The Hardware Management Console (HMC) is an IBM appliance that provides a standard interface for configuring and operating partitioned (LPAR, or virtualized) and SMP systems such as the IBM System i and IBM System p series.
The HMC runs a Linux kernel, with BusyBox providing the base utilities and X Window with the Fluxbox window manager providing graphical logins; Java applications supply the rest of the functionality. The IBM Hardware Management Console gives systems administrators a tool for planning, deploying, and managing IBM System p and IBM System i servers.
HMC maximums
At the time of writing, the following are the general support limits for the HMC:
A maximum of 48 non-590/595 servers are supported.
A maximum of 32 590/595 servers are supported.
For all systems, the maximum number of LPARs is 254.
In an HMC-managed enterprise, a maximum of 2 HMCs can manage a server at one time.
3. On the GRUB menu, select e for edit. The next GRUB screen is displayed with two lines:
   root (hd0,0)
   kernel (hd0,1)/boot/bzImage ro root=/dev/hda2 vga=0x317 apm=power-off
   Note: The root device can vary by model: hda2 for C03, C04, CR2, and hdc2 for CR3.
4. Move the cursor down to the line starting with kernel. Select e for edit. Move the cursor to the right and append the following to the end of the string:
   V5.1.0 to V6.1.1: init=/bin/bash
   V6.1.2 and later: init=/bin/rcpwsh
   The final string will vary slightly by version and model:
   kernel (hd0,1)/boot/bzImage ro root=/dev/hda2 vga=0x317 apm=power-off init=/bin/rcpwsh
   Press the Enter key to save the changes.
5. Press b to boot the changed selection. This will boot to a bash shell: (none):/#.
6. Verify that root is mounted read/write. Type the following command:
   mount -o remount,rw /dev/hda2 /
   Note: The root device can vary by model: hda2 for C03, C04; hdc2 for CR2, CR3; sda2 for CR4.
7. Reset the root and hscroot passwords. Run the following commands; each prompts for the new password and a confirmation. Any warning that the password is too simplistic can be ignored.
   Reset root: /usr/bin/passwd
   Reset hscroot: /usr/bin/passwd hscroot
8. Reboot the HMC (left Ctrl + left Alt + Del).
9. Log on as hscroot.
10. Immediately after logon, use the Web-based System Manager (HMC GUI) or the chhmcusr.
HMC Commands
1. HMC Version
hscroot@hmc> lshmc -V
Version: 3
Release: 3.2
HMC Build level 20040827.1
POWER4 HMCs never show a version higher than 3.x; HMC versions 4.x and higher are only for POWER5 systems, and POWER6 systems need HMC version 7.x.
hscroot@hmc> lshmc -n
hscroot@hmc> chhmcusr -u hscroot -t passwd
Enter the new password:
Retype the new password:
hscroot@hmc> monhmc -r disk -n 0
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sda2       16121184 4958484  10343788  33% /
udev              517300     156    517144   1% /dev
/dev/sda3        6040320 1341736   4391744  24% /var
/dev/sda7        8056524  154132   7493140   3% /dump
/dev/sda8       38669964  203056  36502564   1% /extra
It is just the same as you would expect from the UNIX command df.
LPAR Management: Status Information
1. LPAR Status
This is how you get an overview of all systems controlled by your HMC:
power4:
hscroot@hmc> lslpars
power5:
The format string 'lpar_id:name:serial_num:state' also gives you the serial number of the systems; you can omit the field 'serial_num' if you don't need it. For every system in the list above you then get the LPAR overview as shown below:
Example:
Don't know where to start? Find the managed system that an LPAR belongs to with a query:
hscroot@hmc> for m in $(lssyscfg -r sys -F name); do echo $m ; lssyscfg -r lpar -m $m -F name:state ; done
power5:
hscroot@hmc> lsrefcode -m pserver -r lpar --filter "lpar_names=mylpar" -F lpar_name:refcode
You can even see the history of LED codes. Just use -n <NUM> for the last NUM codes. For example, with -n 5:
hscroot@hmc> lsrefcode -m pserver -r lpar --filter "lpar_names=mylpar" -F lpar_name:refcode -n 5
mylpar:
mylpar:0c33
mylpar:
mylpar:0539
mylpar:0538
power4:
hscroot@hmc> lssyscfg -r lpar -m pserver -F lpar_id:name:serial_num:state | sort -n
1:vioserver1:Running
2:vioserver2:Running
3:mylpar1:Not Activated
4:mylpar2:Running
5:mylpar3:Running
6:mylpar4:Running
7:mylpar5:Running
8:mylpar6:Running
9:mylpar7:Running
10:mylpar8:Not Activated
hscroot@hmc> lssysconn -r all -F type_model_serial_num:ipaddr:state | sort
9117-570*65AE18C:172.16.255.253:Connected
9117-570*65AE18C:172.16.254.255:Connected
9117-570*65AE2AC:172.16.255.254:Connected
9117-570*65AE2AC:172.16.254.254:Connected
9117-570*650D70D:172.16.255.252:Connected
9117-570*650D70D:172.16.253.255:Connected
9117-570*650D71D:172.16.254.253:Connected
9117-570*650D71D:172.16.255.251:Connected
9131-52A*065F7BB:172.16.253.254:Connected
9131-52A*065F8BA:172.16.254.252:Connected
The managed system's name is linked to the serial number, not to the IP address! The IP addresses listed above belong to the service processor's private NIC and are handed out by the HMC's integrated DHCP server.
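Because the serial number, not the address, identifies a managed system, it is useful to group the lssysconn output by serial and to check that both service-processor links of every system are still Connected. The script below is an added example and not part of the original page; it runs in a plain POSIX shell with awk, uses a constructed sample (the "No Connection" line is invented to exercise the check), and the function names are the author's own.

```shell
#!/bin/sh
# Added example: group `lssysconn -r all -F type_model_serial_num:ipaddr:state`
# output by managed system and flag service-processor links that are not Connected.
# SAMPLE_LSSYSCONN is constructed sample data, not captured from a real HMC
# (the "No Connection" line is invented so that the check has something to find).
SAMPLE_LSSYSCONN='9117-570*65AE18C:172.16.255.253:Connected
9117-570*65AE18C:172.16.254.255:Connected
9117-570*65AE2AC:172.16.255.254:Connected
9117-570*65AE2AC:172.16.254.254:No Connection
9131-52A*065F7BB:172.16.253.254:Connected'

# One line per managed system (keyed by type-model*serial), followed by the
# service-processor addresses the HMC knows for it; sorted for stable output.
connections_by_system() {
    awk -F: '{ ips[$1] = ips[$1] " " $2 }
             END { for (s in ips) print s ":" ips[s] }' | sort
}

# Lines whose state is anything other than Connected.
unhealthy_connections() {
    awk -F: '$3 != "Connected" { print $1 ":" $2 ":" $3 }'
}

# Exit status 0 when every link is Connected, 1 otherwise; prints the offenders.
check_connections() {
    bad=$(unhealthy_connections)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Stand-alone run on the sample. On an HMC you would pipe the real command in:
#   lssysconn -r all -F type_model_serial_num:ipaddr:state | check_connections
printf '%s\n' "$SAMPLE_LSSYSCONN" | connections_by_system
printf '%s\n' "$SAMPLE_LSSYSCONN" | check_connections || echo "some service-processor links are not Connected"
```

The non-zero exit status of check_connections makes it usable from a cron job or a monitoring agent that has SSH access to the HMC, so a lost FSP link shows up before someone needs the console.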
The command below will show a list of all adapters physically plugged into a Managed System: power5:
hscroot@hmc> lshwres -r io -m pserver --rsubtype slot -F lpar_name:drc_name:description
null:U78C0.001.DBJC357-P2-C8-T5:Universal Serial Bus UHC Spec
mylpar1:U78C0.001.DBJC357-P2-C1:Fibre Channel Serial Bus
null:U78C0.001.DBJC357-P2-C2:Fibre Channel Serial Bus
vios2:U78C0.001.DBJC357-P2-T3:RAID Controller
vios2:U78C0.001.DBJC357-P2-C8-T7:Generic XT-Compatable Serial Controller
vios2:U78C0.001.DBJC357-P2-C5:Fibre Channel Serial Bus
vios2:U78C0.001.DBJC357-P2-C6:Ethernet controller
vios2:U78C0.001.DBJC357-P2-C9-T2:PCI-E SAS Controller
vios2:U78C0.001.DBJC357-P2-C9-T1:PCI-E SAS Controller
null:U78C0.001.DBJC373-P2-C8-T5:Universal Serial Bus UHC Spec
mylpar1:U78C0.001.DBJC373-P2-C1:Fibre Channel Serial Bus
null:U78C0.001.DBJC373-P2-C2:Fibre Channel Serial Bus
vios1:U78C0.001.DBJC373-P2-T3:RAID Controller
vios1:U78C0.001.DBJC373-P2-C8-T7:Generic XT-Compatable Serial Controller
vios1:U78C0.001.DBJC373-P2-C5:Fibre Channel Serial Bus
vios1:U78C0.001.DBJC373-P2-C6:Ethernet controller
vios1:U78C0.001.DBJC373-P2-C9-T2:PCI-E SAS Controller
vios1:U78C0.001.DBJC373-P2-C9-T1:PCI-E SAS Controller
A leading "null" indicates that the adapter is not assigned to any LPAR. To show only the I/O adapters assigned to one LPAR, add a filter:
hscroot@hmc> lshwres -r io -m pserver --rsubtype slot -F lpar_name:drc_name:description --filter "lpar_names=mylpar1"
mylpar1:U78C0.001.DBJC357-P2-C1:Fibre Channel Serial Bus
mylpar1:U78C0.001.DBJC373-P2-C1:Fibre Channel Serial Bus
hscroot@hmc> lspartition -dlpar
<#0> Partition:<6*9117-MMB*656D24A, mylpar1.unixwerk.de, 111.111.15.66>
       Active:<0>, OS:<AIX, 5.3, 5300-09-08-1036>, DCaps:<0x0>, CmdCaps:<0x0, 0x0>, PinnedMem:<512>
<#1> Partition:<2*9117-MMB*656D24A, vios1.unixwerk.de, 111.111.15.65>
       Active:<1>, OS:<AIX, 6.1, 6100-06-00-0000>, DCaps:<0x4f9f>, CmdCaps:<0x1b, 0x1b>, PinnedMem:<520>
<#2> Partition:<1*9117-MMB*656D24A, vios2.unixwerk.de, 111.111.15.64>
       Active:<1>, OS:<AIX, 6.1, 6100-06-00-0000>, DCaps:<0x4f9f>, CmdCaps:<0x1b, 0x1b>, PinnedMem:<518>
<#3> Partition:<3*9117-570*656FFFF, mylpar2.unixwerk.de, 111.111.226.4>
       Active:<1>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<1707>
<#4> Partition:<1*9117-570*656FFFF, mylpar3.unixwerk.de, 111.111.226.2>
       Active:<1>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<884>
<#5> Partition:<1*9133-55A*650D71D, mylpar7.unixwerk.de, 111.111.0.26>
       Active:<1>, OS:<AIX, 5.3, 5300-09-03-0918>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<406>
<#6> Partition:<4*9117-570*656FFFF, mylpar4.unixwerk.de, 111.111.226.5>
       Active:<1>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<967>
A value of <1> for Active: is what you want; it means the HMC has a working RMC connection to that partition, which dynamic LPAR operations depend on.
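Scanning the lspartition -dlpar listing by eye for Active:<0> does not scale past a handful of partitions. The script below is an added example, not part of the original page: it parses the output format shown above (a constructed sample, with the Active field sometimes on the same line as the Partition field and sometimes on the next one, as the real command prints it) and lists the partitions the HMC cannot reach. The function names and the sample records are the author's own assumptions.

```shell
#!/bin/sh
# Added example: find partitions that `lspartition -dlpar` reports with
# Active:<0>, i.e. the HMC has no working RMC connection to them, so DLPAR
# operations against them will fail. SAMPLE_LSPARTITION is constructed sample
# data modelled on the output format above, not captured from a real HMC.
SAMPLE_LSPARTITION='<#0> Partition:<6*9117-MMB*656D24A, mylpar1.unixwerk.de, 111.111.15.66>
       Active:<0>, OS:<AIX, 5.3, 5300-09-08-1036>, DCaps:<0x0>, CmdCaps:<0x0, 0x0>, PinnedMem:<512>
<#1> Partition:<2*9117-MMB*656D24A, vios1.unixwerk.de, 111.111.15.65>
       Active:<1>, OS:<AIX, 6.1, 6100-06-00-0000>, DCaps:<0x4f9f>, CmdCaps:<0x1b, 0x1b>, PinnedMem:<520>
<#2> Partition:<1*9133-55A*650D71D, mylpar7.unixwerk.de, 111.111.0.26> Active:<0>, OS:<AIX, 5.3, 5300-09-03-0918>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<406>'

# Print "hostname active-flag" for every partition record. The Partition:<...>
# and Active:<n> fields may sit on one line or on two, so the awk remembers
# the last hostname seen and emits a line when it meets the Active field.
partition_states() {
    awk '
        /Partition:</ {
            match($0, /Partition:<[^>]*>/)
            split(substr($0, RSTART, RLENGTH), f, ",")
            host = f[2]; gsub(/^ +| +$/, "", host)
        }
        /Active:</ {
            match($0, /Active:<[0-9]+>/)
            print host, substr($0, RSTART + 8, RLENGTH - 9)
        }'
}

# Hostnames of partitions the HMC cannot reach over RMC (Active:<0>).
inactive_partitions() {
    partition_states | awk '$2 == "0" { print $1 }'
}

# Number of unreachable partitions, usable as a monitoring metric.
count_inactive() {
    inactive_partitions | wc -l | tr -d ' '
}

# Stand-alone run on the sample. On an HMC: lspartition -dlpar | inactive_partitions
printf '%s\n' "$SAMPLE_LSPARTITION" | inactive_partitions
```

A partition that shows up here is usually one whose RMC daemons are down or whose firewall blocks port 657 from the HMC; checking this list before a planned DLPAR change saves a failed operation later.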
power5:
5. Virtual Console
This is how you get a connection to an LPAR's serial console:
power4 + power5:
If your system is running in Full System Partition mode, you connect with a command like this:
power4:
You can escape from the console connection by typing ~~. (tilde, tilde, then a dot). If you cannot connect to the serial console and get this error message instead:
All available virtual terminal sessions have been opened and are in use. To force a new open session, perform a Close Terminal Session operation which frees up the session.
there is still another active connection to this console. You can close that connection with:
power4 + power5:
If you're not sure which managed system an LPAR belongs to, you can walk through the vtmenu:
hscroot@hmc> vtmenu
Retrieving name of managed system(s) . . .
---------------------------------------------------------
Managed Systems:
---------------------------------------------------------
1) pserver1
2) pserver2
3) pserver3
Enter Number of Managed System. (q to quit): 1
---------------------------------------------------------
1) mylpar1    Running
2) mylpar2    Running
3) mylpar3    Running
4) mylpar4    Running
5) mylpar5    Running
Enter Number of Running Partition (q to quit):
Just enter a number and you will be connected to the console of the corresponding LPAR.
6. Activation of an LPAR
power4:
power5:
0514-440 cfgcon: failed to create log file: check path name, permissions, and available space
When you see this message you can only access diag mode or boot the LPAR in single-user mode. The following command sets the key switch back to the normal position:
power5:
LPAR Configuration
hscroot@hmc> lssyscfg -r lpar -m pserver -F lpar_id:name:state
1:vios1:Running
2:vios2:Running
3:barney:Running
4:mylpar2:Running
5:mylpar3:Running
Now we want to change the name of LPAR 3 from barney to mylpar1:
power5:
hscroot@hmc> chsyscfg -r lpar -m pserver -i "name=barney,new_name=mylpar1"
We check and see that the name of LPAR 3 has indeed changed to mylpar1:
hscroot@hmc> lssyscfg -r lpar -m pserver -F lpar_id:name:state
1:vios1:Running
2:vios2:Running
3:mylpar1:Running
4:mylpar2:Running
5:mylpar3:Running
lshmc -v
    Shows vital product data, such as the serial number.
lshmc -V
    Shows the release of the HMC.
lshmc -n
    Shows network information of the HMC.
hmcshutdown -r -t now
    Reboots the HMC.
lssysconn -r all
    Shows the connected managed systems.
chhmcusr -u hscpe -t passwd -v abc1234
    Changes the password of user hscpe.
lshmcusr
    Lists the users of the HMC.
ls -al /var/hsc/log/hmclogger.log
ls -al /var/hsc/log/cimserver.log
    Interesting log files of the HMC.
monhmc -r disk
    Looks at the filesystems of the HMC. Try "proc", "mem" and "swap" as well.
vtmenu
    Opens a virtual console from the HMC. Exit by typing "~." (tilde dot) or "~~." (tilde tilde dot).
rmvterm -m SYSTEM-9117-570-SN10XXXXX -p name
    Forces the closure of a virtual terminal session.
chsysstate -m SYSTEM-9131-52A-SN10XXXXX -r lpar -o on -n name -f default_profile
chsysstate -m SYSTEM-9131-52A-SN10XXXXX -r lpar -o shutdown -n name --immed
    Change the state of a partition.
lssyscfg -r prof -m SYSTEM-9117-570-SN10XXXXX
    Lists partition profiles for a managed system.
lspartition
This article is a cookbook to help you secure the Hardware Management Console (HMC). It provides detailed instructions for what should be done, and what could be done, in a straightforward manner. The HMC plays a central role in the IBM virtualization strategy: it controls hardware, configures logical partitions (LPARs), and assigns both physical and virtual devices. It is vital to systems management in a virtualized environment. IBM designed the HMC as a closed system that performs only those functions specifically assigned to it. The Licensed Internal Code of the HMC is based on an open operating system that has been customized to enhance security; you should do additional customization to complete the securing process. In this article, you'll learn the steps that should be taken during installation of the HMC. Optional measures that might be implemented later, if desired, are also included. The author wraps up with some maintenance guidelines for ensuring that a secure system stays secure.
Assumptions
The how-to steps in this article assume you are at the HMC console using the Web-based System Manager, which is the graphical user interface (GUI). Whenever the command-line interface is required, it is noted. Some of the configuration can be performed remotely, but some must be done at the console. While some initial configuration can be performed using the Setup Wizard, the methods described in this article focus on using the configuration menus of the HMC.
During installation
This section covers the steps you should take during installation of the HMC.
2. Open port 22 on the appropriate network adapter's firewall. You must have either the super administrator or service representative role to control this setting.

To enable remote command-line access:
1. In the Navigation area, click the HMC Management icon.
2. In the Content area, double-click the HMC Configuration icon.
3. In the Contents area, click Enable/Disable Remote Command Execution.
4. Check the box Enable remote command execution.
5. Click OK.

To configure a firewall to allow Web-based System Manager and SSH traffic:
1. In the Navigation area, click the HMC Management icon.
2. In the Content pane, click Customize Network Settings.
3. Click the LAN Adapters tab.
4. Select the adapter that you want to work with (probably eth1) and click Details.
5. Click the Firewall tab.
6. Using one of the following methods, you can allow any IP address using a particular application through the firewall, or you can specify one or more IP addresses:
   o Allow any IP address using a particular application through the firewall:
     1. From the top box on the left, highlight the application.
     2. Click Allow Incoming on the right. The application displays in the bottom box to signify that it has been selected.
   o Specify which IP addresses to allow through the firewall:
     1. From the top box on the left, highlight an application.
     2. Click Allow Incoming by IP Address on the right.
     3. On the Hosts Allowed window, enter the IP address and the network mask.
     4. Click Add and then click OK.
7. Click OK.
Any change to the network settings requires that the HMC be rebooted. It is usually best to make these firewall changes during the initial network configuration.

7. Click the LAN Adapter tab.
8. In the DHCP Server section, check Enable DHCP Server to enable the HMC as a DHCP server.
9. Enter the address range of the DHCP server.
10. Click OK.
To set up secure outbound communication using the Internet method:
1. The HMC must have a Local Area Network (LAN) adapter that is connected to a network with Internet access.
2. The LAN adapter must be configured with a default gateway that provides access to the Internet.
3. If a firewall is in place between the HMC and the Internet, it must allow outgoing TCP/IP connections on port 443 from the HMC to each of the following IP addresses:
   o 129.42.160.48 and 207.25.252.200 (IBM Service to the system authentication server)
   o 129.42.160.49 and 207.25.252.204 (HMC access to IBM Service for North or South America)
   o 129.42.160.50 and 207.25.252.205 (HMC access to IBM Service for all other regions)
   You only need to specify the IP addresses necessary to set up access to the system authentication server and those appropriate for your region.
4. From the Service Applications folder, select Remote Support.
5. Select the Customize Outbound Connectivity task.
6. On the Customize Outbound Connectivity menu, select Internet.
7. Check the box that says Enable local system as a call-home server.
8. Check the box that reads Allow an existing Internet connection for service.
9. If an Internet proxy is used, fill in the necessary information on the menu.
10. Select Test to verify that outbound connectivity is successful.
Optional steps
This section discusses optional measures you can implement after installation, if you so choose.
Select the Copy this Certificate Authority's Public Key Ring File to diskette task. The Copy Certificate Authority Public Key to Diskette window opens.
   o If you are going to use the diskette to distribute the public key ring file for remote Web-based System Manager clients on HMC or AIX systems, insert the diskette media in the drive. The media does not have to be formatted.
   o If you are going to use the diskette to distribute the public key ring file for use on Windows-based PC clients, use a formatted diskette.
4. When you have inserted the diskette, choose the appropriate selection ("HMC or AIX Client" or "PC client") and then click OK.
5. An information window is displayed when the copy has completed. Click OK to close the information window.
If you selected "HMC or AIX Client," the diskette contains only one file, SM.pubkr, in TAR format. If you selected "PC Client," the diskette contains only one file, SM.pubkr, in DOS format. Do not copy this file to a network-accessible place, such as an FTP server: if a malicious user steals the file, the security mechanism provided by the HMC does not block access from that rogue user.

To install the private key ring file for this server:
1. Expand the System Manager Security folder, and then select the Server Security application in the Navigation area.
2. Select the Install the private key ring file for this server task. The Install Private Key Ring File window opens.
   o If you have just generated the pair of private key ring files on your HMC, select the Directory option and then click OK.
   o If the private key ring file is stored in a TAR archive on the HMC, select the TAR file option. Click OK and specify the file name and location.
   o If you have the backup diskette media that stores the server private key ring files, select the TAR diskette option and click OK. (You can back up the server private key file using the "Copy Servers' Private Key Ring Files to diskette" task provided in the Certificate Authority application.)
3. A window opens that prompts you for the password that was used when creating the private key on the HMC. Enter the password and click OK.
4. The information window is displayed once the task has completed. Click OK to close it.

Install the Web-based System Manager client on the remote workstation first; the security image can then be installed.
1. From the remote client, open a browser to the following URL: http://<HMC_fully_qualified_hostname>/remote_client.html.
2. Enter a valid user ID and password.
3. Follow the steps to install the client using either the Install Shield or Java Web Start method.
4. To install the SSL security package for Web-based System Manager, open a browser to the following URL: http://<HMC_fully_qualified_hostname>/remote_client_security.html.
5. Follow the instructions, using either the Install Shield or Java Web Start method.
Afterward, distribute the Certificate Authority's public key to your Windows, Linux, or AIX remote clients. Use command-line or standalone tools to copy the Certificate Authority's public key from removable media to the code base directory of the remote client. The Certificate Authority's public key file must be copied in binary format. The code base directory locations are:
   On a Windows client: Program files\websm\codebase
   On an AIX client: /usr/websm/codebase
   On a Linux client: /opt/websm/codebase

To configure this system as a Secure System Manager Server:
1. Expand the System Manager Security folder, then select the Server Security application in the Navigation window.
2. Select the Configure this system as a Secure System Manager Server task.
3. The Configure System Manager Security wizard opens. Click Next.
4. The wizard prompts you to select one of the following options:
   o Always use a secure connection. Select this option if you wish to disallow non-SSL connections from remote Web-based System Manager clients to the HMC.
   o Allow the user to choose secure or unsecured connections. This leaves it to the remote user to decide how to connect to the HMC, which might not be something the systems administrator is willing to allow.
5. Select the appropriate security option from those just described and click Next.
6. An information window is displayed. Click OK to close it.
If you have an HMC that is not in a secure area, such as a data center, you might consider giving it a power-on password. This prevents someone from inserting a bootable diskette or CD and pressing the power button to reboot into standalone mode. The power-on password would need to be entered before the HMC could finish the Initial Program Load (IPL). It would also be required if an attempt was made during IPL to press F1 and launch the setup menu. There is some risk associated with this: if a password is set and forgotten, it requires a service call to replace the HMC planar or battery, and this can result in a system outage. Therefore, it is imperative that any power-on or administrator password be stored in a secure and readily accessible location.
To configure a power-on password:
1. Boot the server.
2. When prompted with the option, press F to enter the configuration utility. (The utility name might vary depending on the HMC model and BIOS level.)
3. Look for either a System Security or Passwords submenu.
4. Follow the prompts to create and save a power-on password.
Long-term management
This section covers some maintenance guidelines to help you keep your system secure.
On remotehost.company.com, the syslogd daemon must be running and set up to receive messages over the network. On most Linux systems this is done by adding the -r option to SYSLOGD_OPTIONS in the /etc/sysconfig/syslog file. On AIX, edit the /etc/syslog.conf file and uncomment the appropriate lines at the bottom of the file, such as:
*.debug /tmp/syslog.out rotate size 100k files 4
*.crit /dev/console
Summary
IBM has designed the HMC to be a special-purpose server. The code that runs the HMC eliminates many services you would expect to find in an open operating system, such as telnet access, sendmail, and so forth. The HMC uses a restricted shell to limit access to those commands its developers designed to support the functions required of the HMC. You must install and manage a new HMC correctly to make sure prudent safeguards are in place. This includes changing passwords and maintaining them over time, and being sensitive to network connectivity. The HMC has several mechanisms to help control remote access, including requiring SSL encryption for all remote access. It is possible, but usually not desirable, to manage an HMC from the console only. For full DLPAR and Service Focal Point function, only one port needs to be open between the HMC and the LPARs it manages: port 657. The HMC can be configured to notify IBM Service over a secure Internet connection when a hardware error has occurred or a problem appears imminent. Maintaining the HMC, including monitoring for security updates and other corrective service, is a customer responsibility that is made easier by several tools IBM has made available.
HMC Upgrade
The following are the step-by-step instructions to upgrade the HMC: