Hardware Management Console Readme

For use with Version 7 Release 3.1.0

Date: June 8, 2007

(C) Copyright International Business Machines Corp., 2005 All rights reserved.
 

Introduction

The information in this Readme contains hints and errata information about the Hardware Management Console. Please consult the HMC's technical support Web site for up to date information. (https://www14.software.ibm.com/webapp/set2/sas/f/hmc/home.html)

Hints and Tips:

Hints and Tips for using the new web-based user interface

 

This user interface is comprised of several major components: the Banner, the Task bar, the Navigation pane, the Work pane, and the Status bar. The Banner, across the top of the workplace window, identifies the product and logo. It is optionally displayed and is set by using the Change User Interface Settings task. The Task bar, located below the Banner, displays the name(s) of any tasks that are running, the user ID you are logged in as, online help information, and the ability to logoff or disconnect from the console. The Navigation pane, in the left portion of the window, contains the primary navigation links for managing your system resources and the Hardware Management Console. The items are referred to as nodes. The Work pane, in the right portion of the window, displays information based on the current selection from the Navigation pane. For example, when Welcome is selected in the Navigation pane, the Welcome window content is displayed in the Work pane. The Status bar, in the bottom left portion of the window, provides visual indicators of current overall system status. It also contains a status overview icon which may be selected to display more detailed status information in the Work pane.

 

The System p Operations Guide for the Hardware Management Console and Managed Systems can be accessed online on the HMC.  Select Welcome in the Navigation pane.  The Welcome window content is displayed in the Work pane.  Select HMC Operations Guide to view it.

Additional education, support, tutorial and technical information can also be accessed online on the HMC.  Select Welcome in the Navigation pane. The Welcome window content is displayed in the Work pane. Select Online Information to view it.

To log on the HMC from a remote browser, the HMC must first be configured for web browser access.  See appendix C of the System p Operations Guide for the Hardware Management Console and Managed Systems for instructions on how to configure the HMC for remote web browser access.  After the HMC has been properly configured, from your web browser enter the URL of the HMC using the format https://xxx.xxx.xxx.xxx. Also in Appendix C, it is important to read the “Logging on the HMC from a LAN connected Web browser’ section. Security warnings may be presented to your Web browser and the issues related to certificate management should be understood prior to using this function so you can perform the appropriate actions.

 

Upgrade Hints

 

Certificates and keyring files generated by the System Manager Security application (on HMC Version 6) will not be migrated to HMC Version 7. Applications such as remote 5250, which import the public key ring file to establish a secure connection with HMC, will need to import a new public key ring file. The new file, SM.pubkr, will be generated and stored on HMC V7 under /opt/ccfw/data directory. User can copy this file, using the scp or sendfile command.

For further information on how to setup remote 5250 using SSL, see support document located on the System i Technical Support website at the URL

http://www-03.ibm.com/servers/eserver/support/iseries/index.html. This document and many others can be found by selecting the "Technical databases" link.

Enhancements and Changes in V7R3.1.0

Server and Partition Management:

The most significant and the most noticeable change in the HMC for 7.310 is the move to a new Web-based User Interface both locally and remote.  This interface uses a tree style navigation model providing hierarchical views of system resources and tasks using drill-down and launch-in-context techniques to enable direct access to hardware resources and task management capabilities.  It provides views of system resources and provides tasks for system administration.

 

HMC 7.310 can manage both Power5 and Power6 servers. 

 

On Power6 servers the following new features/enhancements have been added.

• Support for Host Ethernet Adapter (HEA).   An HEA provides each logical partition using the adapter with its own virtual adapter and logical ports.  An HEA may be shared between multiple partitions.  This provides direct data and control path between the partitions and the adapter, allowing partition-to-partition connectivity.
• Partition Availability Priority.  This can be used to prevent transient and catastrophic CPU (processor core) failures from resulting in system or partition termination. Total recovery from catastrophic CPU failures will require that a spare processor is or can be made available to replace the failed CPU. 
• Utility CoD is a new CoD offering for eClipz GA1.  It replaces the Reserve CoD offering.  Utility CoD is only available for processor resources.
• Enhancements to the Dump facilities.   These enhancements will reduce unplanned customer outages and improve platform serviceability, by eliminating unneeded and duplicate hardware data from platform system dump, and moving all formatting of dump data to the post-collection analysis phase. This improves dump runtime performance and frees up FSP control store to allow more problem-specific hardware data to be collected.
• Shared Pool Usage of Dedicated Capacity.  This feature provides the ability for partitions that normally run as “dedicated processor” partitions to contribute unused processor capacity to the shared processor pool. 
• Customers may use some of the capacity that is formerly locked up in dedicated processor partitions to satisfy peak needs for the shared processor pool without resorting to using utility on-demand processors.
• Automatic Call-home for i5/OS partitions
• Virtual Server Model Instrumentation. This feature provides a common interface for server system management. Driven by IBM and several other companies, there is an effort to standardize the Virtual Server Model (VS Model) for the server system management, which includes the managed server resource representation and the management service functions.  HMC 7.310 contains the first phase of work for HMC to provide the standardized VS Model as the common interface for third parties to manage the server system and their hardware resources. 

System Plans:

• Automated installation of VIOS into LPAR
• Automated provisioning of virtual resources with the VIOS LPAR
• Improved capability of creating a system plan from a managed system
•   Additional import &export capability via HTTPS
•   Improved System Plan Viewer user controls and details

HMC Command Line:

• A new command, dump, has been added.  The dump command sets the system dump parameters for a managed system (POWER6 servers only).
• The following commands have been added for system plan resource management on the HMC:
•   defsysplanres - defines a system plan resource
• lssysplanres - lists defined system plan resources
•   rmsysplanres - removes a defined system plan resource
• The following commands have been enhanced to support barrier synchronization (POWER6 servers only):  chsyscfg, lshwres, lssyscfg, and mksyscfg.
• The following commands have been enhanced to support partition availability priorities (POWER6 servers only):  chsyscfg, lssyscfg, and mksyscfg.
• The  following commands have been enhanced to support the new processor sharing mode that allows an active dedicated processor partition to share its unused processors (POWER6 servers only):  chhwres, chsyscfg, lshwres, lslparutil, lssyscfg, and mksyscfg.
• The following commands have been enhanced to support electronic error reporting for i5/OS partitions (POWER6 servers only):  chsyscfg, lssyscfg, and mksyscfg.
• The following commands have been enhanced to support processor compatibility modes (POWER6 servers only):  chsyscfg, lssyscfg, and mksyscfg.
• The  following commands have been enhanced to support Host Ethernet Adapters (POWER6 servers only):  chhwres, chsyscfg, lshwres, lssyscfg, mksyscfg, and rsthwres.
• The following commands have been enhanced to support Utility Capacity on Demand (POWER6 servers only):  chcod, lscod, and lslparutil.
•  The lssyscfg -r prof command to list partition profiles has been changed.  The --filter option to specify the partition for which profiles are to be listed is no longer required.  Therefore, all partition profiles for all partitions in the managed system can now be listed by issuing lssyscfg -r  prof  -m <managed system>.
• The mksyscfg -r lpar and mksyscfg -r prof commands have been changed.  The load_source_slot attribute is no longer required to be specified when creating an i5/OS partition or partition profile on a POWER6 server.
• The partition shared_proc_pool_util_auth attribute has been deprecated.  It has been replaced by the allow_perf_collection attribute.  These two attributes will always have the same value.  The commands that use these attributes are chsyscfg, lssyscfg, and mksyscfg.
• A new option has been added to the chsysstate command to enable console service functions for an i5/OS partition.
•   New options have been added to the chhmc command to set the date, time, time zone, and clock type on the HMC.
• A new option has been added to the chsvcevent command to close all serviceable events on the HMC.
• A new option has been added to the mksysplan command to limit the inventory gathered to just the PCI slot devices.
• A new option has been added to the mksysplan command to display verbose output during command processing.
• A new option has been added to the lsdump command to list the system dump parameters for a managed system (POWER6 servers only).
• The lsdump -h command has been enhanced to display dump offload progress.
• The lslic -t power and lslic -t syspower commands have been enhanced to display automatic code download status.
•   A new option has been added to the lslic command to display Power FRU level and status information.
• The dlslic command has been removed.  The information that was displayed by the dlslic command is now displayed by the lslic command.
•  Due to security restrictions in the HMC Web-based user interface, an HTML file containing Terms and Conditions can no longer be presented to users who login locally on the HMC.  Instead, a text file containing welcome text can be presented to users who login locally on the HMC.  Therefore, the chusrtca command has been changed to no longer support deployment of Terms and Conditions and to support deployment of welcome text instead.  If you are upgrading from HMC V6R1 and the display or Terms and Conditions at login is currently enabled on your HMC, then the contents of the UserLicense.html file containing the Terms and Conditions is preserved.  After the upgrade is complete, the contents of the UserLicense.html file will exist unchanged in the /opt/hsc/data/license/WelcomeFile.txt file and will be displayed as welcome text to users that login locally on the HMC.  You may then want to deploy a new welcome text file that does not contain HTML and that has text that better fits a welcome message.
• The lsusrtca command has been deprecated.
•   To use X11Forwarding on HMC, from the SSH client, run your ssh command with the -Y or set the value of ForwardX11Trusted in your /etc/ssh_config file to yes.
• The max_capacity_sys_proc_units and max_capacity_sys_mem attributes displayed by the lshwres command have been deprecated since these values cannot be accurately determined for all managed systems.  For partition profiles, the maximum memory value will now be limited to the value 4,294,967,295 (0xFFFFFFFF) MB.  The maximum processor values for a partition profile will now be limited to a new value, which is displayed by the new attribute max_procs_per_lpar in the lshwres command.

 

 

 

 National Language Support:

         Translation language packs are not available at this time. HMC
      will release the translation language packs separately at a later   

      time. In the initial release there are some locale specific issues,   

      i.e., decimal numbers are not being formatted properly. These
      issues will be addressed in the translation language packs.

     

 

Known Issues:

 

    Web Browser Requirements

 

     Hardware Management Console web browser support requires   

     HTML 2.0, JavaScript™ 1.0, Java Virtual Machine (JVM), and
     cookie support in browsers that will connect to it. Contact your 

     support personnel to assist you in determining if your browser

     is configured with a Java Virtual Machine. It is required that the
     web browser uses the HTTP 1.1 protocol and if you are using a
     proxy server, the HTTP 1.1 protocol is enabled for the proxy   

     connections. Additionally, pop-ups must be enabled for all   

     Hardware Management Consoles addressed in the browser if   

     running with pop-ups disabled. The following browsers have

     been tested:

 

• Microsoft® Internet Explorer 6.0 or later Note: If this browser is configured to use an internet proxy, then local intranet addresses should be included in the exception list, consult your network administrator for more information. If you still need to use the proxy to get to the Hardware Management Console, enable Use HTTP 1.1 through proxy connections under the Advanced tab in your Internet Options window. 

•   Firefox 1.5.0.6 or later.

                    Note: For Firefox 2.0 make sure the JavaScript options to
        raise or lower windows and move or resize existing windows
        are enabled. To enable these options, go to the Content tab in
        the browser’s Options dialog, click Advanced... next to the  
        Enable JavaScript option, then select Raise or lower
        windows option (a check mark appears) and Move or resize    
        existing windows option (a check mark appears). These
        features allows you to switch easily between HMC tasks.

 

.

     Other Web Browser Considerations

 

Session cookies need to be enabled in order for ASMI to work when connected to HMC remotely.  The asm proxy code saves session information and uses it.

 

Using Internet Explorer

 

1.  Select Tools -> Internet Options

2.  Select Privacy tab and select 'Advanced'.

3. Check if 'Always allow session cookies'

4. If not checked, check 'Override automatic cookie handling' and check 'Always allow session cookies'

5. You can choose how you want to handle First-party Cookies and Third-party Cookies, block or prompt or accept.  (prompt is preferred in which case you will be prompted every time a site tries to write cookies.  It may be a little annoying, but it is the safe thing to do.  Some sites need to be allowed to write cookies)

 

  Using Firefox

 

   1. Tools -> Options

   2.  Select Cookies Tab

3. Select check box Allow sites to set cookies.

4. If you want to allow only specific sites then select 'Exceptions' and then you can just add this HMC to allow.

 

Other Issues

• The HMC now reserves the first ten virtual adapter slots on each VIOS (Virtual I/O Server) partition for internal HMC use. 

 

Configuration rules:

1.     The maximum Virtual I/O Slot Number should be set to (at least) 10 plus the number of virtual I/O slots desired by the customer.

Note that setting the maximum higher is OK, the danger is setting it too low.  Setting it below 10 will cause a compatibility issue with newer levels of HMC code.   Excess virtual slots use a small amount of additional memory, but otherwise have no impact.

 

2.  All customer virtual I/O slots (virtual SCSI, virtual Ethernet or virtual serial) must use virtual slot IDs 11 or greater.

 

3. The VASI adapter (used by the Mobile Partition function) must be assigned to virtual slot ID 2.  

 

• When using the updhmc command with the -i flag, input echo is not restored when the command finishes. You can use the CTRL-D key to logoff then log back in.

 

       

    Licenced Internal Code (LIC) update

 

• A new task was added which allows the user to ensure that the system has no errors which will prevent Licensed Internal Code update from working correctly.  This new task is invoked by selecting "Check System Readiness" from the Updates task selection list or using the "-o k" parameter of the updlic command.   
• A new task was added which allows the user to view system information without entering a "change" task.  This new task is invoked by selecting "View System Information" from the Updates task selection list.   
• The restricted-access dlslic command was removed.  Equivalent capability was added to the lslic command.   For more details, see the command line section of the readme.

 

              

    Security Fixes:

CAN-2003-0989	tcpdump remote DOS
CAN-2003-0190	OpenSSH: info leak issue
CAN-2004-0078	mutt remote buffer overflow
CAN-2004-0110	libxml2 URI Parsing Remote Buffer Overflow
CAN-2004-0109 CAN-2004-0181	Kernel ISO9660/JFS local privilege escalation, info leak
CAN-2004-0183	tcpdump ISAKMP remote DOS
CA-2005-35	SSH Protocol 1 Weakness and Vulnerability
CAN-2004-0427  CAN-2004-0424  CAN-2004-0229  CAN-2004-0228  CAN-2004-0394	Kernel privilege escalation, local DoS
CAN-2004-0554	Kernel "__clear_fpu()" Macro local DoS
CAN-2004-0523	kerberos aname_to_localname remote root compromise
CVE-2004-0493	Input Header Memory Allocation  Denial of Service
CVE-2004-0488	Apache mod_ssl FakeBasicAuth Buffer overflow
CVE-2004-0747                                                              CVE-2004-0748                                                              CVE-2004-0751                                                               CVE-2004-0786                                                              CVE-2004-0809	Apache 2 Multiple Denial of Service
CVE-2004-0942	Apache MIME Header Memory Consumption
CAN-2004-0460 CAN-2004-0461 VU#317350 VU#654390	dhcp-server: remote system compromise
CVE-2002-1363	libpng remote DoS
CAN-2004-0590	Certificate chain authentication in Openswan pluto
CAN-2004-0649	L2tpd: remote execution of arbitrary files w/ privs of l2tpd user
VU#388984 VU#236656 VU#160448 VU#477512 VU#817368 VU#286464 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599	libpng: multiple vulnerabilities
CAN-2004-0415	Kernel: local privilege escalation, race condition in file offset pointer handling
VU#550464 CAN-2004-0644	krb5:  remote unauthenticated DoS
CAN-2004-0817	imlib: local execution via heap overflow
CAN-2004-0687 CAN-2004-0688	xf86: multiple buffer overflows with malformed xpm images
CAN-2004-0966	gettext: Insecure temporary file handling
CAN-2004-0804 CAN-2004-0886	tiff: Buffer overflows in image decoding
CAN-2004-0884	Cyrus-sasl2: (ver2.1.7)Insecure handling of environment variable
CAN-2004-0971	krb5: krb5-workstation: Possible symlink attack, priv escalation via temproary file mishandling
CAN-2004-0989	libxml: remote code execution, buffer overflow
CVE-2004-0079	Openssl vulnerability
CAN-2004-0975	Openssl: possible symlink attack via temp file mishandling
SUSE-SA:2004:041	xf86: SuSE security updates for libxpm
CAN-2004-0782	imlib: xpm security updates in imlib
CAN-2004-1010	zip: buffer overflow in info-zip when using recursive folder compression
CAN-2004-1308	tiff: multiple buffer overflows
CAN-2004-0986	iptables: variable init failure can cause failure to load firewall rules
CAN-2004-0883 CAN-2004-0949 CAN-2004-1070 CAN-2004-1071 CAN-2004-1072 CAN-2004-1073 CAN-2004-1074	Kernel update for multiple local and remote DoS vulnerabilities
CAN-2004-0079 CAN-2004-0112	OpenSSL remote DOS
CVE-2006-2937 CVE-2006-2940 CVE-2006-2969 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343	OpenSSL vulnerability
CAN-2005-0155 CAN-2004-0452 CAN-2005-0077	Perl: Security update to address two priv escalation and a buffer overflow condition
CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2004-0814 CAN-2004-1333 CAN-2005-0003	Updates for multiple issues on 2.4-2.6.11 kernels
CAN-2005-1993	sudo: vulnerabilities allow execution of arbitrary commands
CAN-2005-1267 CAN-2005-1278 CAN-2005-1279 CAN-2005-1280	tcpdump: fix for several DOS vulnerabilities
CAN-2005-1151                            CAN-2005-1152                 CAN-2005-1349                             CAN-2005-0103                  CAN-2005-0104                   CAN-2005-1455                  CAN-2005-1454                   CAN-2004-1456 - CAN-2004-1470	tiff: buffer overflow allows execution of arbitrary code
CAN-2005-0109	OpenSSL update
CAN-2005-2969	OpenSSL fix for potential SSL 2.0 Rollback vulnerability
CVE-2001-0572	SSHv1 Protocol Available
CVE-2004-0175	OpenSSH SCP Client File Corruption Vulnerability
CVE-2006-0225	OpenSSH scp remote attack vulnerability
CVE-2006-4924 CVE-2006-4925	Open SSH vulnerability
CVE-2006-5051	Open SSH vulnerability not applicable to HMC due to GSSAPI being disabled
CVE-2006-5794	Open SSH vulnerability
CVE-2006-0058	Sendmail remote code execution
CVE-2006-1721	Cyrus-sasl remote denial of service
CVE-2006-2024 CVE-2006-2025 CVE-2006-2026	Libtiff: various denial of service attacks
CVE-2005-3352 CVE-2005-3357	Apache2 cross site scripting in mod_imap and mod_ssl
CVE-2006-0455	Gpg remote execution by signature checking
CVE-2005-3353 CVE-2005-3389 CVE-2005-3390 CVE-2005-3391 CVE-2005-3392 CVE-2005-3883	Multiple vulnerabilities in php4
CVE-2005-2970	Apache2 worker memory leak
CVE-2005-2974 CVE-2005-3350	Libungif denial of service attack/buffer overflow
CVE-2005-2959	Sudo environment cleaning privilege escalation vulnerability
CAN-2005-2491	PCRE: Integer overflow vulnerability
CVE-2005-3119 CVE-2005-3179 CVE-2005-3180 CVE-2005-3181	Kernel potential denial of service and information disclosure
CAN-2005-2797 CAN-2005-2798	OpenSSH: fixes to prevent escalation of privileges and bypass certain security restrictions
CVE-2005-2876	Util-linux umount “-r” Re-Mounting security issue
CAN-2005-2495	Xf86: Fix remote command execution
CAN-2005-2491 CAN-2005-2700 CAN-2005-2728	Apache2: Security fixes
CAN-2005-1761 CAN-2005-1768 CAN-2005-2500	Kernel: Various Security Fixes
CAN-2005-2452	Tiff: Vulnerability allows DOS attack due to divide by zero error
CAN-2005-2177	Net-snmp remote attack vulnerability
CAN-2005-0448	Perl vulnerabilities
CAN-2005-0758 CAN-2005-0988 CAN-2005-1228 CAN-2005-1260 CAN-2005-0953	Bzip2 vulnerability
CAN-2004-1189	Krb5 multiple security issues
CAN-2005-1849 CAN-2005-2096	Zlib buffer overflow
CAN-2005-2088 CAN-2005-1268	Apache2: fix for multiple vulnerabilities
CVE-2005-2970	Apache2: memory leak
CVE-2005-3357	Apache2 Cryptographic problem
CVE-2006-3747	Apache2: Off-by-one error in the ldap scheme handling in the Rewrite module
CVE-2006-3918	Apache2 vulnerability
CVE-2005-2728	Apache Byte Range Denial of Service
CAN-2004-1453 CAN-2004-0968 CAN-2004-1382	Glibc: Infoleak and symlink attack vulnerabilities
CAN-2005-1111 CAN-2005-1229	Cpio directory traversal and privilege escalation
CAN-2005-0605	Xf86: libXPM integer overflow
CAN-2004-0970	Gzip: temporary file mishandling
CAN-2005-0160 CAN-2005-0161 CAN-2005-0961	telnet: ENV buffer overflow
CAN-2005-1704	Binutils vulnerabilities
CAN-2005-1993	Sudo: race condition
CAN-2005-0373	Cyrus-sasl, cyrus-sasl2 remote code execution
CVE-2005-0916 CVE-2005-2456 CVE-2005-2457 CVE-2005-2458 CVE-2005-2555 CVE-2006-0554 CVE-2006-0555 CVE-2006-0557 CVE-2006-0744 CVE-2006-1055 CVE-2006-1056 CVE-2006-1242 CVE-2006-1523 CVE-2006-1524 CVE-2006-1525 CVE-2006-1527 CVE-2006-1528 CVE-2006-1857 CVE-2006-1858 CVE-2006-1863 CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2444 CVE-2006-2448 CVE-2006-2451 CVE-2006-2934 CVE-2006-2935 CVE-2006-3085 CVE-2005-3180 CVE-2006-3468 CVE-2006-3626 CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4813 CVE-2006-4997 CVE-2006-5757 CVE-2006-5823 CVE-2006-6053 CVE-2006-2274 CVE-2006-2444 CVE-2006-2448 CVE-2006-2451 CVE-2006-2934 CVE-2006-2935 CVE-2006-3085 CVE-2005-3180 CVE-2006-3468 CVE-2006-3626 CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4813 CVE-2006-4997 CVE-2006-5757 CVE-2006-5823 CVE-2006-6053	Kernel Vulnerabilities