Access state problems

Use this information to identify the cause of an access state that is problematic (any access state other than OK), and configure access for the managed resource to correct the access state.

Resolving problems with access states for managed resources

The Access column in the table view of the IBM® Flex System Manager management software web interface displays the access states for managed resources. The access state for a resource is a short description of the connection between the management software and the managed resources (endpoints such as chassis or components installed in chassis). The following table describes problematic access states and corrective procedures for configuring access to managed resources.

Unknown

The access state Unknown indicates that the management software cannot determine the access state for the managed resource (for example, the management software might not have attempted to connect to the endpoint).

  1. From the table view, select the box for the unknown resource.
  2. Click Actions > Security > Verify Connection.
  3. If the problem remains, contact your IBM representative.

Offline

The access state Offline indicates that all of the management software remote service access points (RSAPs) to the managed resource are not responding, so the management software has no connectivity.
Note: You might be able ping the managed resource from the management node (if you use telnet or SSH to it), but the management software requires a response through the protocols that it is using to manage the resource.
There are many possible reasons for this failure. Make sure that you investigate and, if necessary, address each of the following conditions that might be causing the failure:
  • there is no physical connectivity
  • firewall configuration for the network is preventing connectivity
  • the managed resource is powered off and must be powered on
  • the managed resource needs to be restarted
After the problem has been identified and resolved, reestablish a connection by either waiting for the next periodic operational status query (the default is 15 minutes) or complete the following steps:
  1. From the table view, select the box for the offline resource.
  2. Click Actions > Security > Verify Connection.
  3. If the problem remains, contact your IBM representative.

Not trusted

The access state Not trusted indicates that the management software has connectivity to the managed resource, but the certificate presented by one or more of the RSAPs is not trusted.

The following list describes scenarios where this access state is common, and the procedures required to establish trusted access:
  • You reset the CMM to factory defaults, replaced the only Chassis Management Module (CMM) in your chassis with a new one, replaced the CA certificate for a CMM or the CMM became untrusted after a CMM fail over. The CMM certificate is regenerated, and you must complete one of the following procedures, depending on whether your management software certificate policy is Explicit or Implicit. To determine the current policy see Changing the certificate policy.
    If the management software certificate policy is set to Explicit or the FSM version is prior to 1.3.2, you must manually copy the CA certificate from the CMM and save it to management software trust store. To add the certificate to the trust store and establish a connection to the CMM, complete the following steps:
    1. Manually add the certificate to the trust store. See Explicit certificate policy.
    2. From the table view, select the box for the CMM with the regenerated certificate; then, click Actions > Security > Verify Connection.
      Note: The chassis transitions to a trusted state quickly; however, the chassis components might take several minutes to be trusted.
    If the management software certificate policy is set to Implicit, complete the following steps:
    1. From the table view, select the box for the CMM that was reset.
    2. Click Actions > Security > View Certificates.
    3. Select the box for the new, untrusted certificate; then, click Accept. The chassis is now trusted (the compute nodes and network devices in the chassis are still not trusted).
    4. From the table view, select the box for the CMM with the regenerated certificate; then, click Actions > Security > Verify Connection.
      Note: The chassis transitions to a trusted state quickly; however, the chassis components might take several minutes to be trusted.
  • You change the certificate that is used by a managed resource to a certificate that is not signed by the CMM (for example, Verisign).
  • The management software certificate policy is set to Explicit and a new chassis is discovered by the management software. To add the new CMM certificate to the trust store and establish a connection to the CMM, complete the following steps:
    1. Manually add the certificate to the trust store. See Explicit certificate policy.
    2. From the table view, select the box for the new CMM.
    3. Click Actions > Security > View Certificates.
    4. Select the box for the new, untrusted certificate; then, click Accept. The chassis is now trusted (the compute nodes and network devices in the chassis are still not trusted).
    5. Revoke access for the new CMM; then, request access to the same CMM to establish trust for all of the managed endpoints in the chassis:
      1. Select the box for the CMM; then, click Actions > Security > Revoke Access.
      2. Make sure that the box for the CMM is selected; then, click Actions > Security > Request Access.
      Note: The chassis transitions to a trusted state quickly; however, the chassis components might take several minutes to be trusted.
  • The endpoint for the management node is Not trusted. If an IBM Flex System Manager management node is not managing the chassis in which it is installed, and the CMM in the chassis fails over, the access state of the management node endpoint might change to Not trusted. This is caused by a change to the IMM certificate on the management node.
    To add the changed certificate to the trust store, complete the following steps:
    1. From the table view, select the box for the management node endpoint.
    2. Click Actions > Security > View Certificates.
    3. Select the box for the untrusted certificate; then, click Accept. The management node is now trusted.
  • The endpoint for the management node is Not trusted. If an IBM Flex System Manager management node is not managing the chassis in which it is installed, and you update the firmware or install a management software fix pack for that management node, the management node endpoint will have the access state Not trusted after the management node restarts. When the integrated management module (IMM) firmware is updated on the management node, the management node will not have the CMM CA certificate that is required to validate the new IMM certificate.
    1. Manually add the CMM CA certificate to the trust store. See Explicit certificate policy.
    2. From the table view, select the box for the CMM with the regenerated certificate; then, click Actions > Security > Verify Connection.
      Note: The chassis changes to a trusted state quickly. However, the chassis components might take several minutes to be trusted.

No Access

The access state No access indicates that the management software has connectivity to the managed resource (and the managed resource might not be trusted). However, all of the RSAPs for the resource have no credentials, invalid credentials, or valid credentials with an expired password.
Notes:
  • If the managed resource is a compute node in the chassis, the problem might be solved at the chassis level or through direct action to the compute node endpoint. If access to the managed chassis endpoint is unlocked, but access to a compute node endpoint in that chassis is locked, then access problems must be resolved by selecting and configuring access for that compute node.
  • If the managed resource is a new compute node or storage node in a chassis that is in centralized user management mode, the problem might be node firmware that is not current. See Centralized user management problems for more information.
  1. Select the box for the resource with no access:
    • If the resource with no access is a chassis or compute node in a chassis with no access, select the box for the CMM.
    • If the resource is a compute node with no access in a chassis that does have access, select the box for the compute node.
    • If the resource with no access is another hardware component, and not a chassis or compute node, select the box for that resource.
  2. Click Actions > Security > Request Access.
    Note: If the password has expired it is indicated in the status, and you must change the password before you request access to the resource. Click Change Password to update the password.
  3. Click Request Access.

If a chassis that was previously managed in centralized user management mode has the access state No access, you might need to update the CMM LDAP configuration and import a new management node SSL certificate. This scenario is typical when the management node IP address is changed, but centralized user management mode for the chassis was not temporarily disabled.

If you change the IP address of the management node from the command-line interface or from the web interface, the LDAP SSL certificate is out-of-sync with the centrally-managed chassis, and you cannot access the CMM with IBM Flex System Manager credentials. To solve this problem, complete the following steps:

  1. Open a CMM command-line interface session, and log in with the RECOVERY_ID account.
    Note: The password for the RECOVERY_ID account was set when you selected the chassis for management on the Management Domain page.
    If this is the first time that you have used the RECOVERY_ID account to log in to the CMM, you must change the password.
  2. If you are prompted, type the new password for the RECOVERY_ID account.
  3. Run the following command to identify the IP address of the management node: ldapcfg -T mm[p]
    In the output that is generated, note the IP address beside the i1 parameter; this is the management node IP address in the CMM user registry configuration.
    Note: If the i1 parameter shows the old management node IP address, run the following command to update the CMM configuration with the new management node IP address: 
    ldapcfg -i1 <new_IP_address> -T mm[p]
    where <new_IP_address> is the new management node IP address.
  4. Run the following command to import the management node certificate: 
    sslcfg -tc1 import -u https://<IP_address>/FRMServerCert.der -T mm[p]
    where <IP_address> is the new management node IP address that you identified in the previous step.
  5. For each chassis that you want to access, from the Chassis Manager page in the management software web interface, select the chassis; then click Actions > Security > Request Access. The Request Access page opens.
  6. Click OK.

Partial Access

The access state Partial access indicates that the management software has connectivity to the managed resource. However, one or more (but not all) RSAPs have no credentials, invalid credentials, or valid credentials with an expired password.

Note: The following procedure will solve the partial access problem if the problem is caused by one or more of the RSAP credentials for the managed resource. However, there might be other reasons why the access is partial (for example, a firewall might be blocking one of the RSAPs).
  1. Select the box for the resource; then, click Actions > Security > Configure Access.
  2. Enter the valid credentials as needed.
  3. Click OK.

If you complete the preceding procedure and the partial access problem remains, investigate and address each of the following conditions as needed:

  • there is no physical connectivity
  • firewall configuration for the network is preventing connectivity
  • the managed resource is powered off and must be powered on
  • the managed resource needs to be restarted
Parent topic: Troubleshooting the management software