System configuration. Dell EMC OpenManage Enterprise


4 System configuration

Define and manage appliance properties such as login policies, SSL, CSR, SNMP, and warranty. Set properties to check availability of updated OpenManage Enterprise version running remote commands, and alert notifications. Configure your system using the OpenManage Enterprise > Application Settings screen.

Related tasks

Delete Directory services

Topics:

Configure network settings

Manage OpenManage Enterprise users

Ending user sessions

Directory services integration

Login using OIDC providers

Security certificates

Manage console settings

Set the login security properties

Customize the alert display

Configure SMTP, SNMP, and Syslog

Manage incoming alerts

Manage warranty settings

Execute remote commands and scripts

OpenManage Mobile settings

Configure network settings

Set appliance network properties such as DNS domain name, FQDN, and IPv4 or IPv6 settings.

Prerequisites

Ensure you have the necessary user privileges as described in Role and scope-based access .

Steps

1. To only view the current network settings of all the active network connections of OpenManage Enterprise such as DNS domain name, FQDN, and IPv4 and IPv6 settings, expand Current Settings .

2. To configure the session timeouts and the maximum number of sessions for the OpenManage Enterprise API and web interface users, expand Session Inactivity Timeout Configuration and do the following:

a. Select the Enable check box to activate the Universal Timeout and enter the Inactivity timeout (1-1440) value.

The inactivity timeout value can be set between 1 minute and 1440 minutes (24 hours). By default, the Universal timeout is grayed out. Enabling the Universal timeout disables the API and Web Interface fields.

b. Change the API Inactivity timeout (1-1440) and the Maximum number of sessions (1-100) values. These attributes are by default set as 30 minutes and 100 respectively.

c. Change the Web Interface Inactivity timeout (1-1440) and the Maximum number of sessions (1-100) values. These attributes are by default set as 30 minutes and 100 respectively.

d. Click Apply to save the settings or click Discard to retain the default values.

3. The current system time and the source—local time zone or NTP server IP are displayed. To configure the system time zone, date, time, and NTP server synchronization, expand Time Configuration .

a. Select the time zone from the drop-down list.

b. Enter the date or click the Calendar icon to select the date.


c. Enter the time in hh:mm:ss format.

d. To synchronize with an NTP server, select the Use NTP check box, and enter the server address of the primary NTP server.

You can configure up to three NTP servers in OpenManage Enterprise.

NOTE: The Date and Time options are not available when the Use NTP option is selected.

e. Click Apply .

f. To reset the settings to default attributes, click Discard .

4. To configure the OpenManage Enterprise proxy settings, expand Proxy Configuration .

a. Select the Enable HTTP Proxy Settings check box to configure the HTTP proxy, and then enter HTTP proxy address and HTTP port number.

b. Select the Enable Proxy Authentication check box to enable proxy credentials, and then enter the username and password.

c. Select the Ignore Certificate Validation check box if the configured proxy intercepts SSL traffic and does not use a trusted third-party certificate. Using this option will ignore the built-in certificate checks used for the warranty and catalog synchronization.

d. In the Proxy Exclusion List box, you can enter the IPv4 and/or IPv6 addresses or the domain names of the devices that can bypass the proxy server to directly access the appliance.

e. Click Apply .

f. To reset the settings to default attributes, click Discard .

Results

To understand all the tasks that you can perform by using the Application Settings feature, see System configuration .

Manage OpenManage Enterprise users

View, add, enable, edit, disable, or delete the OpenManage Enterprise local users.

NOTE:

● To perform any tasks on OpenManage Enterprise, you must have the necessary user privileges. See Role and scope-based access .

● A maximum of 1000 user accounts can exist in an appliance.

● Any change to the user role will not affect the active session of the impacted user(s) and will take effect from subsequent login.

● If a Device Manager user is demoted to a Viewer, that DM will lose access to all the owned entities such as jobs, firmware or configuration templates and baselines, alert policies, and profiles. These entities can be managed only by the administrator and can't be restored even when the same user is 'promoted' from a Viewer to DM.

By clicking OpenManage Enterprise > Application Settings > Users , you can:

● View, add, enable, edit, disable, or delete the OpenManage Enterprise local users. For more information, see Add and edit OpenManage Enterprise local users .

● Assign OpenManage Enterprise roles to Active Directory users by importing the directory groups. AD and LDAP directory users can be assigned an Admin, a Device Manager, or a Viewer role in OpenManage Enterprise. For more information, see Import AD and LDAP groups .

● View details about the logged-in users, and then end (terminate) a user session.

● Manage Directory Services. For more information, see Add or edit directory service AD groups .

● View, add, enable, edit, disable, or delete OpenID Connect providers (PingFederate and/or Key Cloak). For more information, see Login using OIDC providers .

By default, the list of users is displayed under Users . The right pane displays the properties of a user name that you select in the working pane.

● USERNAME : Along with the users you created, OpenManage Enterprise displays the following default user roles that cannot be edited or deleted: admin, system, and root. However, you can edit the login credentials by selecting the default username and clicking Edit . See Enable OpenManage Enterprise users . The recommended characters for user names are as follows:

○ 0–9

○ A–Z

○ a–z

○ - ! # $ % & ( ) * / ; ? @ [ \ ] ^ _ ` { | } ~ + < = >

○ The recommended characters for passwords are as follows:

■ 0–9

■ A–Z

■ a–z

■ ' - ! " # $ % & ( ) * , . / : ; ? @ [ \ ] ^ _ ` { | } ~ + < = >

● USER TYPE : Indicates if the user logged in locally or remotely.

● ENABLED : Indicates with a tick mark when the user is enabled to perform OpenManage Enterprise management tasks. See Enable OpenManage Enterprise users and Disable OpenManage Enterprise users .

● ROLE : Indicates the user role in using OpenManage Enterprise. For example, OpenManage Enterprise administrator and Device Manager. See User roles .

Related references

Disable OpenManage Enterprise users

Enable OpenManage Enterprise users

Related tasks

Delete Directory services

Delete OpenManage Enterprise users

Ending user sessions

Role and scope-based access

OpenManage Enterprise has Role Based Access Control (RBAC) that clearly defines the user privileges for the three built-in roles—Administrator, Device Manager, and Viewer. Additionally, using the Scope-Based Access Control (SBAC) an administrator can limit the device groups that a device manager has access to. The following topics further explain the RBAC and SBAC features.

Role-based access control (RBAC) privileges

Users are assigned roles which determine their level of access to the appliance settings and device management features. This feature is termed Role-Based Access Control (RBAC). The console enforces the privilege required for a certain action before allowing the action. For more information about managing users in OpenManage Enterprise, see Manage OpenManage Enterprise users .

The table below lists the privileges of each role.

Table 12. Role-based user privileges

Feature | Privilege
Appliance setup | Global appliance settings involving setting up of the appliance.
Security setup | Appliance security settings
Alert management | Alerts actions / management
Fabric management | Fabric actions / management
Network management | Network actions / management
Group management | Create, read, update and delete (CRUD) for static and dynamic groups
Discovery management | CRUD for discovery tasks, run discovery tasks
Inventory management | CRUD for inventory tasks, run inventory tasks
Trap management | Import MIB, Edit trap
Auto-deploy management | Manage auto-deploy configuration operations
Monitoring setup | Alerting policies, forwarding, Services (formerly SupportAssist), and so on.
Power control | Reboot / cycle device power
Device configuration | Device configuration, application of templates, manage/migrate IO identity, storage mapping (for storage devices), and so on.
Operating system deployment | Deploy operating system, map to LUN, and so on.
Device update | Device firmware update, application of updated baselines, and so on.
Template management | Create / manage templates
Baseline management | Create / manage firmware / configuration baseline policies
Power management | Set power budgets
Job management | Job execution / management
Report management | CRUD operations on reports
Report run | Run reports
View | View all data, report execution / management, and so on.

[The table's three user-level columns (Administrator, Device Manager, Viewer) did not survive extraction aligned to their rows. The only rows whose Y/N values are still attached are Appliance setup (Y / N / N) and Inventory management (Y / N / N).]

Scope-based access control (SBAC)

With the use of Role-Based Access Control (RBAC) feature, administrators can assign roles while creating users. Roles determine their level of access to the appliance settings and device management features. Scope-based Access Control (SBAC) is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups called scope.

While creating or updating a device manager, administrators can assign scope to restrict operational access of Device Manager to one or more system groups, custom groups, and / or plugin groups.

Administrator and Viewer roles have unrestricted scope. That means they have operational access as specified by RBAC privileges to all devices and groups entities.

Scope can be implemented as follows:

1. Click Create or Edit User .

2. Assign a Device Manager role.

3. Assign scope to restrict operational access.

For more information about managing users, see Manage OpenManage Enterprise users .

A natural outcome of the SBAC functionality is the Restricted View feature. With Restricted View, particularly the Device Managers will see only the following:

● Groups (therefore, the devices in those groups) in their scope.

● Entities that they own (such as jobs, firmware or configuration templates and baselines, alert policies, profiles, and so on).

● Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.

● Built-in entities of any kind.

It should be noted that if the scope of a Device Manager is 'unrestricted', then that Device Manager can view all the devices and groups, but sees only the entities that Device Manager owns, such as jobs, alert policies, baselines, and so on, along with the community and built-in entities of any kind.

When a Device Manager with an assigned scope logs in, the Device Manager can see and manage scoped devices only. Also, the Device Manager can see and manage entities such as jobs, firmware or configuration templates and baselines, alert policies, profiles and so on associated with scoped devices, only if the Device Manager owns the entity (Device Manager has created that entity or is assigned ownership of that entity). For more information about the entities a Device Manager can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise .

For example, by clicking Configuration > Templates , a Device Manager user can view the default and custom templates owned by the Device Manager user. Also, the Device Manager user can perform other tasks as privileged by RBAC on owned templates.

By clicking Configuration > Identity Pools , a Device Manager user can see all the identities created by an administrator or the Device Manager user. The Device Manager can also perform actions on those identities specified by RBAC privilege. However, the Device Manager can only see the usage of those identities that are associated to the devices under the Device Manager's scope.

Similarly, by clicking Configuration > VLANs Pools , the Device Manager can see all the VLANs created by the admin and export them. The Device Manager cannot perform any other operations. If the Device Manager has a template, it can edit the template to use the VLAN networks, but it cannot edit the VLAN network.

In OpenManage Enterprise, scope can be assigned while creating a local or importing AD/LDAP user. Scope assignment for OIDC users can be done only on Open ID Connect (OIDC) providers.

SBAC for local users

While creating or editing a local user with the Device Manager role, the admin can select one or more device groups that define the scope for the Device Manager.

For example, you (as an administrator) create a Device Manager user named dm1 and assign group g1 present under custom groups. Then dm1 will have operational access to all devices in g1 only. The user dm1 will not be able to access any other groups or entities related to any other devices.

Furthermore, with SBAC, dm1 will also not be able to see the entities created by other Device Managers (let's say dm2) on the same group g1 . That means a Device Manager user will only be able to see the entities owned by the user.

For example, you (as an administrator) create another Device Manager user named dm2 and assign the same group g1 present under custom groups. If dm2 creates a configuration template, configuration baselines, or profiles for the devices in g1 , then dm1 will not have access to those entities and vice versa.

A Device Manager with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities owned by the Device Manager.

SBAC for AD/LDAP users

While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with Device Manager role. If a user is a member of multiple AD groups, each with a Device Manager role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.

For example,

● User dm1 is a member of two AD groups ( RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins ). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups are as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers . Now the scope of the Device Manager dm1 is the union of ptlab-servers and smdlab-servers .

● User dm1 is a member of two AD groups ( adg1 and adg2 ). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2 . If g1 is the superset of g2 , then the scope of dm1 is the larger scope ( g1 , all its child groups, and all leaf devices).

When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, Device Manager, Viewer).

A Device Manager with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.

SBAC for OIDC users

Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment will be available to OpenManage Enterprise. For more information about configuring user roles and scopes, see Configure OIDC login using PingFederate .

NOTE: If PingFederate is being used as the OIDC provider, then only administrator roles can be used. For more information, see Configure OIDC login using PingFederate and the Release Notes at https://www.dell.com/support/home/en-yu/product-support/product/dell-openmanage-enterprise/docs .

Transfer ownership : The administrator can transfer owned resources from a device manager (source) to another device manager. For example, an administrator can transfer all the resources assigned from a source dm1 to dm2. A device manager with owned entities such as firmware and/or configuration baselines, configuration templates, alert policies, and profiles is considered an eligible source user. Transfer of ownership transfers only the entities and not the device groups (scope) owned by a device manager to another. For more information, see Transfer of ownership of Device Manager entities .

Related references

User roles

Add and edit OpenManage Enterprise local users

Create and edit properties of local users based on the role a user is assigned.

About this task

This procedure is specific to only adding and editing the local users. While editing local users, you can edit all the user properties. However, for Directory Users, only the role and device groups (in the case of a Device Manager) can be edited. To integrate Directory Services in OpenManage Enterprise and to import the Directory users, see Directory services integration and Import AD and LDAP groups .

NOTE:

● To perform any tasks on OpenManage Enterprise, you must have the necessary user privileges. See Role and scope-based access .

● You cannot enable, disable, or delete the admin/system/root users. You can only change the password by clicking Edit in the right pane.

Steps

1. Select Application Settings > Users > Users > Add .

2. In the Add New User dialog box:

a. Under User Details , select Administrator, Device Manager, or Viewer from the User Role drop-down menu. For more information, see Role and scope-based access .

By default, the Enabled check box is selected to indicate that the user privileges currently being set up are enabled for a user.

b. For the Device Manager roles, the scope is defaulted to All Devices (unrestricted scope), however, the administrator can restrict the scope by choosing the Select Groups option followed by selecting the device group(s).

c. Under User Credentials , enter Username , Password , and reenter the password in the Confirm Password fields.

NOTE: The username must contain only alphanumeric characters (but underscore is allowed) and the password must contain at least one character in: uppercase, lowercase, digit, and special character.

3. Click Finish .

A message is displayed that the user is successfully saved. A job is started to create a new user. After running the job, the new user is created and displayed in the list of users.
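Added example (not Dell's code): a Python pre-check of a proposed local user's name and password against the rules stated in the note above, using the recommended password character set listed under Manage OpenManage Enterprise users; the function names are my own and the rule is applied as the dialog states it.

```python
# Added example, not part of the OpenManage Enterprise product or its documentation.
# Pre-checks a proposed local user's credentials against the rules the Add New
# User dialog states, so an automation script can reject them before the request
# reaches the appliance.
import re
import string

UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)
# Special characters the guide lists as recommended for passwords.
SPECIALS = frozenset("'-!\"#$%&()*,./:;?@[\\]^_`{|}~+<=>")
RECOMMENDED = UPPER | LOWER | DIGITS | SPECIALS
# Username rule from the dialog: alphanumeric characters, underscore allowed.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")


def username_problems(username):
    """Return the rule violations for a proposed username (empty list means OK)."""
    problems = []
    if not username:
        problems.append("username is empty")
    elif not USERNAME_RE.fullmatch(username):
        bad = sorted({c for c in username if not USERNAME_RE.fullmatch(c)})
        problems.append("username contains characters outside [A-Za-z0-9_]: " + "".join(bad))
    return problems


def password_problems(password):
    """Return the rule violations for a proposed password (empty list means OK).

    The dialog requires at least one uppercase, lowercase, digit and special
    character; characters outside the recommended set are reported too, since
    the guide does not promise they are accepted.
    """
    problems = []
    for label, chars in (("uppercase", UPPER), ("lowercase", LOWER),
                         ("digit", DIGITS), ("special", SPECIALS)):
        if not any(c in chars for c in password):
            problems.append("missing " + label)
    outside = sorted(set(password) - RECOMMENDED)
    if outside:
        problems.append("characters outside the recommended set: " + "".join(outside))
    return problems
```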

48 System configuration

Edit OpenManage Enterprise user properties

Edit the properties of a user based on the user role they are assigned.

Steps

1. On the Application Settings screen, under Users , select the check box corresponding to the user.

2. Complete the tasks in Add and edit OpenManage Enterprise local users .

The updated data is saved.

NOTE: When you change the role of a user, the privileges available for the new role automatically get applied.

For example, if you change a device manager to an administrator, the access rights and privileges provided for an administrator will be automatically enabled for the device manager.

Enable OpenManage Enterprise users

Select a user to enable specific roles to the user.

Select the check box corresponding to the username and click Enable . The user is enabled and a tick mark is displayed in the corresponding cell of the ENABLED column. If the user is already enabled while creating the username, the Enable button appears grayed-out.

Related tasks

Delete Directory services

Delete OpenManage Enterprise users

Ending user sessions

Related information

Manage OpenManage Enterprise users

Disable OpenManage Enterprise users

Disable a user from one or more tasks.

Select the check box corresponding to the user name and click Disable . The user is disabled and a tick mark disappears in the corresponding cell of the ENABLED column. If the user is disabled while creating the username, the Disable button appears grayed-out.

Related tasks

Delete Directory services

Delete OpenManage Enterprise users

Ending user sessions

Related information

Manage OpenManage Enterprise users

Delete OpenManage Enterprise users

Remove one or more users from performing tasks.

Steps

1. Select the check box corresponding to the username and click Delete .

2. When prompted, click YES .


Related references

Disable OpenManage Enterprise users

Enable OpenManage Enterprise users

Related information

Manage OpenManage Enterprise users

Import AD and LDAP groups

This topic describes how to import users in active directory or LDAP for authentication into the appliance.

Prerequisites

● The users without Administrator rights cannot enable or disable the Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) users.

● Before importing AD groups in OpenManage Enterprise, you must include the user groups in a UNIVERSAL GROUP while configuring the AD.

● AD and LDAP directory users can be imported and assigned one of the OpenManage Enterprise roles (Admin, DeviceManager, or Viewer). The Single-Sign-On (SSO) feature stops at login to the console. Actions run on the devices require a privileged account on the device.

Steps

1. Click Import Directory Group .

2. In the Import Active Directory dialog box:

a. From the Directory Source drop-down menu, select an AD or LDAP source that must be imported for adding groups. For adding directories, see Add or edit directory service AD groups .

b. Click Input Credentials .

c. In the dialog box, type the username and password of the domain where the directory is saved. Use tool tips to enter the correct syntax.

d. Click Finish .

3. In the Available Groups section:

a. In the Find a Group box, enter the initial few letters of the group name available in the tested directory. All the group names that begin with the entered text are listed under GROUP NAME.

b. Select the check boxes corresponding to the groups to be imported, and then click the >> or << buttons to add or remove the groups.

4. In the Groups to be Imported section:

a. Select the check boxes of the groups, and then select a role from the Assign Group Role drop-down menu. For more information about the role-based access, see Role and scope-based access .

b. Click Assign Role .

NOTE: For a logged-in AD user belonging to an imported child AD group, multiple roles such as Device Manager and Viewer are displayed upon a mouse-over on the username on the appliance masthead. This happens if the parent directory group and child directory group are imported with different privileges. For such AD users, the role with the maximum privilege will be applied.

The users in the group under the selected directory service are assigned the selected user roles.

c. For the Device Manager role, the scope is defaulted to All Devices , however, the administrator can restrict the scope by choosing the Assign Scope option followed by selecting the device group(s).

5. Repeat steps 3 and 4, if necessary.

6. Click Import .

The directory groups are imported and displayed in the Users list. However, all users in those groups will log in to OpenManage Enterprise by using their domain username and credentials.

Example

It is possible for a domain user, for example john_smith, to be a member of multiple directory groups, and also for those groups to be assigned different roles. In this case, multiple roles such as Device Manager and Viewer are displayed upon a mouseover on the username on the appliance masthead right-hand corner. Such users will receive the highest level role for all the directory groups the user is a member of.

50 System configuration

● Example 1: The user is a member of three groups with admin, DM, and viewer roles. In this case, user becomes an administrator.

● Example 2: The user is a member of three DM groups and a viewer group. In this case, the user will become a DM with access to the union of device groups across the three DM roles.
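As an added illustration (not Dell's code), the following Python models the rules described above and in the SBAC section: the highest-functionality role wins across imported AD groups, a Device Manager's scope is the union of the group scopes (a parent group subsuming a child group), and Restricted View shows a Device Manager only scoped devices plus owned, community and built-in entities. The group names, device groups, devices and entities are constructed sample data, and the function names are my own.

```python
# Added example, not part of the OpenManage Enterprise product or its documentation.
# Models how the console resolves a directory user's effective role and scope from
# several imported AD groups, then which devices and entities Restricted View shows.
from dataclasses import dataclass

# Precedence stated in the guide: Administrator > Device Manager > Viewer.
ROLE_RANK = {"Administrator": 3, "Device Manager": 2, "Viewer": 1}
ALL_DEVICES = "All Devices"  # unrestricted scope


@dataclass(frozen=True)
class ImportedGroup:
    name: str
    role: str
    # Device groups assigned to this AD group; only meaningful for Device Manager.
    scope: frozenset = frozenset({ALL_DEVICES})


@dataclass(frozen=True)
class Entity:
    name: str
    owner: str                # user who created it or was given ownership
    community: bool = False   # Identity Pools, VLANs: usable by everyone
    builtin: bool = False     # built-in entities are always visible


# Constructed device-group tree: parent -> child groups, and group -> directly
# contained devices. g1 contains g2, so g1 is a superset of g2.
CHILDREN = {"g1": {"g2"}, "g2": set(), "ptlab-servers": set(), "smdlab-servers": set()}
DEVICES = {
    "g1": {"srv-01"},
    "g2": {"srv-02", "srv-03"},
    "ptlab-servers": {"pt-01"},
    "smdlab-servers": {"smd-01"},
}


def devices_in(group):
    """All leaf devices under a group, including those in its child groups."""
    found = set(DEVICES.get(group, set()))
    for child in CHILDREN.get(group, ()):
        found |= devices_in(child)
    return found


def effective_role(memberships):
    """Highest-functionality role across all imported groups the user belongs to."""
    return max((g.role for g in memberships), key=ROLE_RANK.__getitem__)


def effective_scope(memberships):
    """Union of the scopes of the user's Device Manager groups.

    Administrators and Viewers always get unrestricted scope, and a single
    Device Manager group scoped to All Devices makes the union unrestricted.
    """
    if effective_role(memberships) != "Device Manager":
        return frozenset({ALL_DEVICES})
    scope = frozenset()
    for g in memberships:
        if g.role == "Device Manager":
            if ALL_DEVICES in g.scope:
                return frozenset({ALL_DEVICES})
            scope |= g.scope
    return scope


def visible_devices(memberships):
    """Devices the user can see: everything, or only the devices in scoped groups."""
    scope = effective_scope(memberships)
    if ALL_DEVICES in scope:
        return set().union(*DEVICES.values())
    return set().union(*(devices_in(g) for g in scope))


def visible_entities(user, memberships, entities):
    """Restricted View: a Device Manager sees owned, community and built-in entities.

    Administrators and Viewers are not restricted here; what they may do with an
    entity is still governed by their RBAC privileges.
    """
    if effective_role(memberships) != "Device Manager":
        return {e.name for e in entities}
    return {e.name for e in entities if e.builtin or e.community or e.owner == user}
```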

Transfer of ownership of Device Manager entities

This topic describes how an administrator can transfer entities such as jobs, firmware or configuration templates and baselines, alert policies, and profiles that are created by one device manager to another device manager. An administrator can initiate a 'transfer of ownership' when a device manager leaves the organization.

Prerequisites

● To perform this task on OpenManage Enterprise, you must have administrator user privileges. See Role and scope-based access .

● 'Transfer of ownership' transfers only the entities and not the device groups (scope) owned by a device manager to another.

● Reassign the device groups owned by the former device manager to the device manager who will be taking over.

● If the ownership of the entities is transferred to an Active Directory user group, then the ownership is transferred to all the members of that AD group.

● The new Device Manager must reschedule any tasks that were scheduled by the former Device Manager, such as the tasks for firmware updates and deployment of templates, after the transfer of ownership.

About this task

To transfer the ownership of entities such as jobs, firmware or configuration templates and baselines, alert policies, and profiles from one device manager to another do the following:

Steps

1. Initiate the Transfer Ownership wizard by clicking OpenManage Enterprise > Application Settings > Users > Transfer Ownership .

2. From the Source User drop-down list, select the device manager from whom the ownership of entities must be transferred.

NOTE: The Source User will only list the local, active directory, OIDC, or deleted device managers who have entities such as jobs, FW or configuration templates, alerts policies and profiles associated with them.

3. From the Target User drop-down list, select the device manager to whom the entities will be transferred.

4. Click Finish and then click Yes at the prompt message.

Results

All the owned entities such as jobs, firmware or configuration templates, alert policies, and profiles are transferred from the 'source' device manager to the 'target' device manager.

Ending user sessions

End one or more user sessions.

Steps

1. Select the check box corresponding to the username, and then click Terminate .

2. When prompted to confirm, click YES .

The selected user session is ended and the user is logged out.

Related references

Disable OpenManage Enterprise users

Enable OpenManage Enterprise users


Related information

Manage OpenManage Enterprise users

Directory services integration

Directory Services enable you to import directory groups from Active Directory or LDAP for use on the console.

The following directory services are supported:

● Windows Active Directory

● Windows AD/LDS

● OpenLDAP

● PHP LDAP

Table 13. LDAP integration attributes

Directory | Attribute of User Login | Attribute of Group Membership | Certificate Requirement
AD/LDAP | Cn, sAMAccountName | Member | Subject of the Domain Controller certificate needs to have the FQDN; the SAN field can have IPv4 and/or IPv6 or FQDN. Only Base64 certificate format is supported.
OpenLDAP | uid, sn | Uniquemember | Only PEM certificate format is supported.
PHP LDAP | uid | MemberUid | Only PEM certificate format is supported.

Before you begin directory service integration:

● BindDN user and user used for 'Test connection' should be the same.

● If Attribute of User Login is provided, only the corresponding username value assigned to the attribute is allowed for appliance login.

● User used for Test connection should be part of any non-default group in LDAP.

● Attribute of Group Membership should have either the 'userDN' or the short name (used for logging in) of the user.

● When MemberUid is used as 'Attribute of Group Membership,' the username used in appliance login will be considered case sensitive in some LDAP configurations.

● When a search filter is used in the LDAP configuration, user login is not allowed for users who are not part of the search criteria mentioned.

● Group search will work only if the groups have users assigned under the provided Attribute of Group Membership.

NOTE: If OpenManage Enterprise is hosted on an IPv6 network, the SSL authentication against the domain controller using FQDN would fail if IPv4 is set as the preferred address in DNS. To avoid this failure, do one of the following:

● DNS should be set to return IPv6 as the preferred address when queried with FQDN.

● DC certificate needs to have IPv6 in the SAN field.

To use directory services:

1. Add a directory connection as described in Add or edit directory service AD groups .

2. Import directory groups and map all users in the group to a role as described in Import AD and LDAP groups .

3. Device managers should edit the directory groups to add the groups they can manage as described in Add and edit OpenManage Enterprise local users .

Add or edit directory service AD groups

Use directory services to add Active Directory (AD) users to the appliance user groups and assign privileges as required.

Steps

1. Click Application Settings > Users > Directory Services , and then click Add .

2. In the Connect to Directory Service dialog box, by default, AD is selected to indicate that the directory type is Active Directory (AD):

NOTE: To create an LDAP user group by using Directory Services, see Add or edit directory service LDAP groups .

a. In the Directory Name box, enter a desired name for the AD directory.

b. Select the Domain Controller Lookup method:

● DNS : In the Method box, enter the domain name to query DNS for the domain controllers.

● Manual : In the Method box, enter the FQDN or the IP address of the domain controller(s). For multiple servers, you can use a comma-separated list with a maximum of three servers.

c. In the Group Domain box, enter the group domain as suggested in the tool tip syntax.

3. In the Advanced Options section:

a. In the Server Port field, Global Catalog Address port number 3269 is populated by default. For the Domain Controller Access, enter 636 as the port number.

NOTE: Only LDAPS ports are supported.

b. Enter the Network Timeout and Search Timeout duration in seconds. The maximum timeout duration supported is 300 seconds.

NOTE: To avoid timeout when using Manual Lookup on multiple domain controllers, ensure that the sum of the individual Search Timeout values does not exceed the Network Timeout time. For example, if you have a comma-separated list with 3 FQDN or IP addresses, with a Network Timeout value of 300 seconds, then the Search Timeout must not exceed 100 seconds.

c. To upload an SSL certificate, select Certificate Validation and click Select a file . The certificate should be a Root CA Certificate encoded in Base64 format.

The Test connection tab is displayed.

4. Click Test connection .

5. In the dialog box, enter the username and password of the domain to be connected to.

NOTE: The username must be entered in either the UPN (username@domain) or in the NetBIOS (domain\username) format.

6. Click Test connection .

In the Directory Service Information dialog box, a message is displayed to indicate successful connection.

7. Click Ok .

8. Click Finish .

A job is created and run to add the requested directory in the Directory Services list.

Editing Active Directory (AD) groups to be used with Directory Services

1. In the DIRECTORY NAME column, select the directory. The Directory Service properties are displayed in the right pane.

2. Click Edit.

3. In the Connect to Directory Service dialog box, edit the data and click Finish. The data is updated and saved.

Add or edit directory service LDAP groups

Add or edit properties of Lightweight Directory Access Protocol (LDAP) groups that must be used with directory services. Use either DNS or manual methods to select domain controllers.

Steps

1. Click Application Settings > Users > Directory Services, and then click Add.

2. In the Connect to Directory Service dialog box, select the Type of Directory as LDAP.

NOTE: To create an AD user group by using Directory Services, see Add or edit directory service AD groups.

a. In the Directory Name box, enter a desired name for the LDAP directory.

b. Select the Domain Controller Lookup method:

● DNS: In the Method box, enter the domain name to query DNS for the domain controllers.

● Manual: In the Method box, enter the FQDN or the IP address of the domain controller. For multiple servers, you can use a comma-separated list with a maximum of three servers.


c. Enter the LDAP Bind Distinguished Name (DN) and password.

NOTE: Anonymous bind is not supported for AD LDS.

3. In the Advanced Options section:

a. By default, in the Server Port field, the LDAP port number 636 is populated. To change it, enter a port number.

NOTE: Only LDAPS ports are supported.

b. To match the LDAP configuration on the server, enter the group base DN to search for.

c. In the Attribute of User Login field, enter the user attribute that is already configured in the LDAP system. It is recommended that this is unique within the selected Base DN. Otherwise, provide a Search Filter to ensure that it is unique.

NOTE:

● The user attributes should be configured in the LDAP system used to query before integrating on the directory services.

● You need to enter the user attribute as cn or sAMAccountName for an AD LDS configuration and UID for an LDAP configuration.

● If the user DN cannot be uniquely identified by the combination of attribute and search filter, the login operation fails.

d. In the Attribute of Group Membership box, enter the attribute that stores the groups and member information in the directory.

e. Enter the Network Timeout and Search Timeout duration in seconds. The maximum timeout duration supported is 300 seconds.

NOTE: To avoid a timeout when using Manual Lookup on multiple domain controllers, ensure that the sum of the individual Search Timeout values does not exceed the Network Timeout. For example, if you have a comma-separated list with 3 FQDNs or IP addresses and a Network Timeout of 300 seconds, then the Search Timeout must not exceed 100 seconds.

f. To upload an SSL certificate, select Certificate Validation and click Select a file. The certificate should be a Root CA certificate encoded in Base64 format.

The Test connection button is enabled.

4. Click Test connection, and then enter the bind user credentials of the domain to be connected to.

NOTE: While testing the connection, ensure that the Test username is the value of the Attribute of User Login entered previously.

5. Click Test connection.

In the Directory Service Information dialog box, a message is displayed to indicate a successful connection.

6. Click Ok.

7. Click Finish.

A job is created and run to add the requested directory to the Directory Services list.

Editing LDAP groups to be used with Directory Services

1. In the DIRECTORY NAME column, select the directory. The Directory Service properties are displayed in the right pane.

2. Click Edit.

3. In the Connect to Directory Service dialog box, edit the data and click Finish. The data is updated and saved.

Delete Directory services

To remove imported users from LDAP, directory services can be deleted.

Steps

1. Select the check box corresponding to the Directory Services to be deleted.

2. Click Delete.


Related references

Disable OpenManage Enterprise users

Enable OpenManage Enterprise users

Related information

System configuration

Manage OpenManage Enterprise users

Login using OIDC providers

You can log in using OpenID Connect (OIDC) providers. OpenID Connect providers are the identity and user management software that allow users to securely access applications. Currently, OpenManage Enterprise provides support for PingFederate and Keycloak.

CAUTION: User roles and scopes are reset to 'default' on client re-registration with OIDC provider PingFederate (PingIdentity). This issue might lead to resetting the privileges and scope of non-admin roles (DM and Viewer) to those of the Administrator. Re-registration of the appliance console with the OIDC provider is triggered in the event of an appliance upgrade, change in network configuration, or change in SSL certificate.

To avoid security concerns after any of the above-mentioned re-registration events, the administrator must reconfigure all the OpenManage Enterprise Client IDs on the PingFederate site. Also, it is highly recommended that Client IDs are created only for Administrator users with PingFederate until this issue is resolved.

NOTE:

● To perform any tasks on OpenManage Enterprise, you must have the necessary user privileges. See Role and scope-based access.

● Only a maximum of four OpenID Connect provider IDs can be added in the appliance.

Prerequisites:

Before enabling an OpenID Connect provider login you must:

1. Add an OIDC provider in OpenManage Enterprise: In OpenManage Enterprise Application Settings, add an OpenID Connect provider. When you add the OpenID Connect provider, a Client ID is generated for the OpenID Connect provider. For more information, see Add an OIDC provider.

2. Configure the OpenID Connect provider using the Client ID: In the OpenID Connect provider, locate the Client ID and define a login role (Administrator, Device Manager, or Viewer) by adding and mapping the scope called dxcua (Dell extended claim for user authentication). For more information, see:

Configure OIDC login using PingFederate

Configure OIDC login using Keycloak

When you add an OpenID Connect provider in OpenManage Enterprise, it is listed on the Application Settings > Users > OpenID Connect Providers screen. The following OIDC provider details are displayed:

● Name - The OpenID Connect provider's name when it was added in the appliance

● Enabled - A 'check' on this field indicates that the OpenID Connect provider is enabled in the appliance

● Discovery URI - The URI (Uniform Resource Identifier) of the OpenID Connect provider

● Registration Status - Can be one of the following:

○ Successful - Indicates a successful registration with the OpenID Connect provider

○ Failed - Indicates an unsuccessful registration with the OpenID Connect provider. Login through an OpenID Connect provider whose registration has failed is not allowed, even if the provider is enabled.

○ In Progress - This status is displayed when the appliance tries to register with OpenID Connect provider.

On the right pane, Client ID, Registration Status, Discovery URI are displayed for the selected OpenID Connect provider. You can click See details to view the certificate details of the OpenID Connect provider.

On the Application Settings > Users > OpenID Connect Providers screen you can do the following:

Add an OIDC provider

Edit an OIDC provider's details

Test OIDC registration

Enable OIDC providers

Disable OIDC providers


Delete OIDC providers

Add an OIDC provider

Adding, enabling, and registering an OpenID Connect (OIDC) provider (Keycloak or PingFederate) allows for an authorized client login to OpenManage Enterprise. This generates a Client ID.

About this task

To add an OpenID Connect provider to OpenManage Enterprise, go to the Application Settings > Users > OIDC screen and do the following:

NOTE: Only a maximum of four OpenID Connect provider clients can be added.

Steps

1. Click Add to activate the Add New OpenID Connect Provider screen.

2. Fill in the following information in the respective fields:

a. Name - Name for the OIDC client.

b. Discovery URI - Uniform Resource Identifier of the OIDC provider. This is the path through which OpenManage Enterprise will access the provider. (Example: https://xx.xx.xx.xx:9301)

c. Authentication type - Choose one of the following methods the access token must use to access the appliance:

i. Initial Access Token - Provide the Initial Access Token. This can be obtained from your OIDC provider.

NOTE: If the Initial Access Token was generated by Keycloak's DNS name, the registration must use the DNS name. Similarly, if the Initial Access Token was generated by Keycloak's IP address, then the registration must use the IP address.

ii. Username and Password - Provide the username and password to the OIDC provider.

d. (Optional) Certificate Validation check box - You can select the check box and upload the OIDC provider's certificate by clicking Browse and locating the certificate or by dragging and dropping the certificate into the 'broken line' box.

e. (Optional) Test connection - Click Test URI and SSL Connection to test the connection with the OpenID Connect provider.

NOTE: Test connection does not depend on the username and password or the Initial Access Token details, as it only checks the validity of the Discovery URI provided.

f. (Optional) Enabled check box - You can select the check box to allow the authorized client access tokens to log in to the appliance.

3. Click Finish.

Results

The newly added OpenID Connect provider is listed on the Application Settings > Users > OpenID Connect providers screen and the Client ID can be located on the right pane.

Next steps:

Configure OIDC login using PingFederate

Configure OIDC login using Keycloak

Configure OIDC login using PingFederate

To enable OpenManage Enterprise OpenID Connect (OIDC) login using PingFederate, you must add and map a scope dxcua (Dell extended claim for user authentication) to the Client ID and define the user privileges as follows:

About this task

CAUTION: User roles and scopes are reset to 'default' on client re-registration with OIDC provider PingFederate (PingIdentity). This issue might reset the privileges and scope of non-admin roles (DM and Viewer) to those of the Administrator. Re-registration of the appliance console with the OIDC provider is triggered in the event of an appliance upgrade, change in network configuration, or change in SSL certificate.

To avoid security concerns after any of the above-mentioned re-registration events, the administrator must reconfigure all the OpenManage Enterprise Client IDs on the PingFederate site. Also, it is highly recommended that Client IDs are created only for Administrator users with PingFederate until this issue is resolved.

NOTE: The default assigning algorithm should be RS256 (RSA Signature with SHA-256).

Steps

1. Add an 'exclusive' or 'default' scope called dxcua under Scope Management in OAuth Settings.

2. Map the scope created in OpenID Connect Policy Management > Policy using the following steps:

a. Enable Include User Info in Token.

b. In the Attribute Scope, add the scope and attribute value as dxcua.

c. In Contract Fulfillment, add dxcua and select the type as 'Text'. Then, define the user privileges for OpenManage Enterprise OpenID Connect provider login using one of the following attributes:

i. Administrator: dxcua : [{"Role": "AD"}]

ii. Device Manager: dxcua : [{"Role": "DM"}]

NOTE: To restrict access of the device manager to select device groups, say G1 and G2, in OpenManage Enterprise use dxcua : [{"Role": "DM", "Entity":"G1, G2"}]

iii. Viewer: dxcua : [{"Role": "VE"}]

d. If an 'exclusive' scope is configured after the client registration in OpenManage Enterprise, edit the configured client in PingFederate and enable the created 'dxcua' exclusive scope.

3. Dynamic client registration should be enabled in PingFederate for OpenManage Enterprise client registration. If the 'Require Initial access token' option is unselected in the OpenID Connect provider client settings, the registration will work with username and password. If the option is enabled, then the registration will work only with the Initial Access Token.
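Added example, not Dell's code: the appliance's Test connection only checks that the Discovery URI is valid, so this script reads the discovery document behind such a URI and checks for the registration endpoint that dynamic client registration requires and for RS256 ID-token signing, as the steps above require. The documents and the host idp.example.test:9301 are constructed placeholders.

```python
"""Inspect an OIDC provider's discovery document for the properties that
OpenManage Enterprise client registration relies on.

Added example, not Dell's code. The JSON below stands in for what a provider
publishes at <issuer>/.well-known/openid-configuration; the host
idp.example.test:9301 is a placeholder.
"""
import json
from urllib.parse import urlparse

# Constructed discovery document in the shape a provider publishes.
_BASE_DOC = {
    "issuer": "https://idp.example.test:9301",
    "authorization_endpoint": "https://idp.example.test:9301/as/authorization.oauth2",
    "token_endpoint": "https://idp.example.test:9301/as/token.oauth2",
    "userinfo_endpoint": "https://idp.example.test:9301/idp/userinfo.openid",
    "jwks_uri": "https://idp.example.test:9301/pf/JWKS",
    "registration_endpoint": "https://idp.example.test:9301/as/clients.oauth2",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}
SAMPLE_DISCOVERY_DOC = json.dumps(_BASE_DOC)
# Constructed variants that show what each check catches.
SAMPLE_WITHOUT_REGISTRATION = json.dumps(
    {k: v for k, v in _BASE_DOC.items() if k != "registration_endpoint"})
SAMPLE_HTTP_JWKS = json.dumps(
    {**_BASE_DOC, "jwks_uri": "http://idp.example.test:9301/pf/JWKS"})
SAMPLE_NO_RS256 = json.dumps(
    {**_BASE_DOC, "id_token_signing_alg_values_supported": ["ES256"]})

# Endpoints the appliance needs to discover the provider, register its client
# dynamically, and validate the ID tokens it receives.
REQUIRED_ENDPOINTS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "registration_endpoint",
)


def check_discovery_document(raw):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["discovery document is not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["discovery document is not a JSON object"]

    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            hint = (" (dynamic client registration may be disabled)"
                    if key == "registration_endpoint" else "")
            findings.append("missing or empty '%s'%s" % (key, hint))
            continue
        # Every endpoint should be reached over TLS, like the https
        # Discovery URI in the example above.
        if urlparse(value).scheme != "https":
            findings.append("'%s' is not an https URL: %s" % (key, value))

    # The text above expects RS256 (RSA signature with SHA-256) as the default.
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if "RS256" not in algs:
        findings.append(
            "RS256 is not among id_token_signing_alg_values_supported: %s" % algs)
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_DISCOVERY_DOC),
                          ("no registration", SAMPLE_WITHOUT_REGISTRATION),
                          ("http jwks", SAMPLE_HTTP_JWKS),
                          ("no RS256", SAMPLE_NO_RS256)):
        print(label, "->", check_discovery_document(sample) or "OK")
```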

Configure OIDC login using Keycloak

To enable OpenManage Enterprise OpenID Connect (OIDC) login using Keycloak, you must first add and map a scope dxcua to the Client ID and define the user privileges as follows:

Prerequisites

The Discovery URI specified in the OpenID Connect provider configuration wizard should have a valid endpoint of the provider listed.

Steps

1. In the Attributes section of Keycloak Users, define the 'Key and Value' for OpenManage Enterprise login roles using one of the following attributes:

● Administrator : dxcua : [{"Role": "AD"}]

● Device Manager: dxcua : [{"Role": "DM"}]

NOTE: To restrict access of the device manager to select device groups, say G1 and G2, in OpenManage Enterprise use dxcua : [{"Role": "DM", "Entity":"G1, G2"}]

● Viewer: dxcua : [{"Role": "VE"}]

2. Once the client is registered in Keycloak, in the Mappers section, add a "User Attribute" mapper type with the following values:

● Name: dxcua

● Mapper Type: User Attribute

● User Attribute: dxcua

● Token Claim Name: dxcua

● Claim JSON Type: String

● Add to ID Token: Enable

● Add to access token: Enable

● Add to userinfo: Enable
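Added example, not Dell's code, serving both the PingFederate and the Keycloak steps: it parses the dxcua claim values shown above and derives the role and device-group scope they express. How the appliance itself parses the claim is not documented here; the token claims at the bottom are constructed.

```python
"""Derive the OpenManage Enterprise role and device-group scope from the dxcua
claim that PingFederate or Keycloak places in the token.

Added example, not Dell's code: it mirrors only the documented formats
(Role AD/DM/VE, optional comma-separated Entity for a Device Manager).
"""
import json

# Role codes documented above, mapped to the appliance role names.
ROLE_NAMES = {"AD": "Administrator", "DM": "Device Manager", "VE": "Viewer"}


def parse_dxcua(claim):
    """Return (role_code, [device groups]) for a dxcua claim value.

    Keycloak's mapper is configured with Claim JSON Type: String, so the
    claim arrives as a JSON string; a provider may also emit it already
    decoded as a list. Both forms are accepted. Raises ValueError for
    anything that does not map to exactly one documented role.
    """
    entries = json.loads(claim) if isinstance(claim, str) else claim
    if (not isinstance(entries, list) or len(entries) != 1
            or not isinstance(entries[0], dict)):
        raise ValueError("dxcua must be a JSON list holding exactly one object")
    entry = entries[0]
    role = entry.get("Role")
    if role not in ROLE_NAMES:
        raise ValueError("unknown Role %r; expected one of %s"
                         % (role, sorted(ROLE_NAMES)))
    # "Entity": "G1, G2" names the device groups a Device Manager may see.
    # The manual documents Entity only for the DM role; for other roles it is
    # ignored here (an assumption of this example).
    groups = []
    if role == "DM":
        raw_entity = entry.get("Entity") or ""
        if not isinstance(raw_entity, str):
            raise ValueError("Entity must be a comma-separated string")
        groups = [g.strip() for g in raw_entity.split(",") if g.strip()]
    return role, groups


def is_valid_dxcua(claim):
    """True when parse_dxcua accepts the claim, False otherwise."""
    try:
        parse_dxcua(claim)
        return True
    except (ValueError, TypeError):
        return False


def describe_access(token_claims):
    """Human-readable summary of the access a token's dxcua claim grants."""
    if "dxcua" not in token_claims:
        return "no dxcua claim: login would not map to an appliance role"
    role, groups = parse_dxcua(token_claims["dxcua"])
    scope = ", ".join(groups) if groups else "all devices"
    return "%s (%s) on %s" % (ROLE_NAMES[role], role, scope)


# Constructed claims as they might appear in the ID token or userinfo response.
SAMPLE_TOKEN_CLAIMS = {
    "sub": "ome-operator",
    "dxcua": '[{"Role": "DM", "Entity":"G1, G2"}]',
}

if __name__ == "__main__":
    print(describe_access(SAMPLE_TOKEN_CLAIMS))
    # -> Device Manager (DM) on G1, G2
```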


Test OIDC registration

Based on the validity of the discovery URI, test the registration status of the appliance with an OpenID Connect (OIDC) provider.

Steps

1. Navigate to Application Settings > Users > OpenID Connect Providers.

2. Select an OpenID Connect provider.

3. On the right pane, click Test Registration Status .

NOTE: Test connection does not depend on the username and password or the initial access token details, as it only checks for the validity of the Discovery URI.

Results

The latest registration status ('Successful' or 'Failed') with the OIDC provider is updated.

Edit an OIDC provider's details

Based on the Registration Status of the OpenID Connect (OIDC) provider client, edit the client information.

Steps

1. Navigate to Application Settings > Users > OpenID Connect Providers.

2. Select an OpenID Connect provider.

3. Click Edit on the right pane.

4. Depending on the Registration Status of the OpenID Connect provider client, you can do the following:

a. If the Registration Status is 'Successful,' only the Certificate Validation, Test Connection, and Enabled check box can be edited.

b. If the Registration Status is 'Failed,' then you can edit the Username, Password, Certificate Validation, Test Connection, and Enabled check box.

5. Click Finish to implement, or click Cancel to discard the changes.

Enable OIDC providers

If an OpenID Connect (OIDC) provider's login was not enabled at the time when it was added to the appliance, then to activate the login you must 'enable' it in the appliance.

Steps

1. Navigate to Application Settings > Users > OpenID Connect providers.

2. Select the OpenID Connect provider(s).

3. Click Enable.

Results

Enabling the OpenID Connect providers in OpenManage Enterprise allows the authorized client access tokens to login to the appliance.

Delete OIDC providers

Delete one or more OpenID Connect (OIDC) providers.

Steps

1. Navigate to Application Settings > Users > OpenID Connect Providers.

2. Select the OIDC provider(s).

3. Click Delete.

Disable OIDC providers

Disable one or more OpenID Connect (OIDC) providers.

Steps

1. Navigate to Application Settings > Users > OpenID Connect providers.

2. Select the OpenID Connect provider(s).

3. Click Disable.

Results

The client access token from the 'disabled' OIDC providers will be rejected by the appliance.

Security certificates

Secure your appliance to device connection by using SSL security certificates.

Click Application Settings > Security > Certificates to display information about the currently available SSL certificate of a device.

NOTE: Ensure you have the necessary user privileges as described in Role and scope-based access.

To generate a Certificate Signing Request (CSR), see Generate and download a certificate signing request.

Generate and download a certificate signing request

Generate and download a certificate signing request (CSR), and then apply for an SSL certificate.

About this task

Generate the CSR only from within the OpenManage Enterprise appliance.

Steps

1. Click Generate Certificate Signing Request.

2. In the Generate Certificate Signing Request dialog box, enter information in the fields.

3. Click Generate.

A CSR is created and displayed in the Certificate Signing Request dialog box. A copy of the CSR is also sent to the email address you provided in your request.

4. In the Certificate Signing Request dialog box, copy the CSR data and submit it to the Certificate Authority (CA) while applying for an SSL certificate.

● To download the CSR, click Download Certificate Signing Request.

● Click Finish.

Assign a web server certificate to an appliance

Assign a web server certificate to an appliance using the Microsoft Certificate Services.

Steps

1. Generate and download the Certificate Signing Request (CSR) as described in Generate and download a certificate signing request.

2. Open a web session to the certification server (https://x.x.x.x/certsrv) and click the Request a certificate link.

3. On the Request a Certificate screen, click the submit an advanced certificate request link.

4. On the Advanced Certificate Request screen, click the Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file link.

5. On the Submit a Certificate Request or Renewal Request screen, do the following:

a. In the base-64-encoded certificate request (CMC or PKCS#10 file or PKCS#7) field, copy and paste the entire content of the downloaded CSR.

b. For Certificate Template, select Web Server.

c. Click Submit to issue a certificate.

6. On the Certificate Issued screen, select the option Base 64 encoded and then click the Download Certificate link to download the certificate.

7. Upload the certificate to OpenManage Enterprise by navigating to the Application Settings > Security > Certificates screen and then clicking Upload.

Manage console settings

Set and manage console preferences such as backup and restore settings, report settings, device discovery and health monitoring frequency, and device naming. Click Application Settings > Console Preferences to set the default console settings.

NOTE: To perform any tasks on OpenManage Enterprise, you must have the necessary user privileges. See Role and scope-based access.

The following options are available:

1. Backup/Restore Settings: Expand Backup/Restore Settings to set the Backup/Restoration Timeout (Max: 120 minutes) and Max Number of Backups (Range: 2-20). When the user exceeds the Max Number of Backups, the system automatically replaces the earlier backup with the latest one.

a. Click Apply to save the changes or click Discard to reset the settings to the default attributes.

2. Report Settings: To set the maximum number of rows that you can view on OpenManage Enterprise reports:

a. Expand Report Settings.

b. Enter a number in the Reports row limit box. The default limit is set at 1,000 rows; however, the maximum rows permitted is 2,000,000,000.

c. Click Apply. A job is run and the setting is applied.

3. Device Health: To set the time after which the health of the devices must be automatically monitored and updated on the OpenManage Enterprise Dashboard:

a. Expand Device Health.

b. Enter the frequency at which the device health must be recorded and the data stored.

c. Select:

● Last Known: Display the latest recorded device health when the power connection was lost.

● Unknown: Display the latest recorded device health when the device status moved to 'unknown'. A device becomes unknown to OpenManage Enterprise when the connection with iDRAC is lost and the device is no longer monitored by OpenManage Enterprise.

d. Click Apply to save the changes to the settings or click Discard to reset the settings to the default attributes.

4. Discovery Setting: Expand the Discovery Setting to set the device naming used by OpenManage Enterprise to identify the discovered iDRACs and other devices using the General Device Naming and the Server Device Naming settings.

NOTE: The device naming choices in the General Device Naming and the Server Device Naming are independent of each other and do not affect each other.

a. ICMP Ping affects the discovered devices when using the Multiple option as the Device Type while creating a Discovery job:

● The Enable check box is selected by default. Unselect it to allow the appliance to pursue discovery without an initial ICMP ping.

● In the Retries box, specify the number of ICMP ping attempts by the appliance on the target devices. By default, this is set as 3 attempts.

● In the Timeout box, specify the duration the appliance must wait for a response before the next attempt. By default, this is 30 seconds.

b. General Device Naming applies to all the discovered devices other than the iDRACs. Select one of the following naming modes:

● DNS to use the DNS name.

● Instrumentation (NetBIOS) to use the NetBIOS name.

NOTE:

● The default setting for General Device Naming is DNS.

● If any of the discovered devices do not have the DNS name or the NetBIOS name to satisfy the setting, then the appliance identifies such devices with their IP addresses.

● When the Instrumentation (NetBIOS) option is selected in General Device Naming, for chassis devices the Chassis name is displayed as the device name entry on the All Devices screen.

c. Server Device Naming applies to iDRACs only. Select one of the following naming modes for the discovered iDRACs:

● iDRAC Hostname to use the iDRAC hostname.

● System Hostname to use the system hostname.

NOTE:

● The default naming preference for iDRAC devices is the System Hostname.

● If any of the iDRACs do not have the iDRAC hostname or the System hostname to satisfy the setting, then the appliance identifies such iDRACs using their IP addresses.

d. To specify the invalid device hostnames and the common MAC addresses, expand the Advance Settings:

i. Enter one or more invalid hostnames separated by commas in Invalid Device Hostname. By default, a list of invalid device hostnames is populated.

ii. Enter the common MAC addresses separated by commas in Common MAC Addresses. By default, a list of common MAC addresses is populated.

e. Click Apply to save the changes to the settings or click Discard to reset the settings to the default attributes.

5. Server Initiated Discovery: Select one of the following discovery-approval policies:

● Automatic: To allow servers with iDRAC firmware version 4.00.00.00, which are on the same network as the console, to be discovered automatically by the console.

● Manual: For the servers to be discovered by the user manually.

● Click Apply to save the changes or click Discard to reset the settings to the default attributes.

6. MX7000 Onboarding Preferences: Specify one of the following alert-forwarding behaviors on MX7000 chassis when they are onboarded:

● Receive All Alerts

● Receive 'Chassis' category alerts only

7. Built-in Appliance Share: Select one of the following external network share options that the appliance must access to complete operations such as updating the device firmware and/or drivers, extraction and deployment of templates and profiles, and downloading the diagnostic and technical support reports:

NOTE: The share type or the credentials of an active network share cannot be changed if appliance tasks are using that network share.

● CIFS (Default):

○ Enable V1: To enable SMBv1.

○ Enable V2 (Default): To enable SMBv2.

NOTE: Ensure that SMBv1 is enabled in the SMB Settings before you begin any tasks which need communication with any chassis or the PowerEdge YX2X and YX3X servers that have iDRAC version 2.50.50.50 and earlier. For more information, see the OpenManage Enterprise Support Matrix and PowerEdge server naming conventions.

● HTTPS: To shut down the default CIFS and enable HTTPS.

○ Device operations using HTTPS may fail on PowerEdge servers with older iDRAC firmware versions that do not support HTTPS. See Firmware and DSU requirement for HTTPS.

○ When the internal share uses HTTPS, template creation, template deployment, Boot to Network ISO, and firmware updates are not supported on FX2, VRTX, and M1000e chassis.

○ When the internal share uses HTTPS, template creation and deployment, and firmware updates are not supported on the MX7000 chassis and proxied sleds.

○ The credentials to the HTTPS share are automatically rotated every 6 hours.

8. Email Sender Settings: To set the address of the user who is sending an email message:

a. Enter an email address in the Sender Email ID box.

b. Click Apply to save the changes or click Discard to reset the settings to the default attributes.

9. Trap Forwarding Format: To set the trap forwarding format:

a. Select one of the following options:

● Original Format (Valid for SNMP traps only): To retain the trap data as-is.

● Normalized (Valid for all events): To normalize the trap data. When the Trap-forwarding format is set to 'Normalized,' the receiving agent, such as the Syslog server, receives a tag containing the device IP from which the alert was forwarded.

NOTE: To forward internal alerts, select Normalized (Valid for all events). By default, Original Format (Valid for SNMP traps only) is selected, which does not forward internal alerts via SNMP trap forwarding.

b. Click Apply to save the changes or click Discard to reset the settings to the default attributes.

10. iDRAC vConsole Settings: Expand iDRAC vConsole Settings to set Maximum Allowed Sessions (Max: 10).

a. Click Apply to save the changes or click Discard to reset the settings to the default attributes.

11. Alert Correlation Settings: Expand Alert Correlation Settings to Enable Alert Correlation.

NOTE: Enable Alert Correlation is disabled by default.

a. Interval (minutes) can be set at 3 minutes minimum or 60 minutes maximum.

NOTE: The default value is 3 minutes.

b. Click Apply to save the changes or click Discard to reset the settings to the default attributes.

12. Metrics Collection Settings: To set the frequency of the PowerManager extension data maintenance and purging, do the following:

a. In the Data purge interval box, enter the frequency to delete the PowerManager data. You can enter values within 30 to 365 days.

b. Click Apply to save the changes or click Discard to reset the settings to the default attributes.

Set the login security properties

Set the properties to securely log in to the appliance.

Prerequisites

NOTE:

● To perform any tasks on OpenManage Enterprise, ensure you have the necessary user privileges. See Role and scope-based access.

● AD and LDAP directory users can be imported and assigned one of the OpenManage Enterprise roles (Admin, DeviceManager, or Viewer).

About this task

By clicking OpenManage Enterprise > Application Settings > Security, you can secure your OpenManage Enterprise either by specifying the Restrict Allowed IP Range or the Login Lockout Policy.

● Expand Restrict Allowed IP Range:

NOTE: When "Restrict Allowed IP Range" is configured in the appliance, any inbound connection to the appliance, such as alert reception, firmware update, and network identities, is blocked for the devices which are outside the given range. However, any connection that goes out of the appliance will work on all devices.

1. To specify the IP address range that must be allowed to access OpenManage Enterprise, select the Enable IP Range check box.

2. In the IP Range Address (CIDR) box, you can enter multiple comma-separated IP address ranges.

3. Click Apply. To reset to the default properties, click Discard.

NOTE: The Apply button will not be enabled if multiple IP ranges are entered in the IP Range Address (CIDR) box.

● Expand Login Lockout Policy:

1. Select the By User Name check box to prevent a specific user name from logging in to OpenManage Enterprise.

2. Select the By IP address check box to prevent a specific IP address from logging in to OpenManage Enterprise.

3. In the Lockout Fail Count box, enter the number of unsuccessful attempts after which OpenManage Enterprise must prevent the user from logging in further. By default, this is 3 attempts.

4. In the Lockout Fail Window box, enter the duration for which OpenManage Enterprise must display information about a failed attempt.

5. In the Lockout Penalty Time box, enter the duration for which the user is prevented from making any login attempt after multiple unsuccessful attempts.

6. Click Apply. To reset the settings to the default attributes, click Discard.
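Added example, not the appliance's implementation: a model of how the Lockout Fail Count, Lockout Fail Window and Lockout Penalty Time settings interact when tracked By User Name and/or By IP address, run over constructed login attempts. It assumes times in seconds, that a failure is forgotten once it is older than the Fail Window, and that either tracked key reaching the Fail Count locks it for the Penalty Time.

```python
"""Model of the Login Lockout Policy: Lockout Fail Count, Lockout Fail Window
and Lockout Penalty Time, applied By User Name and/or By IP address.

Added example, not the appliance's implementation. Assumptions: times are in
seconds; a failure is forgotten once it is older than the Fail Window; when
both check boxes are on, either the user name or the source IP reaching the
Fail Count locks that key for the Penalty Time. The sample attempts are
constructed.
"""
from collections import defaultdict, deque


class LoginLockoutPolicy:
    def __init__(self, fail_count=3, fail_window=60, penalty_time=900,
                 by_user_name=True, by_ip_address=True):
        self.fail_count = fail_count          # default 3, as in the manual
        self.fail_window = fail_window        # seconds a failure is remembered
        self.penalty_time = penalty_time      # seconds a locked key stays locked
        self.by_user_name = by_user_name
        self.by_ip_address = by_ip_address
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> time the lock expires

    def _keys(self, user, ip):
        """Keys tracked for an attempt, according to the enabled check boxes."""
        keys = []
        if self.by_user_name:
            keys.append(("user", user))
        if self.by_ip_address:
            keys.append(("ip", ip))
        return keys

    def is_locked(self, user, ip, now):
        return any(self._locked_until.get(k, 0) > now
                   for k in self._keys(user, ip))

    def record_failure(self, user, ip, now):
        """Record a failed attempt and return the keys that just became locked."""
        newly_locked = []
        for key in self._keys(user, ip):
            recent = self._failures[key]
            recent.append(now)
            # Drop failures that fell out of the Fail Window.
            while recent and now - recent[0] > self.fail_window:
                recent.popleft()
            if len(recent) >= self.fail_count:
                self._locked_until[key] = now + self.penalty_time
                recent.clear()
                newly_locked.append(key)
        return newly_locked

    def record_success(self, user, ip):
        for key in self._keys(user, ip):
            self._failures.pop(key, None)

    def attempt(self, user, ip, password_ok, now):
        """Evaluate one login attempt: 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, ip, now):
            return "locked"
        if password_ok:
            self.record_success(user, ip)
            return "ok"
        return "locked" if self.record_failure(user, ip, now) else "failed"


def simulate(policy, attempts):
    """Run constructed (user, ip, password_ok, time) attempts; return outcomes."""
    return [policy.attempt(*a) for a in attempts]


if __name__ == "__main__":
    policy = LoginLockoutPolicy(fail_count=3, fail_window=60, penalty_time=900)
    outcomes = simulate(policy, [
        ("alice", "10.0.0.5", False, 0),
        ("alice", "10.0.0.5", False, 10),
        ("alice", "10.0.0.5", False, 20),    # third failure inside the window
        ("alice", "10.0.0.5", True, 30),     # correct password, still locked
        ("alice", "10.0.0.5", True, 921),    # penalty elapsed
    ])
    print(outcomes)  # ['failed', 'failed', 'locked', 'locked', 'ok']
```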


Customize the alert display

Specify whether the console must display only acknowledged, unacknowledged, or all alerts.

Steps

1. Click OpenManage Enterprise > Application Settings > Alerts and expand the Alert Display Settings.

2. Select one of the following:

a. All: to enable the display of both acknowledged and unacknowledged alerts.

b. Unacknowledged: to enable the display of only the unacknowledged alerts.

NOTE: By default, the Alert Display Settings is set as Unacknowledged.

c. Acknowledged: to enable the display of only the acknowledged alerts.

3. Click Apply.

Changes to the Alert Display Settings affect the following OpenManage Enterprise screens:

● The upper-right corner of all the OpenManage Enterprise screens. See The OpenManage Enterprise GUI.

● The Dashboard screen. See The OpenManage Enterprise dashboard.

● The Devices page. See Doughnut charts.

● The Alert Log table under the Alerts page. See View alert logs.

Configure SMTP, SNMP, and Syslog

Click Application Settings > Alerts to configure the email (SMTP) address that receives system alerts, SNMP alert forwarding destinations, and Syslog forwarding properties. To manage these settings, you must have OpenManage Enterprise administrator-level credentials.

To configure and authenticate the SMTP server that manages the email communication between the users and OpenManage Enterprise:

1. Expand Email Configuration.

2. Enter the network address of the SMTP server that sends email messages.

3. To authenticate the SMTP server, select the Enable Authentication check box and enter the username and password.

4. By default, the SMTP port number to be accessed is 25. Edit if necessary.

5. The Connection Encryption can be updated using the drop-down to STARTTLS or SSL/TLS.

6. You can change the Email Content-Type from HTML (default) to Plain Text.

7. To test if the SMTP server is working properly, select the Send Test Email check box and enter an Email Recipient.

8. Click Apply.

9. To reset the settings to the default attributes, click Discard.

NOTE: Users with DM privileges will be unable to use any SMTP (email) based features until an Admin sets up SMTP.

To configure the SNMP alert forwarding configuration:

1. Expand SNMP Alert Forwarding Configuration.

2. Select the left-most check box on any of the four rows on which you want to add or edit the SNMP Alert Forwarding Configuration details.

3. Select the Enabled check box to enable the respective SNMP trap to send alerts in case of predefined events.

4. In the Destination Address box, enter the IP address of the destination device that must receive the alert.

NOTE: Entering the console IP is disallowed, to avoid duplication of alerts.

5. From the SNMP Version menu, select the SNMP version type as SNMPv1, SNMPv2, or SNMPv3 and fill in the following fields:

a. In the Community String box, enter the SNMP community string of the device that must receive the alert.

b. Edit the Port Number if needed. The default port number for SNMP traps is 162. See Management ports and protocols.

c. If SNMPv3 is selected, provide the following additional details:

● Username: Provide a username.

● Authentication Type: Select SHA, MD_5, or None.

● Authentication Passphrase: Enter a minimum of eight characters.

● Privacy Type: Select DES, AES_128, or None.

● Privacy Passphrase: Enter a minimum of eight characters.


6. To test an SNMP message, click the Send button of the corresponding trap.

7. Click Apply. To reset the settings to default attributes, click Discard.

NOTE: To forward internal alerts, you need to select the option Normalized (Valid for all events) under Application Settings > Console Preferences > Trap Forwarding Format. See Manage console settings.

To update the Syslog forwarding configuration:

1. Expand Syslog Forwarding Configuration.

2. Select the check box to enable the Syslog feature on the respective server in the Server column.

3. In the Destination Address / Host Name field, enter the IP address of the device that receives the Syslog messages.

4. The default port number, using UDP, is 514. Edit if necessary by entering or selecting a value from the box. See Management ports and protocols.

5. Click Apply.

6. To reset the settings to default attributes, click Discard.

Manage incoming alerts

Set TrapForward properties and define users who receive incoming SNMPv3 alerts.

Prerequisites

To perform any tasks on OpenManage Enterprise, you must have the necessary user privileges. See Role and scope-based access.

About this task

By clicking OpenManage Enterprise > Application Settings > Incoming Alerts, you can set the TrapForward properties and define the user who receives the incoming SNMPv3 alerts.

To set the SNMP credentials for incoming alerts:

Steps

1. Select the SNMPV3 Enable check box.

2. Click Credentials.

3. In the SNMP Credentials dialog box:

a. In the User Name box, enter the login ID of the user who manages the OpenManage Enterprise settings.

b. From the Authentication Type drop-down menu, select either the SHA or MD_5 algorithm as the authentication type.

c. In the Authentication Passphrase box, enter the passphrase pertaining to SHA or MD_5 based on your selection.

d. From the Privacy Type drop-down menu, select either DES or AES_128 as your encryption standard.

e. In the Privacy Passphrase box, enter the passphrase based on your privacy type.

f. Click Save.

4. In the Community box, enter the community string to receive the SNMP traps.

5. By default, the SNMP port number for the incoming traps is 162. Edit to change the port number.

6. Click Apply.

The SNMP credentials and settings are saved.

7. To reset the settings to default attributes, click Discard.

NOTE: If SNMPv3 alert settings are configured before upgrading the appliance, you have to reconfigure the settings by providing the username, authentication passphrase, and privacy passphrase to continue receiving the alerts. If the issue persists, restart the services using the Text User Interface (TUI).

8. Click Apply to save the changes or click Discard to cancel.

Set SNMP Credentials

Use SNMP Credentials to secure SNMP communication on the appliance.

Steps

1. Click Credentials.


2. In the SNMP Credentials dialog box:

a. In the User Name box, enter the login ID of the user managing the OpenManage Enterprise settings.

b. From the Authentication Type drop-down menu, select either the SHA or MD_5 algorithm as the authentication type.

c. In the Authentication Passphrase box, enter the passphrase pertaining to SHA or MD_5 based on your selection.

d. From the Privacy Type drop-down menu, select either DES or AES_128 as your encryption standard.

e. In the Privacy Passphrase box, enter the passphrase based on your privacy type.

3. Click Save.
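The SNMP Alert Forwarding rows and the incoming-alert SNMP Credentials dialog share the same field rules (console IP disallowed as a destination, SHA/MD_5/None and DES/AES_128/None choices, passphrases of at least eight characters). The Python below is an added example, not Dell code or the appliance API: it models those fields and checks a row before it is entered, and also flags choices the UI accepts but a reviewer should question. The field names and the rule that privacy needs an authentication type (SNMPv3 has no noAuthPriv level) are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List

AUTH_TYPES = ("SHA", "MD_5", "None")      # labels exactly as the UI shows them
PRIV_TYPES = ("DES", "AES_128", "None")
VERSIONS = ("SNMPv1", "SNMPv2", "SNMPv3")
MIN_PASSPHRASE = 8                        # "enter a minimum of eight characters"

@dataclass
class SnmpDestination:  # one forwarding row, or the incoming-alert credentials
    destination: str
    version: str = "SNMPv2"
    community: str = ""
    port: int = 162                       # default SNMP trap port
    username: str = ""                    # SNMPv3 only
    auth_type: str = "None"
    auth_passphrase: str = ""
    priv_type: str = "None"
    priv_passphrase: str = ""

def validate_v3_credentials(d: SnmpDestination) -> List[str]:
    # Rules shared by SNMP trap forwarding and incoming-alert credentials.
    problems = []
    if not d.username:
        problems.append("SNMPv3 requires a username")
    if d.auth_type not in AUTH_TYPES:
        problems.append(f"unknown authentication type {d.auth_type!r}")
    elif d.auth_type != "None" and len(d.auth_passphrase) < MIN_PASSPHRASE:
        problems.append("authentication passphrase needs at least 8 characters")
    if d.priv_type not in PRIV_TYPES:
        problems.append(f"unknown privacy type {d.priv_type!r}")
    elif d.priv_type != "None":
        if len(d.priv_passphrase) < MIN_PASSPHRASE:
            problems.append("privacy passphrase needs at least 8 characters")
        if d.auth_type == "None":  # SNMPv3 has no noAuthPriv security level
            problems.append("privacy requires an authentication type")
    return problems

def validate_destination(d: SnmpDestination, console_ip: str) -> List[str]:
    """Empty list means the row is acceptable; otherwise the reasons it is not."""
    problems = []
    try:
        addr = ip_address(d.destination)
    except ValueError:
        addr, problems = None, ["destination must be an IP address"]
    if addr is not None and addr == ip_address(console_ip):
        problems.append("console IP is disallowed (would duplicate alerts)")
    if d.version not in VERSIONS:
        problems.append(f"unknown SNMP version {d.version!r}")
    elif d.version == "SNMPv3":
        problems.extend(validate_v3_credentials(d))
    elif not d.community:
        problems.append("community string is required for SNMPv1/SNMPv2")
    return problems

def security_warnings(d: SnmpDestination) -> List[str]:
    # Choices the UI accepts but a reviewer should question.
    warnings = []
    if d.version != "SNMPv3":
        warnings.append("SNMPv1/v2 send the community string in clear text")
    if d.auth_type == "MD_5" or d.priv_type == "DES":
        warnings.append("prefer SHA and AES_128 over MD_5 and DES")
    return warnings
```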

Manage warranty settings

Warranty settings determine how OpenManage Enterprise displays warranty statistics on the home screen Alert widget, the scoreboard across all screens, the Warranty screen, and the reports.

About this task

To change the warranty settings:

Steps

1. Click OpenManage Enterprise > Application Settings > Warranty.

2. Click Warranty Settings to activate the dialog box.

3. In the Show warning if warranties are expiring in the next box, enter the number of days. You can enter a value from 0 to 1000 (both included). The default value is 90 days. The warranties expiring based on this setting are represented by a warning icon in the report and the widget.

4. From the Hide expired warranties options, you can select one of the following:

a. All: To hide the display of all the 'initial' as well as 'extended' warranties that are expired.

b. Initial Only: To hide only the 'initial' warranties that are expired.

c. None: To display all the expired warranties.

5. Click Apply or Discard to either save the warranty settings or to discard the changes and retain the old settings.

Execute remote commands and scripts

Run remote commands and scripts on the appliance in response to an SNMP trap.

About this task

When you receive an SNMP trap, you can run a script on OpenManage Enterprise. For example, you can set up a policy that opens a ticket on your third-party ticketing system for alert management. You can create and store only up to four remote commands.

NOTE: The use of the following special characters as RACADM and IPMI CLI parameters is not supported: [, ;, |, $, >, <, &, ', ], ., *, and '.

Steps

1. Click Application Settings > Script Execution.

2. In the Remote Command Setting section, do the following:

a. To add a remote command, click Create.

b. In the Command Name box, enter the command name.

c. Select any one of the following command types:

i. Script

ii. RACADM

iii. IPMI Tool

d. If you select Script, do the following:

i. In the IP Address box, enter the IP address.

ii. Select the authentication method: Password or SSH Key.

iii. Enter the user name and password or the SSH Key.


iv. In the Command box, type the commands.

● Up to 100 commands can be typed, each on a new line.

● Token substitution in scripts is possible. See Token substitution in remote scripts and alert policy.

v. Click Finish.

e. If you select RACADM, do the following:

i. In the Command Name box, enter the command name.

ii. In the Command box, type the commands. Up to 100 commands can be typed, each on a new line.

iii. Click Finish.

f. If you select IPMI Tool, do the following:

i. In the Command Name box, enter the command name.

ii. In the Command box, type the commands. Up to 100 commands can be typed, each on a new line.

iii. Click Finish.

3. To edit a remote command setting, select the command, and then click Edit.

4. To delete a remote command setting, select the command, and then click Delete.
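The limits above (four stored remote commands, up to 100 commands one per line, and the characters not supported in RACADM and IPMI CLI parameters) are worth checking before a trap-driven command is saved, because every listed character is a shell metacharacter. The Python below is an added example, not Dell code: it checks a Create dialog's contents against those rules. The dictionary keys are this example's own names for the dialog fields, and the character set keeps the note's repeated ' once.

```python
from typing import Dict, List

COMMAND_TYPES = ("Script", "RACADM", "IPMI Tool")
MAX_LINES = 100             # up to 100 commands, each on its own line
MAX_REMOTE_COMMANDS = 4     # only up to four remote commands can be stored
# Characters the note above lists as unsupported in RACADM and IPMI CLI
# parameters. All of them are shell metacharacters, so refusing them also
# stops an alert-driven command from being reshaped into a second command.
# The note lists ' twice; this constructed set keeps each character once.
UNSUPPORTED = set("[;|$><&']*.")


def check_command_text(command_type: str, text: str) -> List[str]:
    """Check the Command box contents; an empty list means it is acceptable."""
    if command_type not in COMMAND_TYPES:
        return [f"unknown command type {command_type!r}"]
    problems = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        problems.append("at least one command is required")
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} commands exceed the limit of {MAX_LINES}")
    if command_type in ("RACADM", "IPMI Tool"):
        for n, ln in enumerate(lines, 1):
            bad = sorted(set(ln) & UNSUPPORTED)
            if bad:
                problems.append(f"line {n}: unsupported character(s) {''.join(bad)}")
    return problems


def check_remote_command(cmd: Dict[str, str], stored_count: int) -> List[str]:
    """Check one Create dialog's fields (keys are this example's own names)."""
    problems = []
    if stored_count >= MAX_REMOTE_COMMANDS:
        problems.append("only four remote commands can be stored")
    if not cmd.get("name"):
        problems.append("Command Name is required")
    ctype = cmd.get("type", "")
    if ctype == "Script":
        if not cmd.get("ip_address"):
            problems.append("IP Address is required for Script")
        auth = cmd.get("auth")
        if auth == "Password":
            if not (cmd.get("username") and cmd.get("password")):
                problems.append("user name and password are required")
        elif auth == "SSH Key":
            if not cmd.get("ssh_key"):
                problems.append("SSH Key is required")
        else:
            problems.append("authentication method must be Password or SSH Key")
    problems.extend(check_command_text(ctype, cmd.get("commands", "")))
    return problems
```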

OpenManage Mobile settings

Configure OpenManage Mobile settings for using OpenManage Enterprise on either Android or iOS devices.

OpenManage Mobile (OMM) is a systems management application that allows you to securely perform a subset of data center monitoring and remediation tasks on one or more OpenManage Enterprise consoles and/or integrated Dell Remote Access Controllers (iDRACs) by using your Android or iOS device. Using OMM you can:

● Receive alert notifications from OpenManage Enterprise.

● View the group, device, alert, and log information.

● Turn on, turn off, or restart a server.

By default, the push notifications are enabled for all alerts and critical alerts. This chapter provides information about the OMM settings that you can configure by using OpenManage Enterprise. It also provides information required to troubleshoot OMM.

NOTE: For information about installing and using OMM, see the OpenManage Mobile User's Guide at Dell.com/OpenManageManuals.

Related tasks

Enable or disable alert notifications for OpenManage Mobile

Enable or disable OpenManage Mobile subscribers

Delete an OpenManage Mobile subscriber

View the alert notification service status

Troubleshooting OpenManage Mobile

Related information

Enable or disable alert notifications for OpenManage Mobile

Enable or disable OpenManage Mobile subscribers

Troubleshooting OpenManage Mobile

Enable or disable alert notifications for OpenManage Mobile

Enable or disable OpenManage Mobile alert notifications from OpenManage Enterprise.

Prerequisites

● Administrator rights are required for enabling or disabling alert notifications for OpenManage Mobile.

● For OpenManage Enterprise to send alert notifications to OpenManage Mobile, ensure that the OpenManage Enterprise server has outbound (HTTPS) Internet access.


About this task

By default, OpenManage Enterprise is configured to send alert notifications to the OpenManage Mobile application. However, alert notifications are sent from OpenManage Enterprise only when an OpenManage Mobile user adds OpenManage Enterprise to the OpenManage Mobile application.

Steps

1. Click OpenManage Enterprise > Application Settings > Mobile.

2. Select the Enable push notifications check box.

3. Click Apply.

Related tasks

OpenManage Mobile settings

Related information

OpenManage Mobile settings

Delete an OpenManage Mobile subscriber

Enable or disable OpenManage Mobile subscribers

Enable or disable OpenManage Enterprise to send notifications to OpenManage Mobile subscribers.

About this task

The check boxes in the Enabled column in the Mobile Subscribers list allow you to enable or disable transmission of alert notifications to the OpenManage Mobile subscribers.

NOTE:

● Administrator rights are required for enabling or disabling OpenManage Mobile subscribers.

● OpenManage Mobile subscribers may be automatically disabled by OpenManage Enterprise if their mobile service provider push notification service indicates that the device is permanently unreachable.

● Even if an OpenManage Mobile subscriber is enabled in the Mobile Subscribers list, they can disable receiving alert notifications in their OpenManage Mobile application settings.

To enable or disable alert notifications to the OpenManage Mobile subscribers:

Steps

1. Click OpenManage Enterprise > Application Settings > Mobile.

2. To enable, select the corresponding check box and click Enable. To disable, select the check box and click Disable.

You can select more than one subscriber at a time.

Related tasks

OpenManage Mobile settings

Related information

OpenManage Mobile settings

Delete an OpenManage Mobile subscriber

Delete an OpenManage Mobile subscriber

As an OpenManage Enterprise administrator, delete OpenManage Mobile subscribers so they do not receive any notifications.

Prerequisites

Administrator rights are required for deleting an OpenManage Mobile subscriber.


About this task

Deleting an OpenManage Mobile subscriber removes the user from the subscribers list, preventing the user from receiving alert notifications from OpenManage Enterprise. However, the OpenManage Mobile user can re-subscribe to alert notifications from the OpenManage Mobile application at a later time.

Steps

1. Click OpenManage Enterprise > Application Settings > Mobile.

2. Select the check box corresponding to the subscriber name and click Delete.

3. When prompted, click Yes.

Related tasks

Enable or disable alert notifications for OpenManage Mobile

Enable or disable OpenManage Mobile subscribers

Delete an OpenManage Mobile subscriber

View the alert notification service status

Related information

OpenManage Mobile settings

Delete an OpenManage Mobile subscriber

View the alert notification service status

Verify if OpenManage Mobile subscribers are receiving alerts from OpenManage Enterprise.

About this task

OpenManage Enterprise forwards alert notifications to OpenManage Mobile subscribers through their respective device platform alert notification service. If the OpenManage Mobile subscriber has failed to receive alert notifications, you can check the Notification Service Status to troubleshoot alert notification delivery.

To view the status of the alert notification service, click Application Settings > Mobile.

Related tasks

View the alert notification service status

Related information

OpenManage Mobile settings

Delete an OpenManage Mobile subscriber

View the alert notification service status

Notification service status

The alerts sent by OpenManage Enterprise to OpenManage Mobile have statuses such as normal, temporary issue in delivering message, or an issue in delivering that requires troubleshooting or help from tech support teams.

The following table provides information about the Notification Service Status displayed on the Application Settings > Mobile screen.

Table 14. Notification service status

Status Icon / Status Description

● Normal: The service is running and operating normally.

NOTE: This service status only reflects successful communication with the platform notification service. If the device of the subscriber is not connected to the Internet or a cellular data service, notifications will not be delivered until the connection is restored.

● Temporary delivery issue: The service experienced an error delivering a message which may be of a temporary nature. If the issue persists, follow troubleshooting procedures or contact technical support.

● Delivery issue: The service experienced an error delivering a message. Follow troubleshooting procedures or contact technical support as necessary.

View information about OpenManage Mobile subscribers

View information about subscribers who receive alerts from OpenManage Enterprise to OpenManage Mobile. Export data to a CSV file.

About this task

After an OpenManage Mobile user successfully adds OpenManage Enterprise, the user is added to the Mobile Subscribers table in OpenManage Enterprise. To view information about the mobile subscribers, in OpenManage Enterprise, click Application Settings > Mobile.

You can also export the information about mobile subscribers to a .CSV file by using the Export drop-down list.

OpenManage Mobile subscriber information

Specify properties of subscribers who receive alerts from OpenManage Enterprise to OpenManage Mobile.

The following table provides information about the Mobile Subscribers table displayed on the Application Settings > Mobile page.

Table 15. OpenManage Mobile subscriber information

Field / Description

ENABLED: Select or clear the check box, and then click Enable or Disable respectively to enable or disable the alert notifications to an OpenManage Mobile subscriber.

STATUS: Displays the status of the subscriber, indicating whether or not OpenManage Enterprise is able to send alert notifications successfully to the Alert Forwarding Service.

STATUS MESSAGE: Status description of the status message.

USER NAME: Name of the OpenManage Mobile user.

DEVICE ID: Unique identifier of the mobile device.

DESCRIPTION: Description about the mobile device.

FILTER: Filters are policies that the subscriber has configured for alert notifications.

LAST ERROR: The date and time the last error occurred when sending an alert notification to the OpenManage Mobile user.

LAST PUSH: The date and time the last alert notification was sent successfully from OpenManage Enterprise to the Alert Forwarding Service.

LAST CONNECTION: The date and time the user last accessed OpenManage Enterprise through OpenManage Mobile.

REGISTRATION: The date and time the user added OpenManage Enterprise in OpenManage Mobile.

Troubleshooting OpenManage Mobile

Troubleshooting issues between OpenManage Enterprise and OpenManage Mobile in successfully exchanging messages.

If OpenManage Enterprise is unable to register with the Message Forwarding Service or successfully forward notifications, the following resolutions are available:

Table 16. Troubleshooting OpenManage Mobile

Problem: OpenManage Enterprise is unable to connect to the Dell Message Forwarding Service. [Code 1001/1002]

Reason: Outbound Internet (HTTPS) connectivity is lost.

Resolution: By using a web browser, check if outbound Internet connectivity is available. If connection is unavailable, complete the following network troubleshooting tasks:

● Verify if the network cables are connected.

● Verify the IP address and DNS server settings.

● Verify if the firewall is configured to allow outbound traffic.

● Verify if the ISP network is operating normally.

Reason: Proxy settings are incorrect.

Resolution: Set proxy host, port, username, and password as required.

Reason: Message Forwarding Service is temporarily unavailable.

Resolution: Wait for the service to become available.

Problem: The Message Forwarding Service is unable to connect to a device platform notification service. [Code 100-105, 200-202, 211-212]

Reason: The platform provider service is temporarily unavailable to the Message Forwarding Service.

Resolution: Wait for the service to become available.

Problem: The device communication token is no longer registered with the platform provider service. [Code 203]

Reason: The OpenManage Mobile application has been updated, restored, uninstalled, or the device operating system has been upgraded or restored.

Resolution: Reinstall OpenManage Mobile on the device or follow the OpenManage Mobile troubleshooting procedures specified in the OpenManage Mobile User's Guide and reconnect the device to OpenManage Enterprise. If the device is no longer connected to OpenManage Enterprise, remove the subscriber.

Problem: The OpenManage Enterprise registration is being rejected by the Message Forwarding Service. [Code 154]

Reason: An obsolete version of OpenManage Enterprise is being used.

Resolution: Upgrade to a newer version of OpenManage Enterprise.

Related tasks

OpenManage Mobile settings


Related information

OpenManage Mobile settings
