDAP group directory is Role/SubRole1/SubRole2.

    Value: a string of up to 255 characters

    Setting rule: The value can contain letters, digits, and special characters.

    Setting method: Enter a value in the text box.

    Login Rule

    Specifies whether to enable the login rules, which apply only to the xx users.

    Setting method: Select the checkboxes.

    Method for viewing and setting login rules: Click "Click here" to ensure that login rules have been configured and enabled.

    Privilege

    Specifies the iBMC access permission assigned to a group domain.

    Value: Administrator, Operator, Common user, or Custom Role.

    Setting method: Click an option button.

  2. Set the LDAP group parameters.
  3. Click Save.

    The information about the new LDAP group is displayed in the LDAP group list.

Delete an LDAP group.

  1. In the LDAP group area, click for the LDAP group to be deleted.

    A confirmation dialog box is displayed, prompting you to enter the current user password.

  2. Enter the current user password.

Edit an LDAP group.

  1. In the LDAP group area, click for the LDAP group to be edited.
  2. Enter the current user password and edit the LDAP group parameters described in Table 5-26.
  3. Click Save.

Network Settings

Function Description

The NetWork Settings page allows you to perform the following operations:

  • Set a host name for the server.
  • Set the mode and IP address of the management network port on the server.

    Changing the IP address of the management network port disconnects the network. Change the IP address only when necessary.

  • Set the mode for obtaining domain name system (DNS) information.
    NOTE:

    DNS supports both IPv4 and IPv6 addresses.

  • Set VLANs.
NOTE:
When the server is powered off and then on or is loading a driver, the network port is reconnected due to the power-saving feature of the X540 NIC. In this situation, the NCSI function is interrupted temporarily.
Page Description

On the menu bar, choose Config. In the navigation tree, choose NetWork Settings. The NetWork Settings page is displayed.



Parameter Description
Table 5-27 Parameters on the NetWork Settings page

Parameter

Description

Server Name

Specifies a host name for iBMC.

Value: a string of 1 to 64 characters

Setting rule: The value can contain letters, digits, and hyphens (-), but cannot start or end with a hyphen.

Setting method: Enter a value in the text box.

IPv4 Settings

Automatically obtain IP address

Indicates that the server automatically obtains an IPv4 address for the management network port.

Setting method: Click the option button.

Manually set IP address

Indicates that you need to manually set an IPv4 address for the management network port. The IPv4 address information includes IP Address, Subnet Mask, Gateway, and MAC.

NOTE:

MAC specifies the physical address of a network interface card (NIC).

Setting method: Click the option button.

IPv6 Settings

Automatically obtain IP address

Indicates that the server automatically obtains an IPv6 address for the management network port.

Setting method: Click the option button.

Manually set IP address

Indicates that you need to manually set an IPv6 address for the management network port. The IPv6 address information includes IP Address, IPv6 Prefix, Gateway, Local Link Add and IP Address List.

NOTE:
  • Local Link Add is used for local link communication.

  • IP Address List supports a maximum of fifteen IPv6 addresses when stateless address autoconfiguration (SLAAC) is used.

Setting method: Click the option button.

DNS Settings

Automatically obtain DNS IPv4 address

Indicates that the server automatically obtains DNS IPv4 address information.

Setting method: Click the option button.

Automatically obtain DNS IPv6 address

Indicates that the server automatically obtains DNS IPv6 address information.

Setting method: Click the option button.

Manually set DNS IP address

Indicates that you need to manually set DNS address information. The DNS address information includes Domain, Preferred Server, and Alternate Server.

Setting method: Click the option button.

NOTICE:

If the mode for obtaining the IP address of the management network port is manual, the DNS information obtaining mode must also be manual.

Domain

Specifies a domain name for the server.

Value: a string of 0 to 67 characters

Setting rule: The value can contain letters, digits, and special characters including spaces.

Setting method: Enter a value in the text box.

Preferred Server

Specifies the IP address of the preferred DNS server.

Setting method: Enter a value in the text box.

Alternate Server

Specifies the IP address of the alternate DNS server.

Setting method: Enter a value in the text box.

Procedure

Setting a Host Name

  1. On the NetWork Settings page, set a host name for the server. For details about this parameter, see Table 5-27.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Setting an IPv4 Address for the Management Network Port

  1. In the IPV4 area of the NetWork Settings page, set an IPv4 address for the management network port. For details about the parameters, see Table 5-27.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Setting an IPv6 Address for the Management Network Port

  1. In the IPV6 area of the NetWork Settings page, set an IPv6 address for the management network port. For details about the parameters, see Table 5-27.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Automatically Obtaining DNS Information

  1. Click the Automatically obtain DNS IPv4 address or Automatically obtain DNS IPv6 address option button, depending on the IP address type (IPv4 or IPv6) of the management network port.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Manually Setting DNS Information

  1. Click the Manually set DNS IP address option button.
  2. Set Domain, Preferred Server, and Alternate Server. For details about the parameters, see Table 5-27.
  3. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Service Settings

Function Description

The Service Settings page allows you to view and set system service information.

Page Description

On the menu bar, choose Config. In the navigation tree, choose Service Settings. The Service Settings page is displayed.



Parameter Description
Table 5-28 Parameters on the Port Settings page

Parameter

Description

Services

Specifies the name of a system service. System services include the following:
  • FTP: allows files to be transferred from one computer to another over the network. This service may cause security risks due to its own mechanism. You are advised to use the Secure File Transfer Protocol (SFTP) service instead of the FTP service. The FTP service is disabled by default. When iBMC is connected over FTP, files can be uploaded to or downloaded only from /tmp to ensure system security.

    iBMC supports a maximum of five concurrent FTP logins.

  • SSH: allows a secure channel to be established between a local computer and a remote one.

    iBMC supports a maximum of five concurrent SSH logins.

    NOTE:
    Encryption algorithms supported by SSH are AES128-CTR, AES192-CTR, and AES256-CTR. Use a supported encryption algorithm when logging in to iBMC through SSH.
  • Telnet: allows users to log in to a remote system to use resources as if they log in to a local system. This service may cause security risks due to its own mechanism. You are advised to use the SSH service instead of the Telnet service. The Telnet service is disabled by default.

    iBMC supports a maximum of five concurrent Telnet logins.

  • SNMP Agent: translates and transfers requests between management devices and managed devices.
  • KVM: allows users to remotely control a server by using the local keyboard, video, and mouse (KVM).

    A maximum of two concurrent users are allowed.

  • VMM: allows users to use a virtual DVD-ROM drive or floppy disk drive (FDD) when they remotely control a server. (VMM stands for Virtual Machine Manager.)

    Only one user is allowed at a time.

  • Video: allows users to use the video playback function when they remotely control a server. For details about this function, see Play Back.

    Only one user is allowed at a time.

  • Web Server(HTTP): supports Internet information browsing and translates Hypertext Transfer Protocol (HTTP) pages. The Web Server(HTTP) service is enabled by default to establish a connection between the browser and iBMC. After the connection is set up, the secure protocol HTTPS is used.
  • Web Server(HTTPS): supports Internet information browsing and translates Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) pages.

    A maximum of four users can log in to iBMC by using this function at the same time.

  • IPMI LAN(RMCP): stands for Intelligent Platform Management Interface (IPMI) over LAN, and supports the Remote Management Control Protocol (RMCP). This service may cause security risks due to its own mechanism. You are advised to use the IPMI LAN(RMCP+) service instead of the IPMI LAN(RMCP) service. The IPMI LAN(RMCP) service is disabled by default.
  • IPMI LAN(RMCP+): stands for Intelligent Platform Management Interface (IPMI) over LAN and supports RMCP+.

Enable a Service

Specifies whether to enable a system service.

Setting method: Click to enable a service or to disable a service.

Port

Specifies the number of the port used by a system service.

Value: an integer ranging from 1 to 65535

Default value:
  • FTP: 21
  • SSH: 22
  • Telnet: 23
  • SNMP Agent: 161
  • KVM: 2198
  • VMM: 8208
  • Video: 2199
  • Web Server(HTTP): 80
  • Web Server(HTTPS): 443
  • IPMI LAN(RMCP): 623 for port 1 (primary port) and 664 for port 2 (secondary port)
  • IPMI LAN(RMCP+): RMCP+ and RMCP share ports. After you set port numbers for RMCP, RMCP+ also uses the port numbers.
NOTE:
  • If the port number is changed to 65535 for the Web Server(HTTP) or Web Server(HTTPS) service, Google Chrome cannot establish a session over this port.
  • Disabling the SSH, Telnet, HTTPS, RMCP, and RMCP+ services at the same time may result in network disconnection. If all the services are disabled, users need to enable the Web service by connecting the PC to the serial port of the server.
Procedure

Setting Port Numbers for System Services

  1. On the menu bar, choose Config.
  2. In the navigation tree on the left, choose Service Settings.

    The Service Settings page is displayed on the right.

  3. Enable the required system services and set port numbers for these services. For details about the parameters, see Table 5-28.
    NOTE:

    To restore the default port number for a system service, click Restore Default next to the port.

    System Service

    Operation

    FTP

    Enter a port number in the Port text box.

    SSH

    Enter a port number in the Port text box.

    Telnet

    Enter a port number in the Port text box.

    SNMP Agent

    Enter a port number in the Port text box.

    KVM

    Enter a port number in the Port text box.

    VMM

    Enter a port number in the Port text box.

    Video

    Enter a port number in the Port text box.

    Web Server(HTTP)

    Enter a port number in the Port text box.

    Web Server(HTTPS)

    Enter a port number in the Port text box.

    IPMI LAN(RMCP)

    1. Enter a port number in the Port 1 text box.
    2. Enter a port number in the Port 2 text box.

    IPMI LAN(RMCP+)

    RMCP+ and RMCP share ports. After you set port numbers for RMCP, RMCP+ also uses the port numbers.

  4. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.
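
The recommendations in Table 5-28 can be checked mechanically before a configuration is saved. The following is an added example, not part of the Huawei guide or of iBMC itself; the configuration dictionary layout, the function name audit_services, and the sample values are assumptions constructed for illustration.

```python
# Added example: audit an iBMC service configuration against Table 5-28.
# The config layout below is an assumption, not an iBMC export format.

# Documented default ports. RMCP+ shares the RMCP ports, so it has no entry.
DEFAULT_PORTS = {
    "FTP": [21], "SSH": [22], "Telnet": [23], "SNMP Agent": [161],
    "KVM": [2198], "VMM": [8208], "Video": [2199],
    "Web Server(HTTP)": [80], "Web Server(HTTPS)": [443],
    "IPMI LAN(RMCP)": [623, 664],
}

# Services the guide says may cause security risks, with the advised replacement.
RISKY = {"FTP": "SFTP", "Telnet": "SSH", "IPMI LAN(RMCP)": "IPMI LAN(RMCP+)"}

# The NOTE warns that disabling all of these together may cut off remote access.
REMOTE_ACCESS = ("SSH", "Telnet", "Web Server(HTTPS)",
                 "IPMI LAN(RMCP)", "IPMI LAN(RMCP+)")

WEB_SERVICES = ("Web Server(HTTP)", "Web Server(HTTPS)")


def audit_services(config):
    """Return a sorted list of (severity, service, message) findings.

    `config` maps a service name to {"enabled": bool, "ports": [int, ...]}.
    """
    findings = []
    for name, svc in config.items():
        enabled = svc.get("enabled", False)
        ports = svc.get("ports", [])

        # Risky protocol left on: report it with the replacement the guide names.
        if enabled and name in RISKY:
            findings.append(("HIGH", name, f"enabled; use {RISKY[name]} instead"))

        for port in ports:
            if not isinstance(port, int) or not 1 <= port <= 65535:
                findings.append(("ERROR", name, f"port {port!r} outside 1-65535"))
            elif name in WEB_SERVICES and port == 65535:
                findings.append(("WARN", name,
                                 "port 65535: Google Chrome cannot establish a session"))

        # Non-default ports matter for firewall rules and monitoring inventories.
        default = DEFAULT_PORTS.get(name)
        if enabled and default is not None and ports != default:
            findings.append(("INFO", name,
                             f"non-default ports {ports} (default {default})"))

    # Lock-out guard: at least one remote management path must stay enabled.
    if not any(config.get(n, {}).get("enabled", False) for n in REMOTE_ACCESS):
        findings.append(("HIGH", "*",
                         "SSH, Telnet, HTTPS, RMCP and RMCP+ all disabled; "
                         "recovery requires the serial port"))
    return sorted(findings)


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = {
    "FTP": {"enabled": False, "ports": [21]},
    "SSH": {"enabled": True, "ports": [22]},
    "Telnet": {"enabled": True, "ports": [23]},
    "SNMP Agent": {"enabled": True, "ports": [161]},
    "Web Server(HTTP)": {"enabled": True, "ports": [80]},
    "Web Server(HTTPS)": {"enabled": True, "ports": [65535]},
    "IPMI LAN(RMCP)": {"enabled": False, "ports": [623, 664]},
    "IPMI LAN(RMCP+)": {"enabled": True, "ports": []},
}

if __name__ == "__main__":
    for severity, service, message in audit_services(SAMPLE_CONFIG):
        print(f"{severity:5} {service}: {message}")
```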

System Settings

Function Description

The System Settings page allows you to perform the following operations:

  • View and set Simple Network Management Protocol (SNMP) information.
  • View and set Transport Layer Security (TLS) version.
  • Enable or disable the user management function on the service side.
  • View and set the web server timeout period.
  • View and set the system time zone.
  • View and set device locations.
  • View and set alarm thresholds.
Page Description

On the menu bar, choose Config. In the navigation tree, choose System Settings. The System Settings page is displayed.



Parameter Description
Table 5-29 Parameters on the System Settings page

Parameter

Description

SNMP V1

Indicates the first official SNMP version, which is defined in Requests for Comments (RFC) 1157. This service may cause security risks due to its own mechanism. You are advised to use SNMPv3 instead of SNMPv1.

Setting method: Select or deselect the check box.

NOTE:
If the SNMPv1 service is enabled, change the SNMP community name promptly.

SNMP V2C

Indicates an enhanced version of SNMPv2. SNMPv2c is an experimental protocol defined in RFC 1901 and adopts a community-based management architecture. This service may cause security risks due to its own mechanism. You are advised to use SNMPv3 instead of SNMPv2c.

Setting method: Select or deselect the check box.

NOTE:
If the SNMPv2c service is enabled, change the SNMP community name promptly.

Long Password

Specifies the enablement status of the long password function.

If the long password function is enabled, each community name must contain at least 16 characters.

Default value:

Setting method: Click to change it to , which indicates that the long password function is enabled.

Read-Only Community

Specifies the read-only community name. The default value is roAdmin12#$.

If the password complexity check function is disabled, the value is a string of 1 to 32 characters, including letters, digits, and special characters except spaces.

If the password complexity check function is enabled, the value must meet the following requirements:

  • Contains 8 to 32 characters.
  • Contains at least one of the following special characters:

    `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

  • Contains at least two types of the following characters:
    • Uppercase letters: A to Z
    • Lowercase letters: a to z
    • Digits: 0 to 9
  • Does not contain spaces.

Setting method: Enter a value in the text box.

Confirm Community

Specifies the read-only community name re-entered for confirmation.

Setting method: Enter a value in the text box.

Read/Write Community

Specifies the read-write community name. The default value is rwAdmin12#$.

If the password complexity check function is disabled, the value is a string of 1 to 32 characters, including letters, digits, and special characters except spaces.

If the password complexity check function is enabled, the value must meet the following requirements:

  • Contains 8 to 32 characters.
  • Contains at least one of the following special characters:

    `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

  • Contains at least two types of the following characters:
    • Uppercase letters: A to Z
    • Lowercase letters: a to z
    • Digits: 0 to 9
  • Does not contain spaces.

Setting method: Enter a value in the text box.

Confirm Community

Specifies the read-write community name re-entered for confirmation.

Setting method: Enter a value in the text box.

Login Rule

Specifies the login rules enabled for SNMPv1 and SNMPv2c. The login rules apply only to the users limited by login rules.

Setting method: Select the check boxes.

Method for viewing and setting login rules: Click the "Click here" link to ensure that login rules have been configured and enabled.

SNMP V3

Indicates the third official SNMP version, which enhances security and remote configuration capabilities on the basis of earlier versions.

NOTE:

iBMC SNMPv3 is enabled by default and cannot be disabled.

SNMP V3 AuthProtocol

Specifies the SNMPv3 authentication algorithm.

Value: MD5 or SHA1

Default value: SHA1

Setting method: Select an option from the drop-down list.

NOTE:
  • This setting applies to SNMP V3 and SNMP Trap V3.
  • MD5 may cause security risks. You are advised to select SHA1.

SNMP V3 PrivProtocol

Specifies the SNMPv3 encryption algorithm.

Value: DES or AES

Default value: AES

Setting method: Select an option from the drop-down list.

NOTE:
  • This setting applies to SNMP V3 and SNMP Trap V3.
  • DES may cause security risks. You are advised to select AES.

Login Rule

Specifies SNMPv3 login rules, which are consistent with local user login rules.

Table 5-30 Other parameters on the System Settings page

Parameter

Description

TLS Version

The Transport Layer Security (TLS) protocol is used to ensure data security and integrity during communication between two applications.

A secure connection is required for communication between the web browser and web server. TLS can be enabled to ensure connection security.

Setting method: Select or deselect the check box.

NOTE:
  • JRE 1.8 uses TLS 1.2 by default.
  • JRE 1.6 and 1.7 use TLS 1.0 by default. If TLS 1.0 is disabled, the remote KVM cannot be used for JRE 1.6 or JRE 1.7.

Set enable/disable status of user management on OS

Specifies whether the service system can manage users. Disabling this function will invalidate the IPMI commands for user management sent from the service system, for example, IPMI commands for adding or deleting users, setting permissions, and setting passwords.

Default value:

Setting method: Click to change it to and click Save. Then the service system cannot manage users. It is recommended that you set this parameter to ; otherwise security risks exist because the service system can manage iBMC users.

Set Web Server Timeout Period

Specifies the maximum interval between two consecutive operations on the iBMC UI. If the maximum interval is exceeded, the user is forcibly logged out and returned to the login page.

Value: an integer ranging from 5 to 480

Setting rule: The value must be a number and cannot be empty. Unit: minute

Setting method: Enter a value in the text box.

Set TimeZone

Specifies the time zone for the iBMC.

Value range: GMT-12:00 to GMT+13:00

NOTE:
You do not need to set the iBMC time zone because it is synchronized from the HMM.

Device Location

Sets the position information of the local server.

The value is a string of 0 to 64 characters. The value is left blank by default.

The string can contain digits, letters, and the following characters:

`~!@#$%^&*()-_=+\|[{}];:'",<.>/?

Setting method: Enter a value in the text box.

CPU Warning Threshold

Specifies the alarm threshold for the CPU usage. If the CPU usage exceeds the alarm threshold, iBMC reports a minor alarm.

Value range: 0 to 100, which indicates 0% to 100%

Setting method: Enter a value in the text box.

Memory Bandwidth Usage Warning Threshold

Specifies the alarm threshold for the memory bandwidth usage. If the memory bandwidth usage exceeds the alarm threshold, iBMC reports a minor alarm.

Value range: 0 to 100, which indicates 0% to 100%

Setting method: Enter a value in the text box.

Procedure

Setting the SNMP Parameters

  1. On the System Settings page, set the SNMP parameters. For details about the parameters, see Table 5-29.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.
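A pre-check for community names against the rules in Table 5-29, added here as an illustration and not taken from iBMC; `check_community` and `audit` are hypothetical names, and the sample values other than the two documented defaults are constructed. It also shows that the documented defaults satisfy the complexity rules, so the complexity check alone does not flag them.

```python
import string

# Special characters listed for community names in Table 5-29
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS
DEFAULTS = {"roAdmin12#$", "rwAdmin12#$"}   # documented default community names


def check_community(name, complexity_check=True, long_password=False):
    """Return a list of findings for one community name; an empty list means it passes."""
    findings = []
    if name in DEFAULTS:
        findings.append("documented default value")
    if any(c not in ALLOWED for c in name):
        findings.append("contains a space or an unlisted character")
    # Long Password raises the minimum to 16; otherwise 8 (complexity on) or 1 (off)
    low = 16 if long_password else (8 if complexity_check else 1)
    if not low <= len(name) <= 32:
        findings.append(f"length must be {low} to 32 characters")
    if complexity_check:
        if not any(c in SPECIALS for c in name):
            findings.append("no special character")
        kinds = sum(any(c in group for c in name) for group in
                    (string.ascii_uppercase, string.ascii_lowercase, string.digits))
        if kinds < 2:
            findings.append("fewer than two of uppercase, lowercase, digits")
    return findings


def audit(communities, **policy):
    """communities maps a label to a community name; returns only the failing entries."""
    report = {label: check_community(value, **policy)
              for label, value in communities.items()}
    return {label: found for label, found in report.items() if found}


# Constructed sample values; the first two are the defaults quoted in Table 5-29
SAMPLE = {
    "read-only": "roAdmin12#$",
    "read-write": "rwAdmin12#$",
    "candidate-1": "public",
    "candidate-2": "Mon1tor!ng-Rack07-E9000",
}

if __name__ == "__main__":
    for label, found in audit(SAMPLE, long_password=True).items():
        print(f"{label}: {'; '.join(found)}")
```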

Setting the TLS Version
Configuring the option will disconnect all web sessions.
  1. In the TLS Version area on the System Settings page, select the check box.
  2. Click Save.

Enabling the Service System to Manage Users or Disabling This Function

  1. On the System Settings page, enable the service system to manage users or disable this function. For details about the parameters, see Table 5-30.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Setting the Timeout Period for the Web Server

  1. On the System Settings page, set Timeout Period to the maximum interval between two consecutive sessions. For details about this parameter, see Table 5-30.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Setting the Device Location

  1. On the System Settings page, enter the local server position information in Device Location. For details about this parameter, see Table 5-30.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Setting Alarm Thresholds
  1. On the System Settings page, set alarm thresholds. For details about the parameters, see Table 5-30.
  2. Click Save.

    If the message "Operation Succeeded" is displayed, the setting is successful.

Security Enhance

Function Description

The Security Enhance page allows you to view and configure user security hardening rules for iBMC.

Page Description

On the menu bar, choose Config. In the navigation tree, choose Security Enhance. The Security Enhance page is displayed.

Figure 5-12 Security Enhance page

Parameter Description
Table 5-31 Password parameters

Parameter

Description

Password Complexity Check

Specifies whether to enable the password complexity check function.

This function is enabled by default. The setting applies to SNMPv1 and SNMPv2c trap community names, read-only community names, and read-write community names.

The password complexity requirements are as follows:

  • Must contain 8 to 20 characters.
  • Must contain at least one space or one of the following special characters:

    `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

  • Must contain at least two types of the following characters:
    • Uppercase letters: A to Z
    • Lowercase letters: a to z
    • Digits: 0 to 9
  • Cannot be the same as a user name or the user name in reverse order.

Setting method: Click an option button.

NOTICE:

Disabling the password complexity check function reduces system security. You are advised to enable this function.

Password expired time

Specifies the validity period of a user password.

The value ranges from 0 to 365 in days. 0 indicates that the password never expires.

Login User in Emergencies

Specifies the user name for logging in to the iBMC in emergencies. This user is not restricted by any login rule and its password will never expire.

Setting method: Select an option from the drop-down list.

NOTE:
Only an administrator can be set as the emergency login user.

Disable history password

Specifies the number of previous passwords that cannot be reused as a new password.

The value ranges from 0 to 5. 0 indicates that all previous passwords are allowed.

Setting method: Select an option from the drop-down list.

Account Locking

Specifies the maximum number of consecutive login failures allowed and the account locking duration.

  • The maximum number of consecutive login failures allowed is an integer ranging from 1 to 5 or Unlimited (account locking disabled).

  • The account locking duration (in minutes) is an integer ranging from 1 to 5.

After a user account is locked, the user cannot log in within the locking time.

Setting method: Select an option from the drop-down list.

NOTE:
  • Disabling the account locking function will reduce system security. You are advised to enable this function.
  • To unlock a user account in emergencies, run the unlock command on the CLI. For details, see the iBMC user guide of the server.
Table 5-32 Parameters in the login rules area

Parameter

Description

Time

NOTICE:
  • The start and end years cannot be later than 2050.
  • In a login rule, the start and end time must be in the same format.

Specifies the time period in which users are allowed to log in. The value can be in one of the following formats:

  • YYYY-MM-DD: indicates the start and end dates allowed for login. For example, the start date is 2013-08-30 and the end date is 2013-12-30.
  • HH:MM: indicates the daily time period allowed for login. For example, the start time is 08:30 and the end time is 20:30.
  • YYYY-MM-DD HH:MM: indicates the specific time segment allowed for login. For example, the start time is 2013-08-30 08:30 and the end time is 2013-12-30 20:30.

Setting method: Enter a value in the text box.

IP

Specifies an IP address or IP address range allowed for login. The value can be in one of the following formats:

  • xxx.xxx.xxx.xxx: indicates a single IP address.
  • xxx.xxx.xxx.xxx/mask: indicates an IP address range. mask indicates the subnet mask length, which ranges from 1 to 32.

Setting method: Enter a value in the text box.

MAC

Specifies a MAC address or MAC address range allowed for login. The value can be in one of the following formats:

  • xx:xx:xx:xx:xx:xx: indicates a single MAC address.
  • xx:xx:xx: indicates the MAC address header.

Setting method: Enter a value in the text box.

Procedure

Enabling the Security Enhancing Function

  1. On the menu bar, choose Config.
  2. In the navigation tree, choose Security Enhance.

    The Security Enhance page is displayed.

  3. Specify the password validity period, emergency login user, maximum number of consecutive login failures allowed, account locking duration, whether to enable the password complexity check function, and whether to allow historical passwords. For details, see Table 5-31.
  4. Click Save.

    A confirmation dialog box is displayed.

  5. Click OK.

Configuring Login Rules

iBMC supports up to three login rules.

NOTE:
  • A login rule is effective for local users, LDAP groups, and SNMPv3 services or interfaces of CLP(ssh/telnet/ftp), KVM_VMM and RMCP only when it meets the following two conditions:
    1. The login rule is enabled on the User Settings page.
    2. The login rule is selected for the specific configuration item.
  • If a login rule is empty and enabled (), login is not restricted.
  • Login is allowed when any of the enabled login rules is met.
  • If a field in a login rule is left blank, login is not restricted by this field.
  1. In the login rules area, click to change it to .
  2. Set the login rule parameters described in Table 5-32.
  3. Click Save.

    A confirmation dialog box is displayed.

  4. Click OK.
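The login-rule semantics from Table 5-32 and the NOTE above, modeled in Python as an added example (not iBMC code); `LoginRule`, `login_allowed` and the helper functions are hypothetical names, and the sample rules are constructed. Assumptions: the fields of one rule are combined with AND, the end date is inclusive, daily windows do not wrap past midnight, and login is unrestricted when no rule is both enabled and selected.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network

FORMATS = ("%Y-%m-%d %H:%M", "%Y-%m-%d", "%H:%M")   # the three Time formats
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){2}((:[0-9a-f]{2}){3})?")

@dataclass
class LoginRule:              # hypothetical container for one login rule
    enabled: bool = False
    start: str = ""
    end: str = ""
    ip: str = ""
    mac: str = ""

def time_ok(rule, now):
    if not rule.start and not rule.end:
        return True                              # blank field: no restriction
    for fmt in FORMATS:
        try:
            s, e = datetime.strptime(rule.start, fmt), datetime.strptime(rule.end, fmt)
        except ValueError:
            continue                             # both values must parse with one format
        if fmt != "%H:%M" and max(s.year, e.year) > 2050:
            raise ValueError("start and end years cannot be later than 2050")
        if fmt == "%H:%M":                       # assumption: window does not wrap midnight
            return s.time() <= now.time() <= e.time()
        if fmt == "%Y-%m-%d":                    # assumption: the end date is inclusive
            return s.date() <= now.date() <= e.date()
        return s <= now <= e
    raise ValueError("start and end must both be set and use the same format")

def ip_ok(rule, client_ip):
    if not rule.ip:
        return True
    net = IPv4Network(rule.ip, strict=False)     # accepts a.b.c.d and a.b.c.d/mask
    if net.prefixlen < 1:
        raise ValueError("mask length must be 1 to 32")
    return IPv4Address(client_ip) in net

def mac_ok(rule, client_mac):
    if not rule.mac:
        return True
    want = rule.mac.lower()
    if not MAC_RE.fullmatch(want):
        raise ValueError("MAC must be xx:xx:xx:xx:xx:xx or xx:xx:xx")
    return (client_mac or "").lower().startswith(want)   # full address or header

def login_allowed(rules, selected, now, client_ip, client_mac=None):
    """rules: up to three LoginRule; selected: indexes ticked for this user or service."""
    if len(rules) > 3:
        raise ValueError("iBMC supports up to three login rules")
    effective = [r for i, r in enumerate(rules) if r.enabled and i in selected]
    if not effective:
        return True      # assumption: no enabled and selected rule means no restriction
    return any(time_ok(r, now) and ip_ok(r, client_ip) and mac_ok(r, client_mac)
               for r in effective)

# Constructed sample rules, reusing the example time values from Table 5-32
RULES = [
    LoginRule(True, "08:30", "20:30", "192.168.10.0/24"),
    LoginRule(True, "2013-08-30", "2013-12-30", mac="00:1a:2b"),
    LoginRule(False, ip="10.0.0.5"),
]
```

Because any matching rule admits the login, a broad rule (or an enabled rule left empty) selected alongside a narrow one cancels the narrow rule's restriction.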

Boot Option

Function Description

The Boot Option page allows you to set the first boot option for the operating system (OS) on the server.

NOTE:

The setting takes effect only once. After the server restarts, the first boot option is restored to the default value specified in the basic input/output system (BIOS).

Page Description

On the menu bar, choose Config. In the navigation tree, choose Boot Option. The Boot Option page is displayed.



Parameter Description
Table 5-33 Parameters on the Boot Option page

Parameter

Description

Hard disk

Forcibly boots the OS from a hard disk.

Setting method: Click the option button.

DVD-ROM drive

Forcibly boots the OS from the CD-ROM or DVD-ROM drive.

Setting method: Click the option button.

FDD/Removable device

Forcibly boots the OS from a floppy disk drive (FDD) or removable device.

Setting method: Click the option button.

PXE

Forcibly boots the OS from the Preboot Execution Environment (PXE).

Setting method: Click the option button.

BIOS Setup

Displays the BIOS Setup menu upon server startup.

Setting method: Click the option button.

No override

Boots the OS from the default first boot option specified in the BIOS (the first boot option is not set in iBMC).

Setting method: Click the option button.

Procedure
  1. On the menu bar, choose Config.
  2. In the navigation tree, choose Boot Option.

    The Boot Option page is displayed.

  3. Set the first boot option. For details about the options, see Table 5-33.
  4. Click Save.

    If the message "Save Success" is displayed, the setting is successful.

SSL Certificate

Function Description

The SSL Certificate page allows you to view Secure Sockets Layer (SSL) certificate information, customize SSL information, and import a new certificate.

The SSL certificate sets up an SSL security channel over HTTPS between the web browser on the client and the web server to transmit encrypted data between the client and server and prevent data disclosure. SSL ensures the security of transmitted information and is used for verifying the authenticity of the website to be accessed. Servers allow you to replace SSL certificates. You are advised to replace the original certificate and keys with your customized certificate and public and private key pair, and promptly update the certificate for security purposes.

Page Description

On the menu bar, choose Config. In the navigation tree, choose SSL Certificate. The SSL Certificate page is displayed.



Parameter Description
Table 5-34 Parameters in the SSL Certificate Information area

Parameter

Description

Issued To

Provides information about the user (current server) of an SSL certificate, including:

  • CN: indicates a user name.
    NOTE:
    Set CN to the server fully qualified domain name (FQDN), that is, host name.domain name.
  • OU: indicates the department of a user.
  • O: indicates the company of a user.
  • L: indicates the city of a user.
  • S: indicates the province of a user.
  • C: indicates the country of a user.

Issued By

Provides information about the issuer of an SSL certificate. The fields contained in Issued By are the same as those in Issued To.

Valid From

Indicates the date when an SSL certificate starts to take effect.

Valid To

Indicates the date when an SSL certificate will expire.

Serial Number

Indicates the serial number of an SSL certificate, used for identifying and migrating the certificate.
Procedure

Viewing Information About the Current SSL Certificate

  1. In the navigation tree, choose Config > SSL Certificate.

    The SSL Certificate page is displayed.

  2. In the SSL Certificate Information area, view information about the current SSL certificate used by the server.

Customizing SSL Certificate Information and Importing an SSL Certificate

NOTE:
Perform this operation when you apply for and import an SSL certificate.
  1. On the SSL Certificate page, click Customize.

    The page for customizing SSL certificate information is displayed.

  2. In the Step 1: Generation CSR area, set the parameters for customizing certificate information, and click Save.

    In the displayed dialog box, export the CSR file to the client as prompted.

    Table 5-35 describes the parameters for customizing certificate information.

    Table 5-35 Parameters for customizing certificate information

    Parameter

    Description

    Country

    Specifies the country of a user.

    This parameter is mandatory. The value can contain only two letters.

    State

    Specifies the province of a user.

    The value can contain a maximum of 128 characters, including letters, digits, and spaces.

    City/Location

    Specifies the city of a user.

    The value can contain a maximum of 128 characters, including letters, digits, and spaces.

    Organization Name

    Specifies the company of a user.

    The value can contain a maximum of 64 characters, including letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

    Organizational Unit

    Specifies the department of a user.

    The value can contain a maximum of 64 characters, including letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

    Common Name

    Specifies a user name.

    This parameter is mandatory. The value can contain a maximum of 64 characters, including letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

  3. Send the exported CSR file to the SSL certificate issuer to apply for an SSL certificate.

    After obtaining the official SSL certificate, save it to the client.

  4. In the Step 2: Import Server Certificate area, click Browse, select the SSL certificate (a .crt, .cer, or .pem file of up to 1 MB), and click Save.

    After the certificate is imported, the message "Import certificate success, certificate will effect after iBMC reset" is displayed.

    • After the import is complete, restart iBMC at an appropriate time for the certificate to take effect.
    • A CSR file correlates with the server certificate applied for from the CA organization. Do not generate a new CSR file before importing the server certificate. Otherwise, the original CSR file is overwritten by the new CSR file and cannot be recovered. You then have to use the new CSR file to apply for a new server certificate from the CA organization.
    • The system will not encrypt the private key before the CSR generation and the import of the public key certificate to avoid security risks. You are advised to import the public key certificate as soon as possible after a CSR file is generated.
Importing an SSL Certificate
NOTE:
  • You can perform this operation only when an SSL certificate is available on the client.
  • Before importing a customized SSL certificate, you are advised to use a highly secure encryption algorithm (for example, RSA2048) to encrypt the certificate when the certificate is generated.
  1. On the SSL Certificate page, click Customize.

    The page for customizing SSL certificate information is displayed.

  2. In the Custom Certificate area, import an SSL certificate.
    1. Click Browse next to Certificate File, and select the SSL certificate file to be imported. The certificate must be a .pfx or .p12 file of up to 1 MB.
    2. In the Certificate Password text box, enter a password to ensure certificate security during transmission.

      If the certificate is protected by a password, you must enter the password. Otherwise, the certificate cannot be uploaded.

    3. Click Save.
      NOTE:
      If the size of the file to be uploaded exceeds 100 MB, a message indicating a page request failure is displayed. You can refresh the page to resolve this issue.
      After the certificate is uploaded to the server, the message "Import certificate success, certificate will effect after iBMC reset" is displayed.
    After the certificate is imported, restart iBMC at an appropriate time for the certificate to take effect.
Adding the Root Certificate to the Browser
NOTE:
After importing an SSL certificate, check whether the root certificate of the issuer exists in the client browser.
The following uses Internet Explorer as an example to describe how to view and add a root certificate in the browser.
  1. Open Internet Explorer.
  2. On the toolbar, choose Tools > Internet Options.

    The Internet Options dialog box is displayed.

  3. On the Content tab page, click Certificates.

    The Certificates dialog box is displayed.

  4. On the Trusted Root Certification Authorities tab page, check whether the SSL certificate issuer is listed.
    • If yes, go to 5.
    • If no, go to 6.
  5. Check whether the SSL certificate has expired.
    • If yes, go to 6.
    • If no, go to 7.
  6. On the Trusted Root Certification Authorities tab page, click Import.

    Import the root certificate as prompted.

  7. Open Internet Explorer again, and check whether the icon is displayed in the address bar.
    • If yes, no further action is required.
    • If no, contact technical support.
Updated: 2019-08-01

Document ID: EDOC1000058833
