IBM Remote Supervisor Adapter

From Wikipedia, the free encyclopedia
  (Redirected from Remote Supervisor Adapter)
Jump to: navigation, search

Remote supervisor adapter (RSA) is the out-of-band management interface card optional on most IBM x86 [1]-based server machines sold under the IBM System x brand.

Remote management is independent of the status of the managed server.

An IBM Remote Supervisor Adapter II installed in an eServer 326
An IBM Remote Supervisor Adapter II

Features[edit]

  • Remote control of hardware and operating systems
  • Web-based management with standard Web browsers (no other software is required)
  • Scriptable command-line interface and text-based serial console redirect
  • System-independent graphical console redirection
  • Remote diskette and CD-ROM drive support

Adapter versions[edit]

Advanced Systems Management Adapter (ASMA)[edit]

This is a full-length ISA or PCI adapter. The ISA version is very rare, and was only ever supported in one or two servers. This adapter can be accessed either in-band through a device driver, or out-band over serial or 10Mbit Ethernet.

In addition, this adapter supports chaining of IBM Servers with Advanced Systems Management Processors (ASMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required. A total of 12 systems can be controlled this way using a single adapter.

The PCI version is supported under Linux through the ibmasm driver.

Supported servers:

  • ooo Netfinity 4500R
  • IBM Netfinity 5000, 5100, 5500, 5500 M10, 5500 M20, 5600
  • IBM Netfinity 6000R
  • IBM Netfinity 7000 M10, 7100, 7600
  • IBM Netfinity 8500R
  • IBM eServer xSeries 230, 240, 250
  • IBM eServer xSeries 330 (8654), 340, 350, 370

Remote Supervisor Adapter (RSA) 59P2952[edit]

This is a half-length PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.

In addition, this adapter supports the chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.

The adapter is supported under Linux through the ibmasm driver.

This is the first version to support remote KVM over Ethernet. But when chaining is used, only the server with the adapter installed supports the remote KVM function.

Supported servers:

  • IBM eServer xSeries 205, 225 (8647), 232, 255
  • IBM eServer xSeries 305, 330, 335, 342, 345, 360
  • IBM eServer xSeries 440, 445, 450, 455

Remote Supervisor Adapter II (RSA-II) 73P9265[edit]

This is a half-length full-height PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.

In addition, this adapter supports chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.

This adapter (when properly cabled) can be accessed for in-band management through a USB driver.

This adapter has its own ATI video chip, and will cause the onboard video chip to get disabled. The reason for this was to resolve some of the problems with capturing the video for the remote KVM function that the original RSA experienced. Just like the original RSA, in the event of chaining the remote KVM function is only supported on the server with the adapter installed.

Supported servers:

  • IBM eServer 326, 326m
  • IBM eServer xSeries 206, 225 (8649), 226, 235, 255
  • IBM eServer xSeries 305, 306, 306m, 335, 345, 365
  • IBM eServer xSeries 445

Cable[edit]

The RSA-II requires a 20-pin cable to attach to the motherboard of the server. Without this cable the remote video facilities will still work, and if the external USB cable is connected, the remote keyboard and mouse will work—but nothing else (including power control) will function properly. Moreover, some servers will pause for 30–120 seconds after power-on if the RSA-II is installed but the cable is missing.

Different cables are required for different servers, and as of April 2008 it appears that the cards themselves are far more plentiful on the used market than certain cables—often the cables sell for more than the cards themselves!

Here is a table of known server/cablenumber combinations:

  • eServer 326 uses cable 73P9312
  • x345 uses cable 02R1661

Older servers use what is known as the "planar cable". Newer servers use the cable shown in the adjacent image:

One type of IBM Remote Supervisor Adapter II internal cable (73P9312)

Remote Supervisor Adapter II Slimline (RSA-II Slimline)[edit]

This is a special version of the RSA-II that does not need a PCI slot. Instead it is plugged into a dedicated slot on the systemboard, like a mini-pci adapter. This version also does not have a video controller anymore like the RSA-II.

Out-band management is provided by a dedicated Ethernet port on the server, which is not connected if the RSA-II Slimline is not installed. In-Band management is provided by the same USB driver as the RSA-II.

Supported servers:

  • IBM eServer xSeries 236, 260
  • IBM eServer xSeries 336, 346, 366
  • IBM eServer xSeries 460, MXE-460
  • IBM System x 3200, 3250, 3350, 3400, 3500, 3550, 3650, 3655, 3755, 3800, 3850, 3950

Peculiarities[edit]

Maximum password length[edit]

A password can only be 15 characters max. If more characters are typed at the changing password form, there will be no error message but they won't be memorized.

Java 1.6 incompatibility bug[edit]

The RSA remote control is now broken IBM has issued a fix that only works some of the time.[1][2] Most users are advised to use Java JRE 1.60 U07 or earlier,[3] which is impossible if the user does not have administrative access to the client machine. IBM has been unresponsive. jre-1_5_0_21-windows-i586-p.exe generally gives good results on windows clients.

The Remote console works with the OpenJDK JRE and the IcedTea browser plugin. Tested on OpenJDK6 build 18 and IcedTea 1.1.

Passwords sent in clear text[edit]

SSL is disabled by default, meaning that administrator passwords are sent in clear text. The administrator should to use the builtin functionality to generate a CSR and have it signed by an accepted CA.

Invisible to traceroute[edit]

The network stack used by the RSAII does not respond to UDP packets sent to a closed port; therefore, it appears to be "invisible" to traceroutes based on UDP (the default for non-Windows systems).

Reliability problems[edit]

A defect in the design of the RSA can cause it to go into a state in which the remote video capabilities are disabled. Unfortunately, once in this state the only way to correct the situation is to physically remove power from the RSA and the server; no amount of remote restarting will correct the problem. Because the point of the RSA is to eliminate the need for this sort of physical intervention to clear errors, this flaw calls into question the usefulness of the device.

This flaw is documented on IBM's website at [4]

The video forwarding also takes an initial reboot to take effect after the RSA was re-configured. At this point the operator would be in the BIOS menu but without the video functionality active. A reboot of the RSA will not suffice, the whole server has to be rebooted.

The card can also crash during some operations certificate generation.

Requires UDP[edit]

The remote control feature of the service processor requires that it be possible to exchange packets on UDP port 2000 between the adapter and the client.

No video through NAT[edit]

The adapter does not cope well with NAT. The symptoms generally experienced are a lack of video when attempting to access remote control. If in doubt, ensure that the client (web browser) has its own public internet IP and is not behind any sort of NAT.

No video when using a Cisco router or switch with Network Address Translation (NAT)[edit]

Problem

When using a Cisco router or switch with Network Address Translation (NAT) enabled, connection to the Remote Supervisor Adapter (RSA) II web UI is operational. When starting the remote control session, the user receives a blank screen.

Solution

The remote console port should be changed from 2000 to 5090 or any other value.

Log into the RSA II web UI pages. In the RSA II web UI, go to Port Assignments in the left panel. Go to remote console and change the value to 5090. Save and restart the ASM. Port 2000 is being used by Cisco Skinny Client Control Protocol (SCCP). Since the default value for RSA II console port (remote video) is 2000, it needs be changed to another value such as 5090. [5]

Network port may not be set to the Default of DHCP IP Address then (Static IP - Fallback Configuration)[edit]

The RSA II adapter's network port, by Default, is set to "Try DHCP Server. If it Fails, Use Static IP Config", where "Static IP Config" is the fallback IP address configuration; however, this behavior may vary depending upon the Firmware version installed or configuration changes made by a prior user.[6] If the RSA II is reset to Defaults, the associated NIC should also automatically reset to DHCP IP address then Static IP if a DHCP address cannot be obtained.

  • RSA II - Static IP Address Default is: 192.168.70.125

If the RSA II NIC is not responding to network communication or an expected IP address, the associated network settings (including currently assigned IP address and configuration) can be viewed, modified and/or reset through the server's Advanced - BIOS settings under the RSA II or Remote Supervisor Adapter II (or similar title) Advanced feature setting.

Be sure to Save the Network settings before exiting the RSA II configuration screen and Save any other changes to BIOS settings before exiting the BIOS Setup Configuration.

Difficult to reset[edit]

Procedures for resetting the RSAII to factory defaults may be challenging for some users. The IBM forums list a procedure [7] for resetting an RSAII to factory defaults which appears to be simpler; it involves removing the card from the server and operating it from a non-PCI power supply. Most of the problems resolve around correct loading of the USB library. Ensuring this is properly loaded raises chances of success.

LDAP authentication generally unusable[edit]

LDAP authentication fails if a user is a member of more than one posixGroup, which is usually the case in non-trivial directories. IBM privately acknowledged the problem has existed for over four years, but still has not published a fix. The problem is that it considers only first posixGroup in resultset, so if you manage to reorganize directory to return your matching group first, you can succeed on the auth (with openldap ldif dump, delete and restore tends to keep results ordered).

Host OS tools[edit]

Like almost all IBM-provided management tools, software tools do not respect long established OS conventions for packaging, file paths and naming.

Firmware updates are incompatible with a non-executable /tmp directory, a commonly employed security setting.

Command line tools have many undocumented behaviors. "asu," the executable used to query or set parameters on the board, writes logs to the current directory with a hardcoded name, without warning and without basic sanity checks. It will thus silently overwrite the target of a symbolic link with that name.

Related[edit]

BladeCenter Management Module (BCMM)[edit]

This is the first management module of the IBM BladeCenter.

Its function is very similar to that of the RSA-II

The BCMM provides an external 10/100Mbit Ethernet connection (used for out-of-band management) and shared VGA, PS/2 Keyboard and PS/2 Mouse ports. Internally the VGA and PS/2 ports are switchable between blades. The PS/2 ports are internally seen to the blades as USB.

This has since been phased out and replaced by the BCAMM. It is no longer supported by IBM.

BladeCenter Advanced Management Module (BCAMM)[edit]

This is a hardware refresh of the management module for the IBM BladeCenter. The PS/2 ports for keyboard and mouse were replaced with two USB ports. The BCAMM is currently under active development and its firmware offers more capabilities than the original BCMM.

Advanced Systems Management Processor (ASMP)[edit]

This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the ISMP. Out-of-band management is possible using a serial port (shared with the OS), or by adding the Advanced Systems Management Adapter (ASMA).

These servers have ASMP functionality:

  • IBM Netfinity 4500R
  • IBM Netfinity 5000, 5100, 5500, 5600
  • IBM Netfinity 6000R
  • IBM Netfinity 7100, 7600
  • IBM xSeries 130 (8654), 135 (8654), 150
  • IBM xSeries 230, 240, 250
  • IBM xSeries 330, 340, 350

Integrated Systems Management Processor (ISMP)[edit]

This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the BMC (Baseboard Management Controller). Out-of-band management is possible by adding the RSA or RSA II.

These servers have ISMP functionality:

  • IBM xSeries 232, 235, 236, 255
  • IBM xSeries 335, 342, 345

Baseboard Management Controller (BMC)[edit]

On many legacy IBM Intel-based servers the BMC is standard with the RSA II or RSA II Slimline as an Option device.

Integrated Management Module (IMM)[edit]

The IBM Integrated Management Module (IMM) is the next generation of System Management devices for UEFI based servers and comprises features and functionality of the legacy Baseboard Management Controller (BMC), Remote Supervisor Adapter II (RSA II) while incorporating the Super I/O controller and Video controller.

The IMM interfaces with the server's UEFI System firmware (Unified Extensible Firmware Interface) to provide system management monitoring and functionality.

Although some issues known to both the RSA II and BMC may have been migrated to the early IMM generations (in addition to the IMM's own unique issues), most of these issues have been resolved while adding some of greatly improved features and Administrator / User experience over the BMC and RSA II predecessors.

For example:

  • Advanced Predictive Failure Analysis (PFA)
  • Configurable IMM Dedicated or Shared Ethernet connection
  • Virtual Light Path Diagnostic
  • Email alerts
  • Remote Firmware updating
  • Remote Power control, Remote Console / control of both hardware and Operating System
  • OS failure screen shot capture
  • Remote Mounting of Virtual Devices such as CD/DVD drive, USB Flash Drives, ISO / Disk images and Diskette drive

Default password[edit]

The default login is "USERID" and the default password is "PASSW0RD" (note the zero rather than an "O").

See also[edit]

References[edit]

  1. ^ a b 120000MW5G, drdavew00 (20 October 2009). "Public Forums". Retrieved 25 July 2016. 
  2. ^ "IBM notice: The page you requested cannot be displayed". 6 September 2007. Retrieved 25 July 2016. 
  3. ^ "also works around IBM's bug". Retrieved 25 July 2016. 
  4. ^ No graphics displayed with remote login to IBM RSA Web interface remote control option - Servers
  5. ^ "IBM notice: The page you requested cannot be displayed". 6 September 2007. Retrieved 25 July 2016. 
  6. ^ Arndt Jr, Ron (2016-12-14). "IBM & Lenovo xSeries SW Engineer". IBM & Lenovo xSeries SW Engineer. 
  7. ^ 120000MW5G, drdavew00 (20 October 2009). "Public Forums". Retrieved 25 July 2016.