Fortanix IPMI Setup for FX2200 Series I

1.0 Introduction

The purpose of this article is to describe the steps required to set up IPMI for the Fortanix FX2200 Series 1 appliance. It also contains the information that an administrator needs to:

  • Perform user authentication into IPMI

  • Troubleshoot the IPMI setup process

1.1 Intended Audience

This setup is intended to be used by technical stakeholders of Fortanix FX2200 Series 1 who will be responsible for planning, performing, or maintaining the setup or deployment, such as the Systems Administrator, Chief Information Officer (CIO), Analysts, or Developers.

2.0 Terminology References

  • IPMI – Intelligent Platform Management Interface

  • DHCP – Dynamic Host Configuration Protocol

  • BIOS – Basic Input/Output System

  • LDAP – Lightweight Directory Access Protocol

  • RADIUS – Remote Authentication Dial-In User Service

  • PAM – Pluggable Authentication Modules

  • BMC – Baseboard Management Controller

  • KVM – Keyboard, Video (monitor), and Mouse

  • DSM – Data Security Manager

3.0 Prerequisites

To set up IPMI for the FX2200 Series 1 appliance, the following requirements must be met:

  • 1 monitor

  • 1 keyboard

WARNING

It is widely known that IPMI is not a secure protocol and as such Fortanix recommends that customers do not rely solely on IPMI security features for IPMI access. Customers wanting to leverage the out-of-band (OOB) access port should implement logical or physical isolation and access control for this port.

4.0 IPMI Setup

4.1 Steps to Setup IPMI for FX2200 Series 1

By default, the FX2200 II appliance is set to get an IPMI IP address from DHCP. If a DHCP IP address is assigned or if a static IP address is configured, the address will be visible on one of the BIOS boot screens as shown below.

Figure 1: BIOS Boot Screen

The easiest way to set a static IP address for the IPMI interface is through the BIOS setup.

Figure 2: BIOS Boot options

  1. If the machine is on, press the power button (briefly) to initiate the shutdown sequence. Wait until the machine turns off.

  2. Turn the machine on. During the boot sequence, press ESC to go to BIOS configuration.

  3. Connect a monitor and keyboard to the FX2200 appliance and while booting up, press the key repeatedly until the following screen is displayed.

  4. Click the Front Page tab, and then arrow down to Setup Utility. When it is highlighted, press <ENTER>.  

    Figure 3: Setup utility screen

  5. Click the Advanced tab, and then arrow down to H20 IPMI Configuration. When it is highlighted, press <ENTER>.

    Figure 4: H20 IPMI configuration screen

  6. Using the keyboard arrow keys, move the highlight to the Advanced tab, and then arrow down to BMC Configuration. When this is highlighted, press <ENTER>.

    Figure 5: Select BMC configuration

  7. In the BMC configuration screen, you can set the desired IP address settings. Highlight IPv4 IP Address using the keyboard arrows, and then press <ENTER>. Now set the desired IP address, subnet mask, and gateway IP address as required for your network. When you are satisfied with the settings, press the F10 key on the keyboard to save the changes, and then exit. The FX2200 will reboot.

    Figure 6: BMC network configuration

  8. After rebooting, the IPMI web page will be accessible at the specified IP address through any browser.
    http://10.195.64.85/#login
    The default administrator credentials are:
    Username: admin
    Password: password  

    Figure 7: IPMI webpage login

    NOTE

    • The default username and password are in lower-case characters.

    • When you log in using the admin username and password, you get full administrative rights. You are advised to change your password once you log in.

    • Starting with BMC firmware version 12.49.06, only one default user (admin) exists.

4.2 IPMI Authentication

User authentication into IPMI can be done using local users or by using external user services.

If using local users, the length of the password can be configured when adding or modifying the user.

  • Password length of 16 bytes or 20 bytes is supported for local users.

  • Password strength and expiration time are not supported for local users.

Perform the following steps to set password size for local users in the IPMI interface:

  1. Click Configuration → Users → Select Desired User → Modify User.

    Figure 8: Set Password Size for Local Users

4.3 Set Password Policies

Better fine-grained control on user management including password policies can be achieved using external user services which can leverage the enterprise’s existing user authentication service. The following external user services are supported:

  • LDAP

  • Active Directory

  • RADIUS

4.3.1 LDAP Settings

The following screenshot shows all the available external services. To access these services in the user interface (UI):

  1. Click Configuration → LDAP/E-Directory → Advanced Settings.

    Figure 9: LDAP Settings

4.3.2 Active Directory Settings

Perform the following steps to set up Active Directory as an external user service:

  1. Click Settings → External User Services → Active directory Settings → General Active Directory Settings.

4.3.3 Radius Settings

Perform the following steps to set up RADIUS as an external user service:

  1. Click Configuration → RADIUS.

    Figure 11: RADIUS Settings

Perform the following steps to configure the PAM order for user authentication into the BMC:

The PAM Order settings page lists the PAM modules supported in the BMC. Drag and drop the PAM modules to change their position in the sequence.

  1. Click Configuration → PAM Order settings.

    Figure 12: PAM Order Settings

5.0 BMC Firmware Upgrade on FX2200 Series I

5.1 Prerequisites

Check the version of BMC firmware on your FX2200 by looking at the version number displayed in the top-left corner in the Web UI as shown below.

Figure 13: BMC version

Upgrade the BMC firmware after upgrading or installing Fortanix DSM software version 4.11 or a later version.

NOTE

  • This BMC upgrade is only for FX2200 series 1 units.

  • Upgrading the BMC will cause all IPMI settings (users, TLS certificate, IP, and so on) to be lost. You will need to re-configure the IP address and then log in through IPMI Web UI to add/change users and passwords.

  • Make sure the unit is not powered off or rebooted during the process of BMC firmware update.

  • After the BMC firmware upgrade, there will only be one default user “admin” and the default password of this user will be “password”.

5.2 IPMI Web UI Access

The BMC firmware upgrade will power off the unit at the end. The unit will need to be powered on using IPMI. Therefore, you must have IPMI Web UI access before attempting the upgrade. If you do not have IPMI Web UI access, then after upgrading you will need to send someone to the data center to power on the unit. Please plan accordingly.

5.3 Physical Access to the Unit

The install guide from the board vendor mentions that:

“In some critical condition, after update BMC firmware, you might need to unplug AC power cord 5 seconds and then plug in AC power cord to reset BMC, and then updated new function can work properly.”

Fortanix has not seen this problem in their testing. But please be prepared to use remote hands to perform this action should there be a need.

5.4 Root Access

The command to perform the upgrade must be run as root.

5.5 Upgrading from BMC Version 1.1.10

  1. Log in to the IPMI Web UI and verify that you are able to log in.

  2. Go to the folder “/opt/fortanix/sdkms/bmc/linux”.

    cd /opt/fortanix/sdkms/bmc/linux
  3. Get root access.

    sudo su
  4. Note down your current IPMI network information (IP address, Subnet mask, and Default Gateway). We will need to reconfigure the IPMI network, so keeping this information available is important. You can see the information by running the following command:

    sudo ipmitool lan print 1
  5. Perform the upgrade.

    ./a.sh soc
  6. Once the BMC upgrade starts, DO NOT interrupt it, and DO NOT power off or reboot the system.

  7. At the end of the upgrade, you will see the following prompt which indicates the update is complete.
     NOTE: At this point, you need to make sure that you do NOT power off the unit. You will need to reconfigure the IPMI network interface before powering it off. Press Y to cancel power off.

    BMC need to power off to initial T control function
    press Y to cancel power off system, press others key to power off system.
  8. Wait for 60 seconds.

  9. You can check the status of BMC by running the following command and wait until you see “Set in Progress : Set Complete”.

    sudo ipmitool lan print 1
  10. If you had set up a static IP address on the BMC, then you can set it by running the following commands from the shell. (NOTE: replace w.x.y.z with appropriate values).

    sudo ipmitool lan set 1 ipsrc static
    sudo ipmitool lan set 1 ipaddr w.x.y.z
    sudo ipmitool lan set 1 netmask w.x.y.z
    sudo ipmitool lan set 1 defgw ipaddr w.x.y.z
  11. Verify that the IPMI network is configured correctly by running the following command and review the values for the IPMI IP address, subnet mask, and default gateway.

    sudo ipmitool lan print 1
  12. Perform BMC reset by running the following command.

    sudo ipmitool mc reset cold
  13. Wait for 120 seconds and run the following command to verify that the reset is complete. If the output of the command does not show all the information, then wait another 120 seconds.

    sudo ipmitool lan print 1
  14. Refresh the IPMI Web UI page and log in again to verify that you are able to log in. If you are not able to log in or if the Web UI page does not come up, then do not proceed.

  15. Power off the unit by running the following command.

    sudo poweroff
  16. Wait for 60 seconds.

  17. Even though the unit is powered off, BMC is still running, and you can still log in. Refresh the IPMI Web UI Page and log in again.

  18. Verify the version number shown on the dashboard is 2.50.1 as shown in the following screenshot.

  19. Power on the unit from the IPMI Web UI by going to “Remote Control” → “Server Power Control”.

  20. Select Power on Server and click the button Perform Action as shown below.  

    Figure 14: Power on
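
The snapshot, readiness check, restore and verification from steps 4 and 9 to 11, as an added example that is not Fortanix's own tooling: shell helpers that parse saved `ipmitool lan print 1` output, reject anything that is not an IPv4 address, and print the step 10 commands. Field names other than "Set in Progress" follow ipmitool's usual output and are assumptions for this BMC; the sample snapshot is constructed.

```shell
# Added example: helpers around saved "ipmitool lan print 1" output.
# Field names follow ipmitool's usual layout (assumption for this BMC).

# lan_field FILE NAME: print the value of the exactly named field.
lan_field() {
    awk -v want="$2" '{
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == want) { print val; exit }
    }' "$1"
}

# is_ipv4 VALUE: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# lan_ready FILE: step 9, the BMC has finished applying settings.
lan_ready() { [ "$(lan_field "$1" 'Set in Progress')" = 'Set Complete' ]; }

# restore_cmds FILE: print the step 10 commands filled in from the snapshot.
# Fails if the snapshot was not static or a value is not a valid IPv4 address.
restore_cmds() {
    [ "$(lan_field "$1" 'IP Address Source')" = 'Static Address' ] || return 1
    ip=$(lan_field "$1" 'IP Address'); mask=$(lan_field "$1" 'Subnet Mask')
    gw=$(lan_field "$1" 'Default Gateway IP')
    for v in "$ip" "$mask" "$gw"; do is_ipv4 "$v" || return 1; done
    printf 'ipmitool lan set 1 ipsrc static\nipmitool lan set 1 ipaddr %s\n' "$ip"
    printf 'ipmitool lan set 1 netmask %s\nipmitool lan set 1 defgw ipaddr %s\n' "$mask" "$gw"
}

# lan_matches PRE POST: step 11, post-upgrade values equal the snapshot.
lan_matches() {
    for f in 'IP Address Source' 'IP Address' 'Subnet Mask' 'Default Gateway IP'; do
        [ "$(lan_field "$1" "$f")" = "$(lan_field "$2" "$f")" ] || { echo "mismatch: $f" >&2; return 1; }
    done
}

# Constructed sample of a pre-upgrade snapshot (documentation addresses).
sample_snapshot() {
    printf '%s\n' 'Set in Progress         : Set Complete' \
        'IP Address Source       : Static Address' \
        'IP Address              : 192.0.2.10' \
        'Subnet Mask             : 255.255.255.0' \
        'MAC Address             : 00:00:5e:00:53:01' \
        'Default Gateway IP      : 192.0.2.1'
}
```

On the appliance, the snapshot would come from redirecting `sudo ipmitool lan print 1` to a file before step 5; store that file on the host rather than relying on the BMC, since the upgrade wipes all IPMI settings.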