Remote and Local Management of nPartitions

You can remotely manage cell-based servers using either the Enhanced nPartition Commands or Partition Manager Version 2.0.

The Enhanced nPartition Commands and Partition Manager Version 2.0 also can run on an nPartition and manage that nPartition and the complex to which it belongs.

The ability to remotely manage a server based on the HP sx1000 chipset or HP sx2000 chipset is enabled by two technologies: the Web-Based Enterprise Management infrastructure (WBEM) and the Intelligent Platform Management Interface (IPMI). A brief overview of these technologies is provided first, then explanations of how to use the tools to locally and remotely manage cell-based servers are provided.

Intelligent Platform Management Interface (IPMI)

The nPartition management tools perform their functions by sending requests to the service processor. These requests are either to get information about the server or to affect changes to the server.

On the first generation of cell-based servers (the HP 9000 Superdome SD16000, SD32000, and SD64000 models; rp7405/rp7410; and rp8400 servers) a proprietary interface to the service processor was implemented. This interface relied on system firmware to convey information between HP-UX and the service processor. This in turn required that the nPartition management tools run on an nPartition in the complex being managed.

The service processor in all sx1000-based or sx2000-based servers supports the Intelligent Platform Management Interface (IPMI) as a replacement for the proprietary interface mentioned above. IPMI is an industry-standard interface for managing hardware. IPMI also supports value-added capabilities, such as HP's nPartition and complex management features.

The service processor in all sx1000-based or sx2000-based servers supports two of the communication paths defined by the IPMI standard: the Block Transfer path and IPMI over LAN. Some background details about each of these communication paths is provided in the next sections. How and when these paths are used is covered in the explanations of the local and remote management scenarios that follow.

IPMI Block Transfer (IPMI BT)

The IPMI Block Transfer (IPMI BT) path uses a driver [/dev/ipmi for HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31)] and a hardware buffer on each cell to provide communication between the operating system and the service processor. Thus, each nPartition running HP-UX 11i v2 or HP-UX 11i v3 in an sx1000-based or sx2000-based server has its own private path to the service processor; the block transfer hardware on the core cell in each nPartition is used. The service processor always reliably knows which nPartition a request comes from.




	NOTE: The IPMI BT path currently is supported only for nPartitions running the Enhanced nPartition Commands. To use the IPMI BT interface, you must locally or remotely access the operating system running in the target complex. For details see “Remote Management Using WBEM”.

In many respects from an administrator's perspective the IPMI BT interface behaves like the proprietary interface used in the first-generation cell-based servers. For example, a user with superuser capabilities on an nPartition can manage the entire complex, including making changes to both the local nPartition and other nPartitions in the complex.

nPartition Configuration Privilege

Because it is not always desirable to allow a user on one nPartition to make changes that affect other nPartitions, HP provides the nPartition Configuration Privilege on sx1000-based or sx2000-based servers.

You can control the nPartition Configuration Privilege by using the PARPERM command at the service processor Command menu.

The nPartition Configuration Privilege has two settings:

Unrestricted — The default setting, which allows the behavior described above.
Restricted — Restricts use of the IPMI BT interface to the following capabilities:
- Retrieving information about the server. Everything that is normally displayed by Partition Manager and the parstatus command is still available.
- Making changes to the local nPartition's Partition Configuration Data. (Details on local versus remote nPartitions is provided later.)
- Manipulating any of the attention indicators (LEDs).
- Powering on/off cells and I/O chassis that belong to the local nPartition.
Restricting the nPartition Configuration Privilege does not restrict deallocation of processors across nPartition boundaries.

By restricting the nPartition Configuration Privilege, you limit someone with superuser privileges on an nPartition to doing things that affect only that nPartition. However, when the nPartition Configuration Privilege is restricted certain changes can only be made by using the nPartition management tools in the mode that utilizes IPMI over LAN.

IPMI over LAN

IPMI requests can be sent to the service processor's LAN port, thus eliminating the need to involve any of the nPartitions in the server.

IPMI LAN access to a service processor may be enabled or disabled by the SA command at the service processor Command menu.

The service processor will accept IPMI requests over its LAN port only if the request is accompanied by the correct password. To set the IPMI password use the SO command at the service processor Command menu.

Communication using IPMI over LAN is authenticated using the challenge and response protocol defined by the IPMI specification. The MD5 message digest algorithm (RFC1321) is used to encrypt the IPMI password and to ensure authentication of both the server and the client. All IPMI messages are authenticated in the manner described above. In addition, appropriate methods are implemented to protect against replay attacks.

The use of IPMI over LAN is not affected by setting the nPartition Configuration Privilege to restricted. When the IPMI BT interfaces are restricted certain changes to a complex can only be made by using the nPartition management tools in the mode that utilizes IPMI over LAN.

The following list describes all the actions that can be performed using IPMI over LAN.

Retrieving information about the server.
Changing the Stable Complex Configuration Data, including cell local memory settings and all cell assignments (that is: creating an nPartition, assigning cells to an nPartition, unassigning cells from an nPartition, and removing an nPartition).
Powering on/off all cells and I/O chassis in the server, including unassigned resources.
Manipulating any of the attention indicators (LEDs).

Web-Based Enterprise Management (WBEM)

The Enhanced nPartition Commands and Partition Manager Version 2.0 are implemented as WBEM client applications.

The Enhanced nPartition Commands toolset for HP-UX and Linux also includes a WBEM agent known as the nPartition Provider.

The Windows operating system includes the Windows Management Instrumentation (WMI) software, which is the Microsoft implementation of WBEM. To support the Windows release of the Enhanced nPartition Commands, HP also provides the WMI Mapper and the WMI nPartition Provider software components for the Windows system. The WMI-based nPartition tools components for Windows provides a WBEM-compliant solution.

All communication with the service processor, whether by way of the IPMI BT path [for example, using /dev/ipmi on HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31)] or by IPMI over LAN, is done by the nPartition Provider. The nPartition Provider responds to requests sent to it by the nPartition commands and Partition Manager.

Partition Manager uses the nPartition commands to make changes to a cell-based server. Partition Manager Version 2.0 only uses WBEM directly when retrieving information about a server.

The power of WBEM is that it enables a distributed architecture. The applications (the nPartition management tools) can be running on one system and can use the WBEM infrastructure to send requests to other systems. See “Remote Management Using WBEM” for more details.

Local Management

As previously mentioned, the Enhanced nPartition Commands and Partition Manager Version 2.0 can run on an nPartition to manage that nPartition and the complex that it belongs to. This is the default behavior of the tools when run on an nPartition.

In this scenario, the nPartition management tools send WBEM requests to the nPartition Provider running on the local nPartition (that is, the same nPartition where the tools are being run). The nPartition Provider uses /dev/ipmi to send requests to the service processor in the local complex.

If the nPartition Configuration Privilege is unrestricted, then the server can be managed from any nPartition and making changes to other nPartitions in the complex is supported. However, if the privilege is set to restricted then certain operations are supported only when using the tools in the mode that uses IPMI over LAN (see “Remote Management Using IPMI over LAN”).

Local management is the only form of management supported by the older nPartition tools (the Original nPartition Commands and Partition Manager Version 1.0). Also, because the nPartition Configuration Privilege is a feature of the sx1000-based and sx2000-based servers it affects the older nPartition tools when used on nPartitions in an sx1000-based or sx2000-based server, but not when used on nPartitions in the first-generation cell-based servers.

Remote Management Using WBEM

WBEM enables one form of remote management of an nPartition complex: using nPartition management tools (WBEM client applications) that are running on one system to communicate with the nPartition Provider (a WBEM agent) running on an nPartition in the complex to be managed.

When performing remote management using WBEM the following terminology is used:

The complex being managed is referred to as a "remote complex" because it is remote with respect to the system where the tools are being run.
The remote complex is also the "target complex" as it is the complex that will be affected by any changes requested by the tools.
The nPartition that the tools communicate with (using WBEM) is referred to as a "remote nPartition" because it is remote with respect to the system where the tools are being run.
If the tools are used to retrieve information about or to make a change to a specific nPartition in the target complex, then that nPartition is the "target nPartition". The target nPartition and the remote nPartition might be the same, but don't have to be the same nPartition.
For example, the parmodify command could be used in a way where it sends requests to an nPartition in the target complex but the -p option identifies a different nPartition to be modified.

The following sections explain how to use the Enhanced nPartition Commands and Partition Manager Version 2.0 to remotely manage an nPartition complex using WBEM. The system where the tools are used could be an nPartition or other system, but where the tools are run is irrelevant when performing remote management of an nPartition complex.




	NOTE: Remote management using WBEM relys on an nPartition in the target complex being booted to multi-user mode. The remote nPartition must be configured to accept remote WBEM requests. Remote management using WBEM also requires that the Trust Certificate Store file on the local system contains a copy of the server certificate data from the SSL Certificate file on the system being managed. See “WBEM Remote Management Files”.

WBEM Remote Management Files

WBEM systems provide secure remote management using the following files as part of the SSL authentication process. Both files reside on all WBEM-enabled systems.

server.pem — WBEM SSL Certificate file. The SSL Certificate file resides on the system that is being managed and contains the local server's PRIVATE KEY and CERTIFICATE data.
On HP-UX B.11.23 systems, the SSL Certificate file is the /var/opt/wbem/server.pem file.
On a Windows system, the SSL Certificate file is in the location specified by the %PEGASUS_HOME%\cimcerver_current.conf file; in this file the sslCertificateFilePath entry specifies the SSL Certificate file location.
client.pem — WBEM Trust Certificate Store file. The Trust Certificate Store file resides on the system from which WBEM remote management commands are issued.
On HP-UX B.11.23 systems, the Trust Certificate Store file is the /var/opt/wbem/client.pem file.
On a Windows system system, the Trust Certificate Store file is the %HP_SSL_SHARE%\client.pem file, where %HP_SSL_SHARE% specifies the directory where the file resides.

To remotely manage a server, the Trust Certificate Store file (client.pem) on the local system must contain a copy of the CERTIFICATE data from the SSL Certificate file (server.pem) on the remote server. The CERTIFICATE data includes all text starting with the "-----BEGIN CERTIFICATE-----" line through the "-----END CERTIFICATE-----" line.

By default the Trust Certificate Store file contains a copy of the CERTIFICATE data from the SSL Certificate data for the local system.

nPartition Commands Support for Remote Management Using WBEM

Two options supported by the Enhanced nPartition Commands result in remote management using WBEM. These options are:

-u username
The -u option specifies a valid username on the remote nPartition.
For the parstatus and fruled commands any user defined on the remote nPartition can be used, but the other commands require the username to be a user with superuser privileges on the remote nPartition.
-h hostname | IPaddress
The -h option specifies either the hostname or IP address of the remote nPartition.

When you use the -u... -h... set of options, the specified command sends the appropriate WBEM requests to the remote nPartition where the requests are handled by the nPartition Provider using /dev/ipmi to communicate with the service processor in the target complex.

Partition Manager Support for Remote Management Using WBEM

Partition Manager Version 2.0 supports remote management using WBEM in either of two ways.

Run Partition Manager Version 2.0 on an nPartition and then select the Switch Complexes task from the Tools menu. In the resulting dialog enter the hostname or IP address of the remote nPartition, and supply a username and that user's password.
If you will use Partition Manager only to display information about the target complex, then you can specify any user defined on the remote nPartition.
However, if you will use Partition Manager to make changes to the target complex then you must specify a user with superuser privileges on the remote nPartition.
Run Partition Manager Version 2.0 on a system that is not an nPartition, and Partition Manager will immediately display the Switch Complexes dialog.

Figure 1-1 Partition Manager Version 2.0 Switch Complexes Dialog

Remote Management Using IPMI over LAN

IPMI over LAN enables the second form of remote management of an nPartition complex: using nPartition management tools that are running on a system to communicate directly (without going through an nPartition) with the service processor in the complex to be managed.

When performing remote management using IPMI over LAN the following terminology is used:

The complex being managed is referred to as a "remote complex" because it is remote with respect to the system where the tools are being run.
The remote complex is also the "target complex" as it is the complex that will be affected by any changes requested by the tools.
If the tools are used to retrieve information about or to make a change to a specific nPartition in the target complex, then that nPartition is the "target nPartition".

Note that there is no concept of a "remote nPartition" in this scenario.

The following sections explain how to use the nPartition commands and Partition Manager to remotely manage an nPartition complex using IPMI over LAN.

The system where the tools are used could be an nPartition or other system, but where the tools are run is irrelevant when performing remote management of an nPartition complex.

nPartition Commands Support for Remote Management Using IPMI over LAN

Two options of the Enhanced nPartition Commands result in remote management using IPMI over LAN. These options are:

-g [password]
The password is the service processor's IPMI password.
-h hostname | IPaddress
The -h option specifies the hostname or IP address of the service processor in the target complex.

When you use the -g... -h... set of options, the specified command sends the appropriate WBEM requests to the local nPartition Provider, which in turn uses IPMI over LAN to communicate with the service processor in the target complex.

Partition Manager Support for Remote Management Using IPMI over LAN

Partition Manager Version 2.0 can be used in this mode in either of two ways:

Run Partition Manager on an nPartition and then select the Switch Complexes task from the Tools menu. In the resulting dialog enter the hostname or IP address of the service processor in the target complex, and supply that service processor's IPMI password.
Run Partition Manager on a system that is not an nPartition. In this situation Partition Manager immediately displays the Switch Complexes dialog.