Access state problems
Use this information to identify the cause of an access state that is problematic (any access state other than OK), and configure access for the managed resource to correct the access state.
Resolving problems with access states for managed resources
The Access column in the table view of the IBM® Flex System Manager management software web interface displays the access states for managed resources. The access state for a resource is a short description of the connection between the management software and the managed resources (endpoints such as chassis or components installed in chassis). The following table describes problematic access states and corrective procedures for configuring access to managed resources.
Unknown
The access state Unknown indicates that the management software cannot determine the access state for the managed resource (for example, the management software might not have attempted to connect to the endpoint).
- From the table view, select the box for the unknown resource.
- Click .
- If the problem remains, contact your IBM representative.
Offline
- there is no physical connectivity
- firewall configuration for the network is preventing connectivity
- the managed resource is powered off and must be powered on
- the managed resource needs to be restarted
- From the table view, select the box for the offline resource.
- Click .
- If the problem remains, contact your IBM representative.
Not trusted
The access state Not trusted indicates that the management software has connectivity to the managed resource, but the certificate presented by one or more of the RSAPs is not trusted.
The following list describes scenarios where this access state is common, and the procedures required to establish trusted access:
- You reset the CMM to factory defaults, replaced the only Chassis Management Module (CMM) in your chassis with a new one, replaced the CA certificate for a CMM, or the CMM became untrusted after a CMM failover. The CMM certificate is regenerated, and you must complete one of the following procedures, depending on whether your management software certificate policy is Explicit or Implicit. To determine the current policy, see Changing the certificate policy.
If the management software certificate policy is set to Explicit or the FSM version is prior to 1.3.2, you must manually copy the CA certificate from the CMM and save it to the management software trust store. To add the certificate to the trust store and establish a connection to the CMM, complete the following steps:
- Manually add the certificate to the trust store. See Explicit certificate policy.
- From the table view, select the box for the CMM with the regenerated certificate; then, click .
Note: The chassis transitions to a trusted state quickly; however, the chassis components might take several minutes to be trusted.
- From the table view, select the box for the CMM that was reset.
- Click .
- Select the box for the new, untrusted certificate; then, click Accept. The chassis is now trusted (the compute nodes and network devices in the chassis are still not trusted).
- From the table view, select the box for the CMM with the regenerated certificate; then, click .
Note: The chassis transitions to a trusted state quickly; however, the chassis components might take several minutes to be trusted.
- You change the certificate that is used by a managed resource to a certificate that is not signed by the CMM (for example, Verisign).
- The management software certificate policy is set to Explicit and a new chassis is discovered by the management software. To add the new CMM certificate to the trust store and establish a connection to the CMM, complete the following steps:
- Manually add the certificate to the trust store. See Explicit certificate policy.
- From the table view, select the box for the new CMM.
- Click .
- Select the box for the new, untrusted certificate; then, click Accept. The chassis is now trusted (the compute nodes and network devices in the chassis are still not trusted).
- Revoke access for the new CMM; then, request access to the same CMM to establish trust for all of the managed endpoints in the chassis:
- Select the box for the CMM; then, click .
- Make sure that the box for the CMM is selected; then, click .
Note: The chassis transitions to a trusted state quickly; however, the chassis components might take several minutes to be trusted.
- The endpoint for the management node is Not trusted. If an IBM Flex System Manager management node is not managing the chassis in which it is installed, and the CMM in the chassis fails over, the access state of the management node endpoint might change to Not trusted. This is caused by a change to the IMM certificate on the management node. To add the changed certificate to the trust store, complete the following steps:
- From the table view, select the box for the management node endpoint.
- Click .
- Select the box for the untrusted certificate; then, click Accept. The management node is now trusted.
- The endpoint for the management node is Not trusted. If an IBM Flex System Manager management node is not managing the chassis in which it is installed, and you update the firmware or install a management software fix pack for that management node, the management node endpoint will have the access state Not trusted after the management node restarts. When the integrated management module (IMM) firmware is updated on the management node, the management node will not have the CMM CA certificate that is required to validate the new IMM certificate.
- Manually add the CMM CA certificate to the trust store. See Explicit certificate policy.
- From the table view, select the box for the CMM with the regenerated certificate; then, click .
Note: The chassis changes to a trusted state quickly. However, the chassis components might take several minutes to be trusted.
No Access
- If the managed resource is a compute node in the chassis, the problem might be solved at the chassis level or through direct action to the compute node endpoint. If access to the managed chassis endpoint is unlocked, but access to a compute node endpoint in that chassis is locked, then access problems must be resolved by selecting and configuring access for that compute node.
- If the managed resource is a new compute node or storage node in a chassis that is in centralized user management mode, the problem might be node firmware that is not current. See Centralized user management problems for more information.
- Select the box for the resource with no access:
- If the resource with no access is a chassis or compute node in a chassis with no access, select the box for the CMM.
- If the resource is a compute node with no access in a chassis that does have access, select the box for the compute node.
- If the resource with no access is another hardware component, and not a chassis or compute node, select the box for that resource.
- Click .
Note: If the password has expired, it is indicated in the status, and you must change the password before you request access to the resource. Click Change Password to update the password.
- Click Request Access.
If a chassis that was previously managed in centralized user management mode has the access state No access, you might need to update the CMM LDAP configuration and import a new management node SSL certificate. This scenario is typical when the management node IP address is changed, but centralized user management mode for the chassis was not temporarily disabled.
If you change the IP address of the management node from the command-line interface or from the web interface, the LDAP SSL certificate is out-of-sync with the centrally-managed chassis, and you cannot access the CMM with IBM Flex System Manager credentials. To solve this problem, complete the following steps:
- Open a CMM command-line interface session, and log in with the RECOVERY_ID account.
Note: The password for the RECOVERY_ID account was set when you selected the chassis for management on the Management Domain page. If this is the first time that you have used the RECOVERY_ID account to log in to the CMM, you must change the password.
- If you are prompted, type the new password for the RECOVERY_ID account.
- Run the following command to identify the IP address of the management node:
    ldapcfg -T mm[p]
In the output that is generated, note the IP address beside the i1 parameter; this is the management node IP address in the CMM user registry configuration.
Note: If the i1 parameter shows the old management node IP address, run the following command to update the CMM configuration with the new management node IP address:
    ldapcfg -i1 <new_IP_address> -T mm[p]
where <new_IP_address> is the new management node IP address.
- Run the following command to import the management node certificate:
    sslcfg -tc1 import -u https://<IP_address>/FRMServerCert.der -T mm[p]
where <IP_address> is the new management node IP address that you identified in the previous step.
- For each chassis that you want to access, from the Chassis Manager page in the management software web interface, select the chassis; then click . The Request Access page opens.
- Click OK.
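The procedures above ask an administrator to trust a certificate manually (accepting an untrusted certificate, or importing FRMServerCert.der). The following added example, which is not IBM code, shows one way to compare a certificate file's SHA-256 fingerprint with a value recorded out of band before trusting it. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the file content is DER or PEM."""
    text = data.lstrip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of the certificate, as lowercase hex."""
    return hashlib.sha256(to_der(data)).hexdigest()


def normalize(recorded: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; reject anything else."""
    hexstr = re.sub(r"[\s:]", "", recorded).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexstr):
        raise ValueError("not a SHA-256 fingerprint")
    return hexstr


def matches(data: bytes, recorded: str) -> bool:
    """True only if the file's fingerprint equals the recorded one."""
    return hmac.compare_digest(fingerprint(data), normalize(recorded))


# Constructed stand-in for a certificate file (not a real certificate):
# the fingerprint is a hash of the DER bytes, so any byte string will do.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

# Constructed "recorded" value in the colon-separated uppercase form that
# certificate viewers commonly display.
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
RECORDED = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print("DER matches:", matches(SAMPLE_DER, RECORDED))
    print("PEM matches:", matches(SAMPLE_PEM, RECORDED))
    print("altered file matches:", matches(SAMPLE_DER + b"x", RECORDED))
```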
Partial Access
The access state Partial access indicates that the management software has connectivity to the managed resource. However, one or more (but not all) RSAPs have no credentials, invalid credentials, or valid credentials with an expired password.
- Select the box for the resource; then, click .
- Enter the valid credentials as needed.
- Click OK.
If you complete the preceding procedure and the partial access problem remains, investigate and address each of the following conditions as needed:
- there is no physical connectivity
- firewall configuration for the network is preventing connectivity
- the managed resource is powered off and must be powered on
- the managed resource needs to be restarted