CMM management options

You configure only the active CMM. If a standby CMM is installed, it receives the configuration and status information automatically from the active CMM.

When the Flex System Enterprise Chassis is started for the first time, the CMM automatically configures its remote management port, enabling you to establish a management connection. See Configuring the CMM for remote access for information.

The following illustration shows the CMM Management menu, which contains configuration options for the chassis and components in the chassis.


[Illustration of the Chassis Management menu]
Note:
  • Each CMM is configured with the same static IP address. You must create a unique static IP address for each CMM. If DHCP is not used, only one CMM at a time can be added onto the network for discovery. Adding more than one CMM to the network without a unique IP address assignment for each results in IP address conflicts.
  • The Flex System Manager management software uses the CMM default user ID and password to access Power Systems compute nodes in a chassis. Before you update the firmware for one or more Power Systems compute nodes with the management software, make sure that the password for the CMM default user ID account will not expire before the update is complete. If the password expires during a code update, the Power Systems compute nodes might not reconnect to the management software, and each Power Systems compute node might have to be updated with the new password. See the User Accounts page (click Mgt Module Management > User Accounts) in the CMM web interface, or the users command, for information about how to check a password expiration date and change the password, if necessary.

If the CMM that is being installed is a replacement for the only CMM in the Flex System Enterprise Chassis and you saved the configuration file before you replaced the CMM, you can apply the saved configuration file to the replacement CMM. A saved configuration is applied from the Mgt Module Management page. Click Configuration from the Mgt Module Management menu.

You can purchase activation keys to activate the Features on Demand features for your CMM and I/O modules, if your I/O modules support these features. Click License Key Management from the Mgt Module Management menu. For more information about Features on Demand, see the Lenovo Features on Demand website.

You can configure the CMM by using the CMM Initial Setup wizard. The setup wizard starts automatically when you access the web interface of a new CMM for the first time. It also starts automatically the first time that you access the web interface of a CMM that has been reset to its default settings. To access the setup wizard, click Mgt Module Management, click Configuration, and then click Initial Setup Wizard.

Note: You can also configure the CMM by using the optional Flex System Manager management software (see Flex System Manager management node).
Attention: Installing the wrong firmware update might cause the CMM to malfunction. Before you install a firmware update, read any readme and change history files that are provided with the downloaded update. These files contain important information about the update and the procedure for installing the update, including any special procedure for updating from an early firmware version to the latest version.
The following table describes the options that are available from the Mgt Module Management menu.

The Mgt Module Management menu table is a multi-row, three-column table that contains descriptions of all the web interface options that are accessible from the Mgt Module Management page. Column one contains the navigation bar option. Column two contains the menu items that are available from the navigation bar option. Column three contains the options and their descriptions that are available under the menu items.

Navigation bar option Selection Description
Mgt Module Management   You can access CMM management options from the Mgt Module Management menu.
User Accounts The User Accounts page enables the user to define login accounts to access the CMM through the web interface.
Note: CMM user accounts are also used to log in to the service processor interfaces of compute nodes.
The following information and options are available from the User Accounts page:
  • Accounts - Contains a table of defined users with information related to each user account, and some options for managing user accounts. The following options and account information are included:
    • User Name - Click the user name to open User Properties, which enables the user to change or configure existing user information. The following pages are available:
      • General - Change the password for the selected user account or update the simultaneous active session count.
      • Permission Group - Change the permission group that is associated with the selected user name.
      • SNMPv3 - Configure SNMPv3 information including context name, authentication protocol, privacy protocol, request access type, and trap destination IP address or host name.
      • SSH Client Public Key - Import and manage up to four SSH keys used for SSH public key authentication. This option allows secure CLI access, using SSH without the need for a user-supplied password.
      • Node Account Management - Configures central management of compute node user accounts by the CMM.
    • Permission Group - Associated permission group of the user account.
    • Number of active sessions - Number of active sessions for the user account.
    • Last Login - Last time and date the user account was authenticated.
    • Dormant - Indicates whether the user account is dormant, according to the current user account security policy of the chassis. An X is present while the account is dormant and disappears when it is no longer dormant. To recover an account from a dormant state, the user must log in to the dormant account. No changes can be made to the user account settings while the account is in a dormant state.
    • Days to Expiration - When password expiration is enabled, this value indicates the number of days that the user account will remain active.
    • State - Indicates the current state of the selected user account: active, disabled, or locked. User accounts are generally in an active state. An account becomes disabled if it has not been used for the period of time that is defined by the user account security policy, or if the account is manually disabled. A disabled account remains disabled until it is manually enabled. An account is locked when too many consecutive, unsuccessful login attempts are made to access the account. The account remains locked for the period of time determined by the user account security policy, after which it is unlocked automatically. The account can also be manually unlocked.
  • The following options are available to configure a new user on the Accounts page:
    • Create User - Define a new user, password and authorization profile. This is a multiple step option that enables the creation of a user name and password, and limits the maximum number of simultaneous login sessions for the user. You can associate the user name with one of the following authorization permission groups:
      • Supervisor - Enables read-write permission for all operations on all components in the chassis.
      • Operator - Enables read-only permission for all configuration and status information on all components in the chassis.
      • Custom - Enables a user-defined policy that can be set to allow read-only or read-write permission for selected components in the chassis. The custom permission groups are defined on the Permission Groups page.
    • Global Login Settings - Enables the user to apply some login settings to all users.
      • General - Contains overall login settings that are typically used on the chassis.
        • User Authentication Method - Policy that sets how the user is authenticated, through internal management module authentication, external LDAP server, or both.
        • Web inactivity session timeout - Specify the time that a web session will remain open while inactive. You can set it for all users or indicate that the value will be user-specified during login.
        • CLI inactivity session timeout - Specify the time in seconds that the CLI will remain connected during periods of inactivity.
        • Number of simultaneous active sessions for LDAP users - Numerical value of the simultaneous active sessions that the CMM will allow for each user who logs in using the LDAP authentication method. The minimum value is 1, and the maximum value is 20. A value of 0 means there is no limit of simultaneous active sessions for LDAP users.
        • Authentication event logging - Limits the number of login events for a user account for a specified period of time. This is to prevent excessive logging of authentication events.
        • Ignore client IP address when tracking user authentication events - Specifies that a second login event by the same user, but from a different client, is suppressed when tracking user login events. When the chassis is managed with the optional Flex System Manager management node, this setting is ignored and login events from the same IP address are always suppressed.
      • Account Security Level - Security setting that applies to all user accounts that are defined on the CMM. The Legacy and High settings specify fixed values that manage the user accounts, with higher security requirements for the High setting. The Custom security setting allows the user to customize a policy for the user accounts.
      • Currently Logged In Users - List of the currently logged-in users, including user name, source IP address, and access protocol.
      • Delete - Removes the selected user account.
  • Permission Groups - Enables user-defined custom permission groups, which are used for defining the authorization policy for user actions. The default supervisor group provides read-write access and the operator group provides read-only access for all components in the chassis. A custom permission group allows the user to define an authorization policy by specifying the read-write and read-only authority for select components in the chassis. The custom permission groups are generally defined before a user account is created, so that the custom permission group is available to be assigned to the new user account. You can assign a custom permission group to an existing user account by clicking the user name link in the table.
    • Create Group - Multiple-step option that enables the user to define a new custom permission group. The following options are available:
      • Group Name - Descriptive text that identifies the custom permission group.
      • Authority - Roles that the permission group will allow. For example, to allow a user to have read-only authority for IO modules and read-write authority for all compute nodes, the I/O module operator and all four Compute node xxx settings must be checked.
      • Access Scope - Restrict the defined authorities to a subset of components. For example, you can limit the I/O module operator authority to only slots 1 and 2 by selecting I/O Module 1 and I/O Module 2.
    • Delete - Removes the selected custom permission group. The default supervisor and operator groups cannot be removed.
  • Group Profiles - Enables the configuration of local (in-chassis) authorization specifications for groups of users. Each group profile includes authorizations expressed as Authority Level (Roles) and Access Scope, similar to the user account permission groups. These group profiles are used with Active Directory LDAP servers; they are not used when the LDAP client is configured for both authentication and authorization. To use these group profiles for authorization and LDAP for authentication only, you must configure the LDAP Method option in the LDAP Client section accordingly.
    • Add a Group - Multiple step option that enables the user to define a new group. The following options are available:
      • Group Name - Descriptive text that identifies the group.
      • Role - Specifies the authorizations that are granted for the group. The following authorizations are available:
        • Supervisor - Read-write permission for all operations on all components in the chassis.
        • Operator - Read-only permission to view all configuration and status information on all components in the chassis. No configuration fields may be altered.
        • Custom - User-defined policy that can be set to allow read-only or read-write permission for selected components in the chassis.
      • Authority - For a custom role, the user can select one or more operations that the group profile will allow or deny. For example, to allow a user to have only read-only authority for IO modules but full read-write authority for compute nodes, the I/O module operator and all four Compute node xxx settings must be selected.
      • Access Scope - For a custom role, you can restrict the defined authorities to a subset of components by selecting only those components. For example, you can limit the I/O module operator authority to slots 1 and 2 by selecting I/O Module 1 and I/O Module 2.
    • Delete - Removes the selected group from the configuration.
Mgt Module Management Firmware The Firmware page has a table that contains information about the level of firmware on each CMM and an option to update the firmware. If there is a standby CMM, the location of the primary CMM is visible. When there is a standby CMM, the primary CMM receives the new level of firmware first. After the primary CMM has been updated, the firmware is then applied to the standby CMM from the primary CMM. For additional information about updating firmware for Flex System, see Flex System Firmware Update Guides (an ID might be required to access this content).
Attention:
  • Installing the wrong firmware update might cause the CMM to malfunction.
  • Before you update the firmware for Power Systems compute nodes using the optional Flex System Manager management software, make sure that the passwords for the Power Systems compute node accounts on the CMM will not expire before the update is complete. If the passwords expire during a code update, the compute nodes might not reconnect to the management software, and each Power Systems compute node might have to be updated with a new password.
  • After you update the CMM firmware, the old version of the firmware will be the firmware backup after the CMM has been restarted.
  • After updating the firmware, to ensure proper rendering of the web pages, it is recommended that you clear all browser-cached data.
Security The Security page contains options for setting the overall chassis security policy, including passwords, secure communication and certificate management. The following option tabs are available:
  • Security Policies -
    Note: The CMM HTTP and HTTPS ports are open at all times. Port behavior is determined by the CMM HTTPS port setting, which can be affected by the CMM chassis security policy setting:
    • When the CMM HTTPS port is enabled, the HTTP port (port 80) remains open and redirects to the HTTPS port (port 443). When the chassis security policy is set to secure, the CMM HTTPS port is automatically enabled and its setting cannot be changed.
    • When the CMM HTTPS port is disabled, the HTTPS port (port 443) remains open and redirects to the HTTP port (port 80).

    Set the overall chassis security policy on the Security Policies tab. Use the vertical slider to adjust the security policy level to one of the following:

    • Legacy - Provides the least amount of security but the greatest level of flexibility for managing platform security. Some attributes of the policy are as follows:
      • Weak password policies are permitted.
      • Well-known passwords for network login are not required to be changed.
      • Unencrypted communication protocols may be enabled.
    • Secure - The default and most secure setting; this policy provides a moderate level of user control over the chassis. Some attributes of the policy are as follows:
      • Password policies are automatically checked and required to be strong.
      • Well-known passwords for network login are automatically required to be changed after initial setup.
      • Only secure communication protocols may be enabled.
      • Certificates for establishing secure and trusted connections to applications running on management processors are automatically generated and managed by the system.
      When you use the Secure chassis policy, this tab also provides feedback and detailed information about any problems encountered in enforcing the Secure policy. For example, the user might have unsecure Telnet enabled for CLI access when the user tries to set the chassis policy to Secure. In addition, if any of the components installed in the chassis are in violation of the overall chassis security policy, this tab provides details about the violations with suggested actions to remedy the problem.

  • Cryptography - Displays the cryptography compatibility mode and settings for the CMM. The Cryptography tab provides the following options:
    • NIST mode settings
      • Compatibility - Default NIST mode setting with a Public/Private key length minimum of 1024 bits.
      • NIST SP 800-131A - Public/Private key length minimum is 2048 bits. Hashes used for digital signatures are restricted to SHA-256 or stronger, and the only symmetric encryption algorithms used are NIST-approved algorithms with 128-bit or longer key lengths.
    • TLS/SSL Settings
      • Legacy - Default TLS/SSL setting that can negotiate anything from SSL v3.0 through TLS v1.2. SSL 3.0, TLS 1.0, and TLS 1.1 are deprecated and have known weaknesses, so keep this setting only while a management client that cannot speak TLS 1.2 still needs access.
      • TLS 1.2 Server Only - Restricts the CMM's own server applications (for example, the HTTPS server) to TLS v1.2 ciphers; the CMM's client-side connections (for example, the LDAP client) are not restricted.
      • TLS 1.2 Server and Client - Restricts both client and server applications to TLS v1.2 ciphers.
    Note: The default cryptographic setting for NIST mode settings is Compatibility. The default for TLS/SSL Settings is Legacy. In order to achieve NIST Strict Compliance, the NIST mode setting must be set to NIST SP 800-131A and TLS/SSL setting must be set to TLS 1.2 Server and Client.
  • Certificate Authority - The CMM acts as the certificate authority for all locally signed certificates that are generated. The Certificate Authority tab provides the following options:
    • Set the cipher strength value
    • Generate a new certificate authority root certificate
    • Download a certificate in PEM or DER formats.
  • HTTPS Server - Enable secure web support and manage associated certificates from this tab. The following options are available:
    • Generate a new key and a certificate signing request (CSR)
    • Manage a signed certificate
  • LDAP Client - Enable secure LDAP support and manage associated certificates from this tab. The following options are available:
    • Generate a new key and a certificate signing request (CSR)
    • Manage a signed certificate
    • Manage a trusted certificate
  • SSH Server - Enable the SSH server for the secure CLI user interface, and generate private host keys from this tab.
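After changing the TLS/SSL setting on the Cryptography tab, verify from the network that the CMM really stopped negotiating the old versions. The following script is an added example written for this page; it is not Lenovo's code and not part of the CMM firmware. It pins a client handshake to one protocol version at a time against the HTTPS port and maps the result to the CMM setting that closes each gap. The host name cmm.example.net is an assumption; SSLv3 (and on some builds TLS 1.0/1.1) can only be probed when the local OpenSSL build still offers them, which the script reports rather than guesses.

```python
import socket
import ssl
import sys

# Protocol versions the CMM "Legacy" TLS/SSL setting may negotiate (SSL 3.0 through TLS 1.2),
# paired with whether the local OpenSSL build can still offer that version at all.
VERSIONS = {
    "SSLv3": (ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    "TLSv1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}


def probe_version(host, port, name, timeout=5.0):
    """Handshake with the client pinned to exactly one protocol version.

    Returns True if the server accepts it, False if the server refuses (or the
    connection fails), None if the local OpenSSL cannot offer that version."""
    version, supported_locally = VERSIONS[name]
    if not supported_locally:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # auditing version support, not certificate trust
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # also offer legacy suites (ignored where unsupported)
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def audit_tls(host, port=443):
    """Probe every version in VERSIONS; the result maps version name -> True/False/None."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def findings(accepted):
    """Translate probe results into the CMM Cryptography setting that fixes each gap."""
    out = []
    legacy = [n for n in ("SSLv3", "TLSv1.0", "TLSv1.1") if accepted.get(n)]
    if legacy:
        out.append("accepts " + ", ".join(legacy) + "; set TLS/SSL Settings to "
                   "'TLS 1.2 Server and Client' (or at least 'TLS 1.2 Server Only')")
    if accepted.get("TLSv1.2") is False:
        out.append("refuses TLSv1.2; confirm the HTTPS server is enabled on the Security page "
                   "before restricting the TLS/SSL setting")
    unprobed = [n for n, r in accepted.items() if r is None]
    if unprobed:
        out.append("not probed: " + ", ".join(unprobed) + " (local OpenSSL cannot offer them)")
    return out


if __name__ == "__main__":
    cmm = sys.argv[1] if len(sys.argv) > 1 else "cmm.example.net"   # assumed CMM host name
    results = audit_tls(cmm)
    for name, ok in results.items():
        state = "accepted" if ok else ("refused" if ok is False else "not probed")
        print(f"{name:8s} {state}")
    for item in findings(results):
        print("finding:", item)
```

A clean result after selecting TLS 1.2 Server and Client is TLSv1.2 accepted and every older version refused. Because the probe disables certificate verification, it says nothing about the key length or signature hash that the NIST SP 800-131A mode enforces; check those separately on the certificate the HTTPS Server tab presents.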
Mgt Module Management Network

The Network page contains settings to configure how the CMM communicates through the Ethernet, using different network protocols. The following tabs are available from the Network page:

  • Ethernet - Contains options to configure a wide range of network information related to the management module network interface. Changes to some IP configuration fields are not activated until Activate IP Changes is clicked. This button appears when updates are made that are different from the current values for the eth0 interface. The following information is included in this section:
    • Host name and domain name
    • IPv4 - Contains addressing information and IP address assignment preference (DHCP, Static, or DHCP then Static).
    • IPv6 - Contains addressing information, including static, stateless address configuration and DHCPv6 stateful.
    • Advanced Ethernet - Contains the following Ethernet properties and options:
      • Duplex setting, MTU, and data rate
      • MAC address specification
      • Failover policy settings for physical and logical link loss
      • Logical link check addresses and policy
  • SNMP - Options for configuring the SNMP user interface support. The following options are available:
    • Enable SNMPv1 agent - Enables definition of three SNMPv1 community names. The Community tab is visible after the option is selected. Create communities by entering a community name, access type, and up to three SNMP manager addresses, which can be a host name or an IPv4 or IPv6 address. The host name and addresses are also used as the destination for SNMP traps. A value of 0.0.0.0 or 0::0 can be specified to indicate ANY manager; however, those two special addresses cannot be used as trap destinations. SNMPv1 sends the community name in cleartext and it is the only credential, so treat it as a password, avoid well-known names such as public, and do not combine the ANY-manager address with write access.
    • Enable SNMPv3 agent - This option is enabled on the SNMP tab; however, SNMPv3 is user-based and is configured on the User Accounts page. After a user is defined, click the name link and complete the configuration on the SNMPv3 tab.
    • Contact - Define a contact and specify system location information.
    • Traps - Enable the sending of SNMP traps.
  • DNS - Enable DNS to include additional DNS server addresses in the search order for host-name-to-IP-address resolution. DNS lookup is always enabled, and other DNS addresses may be automatically assigned by the DHCP server when DHCP is in use. Additional DNS servers are added to the top of the search list, so the host name search is done on these servers before it happens on a DNS server that is automatically assigned by a DHCP server.
  • SMTP - Configure an SMTP server and domain name. This protocol is used to forward service data and events to an email recipient.
  • LDAP Client - The CMM contains an LDAP client that can be configured to provide user authentication through one or more LDAP servers. The LDAP servers that are used for authentication can be discovered dynamically through DNS or specified manually. The CMM supports three remote authentication models, which use the LDAP servers to authenticate users. You can select the option to be used from the list. The following models are supported:
    • Active Directory Authentication Only - Applies to an Active Directory (AD) environment only. Only the AD servers are used to authenticate users. No authorization information is stored on the AD server for any user. This means that the CMM must be configured with user authorization information.
    • Active Directory Role Based Authentication and Authorization - Applies to an AD environment only. This option relies on configuration stored on the AD server to associate permissions with users, and uses the AD servers both to authenticate and to authorize users. Enable this option by completing the following from the LDAP Client tab:
      • Select the Use LDAP Servers for Authentication and Authorization option.
      • Select the Use Pre-configured servers or Use DNS to find LDAP Servers option.
      • Check the Enable enhanced role-based security checkbox.
    • Legacy Authentication and Authorization - Supports AD, Novell eDirectory, and OpenLDAP environments. This option relies on configuration stored on the LDAP server to associate permissions with users, and uses the LDAP servers both to authenticate and to authorize users. To enable this option, complete the following steps:
      1. Select Use LDAP Servers for Authentication and Authorization.
      2. Clear the Enable enhanced role-based security check box to disable the option.
  • TCP Command Mode - Enables the TCP command mode protocol, which lets an external application such as the Flex System Manager software manage the CMM. The configuration enables non-secure and secure modes of operation and allows the user to specify a maximum number of connections and an inactivity timeout value.
  • SLP - Enables the Service Location Protocol (SLP), which the CMM uses to discover other CMMs in the network. This must be enabled to use the Multi-Chassis Monitor page.
  • FTP, TFTP, and SFTP - Enables one or more of the three file transfer protocols supported by the CMM. FTP and TFTP carry credentials and data in cleartext and are the least secure options; SFTP provides secure file transfer.
  • Telnet - Enables the Telnet protocol, which is the least secure transport used for the CMM command line interface (CLI). To enable secure CLI transport over SSH, configure the SSH server on the Security page in Mgt Module Management.
  • Web Access (HTTP / HTTPS) - Enables web access to the management module. To support secure (HTTPS) web access, the HTTPS server must be enabled on the Security page in Mgt Module Management.
  • Port Assignments - Contains all open TCP and UDP protocol ports. This option allows you to assign non-standard port numbers with various protocols on the CMM.
  • CIM - Enable CIM (Common Information Model) protocol support on the CMM.
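The SNMP tab above lets you define SNMPv1 communities. The security-relevant point is that in SNMPv1 the community name is the only credential and it travels in cleartext, so a community such as public combined with the ANY-manager address gives every host on the management network the same access. The following script is an added example written for this page (not Lenovo's code, standard library only): it encodes an SNMPv1 GetRequest for sysDescr.0 by hand so that the community string can be seen sitting unencrypted in the datagram, and shows how trivially a passive observer recovers it. The CMM address passed to send_get is an assumption and that function needs network reach; everything else runs offline.

```python
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 from the standard SNMPv2-MIB


def _tlv(tag, content):
    """BER type-length-value using the short-form length (content under 128 bytes)."""
    if len(content) > 127:
        raise ValueError("content too long for a short-form length")
    return bytes([tag, len(content)]) + content


def _int(value):
    """BER INTEGER for a non-negative value, with a leading 0x00 whenever the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, body)


def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmpv1_get(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community OCTET STRING, [0] PDU }.

    The PDU is SEQUENCE { request-id, error-status 0, error-index 0, varbind list }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # OID with NULL value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def community_of(packet):
    """What a passive observer recovers: skip the outer SEQUENCE and the version INTEGER,
    then read the community OCTET STRING straight out of the datagram."""
    if packet[0] != 0x30 or packet[2] != 0x02:
        raise ValueError("not a short-form SNMPv1 message")
    pos = 4 + packet[3]                   # past outer tag/length and the version INTEGER
    if packet[pos] != 0x04:
        raise ValueError("community OCTET STRING not found")
    length = packet[pos + 1]
    return packet[pos + 2:pos + 2 + length].decode("ascii")


def send_get(host, community, oid=SYS_DESCR_0, timeout=2.0):
    """Send the request to UDP/161 and return the raw response, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(snmpv1_get(community, oid), (host, 161))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    request = snmpv1_get("public")
    print(request.hex())                   # the bytes "public" are plainly visible
    print("observer sees community:", community_of(request))
    # send_get("192.0.2.10", "public")    # assumed CMM address; uncomment on a lab network
```

Every SNMPv1 request and response the CMM exchanges with a manager looks like this on the wire, which is why the page steers you to SNMPv3 (configured per user on the User Accounts page) where authentication and privacy protocols protect the exchange.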
Configuration The Configuration page provides a means of backing up the management module configuration settings to a file and of restoring these settings from a file. For example, to configure a set of chassis, configure a single chassis, save that configuration to a file, and then transfer the file to the other chassis and restore it there. Optional encryption of sensitive configuration data can also be specified. Select the "Use legacy backup file" option only for backup files that were created with an IBM CMM build older than 2PET12K.

Some restore operations may cause a temporary loss of web connectivity. Under these circumstances, the final confirmation popup and restore log may not be available. If web connectivity is lost, clear the browser cache (Ctrl+F5) and restart your session. For example, SSL certificates are dependent upon IPv6 addressing. If you change the IPv6 configuration, the certificate becomes obsolete and a new one has to be generated. As a result, the user loses browser connectivity.

This page is also the launching point for the initial setup wizard, which provides a guided sequence of steps to configure many common functions on a newly deployed chassis, including:
  • Checking initial hardware status and inventory
  • Importing an existing configuration file
  • General identification settings, such as chassis and management module labels and location information
  • Date and time setup
  • Management module IP configuration
  • User ID and password updates
  • IO module characteristics
  • Chassis security policy level
  • Domain name services
  • Event recipient configuration - The allowed characters for the recipient portion of the email address are !#$%&'*+-/=?^_`{}|~ but quoted string forms are not allowed. For example, !#$%&'*+-/=?^_`{}|~@example.org is supported.

Mgt Module Management Properties The Properties section contains options to configure the primary and standby CMM. The following tabs are available:
  • General - Enter a unique CMM name and set the serial port attributes.
  • Date and Time - Set the time manually or with an NTP server. For manual operation, the date and time value is explicitly set and maintained by the system management software. For the NTP server mode, the user specifies the NTP server IP address, update frequency, and whether authentication is required. In either mode, the time zone can also be configured. This setting displays international time zones ordered by major region/minor region; some have comments to assist in making the selection.
    Note: If you choose to set the date and time from an NTP server, the CMM NTP v3 Authentication key index and NTP v3 Authentication key must match the key ID and password values set on the NTP server. For example, if you are using an external Linux-based NTP server with a key ID of 1234 and a password of my_password, you would typically add 1234 M my_password to /etc/ntp.keys. In addition, you should also add trustedkey 1234 to /etc/ntp.conf and make sure that ntp.conf references the key file with a keys /etc/ntp.keys line. Keep /etc/ntp.keys readable only by the NTP daemon's user (for example, mode 0600), because anyone who can read it can forge authenticated time responses to the CMM. If you are using the Flex System Manager management node as the NTP server, make sure that you use the key ID and password that you specified for the Flex System Manager management node. See the documentation for your NTP server for information about setting a key ID and password.
  • Advanced Failover - When a standby CMM is installed, the Advanced Failover tab enables the user to configure the behavior and network properties of the standby CMM. The following options are available:
    • Use Advanced Failover - Enable or disable the use of CMM failover.
    • IP Address Policy - When a failover situation occurs, the following options are available for the handling of IP addresses:
      • Do not swap Management Module IP addresses - In a failover situation, you must log in to the CMM using the IP address that you have specified for the standby CMM.
      • Swap Management Module IP addresses - In a failover situation, the IP address that you use for the CMM remains the same. The IP address of the failed CMM is transferred to the standby CMM, and back from the standby to the primary CMM.
    • Host Name - Host name defined for the standby CMM interface.
    • Domain Name - Domain name defined for the standby CMM interface.
    • IPv4 Config - IPv4 configuration for the standby CMM interface. If DHCP is enabled for the primary CMM interface, it will also be defined for the standby. If DHCP is disabled, the user can define the static IP address, mask, and gateway.
    • IPv6 Config - IPv6 configuration of the standby CMM. If IPv6 static address support is enabled on the primary CMM, the user can define the standby CMM IPv6 static IP address.
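The Date and Time note above shows the ntp.keys and ntp.conf lines for key ID 1234. The following script is an added example written for this page, not Lenovo's code and not the CMM's implementation; it shows what that shared key does on the wire. With an M (MD5) key, the sender appends a 4-byte key ID and MD5(key || packet) to the 48-byte NTP header, and the receiver looks up the key under that ID and recomputes the digest. A mismatched password or an unknown key ID therefore fails verification, which is exactly the symptom when the CMM's key index and key do not match the server. The ntp.keys content is constructed inline to mirror the documentation's example.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01
HEADER_LEN = 48                  # LI/VN/Mode through transmit timestamp
MAC_LEN = 4 + 16                 # key ID + MD5 digest (the "M" key type)

# Constructed sample of /etc/ntp.keys, matching the documentation's "1234 M my_password".
SAMPLE_NTP_KEYS = """\
# key-id  type  key
1234      M     my_password
"""


def parse_ntp_keys(text):
    """Parse ntp.keys into {key_id: key_bytes}. Only the M/MD5 ASCII key type is handled here."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key_id, key_type, secret = line.split(None, 2)
        if key_type.upper() not in ("M", "MD5"):
            raise ValueError(f"key {key_id}: unsupported key type {key_type!r}")
        keys[int(key_id)] = secret.encode("ascii")
    return keys


def build_client_packet(transmit_ts=None):
    """48-byte NTP header for a client request: LI=0, VN=3, Mode=3, other fields zero."""
    if transmit_ts is None:
        secs = time.time() + NTP_EPOCH_OFFSET
        transmit_ts = (int(secs) << 32) | int((secs % 1) * (1 << 32))   # 32.32 fixed point
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def authenticate(packet, key_id, key):
    """Append the NTPv3 symmetric-key MAC: the key ID, then MD5 over key || packet."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message, keys):
    """Check a received message against the local key table.

    Returns (ok, key_id); key_id is None when the message carries no MAC at all."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False, None
    packet, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:                      # key ID absent from ntp.keys (or not trusted)
        return False, key_id
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, mac[4:]), key_id


if __name__ == "__main__":
    table = parse_ntp_keys(SAMPLE_NTP_KEYS)
    request = authenticate(build_client_packet(), 1234, table[1234])
    print("authenticated request:", len(request), "bytes")
    print("server with matching key:", verify(request, table))
    print("server with a different password:", verify(request, {1234: b"other"}))
```

The digest is compared with hmac.compare_digest so that a wrong MAC is rejected in constant time. The key itself never crosses the network, but every host that can read ntp.keys can mint valid MACs, which is why the file's permissions matter as much as the password.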
Mgt Module Management License Key Management The License Key Management page provides status information related to I/O module and chassis licensed features that are installed on chassis switches. The following option tabs are available:
  • IOM License Keys Management - Status information related to I/O module licensed features that are installed on chassis switches. Each key generally provides the following information:
    • Cert - Identifying number of a key in the table
    • Index - Identifying number of a particular key on an I/O module
    • Bay - Bay number of the I/O module
    • Valid Through - Expiration date of the key
    • Description - Text description of the key
    • License ID - Unique identifier for the key
    • Other Info - Other relevant text about the key
    • Status - Status of the key
  • Chassis License Keys Management - Status information related to chassis licensed features that are installed on the chassis. Each key generally provides the following information:
    • Index - Identifying number of a particular key on the chassis
    • Feature - Text name of the key
    • Feature Type - Numeric identifier of the key
    • Description - Text description of the key
    • System - Text description of the related system of the key
    • License ID - Unique identifier of the key
    • Validation - Validation scheme used by the key
    • Status - Status of the key
    • Constraint - List of any constraints imposed on a key. If there are none, a (-) minus sign is displayed in the cell.
Restart This option enables the user to restart the primary and standby CMM from the web interface. The following selections are available:
  • Normal Restart - This option does not change the current configuration, but all existing network connections are temporarily lost. If the local system is being restarted, you must open a new browser window and log in to the web interface again.
  • Restart and Switch to Standby Management Module - This option restarts the primary CMM, then switches over to the standby CMM. All existing network connections are temporarily lost. You must open a new browser and log in again to get back to the web interface.
  • Restart Standby Only - Restarts the standby CMM.
Reset to Defaults This option enables the user to set the CMM configuration to its defaults. This operation might cause network connections to the CMM to be lost. After the configuration has been initialized, the CMM is automatically reset to activate the default configuration. The user can optionally choose to keep the event log and not clear the log information.
Note: Resetting the CMM to the default settings can be used to disable centralized user management and return chassis management capability to the CMM.
Mgt Module Management File Management

The File Management page contains options to view and delete files in the CMM local storage file system and to monitor CMM space usage. The following options are available:

  • Click the directory name to view that directory level.
  • Go Up One Level - Returns to the previous directory.
  • Delete Selected - Removes files that have been selected. Supervisor or Chassis Administrator access is required to delete a file.
  • The total, used, and available space are shown at the top of page.
Note: Directories cannot be deleted.