HMC network types:
HMC has 2 different networks:
- private network: for accessing/managing Power servers through the FSP
- open network: this network used for user logins, and each LPAR is doing DLPAR operations through this network
Private networks
The only devices on the HMC private network are the HMC itself and each of the managed systems to which that HMC is connected. The HMC is connected to each managed system's FSP (Flexible Service Processor). On most systems, the FSP provides two Ethernet ports labeled HMC1 and HMC2. This allows you to connect up to two HMCs.
This figure shows a redundant HMC environment with two managed systems. The "blue" HMC is connected to the first port on each FSP, and the "red" (redundant) HMC is connected to the second port. Each HMC is configured as a DHCP server, using a different range of IP addresses. The connections are on separate private networks. As such, it is important to ensure that no FSP port is connected to more than one HMC.
Each managed system's FSP port that is connected to an HMC requires a unique IP address. To ensure that each FSP has a unique IP address, use the HMC's built-in DHCP server capability. When the FSP detects the active network link, it issues a broadcast request to locate a DHCP server. When correctly configured, the HMC responds to that request by allocating one of a selected range of addresses.
--------------------------------------
Open networks
The open (public) network used for user logins and for DLPAR operations. Connecting to the Internet allows the HMC to "call home" when there are any hardware errors that need to be reported.
This figure shows two HMCs connected to a single managed server on the private network and to three logical partitions on the public network.
(If you decide to use a private network, use DHCP, and if you will use an open network to manage an FSP, you must set the FSP’s address manually through the Advanced System Management Interface menus, however a private, non-routable network is recommended.)
--------------------------------------
INSTALLING AND CONFIGURING A NEW HMC:
If this is a new installation, ensure that the managed system is not connected to a power source. If this is a second HMC that is connected to the same managed system, the managed system can be connected to a power source.
1. Turn on the HMC and wait for the HMC to automatically select the default language and locale preference after 30 seconds.
2. Accept the HMC license agreements and click "Log on and launch the Hardware Management Console web application."
3. Login with hscroot und default-pw abc123
4. Launch "Guided Setup Wizard"
5. Change date/time/timezone
6. Change default password for hscroot
7. Configure HMC networks
eth0 (private network):
network type = private network
Speed = default is "Autodetection" (if conn. to a switch, configure it manually: Change network sett. -> LAN Adapter)
Enable DHCP = specify a DHCP address range
(You can configure the HMC to be a DHCP server only on a private network)
eth1 (public network: hmc-admin interface)
network type = public network
speed = default is "Autodetection" (if conn. to a switch, configure it manually: Change network sett. -> LAN Adapter)
setup IP, netmask and gateway
8. Enable firewall-settings for eth1 (in the eth1 dialog-box)
check or allow the following Services and Ports:
ssh 22:tcp
secure remote web access 443:tcp,8443:tcp,9960:tcp
RMC 657:udp,657:tcp
9. Leave all other dialogs unchanged and finish changes made by the Wizard.
10. On the main view click on „HMC-Management“ and do the following:
Enable „Remote Command execution“
Enable „Remote Virtual Terminal“
Enable „Remote Operation“
11. Reboot the HMC (so configuration changes will be available)
12. Login with the new hscroot password
13. Plug network cables into the HMC and check if HMC is answering DHCP request by plugging the cable to your laptop.
--------------------------------------
vHMC on Windows
(In this procedure I will use Cygwin, which I don't really like, because it is not easy to uninstall, but I could not find other working method. If you try below steps please keep in mind the complexity of uninstallation of Cygwin.)
Since some years IBM offered the possibility to run HMC on a VM (as an LPAR or in VMware on x86 ...), it is called vHMC (virtual HMC). Earlier the only option was to buy a physical HMC device, where the HMC application was running. With vHMC we download an image and use it on a VM.
For tests at home Ben Swinney wrote a great document how to run vHMC on Mac computers (http://gibsonnet.net/blog/cgaix/resource/vHMC_running_on_Apple_hardware.pdf) and based on that I tested vHMC on Windows:
1. install VirtualBox
2. download vHMC image from IBM ESS (KVM image has been downloaded, it is a 4GB tar.gz file)
3. unzip (file size was still 4GB) and tried to untar, but untar is not easy on Windows:
The downloaded tar file (beside some other files) contains a disk image file (disk1.img). This disk image is 500GB, but to save disk space it is a special file, called: sparse file. (If a file contains a lots of consecutive "0"s, and if that file is a sparse file, the actual "0"s will not be written on the disk, some method will remember for that, so we can save a lots of disk space.) IBM requirement for a disk in a vHMC is 500GB, but the HMC application is max. 10-20GB, so the rest in that image are a lots of "0"s. (The process to untar and convert that file may need temporarily more space, at first conversion failed with 100GB free space on local drive, so I decided to use an external drive with 1TB free space, but at the end file size will be about 10GB.)
Windows 10 supports sparse files, but it is not easy to untar a file on Windows and keep it as a sparse file. I used Cygwin:
- install cygwin, and start a cygwin terminal
- mount download dir as sparse: mount -o sparse D:/tmp /mnt (my image was in D:\tmp, please note in mount command "/" character is used)
- untar with sparse: tar -Sxvf /mnt/vHMC_KVM_image.tar (ls shows 500GB, but if free space is checked on Win., it shows max 20GB is taken)
4. convert disk1.img to virtual box compatible vdi file: "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" convertdd "D:\tmp\disk1.img" "D:\tmp\disk1.vdi"
This conversion is done by VBoxManage.exe, which should be installed by default during VirtualBox installation. After the conversion we should have a normal vdi file (not sparse file) with about 10GB:
5. create a VM in Virtualbox. I used these specifics:
- type: Linux, version: Red Hat (64bit)
- Memory size: 4096MB
- using an existing virtual hard disk file (I copied disk1.vdi to VirtualBox VM directory)
After creation (before starting the VM) in Settings:
- in Display change Video Memory to 64MB
- in Audio disable audio
- in Networks enable Adapters (for me it was a test, I did not configure them for real usage):
Adapter 1: NAT with Port Forwarding (in Advanced section): Host IP: 127.0.1.1, Host and Guest port:22, IP I used: 192.168.0.9
Adapter 2: Bridged Adapter with default settings
Adapter 3: Bridged Adapter with default settings
6. Start VM and follow Guided Setup Wizard to configure your vHMC :)))))
Start up time will take longer, but after it should work normally. If network/IP configured correctly it can be accessed remotely:
HMC LDAP configuration
By default HMC is using local authentication, but it is possible to change it to LDAP. If LDAP authentication is configured, HMC users needs to be modified to use LDAP. It is also possible that some HMC users use LDAP and others use local authentication. (It is a user parameter (Auhtentication type) which decides how the user should login.)
Configuring LDAP
1. find out ldap server, port and protocol (ldap or ldaps)
We need to know the ldap server and ldap or ldaps protocol will be used, and which port can be used for LDAP requests:
Ports: 389 (LDAP) / 636 (LDAPS) <--request information from local domain controller (search in the home domain of the global catalog)
Ports: 3268 (LDAP) / 3269 (LDAPS) <--queries specifically targeted for the Global Catalog (search in the entire forest)
(In below example we will use server myldap.mydomain.org, with ldaps protocol on port 3269)
2.AD account for LDAP communication with Active Directory
An AD user and password is needed, that is used by HMC for LDAP communication. This user does not need to exist on the HMC. When someone wants to login to the HMC, it will connect to AD and performs searches in AD. (In below example we will use HMCAD1 user with password abcd1234.)
3. Change HMC authentication from local to LDAP
For this an HMC user account is needed (like hscroot) with hmcsuperadmin role:
$ chhmcldap -o s --primary 'ldaps://myldap.mydomain.org:3269' --basedn 'DC=mydomain,DC=org' --binddn 'CN=HMCAD1,OU=Functional,OU=Accounts,DC=mydomain,DC=org' --auth ldap --loginattribute 'sAMAccountName' --bindpw 'abcd1234' --scope sub --referrals 1 --automanage 0
4. Check config on HMC
$ lshmcldap -r config -v
primary=ldap://myldap.mydomain.org:3269,backup=,"basedn=DC=mydomain,DC=org",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=ibm-aixAdminPolicyEntry,"binddn=CN=HMCAD1,OU=Functional,OU=Accounts,DC=mydomain,DC=org",bindpwset=1,automanage=0,auth=ldap,searchfilter=,scope=sub,tlscacert=,hmcgroups=,authsearch=base
Details:
Get LDAP Config:
LdapSettings query primary[ldap://myldap.mydomain.org:3269]
LdapSettings query backup {}
LdapSettings query loginattribute[sAMAccountName]
LdapSettings query basedn[DC=mydomain,DC=org]
LdapSettings query timelimit[30]
LdapSettings query timelimit[30]
LdapSettings query referrals[1]
LdapSettings query bindtimelimit[30]
LdapSettings query tlscheckpeer {rc=1, stdOut=QueryTlsCheckPeer: tls_checkpeer not found!
, stdErr=}
LdapSettings query ssl[0]
LdapSettings query binddn[CN=HMCAD1,OU=Functional,OU=Accounts,DC=mydomain,DC=org ]
LdapSettings query bindpw [*************]
LdapSettings query searchfilter[]
LdapSettings query scope[sub]
LdapSettings query pam_authc_search {rc=1, stdOut=, stdErr=_QueryConfigAttr: pam_authc_search not found!
}
LdapSettings query tls_cacert[]
LdapSettings query authnameattribute[userPrincipalName]
LdapSettings query propsattribute[ibm-aixAdminPolicyEntry]
LdapSettings query hmcgroups[]
New user creation with LDAP:
$ mkhmcusr -i "name=gomaata3,taskrole=hmcsuperadmin,authentication_type=ldap,remote_webui_access=1,description=Super AIX Admin"
(Or use HMC GUI: Users and Roles --> Manage User Profiles and Access)
Modifying existing user from local authentication to LDAP:
$ chhmcusr -i "name=gomaata3,authentication_type=ldap"
(Or use HMC GUI: Users and Roles --> Manage User Profiles and Access)
--------------------------------------
Determining HMC adapter names:
If you set up a DHCP server, that server can operate only on eth0 and eth1.(You might need to determine which adapter to plug the ethernet cable into.)
To determine the name the HMC has assigned to an Ethernet adapter, do the following:
1. Open the restricted shell terminal. Select HMC Management -> Open Restricted Shell Terminal.
2. Type the following at the command line: tail -f /var/log/messages
3. Plug in your Ethernet cable. (If the cable was already plugged in, then unplug it, wait 5 seconds, and plug in the cable again.)
5. You will see a similar output on the console: Aug 28 12:41:20 termite kernel: e1000: eth0: e1000_watchdog: NIC Link is Up 100.
6. Repeat this procedure for all other Ethernet ports, and record your results.
7. Type Ctrl+C to stop thetailcommand.
--------------------------------------
Testing the connection between the HMC and the managed system:
This option enables you to verify that you are properly connected to the network:
(to test network connectivity, you must be a member of super administrator or service representative)
1. In the Navigation area, click HMC Management.
2. Click Test Network Connectivity.
3. In the Ping tab, type the host name or IP address of any system to which you want to connect. To test an open network, type the gateway.
4. Click Ping.
--------------------------------------
put ssh_key to HMC (passwordless login as hscroot)
version 1:
- scp hscroot@hmc_name:.ssh/authorized_keys2 temp_hmc
- cat id_rsa.pub >> temp_hmc
- scp temp_hmc hscroot@hmc_name:.ssh/authorized_keys2
- Test it: ssh hscroot@hmc_name date
version 2:
scp id_rsa.pub hmc9: <--copy your public key to hmc
ssh hmc9 <--login to hmc (it will ask for a password at this time)
KEY=`cat id_rsa.pub` <--put in the cat command to a variable
mkauthkeys -a "$KEY" <--puts the public key into authorized_keys file
ssh hmc9 <--logint without a password
--------------------------------------
NTP configuration on a HMC
# lshmc -r -Fxntp,xntpserver <--check if ntp service is enabled: enable,<ntp_server_name> (/var/log/ntp logfile can be checked as well)
# chhmc -c xntp -s add -a <ntp_server_name> <--configure ntp service and add ntp server to HMC
# chhmc -c xntp -s enable <--activate NTP service
--------------------------------------
2 comments:
This is a great bloog
Hi, thanks you very much for so great blog.
Do you know if HMC private network is knowing HMAC over L3 VPN? In situation when servers are in separate datacenter in different region and in different networks. Is it possible manage them by one pair of hmc or only solution is use more pairs hmc by regions?
Post a Comment