Configuring CMC to Use Command Line Consoles. Dell Chassis Management Controller Version 5.20 for PowerEdge M1000E


Configuring CMC to Use Command Line Consoles

11

This section provides information about the CMC command line console (or serial/Telnet/Secure Shell console) features, and explains how to set up the system so that you can perform systems management actions through the console. For information on using the RACADM commands in CMC through the command line console, see Chassis Management Controller for Dell PowerEdge M1000e RACADM Command Line Reference Guide.

Related links

Logging In to CMC Using Serial, Telnet, or SSH Console

CMC Command Line Console Features

The CMC supports the following serial, Telnet, and SSH console features:

• One serial client connection and up to four simultaneous Telnet client connections.

• Up to four simultaneous Secure Shell (SSH) client connections.

• RACADM command support.

• Built-in connect command connecting to the serial console of servers and I/O modules; also available as racadm connect.

• Command Line editing and history.

• Session timeout control on all console interfaces.

CMC Command Line Commands

When you connect to the CMC command line, you can enter these commands:

Table 30. CMC Command Line Commands

Command: racadm
Description: RACADM commands begin with the keyword racadm and are followed by a subcommand. For more information, see Chassis Management Controller for Dell PowerEdge M1000e RACADM Command Line Reference Guide.

Command: connect
Description: Connects to the serial console of a server or I/O module. For more information, see Connecting to Servers or I/O Modules Using Connect Command.
NOTE: You can also use the racadm connect command.

Command: exit, logout, and quit
Description: All the commands perform the same action. They end the current session and return to a login prompt.

Using Telnet Console With CMC

You can have up to four Telnet sessions with CMC at a time.

If your management station is running Microsoft Windows XP or Windows 2003, you may experience an issue with the characters in a CMC Telnet session. This issue may occur as a frozen login where the return key does not respond and the password prompt does not appear.

To fix this issue, download hotfix 824810 from support.microsoft.com. You can also see the Microsoft Knowledge Base article 824810 for more information.

Using SSH With CMC

SSH is a command line session that includes the same capabilities as a Telnet session, but with session negotiation and encryption to improve security. The CMC supports SSH version 2 with password authentication. SSH is enabled on the CMC by default.

NOTE: CMC does not support SSH version 1.

When an error occurs during the CMC login, the SSH client issues an error message. The message text is dependent on the client and is not controlled by CMC. Review the RACLog messages to determine the cause of the failure.

NOTE: OpenSSH must be run from a VT100 or ANSI terminal emulator on Windows. You can also run OpenSSH using Putty.exe. Running OpenSSH at the Windows command prompt does not provide full functionality (that is, some keys do not respond and no graphics are displayed). For systems running Linux, run SSH client services to connect to CMC with any shell.

Four simultaneous SSH sessions are supported at a time. The session timeout is controlled by the cfgSsnMgtSshIdleTimeout property. For more information, see the database property chapter of the Chassis Management Controller for Dell PowerEdge M1000e RACADM Command Line Reference Guide, the Services Management page in the Web interface, or see Configuring Services.

CMC also supports Public Key Authentication (PKA) over SSH. This authentication method improves SSH scripting automation by removing the need to embed or prompt for user ID/password. For more information, see Configure Public Key Authentication over SSH.

SSH is enabled by default. If SSH is disabled, then you can enable it using any other supported interface.

To configure SSH, see Configuring Services.

Related links

Configuring Services

Supported SSH Cryptography Schemes

CMC supports the cryptography schemes listed in the following table for communication over the SSH protocol.

Table 31. Cryptography Schemes

Scheme Type: Asymmetric Cryptography
Scheme: Diffie-Hellman DSA/DSS 512–1024 (random) bits per NIST specification

Scheme Type: Symmetric Cryptography
Scheme:
• AES256-CBC
• RIJNDAEL256-CBC
• AES192-CBC
• RIJNDAEL192-CBC
• AES128-CBC
• RIJNDAEL128-CBC
• BLOWFISH-128-CBC
• 3DES-192-CBC
• ARCFOUR-128

Scheme Type: Message Integrity
Scheme:
• HMAC-SHA1-160
• HMAC-SHA1-96
• HMAC-MD5-128
• HMAC-MD5-96

Scheme Type: Authentication
Scheme: Password


Configure Public Key Authentication over SSH

You can configure up to 6 public keys that can be used with the service username over SSH interface. Before adding or deleting public keys, be sure to use the view command to see what keys are already set up so that a key is not accidentally overwritten or deleted. The service username is a special user account that can be used when accessing the CMC through SSH. When the PKA over SSH is set up and used correctly, you need not enter username or passwords to log in to the CMC. This can be very useful to set up automated scripts to perform various functions.

NOTE: There is no GUI support for managing this feature; you can only use RACADM.

When adding new public keys, ensure that the existing keys are not already at the index where the new key is added. CMC does not perform checks to ensure previous keys are deleted before a new one is added. As soon as a new key is added, it is automatically in effect as long as the SSH interface is enabled.

When using the public key comment section of the public key, remember that only the first 16 characters are utilized by the CMC.

The public key comment is used by the CMC to distinguish SSH users when using the RACADM getssninfo command since all PKA users use the service username to log in.

For example, if two public keys are set up, one with comment PC1 and one with comment PC2:

racadm getssninfo
Type    User    IP Address    Login Date/Time
SSH     PC1     x.x.x.x       06/16/2009 09:00:00
SSH     PC2     x.x.x.x       06/16/2009 09:00:00

For more information on the sshpkauth, see the Chassis Management Controller for Dell PowerEdge M1000e RACADM Command Line Reference Guide.

Related links

Generating Public Keys for Systems Running Windows

Generating Public Keys for Systems Running Linux

RACADM Syntax Notes for CMC

Viewing Public Keys

Adding Public Keys

Deleting Public Keys

Generating Public Keys for Systems Running Windows

Before adding an account, a public key is required from the system that accesses the CMC over SSH. There are two ways to generate the public/private key pair: using PuTTY Key Generator application for clients running Windows or ssh-keygen CLI for clients running Linux.

This section describes simple instructions to generate a public/private key pair for both applications. For additional or advanced usage of these tools, see the application Help.

To use the PuTTY Key Generator to create the basic key for systems running Windows clients:

1. Start the application and select SSH-2 RSA for the type of key to generate (SSH-1 is not supported).

2. Enter the number of bits for the key. RSA key size should be between 2048 and 4096.

NOTE:

• CMC may not display a message if you add keys less than 2048 or greater than 4096, but when you try to log in with these keys, it fails.

• CMC accepts RSA keys up to key strength 4096, but the recommended key strength is 2048.

3. Click Generate and move the mouse in the window as directed.

After the key is created, you can modify the key comment field.

You can also enter a passphrase to make the key secure. Ensure that you save the private key.

4. You have two options for using the public key:

• Save the public key to a file to upload later.

• Copy and paste the text from the Public key for pasting window when adding the account using the text option.

Generating Public Keys for Systems Running Linux

The ssh-keygen application for Linux clients is a command line tool with no graphical user interface. Open a terminal window and at the shell prompt type:

ssh-keygen -t rsa -b 2048 -C testing

where,

-t must be rsa.

-b specifies the bit encryption size between 2048 and 4096.

-C allows modifying the public key comment and is optional.

The <passphrase> is optional. After the command completes, use the public file to pass to the RACADM for uploading the file.
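Because the CMC may accept an out-of-range key silently and uses only the first 16 comment characters, the public key can be checked on the management station before it is uploaded. The following Python check is an added example, not part of the Dell manual: it assumes the key is in the OpenSSH one-line format (as written by ssh-keygen or shown in the PuTTY "Public key for pasting" window), and the names check_public_key and make_sample_key, along with the sample comments, are hypothetical.

```python
import base64
import struct

MIN_BITS, MAX_BITS = 2048, 4096  # RSA key size range stated in this section
COMMENT_LEN = 16                 # CMC uses only the first 16 comment characters


def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4253 string/mpint) from the key blob."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:end])
    if end + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[end:end + length], end + length


def check_public_key(line, existing_comments=()):
    """Return the problems that make this key unusable or ambiguous on the CMC."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return ["not an OpenSSH one-line public key"]
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type != "ssh-rsa":
        return [f"key type {key_type!r} is not ssh-rsa"]
    try:
        blob = base64.b64decode(b64, validate=True)
        inner_type, off = _read_field(blob, 0)
        _exponent, off = _read_field(blob, off)
        modulus, off = _read_field(blob, off)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"malformed key data: {exc}"]
    problems = []
    if inner_type != b"ssh-rsa":
        problems.append("key blob type does not match the ssh-rsa prefix")
    bits = int.from_bytes(modulus, "big").bit_length()
    if not MIN_BITS <= bits <= MAX_BITS:
        problems.append(f"{bits}-bit key is outside {MIN_BITS}-{MAX_BITS} bits")
    seen = comment[:COMMENT_LEN]
    for other in existing_comments:
        if other[:COMMENT_LEN] == seen:
            problems.append(f"comment {seen!r} collides with installed key {other!r}")
    return problems


def make_sample_key(bits, comment):
    """Build a CONSTRUCTED ssh-rsa line with a `bits`-bit modulus (not a usable key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data

    def mpint(n):
        return field(n.to_bytes(n.bit_length() // 8 + 1, "big"))

    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    installed = ["backup-host-rack12-a"]  # comments already on the CMC (constructed)
    for bits, comment in [(2048, "PC1"), (1024, "PC2"), (2048, "backup-host-rack12-b")]:
        print(bits, comment, check_public_key(make_sample_key(bits, comment), installed))
```

Pass the comments of the keys already installed (as shown by the view command) in existing_comments, so that two keys whose comments share the same first 16 characters are caught before they become indistinguishable in getssninfo output.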

RACADM Syntax Notes for CMC

When using the racadm sshpkauth command, ensure the following:

• For the -i option, the parameter must be svcacct. All other parameters for -i fail in CMC. The svcacct is a special account for public key authentication over SSH in CMC.

• To log in to the CMC, the user must be service. Users of the other categories do have access to the public keys entered using the sshpkauth command.

Viewing Public Keys

To view the public keys that you have added to the CMC, type:

racadm sshpkauth -i svcacct -k all -v

To view one key at a time, replace all with a number from 1 – 6. For example, to view key 2, type:

racadm sshpkauth -i svcacct -k 2 -v

Adding Public Keys

To add a public key to the CMC using the file upload -f option, type:

racadm sshpkauth -i svcacct -k 1 -p 0xfff -f <public key file>

NOTE: You can only use the file upload option with remote RACADM. For more information, see Chassis Management Controller for Dell PowerEdge M1000e RACADM Command Line Reference Guide.

To add a public key using the text upload option, type:

racadm sshpkauth -i svcacct -k 1 -p 0xfff -t "<public key text>"

Deleting Public Keys

To delete a public key, type:

racadm sshpkauth -i svcacct -k 1 -d

To delete all public keys, type:

racadm sshpkauth -i svcacct -k all -d

Enabling Front Panel to iKVM Connection

For information and instructions on using the iKVM front panel ports, see Enabling or Disabling Access to iKVM from Front Panel

Configuring Terminal Emulation Software

The CMC supports a serial text console from a management station running one of the following types of terminal emulation software:

• Linux Minicom.

• Hilgraeve’s HyperTerminal Private Edition (version 6.3).


Perform the steps in the following subsections to configure the required type of terminal software.

Configuring Linux Minicom

Minicom is a serial port access utility for Linux. The following steps are valid for configuring Minicom version 2.0. Other Minicom versions may differ slightly but require the same basic settings. See the information in the Required Minicom Settings section to configure other versions of Minicom.

Configuring Minicom Version 2.0

NOTE: For best results, set the cfgSerialConsoleColumns property to match the number of columns. Be aware that the prompt consumes two characters. For example, for an 80-column terminal window:

racadm config -g cfgSerial -o cfgSerialConsoleColumns 80

1. If you do not have a Minicom configuration file, go to the next step. If you have a Minicom configuration file, type minicom <Minicom config file name> and skip to step 12.

2. At the Linux command prompt, type minicom -s.

3. Select Serial Port Setup and press <Enter>.

4. Press <a>, and then select the appropriate serial device (for example, /dev/ttyS0).

5. Press <e>, and then set the Bps/Par/Bits option to 115200 8N1.

6. Press <f>, and then set Hardware Flow Control to Yes and set Software Flow Control to No. To exit the Serial Port Setup menu, press <Enter>.

7. Select Modem and Dialing and press <Enter>.

8. In the Modem Dialing and Parameter Setup menu, press <Backspace> to clear the init, reset, connect, and hangup settings so that they are blank, and then press <Enter> to save each blank value.

9. When all specified fields are clear, press <Enter> to exit the Modem Dialing and Parameter Setup menu.

10. Select Exit From Minicom and press <Enter>.

11. At the command shell prompt, type minicom <Minicom config file name>.

12. Press <Ctrl><a>, <x>, or <Enter> to exit Minicom.

Ensure that the Minicom window displays a login prompt. When the login prompt appears, your connection is successful. You are now ready to log in and access the CMC command line interface.

Required Minicom Settings

See the following table to configure any version of Minicom.

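Table 32. Minicom Settings

Setting Description: Bps/Par/Bits
Required Setting: 115200 8N1

Setting Description: Hardware flow control
Required Setting: Yes

Setting Description: Software flow control
Required Setting: No

Setting Description: Terminal emulation
Required Setting: ANSI

Setting Description: Modem dialing and parameter settings
Required Setting: Clear the init, reset, connect, and hangup settings so that they are blank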

Connecting to Servers or I/O Modules Using Connect Command

CMC can establish a connection to redirect the serial console of server or I/O modules.

For servers, serial console redirection can be accomplished using:

• racadm connect command. For more information, see Chassis Management Controller for Dell PowerEdge M1000e RACADM Command Line Reference Guide at dell.com/support/manuals.

• iDRAC Web interface serial console redirection feature.

• iDRAC Serial Over LAN (SOL) functionality.

In a serial, Telnet, or SSH console, the CMC supports the connect command to establish a serial connection to server or IOM modules.

The server serial console contains both the BIOS boot and setup screens, and the operating system serial console. For I/O modules, the switch serial console is available.

CAUTION: When executed from the CMC serial console, the connect -b option stays connected until the CMC resets. This connection is a potential security risk.

NOTE: The connect command provides the -b (binary) option. The -b option passes raw binary data, and cfgSerialConsoleQuitKey is not used. Additionally, when connecting to a server using the CMC serial console, transitions in the DTR signal (for example, if the serial cable is removed to connect a debugger) do not cause a logout.

NOTE: If an IOM does not support console redirection, the connect command displays an empty console. In that case, to return to the CMC console, type the Escape sequence. The default console escape sequence is <CTRL><\>.

There are up to six IOMs on the managed system. To connect to an IOM:

connect switch-n

where n is an IOM label A1, A2, B1, B2, C1, and C2.

(See Figure 13-1 for an illustration of the placement of IOMs in the chassis.) When you reference the IOMs in the connect command, the IOMs are mapped to switches as shown in the following table.

Table 33. Mapping I/O Modules to Switches

I/O Module Label    Switch
A1                  switch-a1 or switch-1
A2                  switch-a2 or switch-2
B1                  switch-b1 or switch-3
B2                  switch-b2 or switch-4
C1                  switch-c1 or switch-5
C2                  switch-c2 or switch-6

NOTE: There can only be one IOM connection per chassis at a time.

NOTE: You cannot connect to pass-throughs from the serial console.

To connect to a managed server serial console, use the command connect server-<n><x>, where n is 1-8 and x is a, b, c, or d. You can also use the racadm connect server-n command. When you connect to a server using the -b option, binary communication is assumed and the escape character is disabled. If the iDRAC is not available, you see a No route to host error message.

The connect server-n command enables the user to access the server's serial port. After this connection is established, the user can view the server's console redirection through CMC's serial port that includes both the BIOS serial console and the operating system serial console.

NOTE: To view the BIOS boot screens, serial redirection has to be enabled in the servers’ BIOS Setup. Also, you must set the terminal emulator window to 80x25. Otherwise, the screen is garbled.

NOTE: Not all keys work in the BIOS setup screens, so provide appropriate escape sequences for CTRL+ALT+DEL, and other escape sequences. The initial redirection screen displays the necessary escape sequences.

Related links

Configuring the Managed Server BIOS for Serial Console Redirection

Configuring Windows for Serial Console Redirection

Configuring Linux for Server Serial Console Redirection During Boot

Configuring Linux for Server Serial Console Redirection After Boot


Configuring the Managed Server BIOS for Serial Console Redirection

It is necessary to connect to the managed server using the iKVM (see Managing Servers With iKVM) or establish a Remote Console session from the iDRAC Web interface (see the iDRAC User’s Guide on dell.com/support/manuals).

Serial communication in the BIOS is OFF by default. To redirect host text console data to Serial over LAN, you must enable console redirection through COM1. To change the BIOS setting:

1. Boot the managed server.

2. Press <F2> to enter the BIOS setup utility during POST.

3. Scroll down to Serial Communication and press <Enter>. In the pop-up dialog box, the serial communication list displays these options:

• Off

• On without console redirection

• On with console redirection via COM1

Use the arrow keys to navigate between these options.

4. Ensure that On with console redirection via COM1 is enabled.

5. Enable Redirection After Boot (default value is Disabled). This option enables BIOS console redirection across subsequent reboots.

6. Save the changes and exit.

The managed server reboots.

Configuring Windows for Serial Console Redirection

There is no configuration necessary for servers running the Microsoft Windows Server versions, starting with Windows Server 2003. Windows receives information from the BIOS, and enables the Special Administration Console (SAC) on COM1.

Configuring Linux for Server Serial Console Redirection During Boot

The following steps are specific to the Linux GRand Unified Bootloader (GRUB). Similar changes are necessary for using a different boot loader.

NOTE: When you configure the client VT100 emulation window, set the window or application that is displaying the redirected console to 25 rows x 80 columns to ensure proper text display; otherwise, some text screens may be garbled.

Edit the /etc/grub.conf file as follows:

1. Locate the general setting sections in the file and add the following two new lines:

serial --unit=1 --speed=57600
terminal --timeout=10 serial

2. Append two options to the kernel line:

kernel console=ttyS1,57600

3. If the /etc/grub.conf contains a splashimage directive, comment it out.

The following example shows the changes described in this procedure.

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes
# to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, e.g.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/sda1
# initrd /boot/initrd-version.img
#
#boot=/dev/sda
default=0
timeout=10
#splashimage=(hd0,2)/grub/splash.xpm.gz

serial --unit=1 --speed=57600
terminal --timeout=10 serial

title Red Hat Linux Advanced Server (2.4.9-e.3smp)
    root (hd0,0)
    kernel /boot/vmlinuz-2.4.9-e.3smp ro root=/dev/sda1 hda=ide-scsi console=ttyS0 console=ttyS1,57600
    initrd /boot/initrd-2.4.9-e.3smp.img

title Red Hat Linux Advanced Server-up (2.4.9-e.3)
    root (hd0,00)
    kernel /boot/vmlinuz-2.4.9-e.3 ro root=/dev/sda1
    initrd /boot/initrd-2.4.9-e.3.img

When you edit the /etc/grub.conf file, follow these guidelines:

• Disable GRUB's graphical interface and use the text-based interface; otherwise, the GRUB screen is not displayed in console redirection. To disable the graphical interface, comment out the line starting with splashimage.

• To enable console sessions through the serial connection for multiple GRUB options, add the following to the kernel line of all options: console=ttyS1,57600

The example shows console=ttyS1,57600 added to only the first option.

Configuring Linux for Server Serial Console Redirection After Boot

Edit the file /etc/inittab, as follows:

Add a new line to configure agetty on the COM2 serial port:

co:2345:respawn:/sbin/agetty -h -L 57600 ttyS1 ansi

The following example shows the file with the new line.

#
# inittab This file describes how the INIT process
# should set up the system in a certain
# run-level.
#
# Author: Miquel van Smoorenburg
# Modified for RHS Linux by Marc Ewing and
# Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you
# do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Things to run in every runlevel.
ud::once:/sbin/update

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few
# minutes of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have power installed and your
# UPS is connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
co:2345:respawn:/sbin/agetty -h -L 57600 ttyS1 ansi
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
# xdm is now a separate service
x:5:respawn:/etc/X11/prefdm -nodaemon

Edit the file /etc/securetty, as follows:

Add a new line, with the name of the serial tty for COM2:

ttyS1

The following example shows a sample file with the new line.

vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS1
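The three files edited in the two Linux procedures above must agree on the serial port and speed, and every GRUB entry needs the console option. The following Python check is an added example, not part of the Dell manual: it assumes the legacy GRUB and SysV inittab formats shown in this section, the function name audit_serial_console is hypothetical, and the sample input is constructed from the example files above in abbreviated form.

```python
import re


def audit_serial_console(grub_conf, inittab, securetty):
    """Return mismatches between GRUB, inittab and securetty for the redirected console."""
    findings = []
    grub = [line.strip() for line in grub_conf.splitlines()
            if line.strip() and not line.strip().startswith("#")]
    serial = next((line for line in grub if line.startswith("serial ")), "")
    unit = re.search(r"--unit=(\d+)", serial)
    speed = re.search(r"--speed=(\d+)", serial)
    if not (unit and speed):
        return ["grub.conf: no active 'serial --unit=N --speed=S' line"]
    tty, baud = "ttyS" + unit.group(1), speed.group(1)
    if not any(re.match(r"terminal\b.*\bserial\b", line) for line in grub):
        findings.append("grub.conf: no 'terminal ... serial' line")
    if any(line.startswith("splashimage") for line in grub):
        findings.append("grub.conf: splashimage not commented out")
    title = "(no title)"
    for line in grub:
        if line.startswith("title "):
            title = line[len("title "):]
        elif line.startswith("kernel ") and f"console={tty},{baud}" not in line.split():
            findings.append(f"grub.conf: '{title}' lacks console={tty},{baud}")
    # inittab: find an uncommented entry that runs agetty on the same port
    getty = None
    for line in inittab.splitlines():
        fields = line.strip().split(":", 3)
        if len(fields) == 4 and not line.lstrip().startswith("#") and "agetty" in fields[3]:
            match = re.search(r"\b(\d+)\s+(ttyS\d+)\b", fields[3])
            if match and match.group(2) == tty:
                getty = match
    if getty is None:
        findings.append(f"inittab: no agetty entry for {tty}")
    elif getty.group(1) != baud:
        findings.append(f"inittab: agetty speed {getty.group(1)} != GRUB speed {baud}")
    # securetty lists the terminals on which root is allowed to log in
    if tty not in securetty.split():
        findings.append(f"securetty: {tty} missing; root login on the console is refused")
    return findings


# Constructed sample input, abbreviated from the example files in this section.
GRUB = """\
default=0
timeout=10
#splashimage=(hd0,2)/grub/splash.xpm.gz
serial --unit=1 --speed=57600
terminal --timeout=10 serial
title Red Hat Linux Advanced Server (2.4.9-e.3smp)
    root (hd0,0)
    kernel /boot/vmlinuz-2.4.9-e.3smp ro root=/dev/sda1 hda=ide-scsi console=ttyS0 console=ttyS1,57600
title Red Hat Linux Advanced Server-up (2.4.9-e.3)
    root (hd0,00)
    kernel /boot/vmlinuz-2.4.9-e.3 ro root=/dev/sda1
"""
INITTAB = ("co:2345:respawn:/sbin/agetty -h -L 57600 ttyS1 ansi\n"
           "1:2345:respawn:/sbin/mingetty tty1\n")
SECURETTY = "vc/1\ntty1\nttyS1\n"

if __name__ == "__main__":
    for finding in audit_serial_console(GRUB, INITTAB, SECURETTY):
        print(finding)
```

Run against the sample, the check reports only the second GRUB entry, which matches the note above that the example adds console=ttyS1,57600 to the first option only.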
