DCPG002 R 3

The document provides information about Lenovo XClarity Administrator, a centralized resource management solution that aims to reduce complexity, speed response times, and improve availability of Lenovo server systems and solutions. It allows for agent-free hardware management of servers, storage, switches, hyperconverged solutions, and more. Key features include discovery, inventory, monitoring, firmware compliance, firmware updates, driver updates, configuration management, and deployment capabilities.

Uploaded by

Mike Segura

Tech Sales

Certification
Systems Management
Notices
Lenovo may not offer the products, services, or features discussed in this document in all
countries. Consult your local Lenovo representative for information on the products and services
currently available in your area. Any reference to a Lenovo product, program, or service is not
intended to state or imply that only that Lenovo product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe any Lenovo
intellectual property right may be used instead. However, it is the user’s responsibility to
evaluate and verify the operation of any other product, program, or service.
Lenovo may have patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not give you any license to these patents.
You can send license inquiries, in writing, to:

Lenovo (United States), Inc.

1009 Think Place - Building One

Morrisville, NC 27560

U.S.A.

Attention: Lenovo Director of Licensing

LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new editions
of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.
The products described in this document are not intended for use in implantation or other life
support applications where malfunction may result in injury or death to persons. The information
contained in this document does not affect or change Lenovo product specifications or
warranties. Nothing in this document shall operate as an express or implied license or indemnity
under the intellectual property rights of Lenovo or third parties. All information contained in this
document was obtained in specific environments and is presented as an illustration. The result
obtained in other operating environments may vary.
Lenovo may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you. Any references in this publication to
non-Lenovo Web sites are provided for convenience only and do not in any manner serve as an
endorsement of those Web sites. The materials at those Web sites are not part of the materials
for this Lenovo product, and use of those Web sites is at your own risk.
Any performance data contained herein was determined in a controlled environment. Therefore,
the result obtained in other operating environments may vary significantly. Some measurements
may have been made on development-level systems and there is no guarantee that these
measurements will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific environment.

Trademarks
Lenovo, the Lenovo logo, and For Those Who Do are trademarks or registered trademarks of
Lenovo in the United States, other countries, or both. These and other Lenovo trademarked
terms are marked on their first occurrence in this information with the appropriate symbol (® or
™), indicating US registered or common law trademarks owned by Lenovo at the time this
information was published. Such trademarks may also be registered or common law trademarks
in other countries. A current list of Lenovo trademarks is available on the Web at
http://www.lenovo.com/legal/copytrade.html.
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Blade Network Technologies®

BladeCenter®

BNT®

Flex System™

Lenovo®

RackSwitch™

Lenovo(logo)®

vNIC™

xSeries®

The following terms are trademarks of other companies:


Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.

Table of Contents
LENOVO XCLARITY ADMINISTRATOR

PLANNING FOR LENOVO XCLARITY ADMINISTRATOR

LENOVO XCLARITY CONTROLLER (XCC)

CHASSIS MANAGEMENT MODULE

Lenovo XClarity Administrator
Lenovo XClarity™ Administrator is a centralized resource management solution that is aimed at
reducing complexity, speeding response, and enhancing the availability of Lenovo® server
systems and solutions. Lenovo XClarity Administrator provides agent-free hardware
management for our servers, storage, network switches, hyperconverged and ThinkAgile
solutions.

Figure 1. Lenovo XClarity Administrator dashboard

Migrating from v1.x.x? For information on migrating to XClarity Administrator v2.1.x from a previous
release (1.x.x), please refer to the Lenovo XClarity Administrator Quick Start Guide.

Tip: If you are running a version of XClarity v1.x.x, you must first update to v1.4.1, then migrate your
system to v2.0.0, and then upgrade to v2.1.0.

Did you know?


Lenovo XClarity offers a mobile app for Android and iOS devices. The app enables you to
securely monitor physical systems, get real-time status alerts and notifications, and take action
on common system level tasks. The app can also connect directly via an enabled USB port to a
ThinkSystem server and provide virtual LCD capability.

Features
The XClarity Administrator dashboard is an HTML 5-based web interface that allows fast
location of resources so tasks can be run quickly. Because Lenovo XClarity Administrator does
not include any agent software that is installed on the managed endpoints, no CPU cycles are
spent on agent execution and no memory is used, which means that up to 1 GB of RAM
and 1-2% CPU usage are saved compared to a typical managed system where an agent is
required.
Lenovo XClarity Administrator delivers Lenovo resources faster. With a simplified administration
dashboard, the following functions can be easily achieved:

• Discovery

• Inventory

• Monitoring

• Firmware compliance

• Firmware updates

• Windows device driver updates

• Configuration management and compliance

• Deployment of operating systems and hypervisors to bare metal servers


Fast time to value is realized through automatic discovery of existing or new Lenovo rack
servers and Flex System infrastructure. Inventory of the discovered endpoints is gathered, so
the managed hardware inventory and its status can be viewed at a glance.
A centralized view of events and alerts that are generated from managed endpoints is available.
When an issue is detected by a managed endpoint, an event is passed to Lenovo XClarity
Administrator. Alerts and events are visible via the XClarity Administrator Dashboard, the Status
bar, and the Alerts and Events detail for the specific system.
Supported endpoints include:

• ThinkSystem servers and compute nodes

• Flex System Compute Nodes

• System x Servers

• ThinkServer Servers

• ThinkAgile solutions

• Hyperconverged solutions

• NeXtScale servers

• RackSwitch switches

• ThinkSystem storage

• Lenovo storage

Firmware management
Firmware management is simplified by assigning firmware-compliance policies to supported
managed endpoints to ensure that firmware on those endpoints remains compliant. You can
also create and edit firmware-compliance policies when validated firmware levels do not match
the suggested predefined policies. Additionally, you can apply and activate firmware that is
later than the currently installed firmware on a single managed endpoint or group of endpoints
without using compliance policies.

Windows Device Driver updates


Starting with v2.1.0, XClarity Administrator utilizes Windows UpdateXpress System Packs
(UXSPs) to enable the update of the OS device drivers on deployed Windows operating
systems. Windows UXSPs contain Windows device drivers for supported Windows versions and
for Lenovo servers that support Windows. You can download or import Windows UXSPs in the
repository. UXSPs must be available in the repository before you can update Windows device
drivers on managed servers.

Configuration management and compliance


Configuration management uses pattern-based configurations to quickly provision and re-
provision a single server or multiple servers and compute nodes, all with a single set of
configuration settings. Settings to configure include local storage, I/O adapters, boot order, and
other baseboard management controller and UEFI settings on managed servers. Server
patterns also integrate support for virtualizing I/O addresses, so you can virtualize server fabric
connections or repurpose servers without disruption to the fabric.
Additionally, if the settings on a server change, you can determine the compliance status of each
server from within the Configuration Patterns Server Profiles page.
Configuration support for CNOS-based RackSwitch networking switches has been added
starting with XClarity Administrator 2.4. It provides template creation, editing and deployment for
global settings, port channel, spine-leaf, VLAG and VLAN.

OS Provisioning
OS Provisioning enables bare metal deployment. VMware ESXi, Windows Server, SUSE Linux
Enterprise Server (SLES) and Red Hat Linux images can be imported and held in a repository
for images. A maximum of 10 images can be stored within the repository and it is possible to
deploy operating-system images to up to 28 bare-metal servers concurrently.

Security
Lenovo XClarity Administrator includes several features that can help you secure your
environment. These include:

• When you manage Lenovo chassis and servers in XClarity Administrator, you can
configure XClarity Administrator to change the firewall rules for the devices so that
incoming requests are accepted only from XClarity Administrator. This is referred to
as encapsulation.

• If you must be compliant with NIST SP 800-131A or FIPS 140-2, XClarity
Administrator can help you meet that compliance. XClarity Administrator supports
self-signed SSL certificates (issued by an internal certificate authority) or external
SSL certificates (private or commercial CA).

• When changing cryptographic settings within XClarity Administrator you can choose
to apply the settings to the management server only, to the managed devices only, or
both.

• XClarity Administrator includes an audit log that provides a historical record of user
actions, such as logging on, creating users, or changing user passwords.

Integration
XClarity Administrator can be integrated into external, higher level management, automation,
and orchestration platforms through open REST application programming interfaces (APIs).
This means Lenovo XClarity can easily integrate with your existing management infrastructure.

Lenovo XClarity Integrators


Lenovo XClarity integrates with leading management applications in the areas of infrastructure
management, orchestration and automation, and IT service management.
Available integrators include the following:

• Lenovo XClarity Integrator for VMware vCenter (free download, support requires
XClarity Pro license)
https://datacentersupport.lenovo.com/documents/LNVO-VMWARE

• Lenovo XClarity Integrator for VMware vRealize Orchestrator (free download, support
requires XClarity Pro license)
https://datacentersupport.lenovo.com/documents/LNVO-VMRO

• Lenovo XClarity Integrator for VMware vRealize Log Insight (free download, support
requires XClarity Pro license)
https://marketplace.vmware.com/vsx/solutions/xclarity-integrator-for-vrealize-log-insight

• Lenovo XClarity Integrator for Microsoft System Center (free download, support
requires XClarity Pro license)
https://datacentersupport.lenovo.com/documents/LNVO-MANAGE

• Lenovo XClarity Integrator for Microsoft Windows Admin Center
https://support.lenovo.com/us/en/solutions/HT507549

• Lenovo XClarity Administrator App for SPLUNK (as-is solution)
https://splunkbase.splunk.com/app/3105/

• Lenovo XClarity and Moogsoft AIOps Integration (as-is solution)
https://docs.moogsoft.com/en/lenovo-xclarity-lam.html

• Lenovo XClarity Administrator Ruby toolkit
The Ruby toolkit provides a Ruby-based library of commands and APIs to automate
resource management from an OpenStack environment, such as Ansible, Chef or
Puppet:
https://github.com/lenovo/Ansible.lenovo-lxca
https://github.com/lenovo/chef.lenovo-lxca
https://github.com/lenovo/puppet.lenovo-lxca

• Lenovo XClarity and PagerDuty Integration (as-is solution)
Note: XClarity Administrator integrates with PagerDuty without additional software.

• Lenovo XClarity Integrator for ServiceNow (free download)
https://datacentersupport.lenovo.com/us/en/solutions/ht506884

• Lenovo ThinkAgile XClarity Integrator for Red Hat Cloudforms (no download required)
The Lenovo Physical Infrastructure Provider provides IT administrators the ability to
integrate the management features of Lenovo XClarity Administrator with the hybrid-
cloud management capabilities of Red Hat CloudForms.
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html/configuring_the_lenovo_physical_infrastructure_provider_for_red_hat_cloudforms/overview

• Lenovo XClarity Integrator for Microsoft Azure Log Analytics (free download)
https://support.lenovo.com/us/en/solutions/ht506712

• Lenovo XClarity Integrator for Nagios (free download, requires Lenovo XClarity
Administrator installed)
Lenovo XClarity Integrator for Nagios retrieves alerts from XClarity Administrator, and
makes them available to Nagios.
https://support.lenovo.com/us/en/solutions/ht507298

• Lenovo XClarity Essentials Plug-in for Nagios (free download)
Lenovo XClarity Essentials Plug-in for Nagios is a stand-alone plugin for Nagios that
retrieves health status from individual Lenovo ThinkSystem servers.
https://support.lenovo.com/us/en/solutions/ht507403

Ordering information for those integrators requiring a license is described in the Download and
ordering information section.
Support for Lenovo XClarity Integrators for VMware vCenter & vRealize and Microsoft System
Center is included in Lenovo XClarity Pro offering which is described in the next section. For
details on Support click on Scope of Support tab at
https://support.lenovo.com/gb/en/solutions/lnvo-xclarit

Lenovo XClarity Pro
Lenovo XClarity Pro provides the following entitlement:

• Lenovo XClarity Administrator Configuration Pattern feature entitlement

• Lenovo XClarity Administrator OS deployment feature entitlement

• Lenovo XClarity Administrator Service & Support

• Lenovo XClarity Integrator for Microsoft System Center Support

• Lenovo XClarity Integrator for VMware vCenter Support

• Lenovo XClarity Integrator for VMware vRealize


Lenovo XClarity Administrator is available for download from the following URL:
https://www3.lenovo.com/us/en/data-center/software/systems-management/xclarity/
This download provides Lenovo XClarity Administrator base functionality plus 90-day trial
evaluation licenses for the XClarity Administrator features Configuration Patterns and Operating
System Deployment.

Note: Service and Support for XClarity Administrator and XClarity Integrators is only available with an
XClarity Pro purchase.

The following table compares XClarity and XClarity Pro.

Table 1. Comparing Lenovo XClarity Administrator and Lenovo XClarity Pro

Feature                                                                   Lenovo XClarity Administrator   Lenovo XClarity Pro

Licensing and Support
License                                                                   Free                            Licensed
Service and Support                                                       No                              Yes

Key Features
REST APIs and XClarity Integrators                                        Yes                             Yes
Auto-discovery and asset management                                       Yes                             Yes
Real-time monitoring, fault handling, alert notification, and call home   Yes                             Yes
Firmware update management                                                Yes                             Yes
Configuration patterns                                                    No                              Yes
Operating system and hypervisor installation                              No                              Yes

Lenovo XClarity mobile app
The Lenovo XClarity mobile app provides management functions on Android and iOS devices:

• View the status summary of all hardware.

• Monitor the detailed status of each device.

• Monitor the inventory of each device.

• Monitor audit events, hardware and management events, alerts, and jobs.

• Perform power actions on a device.

• Take action on common system level tasks to minimize the risk of disruptions and
downtime

• Forward emails to share inventory, alert and event information.

• On ThinkSystem servers: Perform initial configuration of servers, retrieve diagnostic
information (virtual LCD) and perform actions, initiate Lenovo XClarity Administrator
management from a mobile device.
Support requirements are as follows:

• Supports Android 5 to 8, and iOS 10 and 11.

• Requires Lenovo XClarity Administrator v1.2.1 or later.


Note:

• iOS 8 is supported only for Lenovo XClarity Mobile v1.3.0 and earlier.

• iOS 9 is supported only for Lenovo XClarity Mobile v1.3.1 and earlier.

The following figure shows the Inventory screen of the mobile app.

Figure 2. Lenovo XClarity mobile app

The mobile app is available for download from these app stores:

• Google Play

• Apple iTunes

Management tasks
By using Lenovo XClarity, users can perform the following tasks that are described in this
section.

User Management
Lenovo XClarity Administrator provides a centralized authentication server to create and
manage all user accounts and to manage and authenticate user credentials. The authentication
server is created automatically when the management server first starts. The user accounts,
which are used to log on and manage the Lenovo XClarity Administrator, are also used for all
chassis and servers that are managed by the Lenovo XClarity Administrator. When you create a
user account, you control the level of access, such as whether the account has read/write
authority or read-only authority, by using role groups.

When devices are initially managed by Lenovo XClarity Administrator, a predefined set of role
groups have permission to access the devices by default. This predefined set is empty by
default until it is configured. You can change the role groups that can access specific managed
devices. When permission is given to certain role groups, only users that are members of those
role groups can see and act on those specific devices.
By default, devices are managed using XClarity Administrator managed authentication to log in
to the devices. When managing rack servers and Lenovo chassis, you can choose to use
managed authentication or local authentication to log in to the devices.
The following figure shows the Lenovo XClarity Administration interface for Security that
comprises User Management, roles, and other security settings.

Figure 3. User management interface

Hardware monitoring
Lenovo XClarity Administrator provides a centralized view of events and alerts that are
generated from managed endpoints, such as chassis, servers, and Flex System switches.
When an issue is detected by the Chassis Management Module (CMM) or device that is
installed in the chassis, an event is passed to the Lenovo XClarity Administrator. That event is
displayed in the alerts list that is available within the user interface. A status bar also is available
that provides overall status information on the main XClarity Administrator interface. An example
list of alerts is shown in the following figure.

Figure 4. Alerts and actions

Hardware management
There are various management tasks for each supported endpoint, including viewing status and
properties, configuring system information and network settings, starting the CMM/IMM web
interface, and remote control for the System x or Flex System node. The interface with a single
System x Server selected and the power actions is shown in the following figure.

Figure 5. Hardware Management

Configuration management
Configuration patterns provide a way to ensure that you have consistent configurations applied
to managed servers. Server patterns are used to provision or pre-provision a managed server
by configuring local storage, I/O adapters, boot setting, firmware, ports, IMM, and UEFI settings.
Server patterns also integrate support for virtualizing I/O addresses so you can virtualize Flex
System fabric connections or repurpose servers without disruption to the fabric.
You can also determine whether the settings on a server are in compliance with the server
profile. The settings on a server can become out of compliance with its server profile if settings
are changed without using Configuration Patterns or if an issue occurred during deployment,
such as a firmware issue or an invalid setting.

Operating system deployment
Lenovo XClarity Administrator can be used to manage the OS images repository and deploy
operating system images to managed servers. To deploy an operating system image from
Lenovo XClarity, at least one of the network interfaces (Eth0 or Eth1) must have IP network
connectivity to the server network interface that is used to access the host operating system. It
also must be configured with an IPv4 address. Additionally, the Feature on Demand (FoD) key
for remote presence is required on ThinkSystem, ThinkAgile Solutions, NeXtScale, and System
x servers if not included as standard.

Firmware updates
Within Lenovo XClarity, you can manage the firmware updates repository and apply and
activate firmware updates for all managed endpoints. Compliance policies can be started to flag
managed endpoints that do not comply with the defined firmware rules. Refreshing the
repository and downloading updates requires an Internet connection. If Lenovo XClarity has no
Internet connection, you can manually import updates to the repository. The firmware apply and
activate interface is shown in the following figure.

Figure 6. Firmware updates

Task automation using scripts


Lenovo XClarity Administrator can run the provided cmdlets in a Microsoft PowerShell session
to automate certain management functions. The cmdlets use Lenovo XClarity REST APIs and
can automate the following functions:

• Logging in to Lenovo XClarity Administrator

• Managing user accounts

• Managing a chassis

• Deploying an operating system image to one or more compute nodes or rack servers

• Configuring compute nodes and rack servers through the use of configuration
patterns

XClarity Administrator offers a PyLXCA toolkit which provides a Python-based library of
commands and APIs to automate provisioning and resource management from an OpenStack
environment, such as Ansible or Puppet.
The PyLXCA toolkit provides an interface to Lenovo XClarity Administrator REST APIs to
automate functions such as:

• Logging in to Lenovo XClarity Administrator

• Managing and unmanaging chassis, servers, storage systems, and top-of-rack
switches (endpoints)

• Viewing inventory data for endpoints and components

• Deploying an operating-system image to one or more servers

• Configuring servers through the use of Configuration Patterns

• Applying firmware updates to endpoints


Additionally, Lenovo now provides the Lenovo XClarity Ruby toolkit which is supported to
automate resource management from an OpenStack environment, such as Ansible, Chef, or
Puppet. The Ruby toolkit provides an interface to Lenovo XClarity Administrator REST APIs to
automate functions (see Lenovo XClarity Administrator Ruby toolkit).

Download and ordering information


Lenovo XClarity Administrator is available to download from Lenovo at the following link:
https://www.lenovo.com/us/en/data-center/software/systems-management/XClarity-Administrator/p/WMD00000366

The free download includes a 90-day evaluation license for Configuration Patterns and
Operating System Deployment to allow you to evaluate these licensed components.
Lenovo XClarity Integrators for Microsoft System Center (MSSC) are also available to download
for free from the following link (XClarity Pro License required for technical support):
https://datacentersupport.lenovo.com/documents/lnvo-manage

Lenovo XClarity Integrator for VMware vCenter is also available to download for free from the
following link (XClarity Pro License required for technical support):
https://datacentersupport.lenovo.com/documents/lnvo-vmware

Note: The free downloads do not include any entitlement for technical support.

To gain entitlement for technical support, purchase a license for Lenovo XClarity Pro to add
entitlement to use these features and gain technical support:

• Lenovo XClarity Administrator Configuration Patterns

• Lenovo XClarity Administrator Operating System (OS) Deployment

• Technical support for Lenovo XClarity Administrator

• Technical support for Lenovo XClarity Integrators for MSSC

• Technical support for Lenovo XClarity Integrators for VMware vCenter

• Technical support for Lenovo XClarity Integrators for VMware vRealize


Lenovo XClarity Pro editions are available with a 1-year, 3-year, or 5-year software subscription
and support. Lenovo XClarity Pro is available on a per-managed-server basis or per-managed-
chassis basis. The per chassis licenses offer a more cost effective way of purchasing licenses
for the Flex System environment.
When you purchase XClarity Pro, the order is fulfilled via electronic software delivery (ESD)
using the Lenovo Key Management System (LKMS). The order is placed onto LKMS using an
email address for the end user who has ordered the code. This email address is where the
Activation Code is sent in PDF format (the email will come from [email protected]). The
recipient email address is the login to the LKMS system for administration and to manage the
LKMS inventory.
The Activation code is redeemed via LKMS and the information about the end customer should
be entered during the redemption process. The customer information is then used to send the
electronic proof of entitlement (will come from [email protected]) and a welcome letter
along with an explanation of how to obtain the code from the ESD portal (will come from
[email protected]). The ESD portal is also known as Flexnet or Lenovo
Download and License Center:
https://lenovoesd.flexnetoperations.com/control/lnvo/login
Lenovo XClarity Pro includes Lenovo XClarity Integrator for Microsoft System Center and
Lenovo XClarity Integrator for VMware vCenter.

Supported Host Systems


The Lenovo XClarity management appliance runs in a virtual machine on the host system. The
following Hypervisors are supported for installing Lenovo XClarity:

• Nutanix Acropolis Hypervisor (AHV)

• Microsoft Windows Server 2019 with Hyper-V installed

• Microsoft Windows Server 2016 with Hyper-V installed

• Microsoft Windows Server 2012 R2 with Hyper-V installed

• Microsoft Windows Server 2012 with Hyper-V installed

• Red Hat Enterprise Linux 7.x with Kernel-based Virtual Machine (KVM) v1.2.17
installed

• VMware ESXi 6.7 base and U1

• VMware ESXi 6.5 U1 and U2

• VMware ESXi 6.0 U1, U2 and U3

• VMware ESXi 5.5 U1 and U2

• VMware ESXi 5.1 U1, U2, and U3


For VMware, the virtual machine is available as an OVF template. For Hyper-V and Nutanix
AHV, the virtual machine is a virtual-disk image (VHD). For KVM, the virtual machine is
available as qcow2 format.
The host system that is running the Lenovo XClarity virtual machine has the following minimum
requirements:

• Two virtual microprocessors

• 8 GB of memory

• A minimum of 192 GB of storage for use by Lenovo XClarity virtual appliance

• Display with a minimum resolution of 1024 pixels in width (XGA)


For more information about minimum hardware recommendations based on the number of
managed devices in your environment, see the Lenovo XClarity Administrator Performance
white paper:
https://download.lenovo.com/servers_pdf/Lenovo_XClarity_Performance_V2.1.0.pdf

Supported Managed Endpoints


XClarity Administrator supports the following endpoints:

• ThinkSystem servers and compute nodes

• Flex System Compute Nodes

• System x Servers

• ThinkServer Servers

• Converged HX Servers

• NeXtScale servers

• RackSwitch switches

• ThinkSystem storage

• Lenovo storage

Planning for Lenovo XClarity Administrator

Before installing Lenovo XClarity Administrator, review the following considerations to help you
plan for installation and day-to-day management.

Free 90-day trial


Lenovo XClarity Administrator offers a free, 90-day trial license that enables full use of all
available features (including operating-system deployment and configuration management) for a
limited time.

You can determine how many days are left in the trial license by clicking the user-actions menu
on the XClarity Administrator title bar, and then clicking About.
After 90 days, you can continue to use XClarity Administrator to manage and monitor your
hardware for free; however, you must purchase a full-function-enablement license to continue
using XClarity Administrator to configure your hardware using Configuration Patterns and to
deploy operating systems. Lenovo XClarity Pro provides entitlement to service and support and
the full-function-enablement license. For more information about purchasing Lenovo XClarity
Pro, contact your Lenovo representative or authorized business partner.

For information about installing the license, see Installing the full-function enablement license in
the XClarity Administrator online documentation.
Note: If the full-function-enablement license is already installed, a new license is not required
when upgrading to a new release of XClarity Administrator.

Hardware and software support


Ensure that Lenovo XClarity Administrator supports the hardware and software that is in your
environment.

Supported host systems


The Lenovo XClarity Administrator management appliance runs in a virtual machine on a host
system.

Hypervisor requirements
The following hypervisors are supported for installing XClarity Administrator:

• Citrix XenServer v7.6

• Microsoft Windows Server 2019 with Hyper-V installed

• Microsoft Windows Server 2016 with Hyper-V installed

• Microsoft Windows Server 2012 R2 with Hyper-V installed

• Microsoft Windows Server 2012 with Hyper-V installed

• Microsoft Windows Server Semi-Annual Channel (SAC) v1709 and v1803 with Hyper-V
installed
Note: XClarity Administrator is tested with only Windows versions that are supported by
Microsoft at the time when the XClarity Administrator version was released.

• Nutanix Acropolis Hypervisor (AHV)

• Red Hat v7.x with Kernel-based Virtual Machine (KVM) v1.2.17 installed

• VMware ESXi 6.7 and U1

• VMware ESXi 6.5, U1 and U2

• VMware ESXi 6.0, U1, U2, and U3

• VMware ESXi 5.5, U1, U2, and U3

• VMware ESXi 5.1, U1, U2, and U3


For VMware, the virtual machine is available as an OVF template. For Hyper-V and Nutanix AHV,
the virtual machine is a virtual-disk image (VHD). For KVM, the virtual machine is available as
qcow2 format.
Important: For Hyper-V environments that run on Linux guests with a 2.6 kernel base and that
use large amounts of memory for the virtual appliance, you must disable the use of non-uniform
memory access (NUMA) on the Hyper-V Settings Panel from Hyper-V Manager. Changing this
setting requires you to restart the Hyper-V service, which also restarts all running virtual
machines. If this setting is not disabled, XClarity Administrator virtual appliance might
experience problems during initial startup.

Hardware requirements
The following minimum requirements must be met for the virtual machine. Depending on the
size of your environment and your use of Configuration Patterns, additional resources might be
required for optimal performance.

• Two virtual microprocessors

• 8 GB of memory

• 192 GB of storage for use by the XClarity Administrator virtual appliance.

• Display with a minimum resolution of 1024 pixels in width (XGA)

The following table lists the minimum recommended virtual-machine configurations for a given
number of devices. Keep in mind that if you run the minimum configuration, you might
experience longer than expected completion times for management tasks. For initial deployment
tasks such as firmware updates and server configuration, you might need to increase the VM
resources temporarily.

| Number of Managed Devices | Virtual CPU/Memory Configuration |
|---|---|
| 0 - 100 devices | 2 vCPUs, 8 GB RAM |
| 100 - 200 devices | 4 vCPUs, 10 GB RAM |
| 200 - 400 devices | 6 vCPUs, 12 GB RAM |
| 400 - 600 devices | 8 vCPUs, 16 GB RAM |
| 600 - 800 devices | 10 vCPUs, 20 GB RAM |
| 800 - 1,000 devices | 12 vCPUs, 24 GB RAM |

Notes:

• For the latest recommendations and additional performance considerations, see the
XClarity Administrator: Performance Guide (White paper).

• Depending on the size of your managed environment and the pattern of use in your
installation, you might need to add resources to maintain acceptable performance. If
you frequently see processor usage in the system resources dashboard displaying
high or very high values, consider adding 1-2 virtual processor cores. If your memory
usage persists above 80% at idle, consider adding 1-2 GB of RAM. If your system is
responsive at a configuration as defined in the table, consider running the VM for a
longer period to assess system performance.

• For information about how to free up disk space by deleting XClarity Administrator
resources that are no longer needed, see Managing disk space in the XClarity
Administrator online documentation.

Software requirements
A Network Time Protocol (NTP) server is required to ensure that timestamps for all events and
alerts that are received from managed devices are synchronized with XClarity Administrator.
Ensure that the NTP server is accessible over the management network (typically the Eth0
interface).

If you choose to use an external authentication server, only Microsoft Active Directory running
on Windows Server 2008 or later is supported.
If you choose to use an SAML identity provider, only Microsoft Active Directory Federation
Services (AD FS) versions 2.0 or later running on Windows Server 2012 is supported.
Tip: Consider using the host system on which XClarity Administrator is installed as the NTP
server. If you do, ensure that the host system is accessible over the management network.
Restriction: If the host system on which XClarity Administrator is installed is a managed
compute node, you cannot use XClarity Administrator to apply firmware updates to that host
system or to the entire chassis at one time. When firmware updates are applied to the host
system, the host system must be restarted. Restarting the host system also restarts XClarity
Administrator, making XClarity Administrator unavailable to complete the updates on the host
system.

Supported devices
Before using Lenovo XClarity Administrator to manage your devices, ensure that devices are
supported and review any limitations.

For information about the number of devices that can be managed by each XClarity
Administrator instance, see the XClarity Administrator: Performance Guide (White paper).

For support and limitations information for manageable devices (such as servers, switches,
storage, and CMMs) and other I/O devices and options, see the following compatibility pages for
each device type:

• Flex System and ThinkSystem devices in Flex System chassis

• Converged HX, NeXtScale, System x, ThinkAgile, and ThinkSystem rack and tower
servers

• ThinkServer rack and tower servers

• RackSwitch devices

• Storage devices

There are minimum levels of required firmware for each managed device. During installation
and discovery, XClarity Administrator prompts when firmware can be updated to enable devices
to be managed. For information about firmware requirements, see Supported firmware.

For general information about hardware configuration and options for a specific device, see the Lenovo
Server Proven webpage.

Supported firmware
Before using Lenovo XClarity Administrator to manage your devices, ensure that the firmware
on each device is at the minimum required level.

There are minimum levels of required firmware for each managed device. During installation
and discovery, XClarity Administrator prompts when firmware can be updated to enable devices
to be managed. For information about firmware requirements, see the following compatibility
pages for each device type:

• Flex System devices and ThinkSystem compute nodes

• Converged HX, NeXtScale, System x, ThinkAgile and ThinkSystem rack and tower
servers

• ThinkServer rack and tower servers

• RackSwitch devices

• Storage devices

For information about updating firmware on managed devices, see Updating firmware on managed
devices in the XClarity Administrator online documentation.

Supported web browsers


Ensure that you access Lenovo XClarity Administrator using one of the supported browsers.
The following browsers are supported:

• Chrome™ 48.0 or later (55.0 or above for Remote Console)

• Firefox® ESR 38.6.0 or later

• Microsoft® Internet Explorer® 11

• Microsoft Edge

• Safari® 9.0.2 or later (iOS 7 or later and OS X)

Firewalls and proxy servers


Some functions of Lenovo XClarity Administrator, including management server updates,
firmware updates, service and support, require access to the Internet. If you have firewalls in
your network, configure the firewalls to enable XClarity Administrator management server to
perform these operations. If the management server does not have direct access to the Internet,
configure XClarity Administrator to use a proxy server.

Firewalls
Ensure that the following DNS names and ports are open on the firewall.
Note: IP addresses are subject to change. Use DNS names when possible.

Table 1. Required Internet connections

| DNS name | IPv4 address | IPv6 address | Ports | Protocols |
|---|---|---|---|---|
| Download management-server updates, firmware updates, UpdateXpress System Packs (OS device drivers), and repository packs | | | | |
| datacentersupport.lenovo.com | N/A | N/A | 443 and 80 | https |
| download.lenovo.com | N/A | N/A | 443 and 80 | https |
| filedownload.lenovo.com | N/A | N/A | 443 and 80 | https |
| support.lenovo.com | N/A | N/A | 443 and 80 | https and http |
| supportapi.lenovo.com | N/A | N/A | 443 and 80 | https |
| Download firmware (Flex System x220, x222, x240, x280 X6, x440, x480 X6, x880 X6, some Flex switches, and first-generation CMMs only) | | | | |
| www.ibm.com | 129.42.56.216, 129.42.58.216, 129.42.60.216, 129.42.160.51, 207.25.252.197 | N/A | 443 and 80 | https and http |
| www-03.ibm.com | 204.146.30.17 | N/A | 443 and 80 | https and http |
| download3.boulder.ibm.com | 170.225.15.76 | N/A | 443 and 80 | https and http |
| download3.mul.ie.ibm.com | 129.35.224.114 | N/A | 443 and 80 | https and http |
| download4.boulder.ibm.com | 170.225.15.107 | N/A | 443 and 80 | https and http |
| download4.mul.ie.ibm.com | 129.35.224.107 | N/A | 443 and 80 | https and http |
| delivery04-bld.dhe.ibm.com | 170.225.15.104, 129.35.224.104 | N/A | 443 and 80 | https and http |
| delivery04-mul.dhe.ibm.com | 129.35.224.115, 170.225.15.115 | N/A | 443 and 80 | https and http |
| delivery04.dhe.ibm.com | 129.35.224.105, 170.225.15.105 | N/A | 443 and 80 | https and http |
| eccgw01.boulder.ibm.com | 207.25.252.197 | N/A | 443 | https |
| eccgw02.rochester.ibm.com | 129.42.160.51 | N/A | 443 | https |
| Send service data to Lenovo Support (Call Home) | | | | |
| soa.lenovo.com | 34.205.152.33, 52.6.12.38, 103.30.232.240 | N/A | 443 | https |
| logupload.lenovo.com/BLL/Logupload.ashx | N/A | N/A | 443 and 80 | https |
| esupport.ibm.com *, eccgw01.rochester.ibm.com *, eccgw02.boulder.ibm.com * | 129.42.56.189, 129.42.60.189, 129.42.54.189 | 2620:0:6C0:200:129:42:56:189, 2620:0:6C2:200:129:42:60:189, 2620:0:6C4:200:129:42:54:189 | 443 and 80 | https and http |
| www-945.ibm.com * | 129.42.26.224, 129.42.42.224, 129.42.50.224 | 2620:0:6C0:1::1000, 2620:0:6C2:1::1000, 2620:0:6C4:1::1000 | 443 and 80 | https and http |
| Send service data to the Lenovo Update Facility | | | | |
| logupload.lenovo.com/BLL/Logupload.ashx | N/A | N/A | 443 and 80 | https |
| Retrieve warranty information | | | | |
| ibase.lenovo.com (worldwide) | N/A | N/A | 443 and 80 | https and http |
| service.lenovo.com.cn (China only) | 114.247.140.212 (China only) | N/A | 83 | http |
| supportapi.lenovo.com | N/A | N/A | 443 and 80 | https and http |

Note: * These DNS names and IP addresses are not required to use Call Home for XClarity
Administrator v2.3.0 and later; however, they are needed to retrieve status for open service
tickets that were submitted prior to updating to v2.3.0.
Attention: For users in China, to retrieve warranty information for managed devices using
XClarity Administrator, you must upgrade to XClarity Administrator v1.3.1 or later.

Proxy server
If the management server does not have direct access to the Internet, ensure that the
management server is configured to use an HTTP proxy server (see Configuring network
access).

• Ensure that the proxy server is set up to use basic authentication.

• Ensure that the proxy server is set up as a non-terminating proxy.

• Ensure that the proxy server is set up as a forwarding proxy.

• Ensure that load balancers are configured to keep sessions with one proxy server
and not switch between them.

Port availability
Several ports must be available, depending on how the firewalls are implemented in your
environment. If the required ports are blocked or used by another process, some Lenovo
XClarity Administrator functions might not work.

To determine which ports must be opened based on your environment, review the following
sections. The tables in these sections include information about how each port is used in
XClarity Administrator, the managed device that is affected, the protocol (TCP or UDP), and the
direction of traffic flow between the managed device and XClarity Administrator. Inbound traffic
flows from the managed device to XClarity Administrator. Outbound traffic flows from XClarity
Administrator to the managed device.

• Access to the XClarity Administrator server

• Access between XClarity Administrator and managed devices

• Access between XClarity Administrator and data network for OS deployment

Access to the XClarity Administrator server


If the XClarity Administrator server and all managed devices are behind a firewall, and you
intend to access those devices from a browser that is outside of the firewall, you must ensure
that the XClarity Administrator ports are open. If you are using SNMP and SMTP for event
management, you might also need to ensure that the ports that are used by the XClarity
Administrator server for event forwarding are open.

The XClarity Administrator server listens on and responds through the ports that are listed in
the following table.
Note: XClarity Administrator can be optionally configured to make outgoing connections to a
number of external services, such as LDAP, SMTP, or syslog. These connections might require
additional ports that are generally user configurable and not included in this list. They might also
require access to a domain name service (DNS) server on TCP or UDP port 53 to resolve
external server names.

Table 2. Ports that must be open for the XClarity Administrator server

| Port | TCP or UDP | Direction | Affected devices | Purpose |
|---|---|---|---|---|
| 53 | UDP | Inbound/Outbound | Domain name service (DNS) | Used for DNS resolution. |
| 83 | TCP | Inbound/Outbound | (China only) Warranty service | Used when collecting warranty information for devices that were purchased in China. Note: Though not required outside of China, XClarity Administrator might attempt to connect to this service in other countries. |
| 389 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured. |
| 443 | TCP | Inbound/Outbound | Client computers that access XClarity Administrator | Used by HTTPS for web access and REST communications. Note: If Call Home is enabled, you must open port 443. Outbound direction is used for Call Home. Used when forwarding events to the Apple push notifications service and Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. This port is used as a fallback on Wi-Fi only, when devices cannot reach the Apple Push Notifications service on port 5223. IP address range: 17.0.0.0/8. Used when forwarding events to the Google push service. Domain: android.googleapis.com |
| 636 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured. |
| 3268 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured. |
| 3269 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured. |

Optionally, the ports that are listed in the following table must be open for event forwarding from
the Lenovo XClarity Administrator server to other event management tools.

Table 3. Ports that must be open for event management

| Port | TCP or UDP | Direction | Affected devices | Purpose |
|---|---|---|---|---|
| 21 | UDP | Outbound | FTP server that is to receive events | Used when FTP event forwarding is configured. Note: This port number is configurable from the XClarity Administrator interface. |
| 25 | UDP | Outbound | Email (SMTP) server that is to receive events | Used when email (SMTP) event forwarding is configured. Note: This port number is configurable from the XClarity Administrator interface. |
| 80 | UDP | Outbound | REST interface that is to receive events | Used when REST event forwarding is configured. Note: This port number is configurable from the XClarity Administrator interface. |
| 161 | UDP | Inbound/Outbound | SNMP manager that is to receive traps | Used when SNMP event forwarding with user authentication is configured. |
| 162 | UDP | Inbound | SNMP manager that is to receive traps | Used when SNMP event forwarding is configured. Note: This port number is configurable from the XClarity Administrator interface. |
| 443 | UDP | Outbound | Microsoft® Azure Log Analytics interface that is to receive events | Used when Azure Log Analytics event forwarding is configured. Note: This port number is configurable from the XClarity Administrator interface. |
| 514 | UDP | Outbound | Syslog server that is to receive events. | Used when Syslog event forwarding is configured. Note: This port number is configurable from the XClarity Administrator interface. |
| 2195 | TCP | Outbound | Apple push server that is to receive events | Used when forwarding events to the Apple push notifications service and Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. IP address range: 17.0.0.0/8 |
| 5223 | TCP | Outbound | Apple push server that is to receive events | Used when forwarding events to the Apple push notifications service and Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. IP address range: 17.0.0.0/8 |
| 5228 | | Outbound | Google push server that is to receive events. | Used when event forwarding to the Google push service is configured. IP address range: see Google ASN 15169 |
| 5229 | | Outbound | Google push server that is to receive events. | Used when event forwarding to the Google push service is configured. IP address range: see Google ASN 15169 |
| 5230 | | Outbound | Google push server that is to receive events. | Used when event forwarding to the Google push service is configured. IP address range: see Google ASN 15169 |

Access between XClarity Administrator and managed devices


If managed devices (such as compute nodes or rack servers) are behind a firewall and if you
intend to manage those devices from an XClarity Administrator server that is outside of that
firewall, you must ensure that all ports involved with communications between XClarity
Administrator and the baseboard management controller in each managed device are open.

If you intend to install operating systems on managed devices using XClarity Administrator,
ensure that you review the list of ports in Access between XClarity Administrator and data
network for OS deployment.

Table 4. Ports that must be open between XClarity Administrator and managed devices

| Port | TCP or UDP | Direction | Affected devices | Purpose |
|---|---|---|---|---|
| 21 | TCP | Inbound/Outbound | Lenovo Storage controllers | Used for FTP access when updating the storage device firmware. |
| 22 | TCP | Inbound/Outbound | Baseboard management controller in each managed server (except for ThinkServer); CMMs in each managed chassis; Flex switches in each managed Flex System chassis; Flex and RackSwitch switches | Used to launch a remote SSH session and SFTP file transfer. (RackSwitch ENOS switches) Used to configure HoS credentials, activate the firmware slot, and clear SSH host keys before SFTP file transfer operations. |
| 115 | TCP | Inbound/Outbound | Management controller in each managed ThinkSystem server | Used to push maintenance mode images to the management controller. |
| 161 | UDP | Inbound/Outbound | Flex switches in each managed Flex System chassis; RackSwitch ENOS switches | (Flex switches) Used to enable/disable ports and to configure through configuration patterns. (RackSwitch switches) Used to retrieve inventory and to configure switches through configuration patterns using the SNMP protocol. Attention: If Flex or RackSwitch switches are on a different network than XClarity Administrator, that network must be configured to allow inbound UDP through port 161 so that XClarity Administrator can send/receive SNMP messages to/from the switch. |
| 162 | UDP | Inbound | Flex switches in each managed Flex System chassis; RackSwitch switches; ThinkServer System Manager (TSM) in each managed ThinkServer server; Lenovo Storage controllers | Used to receive SNMP traps from Flex System and RackSwitch switches, ThinkServer servers, and storage devices. Attention: If ThinkServer servers and RackSwitch switches are on a different network than XClarity Administrator, that network must be configured to allow inbound UDP through port 162 so that XClarity Administrator can receive events for those devices. |
| 427 | UDP, TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis; Flex switches in each managed chassis; TSM in each managed ThinkServer server; Lenovo Storage controllers; Flex and RackSwitch switches | Used by Service Location Protocol (SLP) for device discovery and initial management. |
| 443 | TCP | Inbound/Outbound | Lenovo Storage controllers; RackSwitch CNOS switches; System x M4 server | (M4 servers and storage devices) Used for management. (RackSwitch switches) Used for HTTPS communication to retrieve inventory and configuration. |
| 623 | UDP | Outbound | Management controller in each managed ThinkServer and System x M4 servers | Used for IPMI communication with the Management controller. |
| 3888 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer) | Used for remote-control tunneling. |
| 5988 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis | Used by HTTP for CIM communication. Note: This port number is configurable from the CMM and management-controller interfaces. |
| 5989 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis | Used by HTTPS for CIM communication. Note: This port number is configurable from the CMM and management-controller interfaces. |
| 6091 | TCP | Inbound/Outbound | CMMs in each managed Flex System chassis | Secure TCP Command Mode port. Note: This port number is configurable from the CMM interface. |
| 6990 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer) | Used by HTTPS for CIM indications. |
| 9090 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis | Used by HTTPS for CIM indications. |
| 50636 | TCP | Inbound | Management controller on each managed server (except ThinkServer) | Used by the authentication server for secure traffic. Receives client certificates. |
| 50637 | TCP | Inbound | Management controller in each managed server (except ThinkServer); CMMs in each managed chassis | Used by the authentication server for secure traffic. |
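
Table 4 doubles as an allowlist for reviewing what actually crosses the firewall between XClarity Administrator and its managed devices. The following added example (not part of the Lenovo documentation) checks flow records against the table's port, protocol and direction columns; the addresses, the key=value log format and the verdict names are assumptions of this example, and the sample records are constructed.

```python
import ipaddress
import re

# Table 4 rows from this page: (destination port, protocols, allowed directions).
# Directions follow the page's definition: "in" is managed device -> XClarity
# Administrator, "out" is XClarity Administrator -> managed device.
TABLE4 = [
    (21, {"tcp"}, {"in", "out"}),
    (22, {"tcp"}, {"in", "out"}),
    (115, {"tcp"}, {"in", "out"}),
    (161, {"udp"}, {"in", "out"}),
    (162, {"udp"}, {"in"}),
    (427, {"udp", "tcp"}, {"in", "out"}),
    (443, {"tcp"}, {"in", "out"}),
    (623, {"udp"}, {"out"}),
    (3888, {"tcp"}, {"in", "out"}),
    (5988, {"tcp"}, {"in", "out"}),  # configurable per the table note
    (5989, {"tcp"}, {"in", "out"}),  # configurable per the table note
    (6091, {"tcp"}, {"in", "out"}),  # configurable per the table note
    (6990, {"tcp"}, {"in", "out"}),
    (9090, {"tcp"}, {"in", "out"}),
    (50636, {"tcp"}, {"in"}),
    (50637, {"tcp"}, {"in"}),
]
ALLOWED = {(proto, port): dirs for port, protos, dirs in TABLE4 for proto in protos}

# Assumptions (not from the page): documentation-range addresses and a
# key=value flow-log format that records the initiating packet of each flow.
LXCA = ipaddress.ip_address("192.0.2.10")
DEVICE_NET = ipaddress.ip_network("198.51.100.0/24")
FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample flow records, one per line.
SAMPLE_FLOWS = """\
t=1 src=192.0.2.10 dst=198.51.100.21 proto=tcp dport=5989
t=2 src=198.51.100.21 dst=192.0.2.10 proto=udp dport=162
t=3 src=192.0.2.10 dst=198.51.100.21 proto=udp dport=162
t=4 src=198.51.100.30 dst=192.0.2.10 proto=udp dport=623
t=5 src=192.0.2.10 dst=198.51.100.30 proto=tcp dport=23
t=6 src=198.51.100.30 dst=192.0.2.10 proto=tcp dport=50636
t=7 src=192.0.2.10 dst=198.51.100.40 proto=udp dport=443
t=8 src=198.51.100.40 dst=203.0.113.5 proto=tcp dport=443
t=9 truncated record
"""


def classify(line):
    """Return a verdict for one flow record, judged against Table 4."""
    m = FLOW_RE.search(line)
    if not m:
        return "unparsed"
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return "unparsed"
    if src == LXCA and dst in DEVICE_NET:
        direction = "out"
    elif src in DEVICE_NET and dst == LXCA:
        direction = "in"
    else:
        return "out-of-scope"  # not a management-server/device pair
    dirs = ALLOWED.get((m["proto"].lower(), int(m["dport"])))
    if dirs is None:
        return "undocumented-port"
    return "ok" if direction in dirs else "wrong-direction"


def audit(text):
    """Return (line number, verdict) for every record that is not 'ok'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        verdict = classify(line)
        if verdict != "ok":
            findings.append((lineno, verdict))
    return findings


if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE_FLOWS):
        print(f"line {lineno}: {verdict}")
```

Where ports 5988, 5989 or 6091 have been reconfigured on the CMM or management controller, update `TABLE4` to the values in use before relying on the verdicts.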

Access between XClarity Administrator and data network for OS deployment


To install operating systems on managed devices, ensure that the ports that are listed in the
following table are open to the network that is used as the data network (or operating-system
deployment network).
Note: Each XClarity Administrator instance has a unique Certificate Authority (CA) that is used
for only OS deployment. That CA signs a certificate that is used for the target server on ports
3001 and 8443. When OS deployment is initiated, the CA certificate is included in the OS image
that is pushed to the target server. As part of the deployment process, that server connects
back to ports 3001 and 8443 and verifies the certificate that is presented on those ports
during the handshake, which it can do because it has the CA certificate.

Table 5. Ports that must be available to deploy operating systems

| Port | TCP or UDP | Direction | Affected devices | Purpose |
|---|---|---|---|---|
| 3001 | TCP | Inbound/Outbound | Management controller and host on each managed server (except ThinkServer) | Used for operating-system deployment. |
| 3900 | TCP | Inbound/Outbound | Management controller and host on each managed server (IMM2 only) | Used for operating-system deployment. |
| 8443 | TCP | Inbound/Outbound | Management controller and host in each managed server (except ThinkServer) | Used for operating-system deployment. |

For a list of ports that must be available for deploying operating systems, see Port availability for
deployed operating systems in the XClarity Administrator online documentation.

Additionally, if you are deploying Microsoft Windows, the ports that are listed in the following
table must also be available.
Table 6. Ports that must be available to deploy Microsoft Windows

| Port | TCP or UDP | Direction | Affected devices | Purpose |
|---|---|---|---|---|
| 137 | UDP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications). |
| 138 | UDP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications). |
| 139 | UDP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications). |
| 445 | TCP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications). |

Access between XClarity Administrator and data network for device-driver updates
To update OS device drivers on managed devices, ensure that the ports that are listed in the
following table are open to the network that is used as the data network (or operating-system
deployment network).

Table 7. Ports that must be available to update OS device drivers

| Port | TCP or UDP | Direction | Affected devices | Purpose |
|---|---|---|---|---|
| 5985 | TCP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Microsoft Windows OS device driver updates to connect using Windows Remote Management (WinRM) listening over HTTP. |
| 5986 | TCP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Microsoft Windows OS device driver updates to connect using WinRM listening over HTTPS. |

Management considerations
There are several alternatives to choose from when managing devices. Depending on the
devices being managed, you might need multiple management solutions running at the same
time.

For a list of hardware that Lenovo XClarity Administrator can manage, see Supported devices.

Consider the following factors that are related to the management of devices by XClarity
Administrator:

• A device can be managed by only one instance of Lenovo XClarity Administrator.

• You cannot use the following management software to manage devices that XClarity
Administrator currently manages:
o Flex System Manager
o IBM Fabric Manager
o IBM Systems Director
However, you can use other management software (such as IBM device Manager or
Microsoft System Center Operations Manager) in tandem with XClarity
Administrator to monitor managed devices (see Using another management
software in tandem with Lenovo XClarity Administrator).

• You can discover and manage Flex Power Systems compute nodes and Flex System
v7000 Storage Node. Using XClarity Administrator, you can view properties and
status. Additionally, for storage devices, you can power on and off a storage
device, virtually reseat the storage controllers, and launch the management module.
However, you must use other management alternatives to take any management-related
actions on the devices, such as updating or configuring the device.
o Use the Flex Power Systems Hardware Management Console to manage Flex
Power Systems compute nodes. You can use the Power Systems Hardware
Management Console to manage these devices even if you are also managing the
chassis in which the devices are installed using XClarity Administrator.
o Use either the management controller web interface or the command-line interface
(CLI) that is provided with the Flex System v7000 Storage Node to manage that
device.
o LAN-over-USB is used when updating firmware. XClarity Administrator automatically
enables the LAN-over-USB interface.
o Intelligent Platform Management Interface (IPMI) is used to perform management
operations on System x M4 and ThinkServer servers. Disabling IPMI prevents
XClarity Administrator from managing these servers.

Comparison between Flex System Manager and Lenovo XClarity Administrator


Lenovo XClarity Administrator is an optimized hardware manager for Flex System servers. It is
also designed to integrate with industry leaders in virtualization management, such as VMware
vSphere and Microsoft System Center.

The following table compares the features and functions that are available with the Flex System
Manager and with the XClarity Administrator.

Table 8. Functional comparison between Flex System Manager and XClarity Administrator

Flex Lenovo XClarity


System Administrator
Manager
Feature More information

Provide a graphical √ √
representation of all supported
managed devices.

Support failover of the √ XClarity Administrator is a virtual appliance. Therefore,


management server it can leverage VMware High Availability and Hyper-V
clustering for failover. For more information, see:

Implementing high availability (VMware ESXi)

Implementing high availability (Microsoft Hyper-V)

Manage rack and tower √ XClarity Administrator manages Converged, NeXtScale,


servers and System x servers.XClarity Administrator manages
the hardware only. It does not require the installation of
agents on the rack or tower servers.

36
Table 8. Functional comparison between Flex System Manager and XClarity Administrator (continued)

Flex Lenovo XClarity


System Administrator
Manager
Feature More information

Manage Flex System servers √ √
Both Flex System Manager and XClarity Administrator manage Flex System servers.

Flex System Manager requires the use of agents installed in the servers to discover, inventory,
and manage the server and installed operating system.

XClarity Administrator manages the hardware only. It does not require the installation of
agents on the servers.

Manage Flex Power Systems servers √
If you are managing a chassis that contains both Flex System servers and Flex Power Systems
servers:

• Use XClarity Administrator to manage the Flex System servers.

• Use the Flex Power Systems Hardware Management Console (HMC) to manage the Flex Power
Systems servers. For information about managing a Flex Power Systems server from the HMC,
see the Flex System p270 Compute Node Planning and Implementation Guide.

Managing RackSwitch switches √
XClarity Administrator manages RackSwitch switches. XClarity Administrator manages the
hardware only. It does not require the installation of agents.

Manage storage devices, such as the Flex System v7000 Storage Node or external devices √
If a Flex System v7000 Storage Node is installed in a managed chassis, it is displayed in the
graphical chassis view, and you can view properties and status for the storage device. However,
management of the storage device must be done through the management controller web interface
or command-line interface for the storage device.

Manage virtual addressing for servers √ √
On Flex System Manager, you can define virtual address ranges and allocate those virtual
addresses to managed servers using IBM Fabric Manager (IFM).

You can choose to configure IFM to distribute an address to a server through the CMM (called
push mode), or to distribute the address directly in response to a server request (called pull
mode).

XClarity Administrator uses a different approach to define virtual addresses through
Configuration Patterns. Managed servers pull the virtual-address information from XClarity
Administrator.

Update firmware for managed devices √ √
Flex System Manager updates firmware and device drivers.

XClarity Administrator updates the firmware. Device drivers are updated through your normal
operating-system update processes.

Centrally manage configurations for managed chassis and servers √ √
Both management applications support the use of configuration patterns to manage configurations
for managed chassis and servers.

Deploy operating systems to managed servers √ √
Both management applications support the deployment of operating systems to managed servers.


Manage virtualized resources √ √
XClarity Administrator can be used with Lenovo XClarity Integrator options (previously known as
Upward Integration Modules or UIMs) to integrate with virtualization managers.

For more information about Lenovo XClarity Integrator options, see the following Web sites:

• Lenovo XClarity Integrator for Microsoft System Center

• Lenovo XClarity Integrator for VMware vCenter

Script management functions √
XClarity Administrator includes both REST APIs and Microsoft PowerShell cmdlets to provide
scripting capabilities for management functions.

For more information about support for REST APIs and Microsoft PowerShell, see Scripting
XClarity Administrator management functions in the XClarity Administrator online documentation.

Migrating from Flex System Manager


If you are planning to manage a chassis with Lenovo XClarity Administrator and that chassis is
managed by a Flex System Manager, review these considerations to transition the chassis to
XClarity Administrator management successfully.

Depending on your configuration, transitioning from management by Flex System Manager to
management by XClarity Administrator might be disruptive to your running workloads.
Therefore, consider doing the transition during a maintenance window to minimize downtime
with running workloads.

To ensure that XClarity Administrator can manage a chassis that was previously managed by
Flex System Manager, complete the following steps:
Optional: Prepare the chassis to be removed from management by Flex System Manager. If you
are using IBM Fabric Manager (IFM) to virtualize addresses, modify IFM to use push mode to
distribute virtual addresses through the CMM. If you are using IFM in pull mode and Flex
System Manager is powered off, the virtual addresses will no longer be available after the next
restart of the compute node.
Note: IFM supports the concept of a standby node. In the event of a hardware failure, IFM
assigns the virtual address of the failed compute node to the standby node so that it can
automatically take over the workload from the failed node. XClarity Administrator does not
support the concept of a standby node. Therefore, if you have implemented the standby node,
you must devise a different strategy for continuous availability when there is a failed compute
node.
Remember that if virtual addresses are changed, you must adjust infrastructure services as
well. For example:

• If the World Wide Port Name (WWPN) is changed for a compute node, adjust SAN
zoning and LUN mapping.

• If the MAC address for a port is changed, adjust the MAC-to-IP address binding in the
DHCP server or clustering software.

• IFM can configure a virtual boot-target WWN. If you do not migrate correctly, you
might lose the ability to start your operating system.
1. Remove the chassis from management by the Flex System Manager.
2. Manage the chassis from XClarity Administrator. For information about managing a
chassis, see Managing chassis in the XClarity Administrator online documentation.
3. Remove any agents that were installed on devices that are managed by the Flex
System Manager. The XClarity Administrator implements an agentless management
approach. Therefore, you do not need to install agents on managed compute nodes.
Although the installed agents have no effect on XClarity Administrator management
functions, you can choose to remove those agents and reclaim the space on the
compute node.

Using another management software in tandem with Lenovo XClarity Administrator
You can use other management software (such as IBM device Manager or Microsoft System
Center Operations Manager) in tandem with Lenovo XClarity Administrator to monitor devices
that XClarity Administrator manages.

Attention: Extra care must be taken when using multiple management tools to manage your
devices to prevent unforeseen conflicts. For example, submitting power-state changes using
another tool might conflict with configuration or update jobs that are running in XClarity
Administrator.

Flex System devices


If you intend to use another management software to monitor your managed devices, and if that
management software uses SNMPv3 or IPMI communication, you must prepare your
environment by performing the following steps for each managed CMM:

• Log in to the management controller web interface for the chassis using the
RECOVERY_ID user name and password.

• If the security policy is set to Secure, change the user authentication method.

o Click Mgt Module Management ➙ User Accounts.
o Click the Accounts tab.
o Click Global login settings.
o Click the General tab.
o Select External first, then local authentication for the user authentication method.
o Click OK.

• Create a new local user with the correct SNMP or IPMI settings from the
management controller web interface.

• If the security policy is set to Secure, log out and then log in to the management
controller web interface using the new user name and password. When prompted,
change the password for the new user.

You can now use the new user as an active SNMP or IPMI user.
Note: If you unmanage and then manage the chassis again, this new user account becomes
locked and disabled. In this case, repeat these steps to create a new user account.

ThinkSystem, ThinkServer and System x devices


If you intend to use another management software to monitor your managed devices, create a
new local user with the correct SNMP or IPMI settings from the IMM interface. Ensure that you
grant SNMP or IPMI privileges, depending on your needs.

Network considerations
When planning the Lenovo XClarity Administrator installation, consider the network topology
that is implemented in your environment and how XClarity Administrator fits into that
topology.
Important: Configure the servers and chassis components in ways that minimize IP
address changes. Consider using static IP addresses instead of Dynamic Host Configuration
Protocol (DHCP). If DHCP is used, ensure that IP address changes are minimized.

IP configuration limitations
For the following functions and managed devices, network interfaces must be configured with
an IPv4 address. IPv6 addresses are not supported.

• Firmware updates for Lenovo Storage devices

• ThinkServer servers

• Lenovo Storage and Nimble storage systems

Network address translation (NAT), which remaps one IP address space into another, is not
supported.

Network types
In general, most environments implement the following types of networks. Based on your
requirements, you might implement only one of these networks or you might implement all
three.

• Management network
The management network is typically reserved for communications between Lenovo
XClarity Administrator and the management processors for managed devices. For
example, the management network might be configured to include XClarity
Administrator, the CMMs for each managed chassis, and the baseboard management
controller of each server that XClarity Administrator manages.

• Data network
The data network is typically used for communications between the operating systems
that are installed on the servers and the company intranet, the Internet, or both.

• Operating-system deployment network
In some cases, an operating-system deployment network is set up to separate out the
communications that are required to deploy operating systems on servers. If
implemented, this network typically includes XClarity Administrator and all server hosts.
Instead of implementing a separate operating-system deployment network, you might choose to
combine this functionality in either the management network or the data network.

Network configurations
You can configure Lenovo XClarity Administrator to use one or two network interfaces.

Attention:

• Changing the XClarity Administrator IP address after managing devices might cause
the devices to be placed in offline state in XClarity Administrator. Ensure that all
devices are unmanaged before changing the IP address.

• You can enable or disable checking for duplicate IP addresses in the same subnet by
clicking the Duplicate IP address checking toggle. It is disabled by default. When
enabled, XClarity Administrator raises an alert if you attempt to change the IP
address of XClarity Administrator or manage a device that has the same IP address
as another device that is under management or another device found in the same
subnet.

• If the network interface for the management network is configured to use the Dynamic
Host Configuration Protocol (DHCP), the management-interface IP address might
change when the DHCP lease expires. If the IP address changes, you must
unmanage the chassis, rack and tower servers, and then manage them again. To
avoid this problem, either change the management interface to a static IP address, or
ensure that the DHCP server configuration is set so that the DHCP address is based
on a MAC address or that the DHCP lease does not expire.

• If you do not intend to use XClarity Administrator to deploy operating systems or
update OS device drivers, you can disable Samba and Apache servers by changing
the network interface to use the discover and manage hardware only option. Note
that the management server is restarted after changing the network interface.
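The following pre-flight check audits a planned device inventory against the addressing constraints described above (IPv4-only device classes, no NAT, addresses that do not change, no duplicate IP addresses). It is an added example, not part of the Lenovo documentation or of XClarity Administrator; the device `kind` labels, field names, and all addresses are assumptions made for illustration.

```python
"""Pre-flight audit of a planned XClarity Administrator device inventory.

Added example, not Lenovo code. The "kind" labels, field names and all
addresses are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Device classes this guide lists as IPv4-only (labels are hypothetical).
IPV4_ONLY_KINDS = {"thinkserver", "lenovo-storage", "nimble-storage"}


def audit_plan(devices):
    """Return a sorted list of (finding_code, device_name) tuples.

    Each device is a dict with the keys:
      name        free-form label
      kind        device class label (see IPV4_ONLY_KINDS)
      address     planned management IP address, as text
      addressing  "static" or "dhcp"
      dhcp_pinned True if the DHCP address is bound to the MAC address or
                  the lease never expires (only read when addressing is dhcp)
      behind_nat  True if the address is reached through NAT
    """
    findings = set()
    owners = defaultdict(list)  # parsed address -> device names using it

    for dev in devices:
        name = dev["name"]
        try:
            addr = ipaddress.ip_address(dev["address"])
        except ValueError:
            findings.add(("INVALID_ADDRESS", name))
            continue

        # Parsed addresses compare by value, so "2001:db8::40" and
        # "2001:0db8:0:0:0:0:0:40" are caught as the same address.
        owners[addr].append(name)

        if dev["kind"] in IPV4_ONLY_KINDS and addr.version != 4:
            findings.add(("IPV4_REQUIRED", name))
        if dev.get("behind_nat", False):
            findings.add(("NAT_UNSUPPORTED", name))
        if dev.get("addressing") == "dhcp" and not dev.get("dhcp_pinned", False):
            findings.add(("DHCP_ADDRESS_MAY_CHANGE", name))

    for names in owners.values():
        if len(names) > 1:
            findings.update(("DUPLICATE_IP", n) for n in names)

    return sorted(findings)


# Constructed sample plan; addresses come from documentation-only ranges.
SAMPLE_PLAN = [
    {"name": "lxca", "kind": "xclarity-administrator",
     "address": "192.0.2.10", "addressing": "dhcp", "dhcp_pinned": False},
    {"name": "cmm-01", "kind": "cmm",
     "address": "192.0.2.20", "addressing": "static"},
    {"name": "ts-01", "kind": "thinkserver",
     "address": "2001:db8::21", "addressing": "static"},
    {"name": "storage-01", "kind": "lenovo-storage",
     "address": "192.0.2.30", "addressing": "static", "behind_nat": True},
    {"name": "imm-01", "kind": "server-bmc",
     "address": "2001:db8::40", "addressing": "static"},
    {"name": "imm-02", "kind": "server-bmc",
     "address": "2001:0db8:0:0:0:0:0:40", "addressing": "static"},
    {"name": "rackswitch-01", "kind": "rackswitch",
     "address": "192.0.2.50", "addressing": "dhcp", "dhcp_pinned": True},
]

if __name__ == "__main__":
    for code, name in audit_plan(SAMPLE_PLAN):
        print(f"{code:24} {name}")
```

Running the audit before devices are managed gives the same signal that the Duplicate IP address checking toggle raises at management time, and it also covers the DHCP and IPv4-only cases that would otherwise surface only as offline devices.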

XClarity Administrator has two separate network interfaces (eth0 and eth1) that can be defined
for your environment, depending on the network topology that you implement.

• When only one network interface (eth0) is present:

o The interface must be configured to support the device discovery and management
(such as server configuration and firmware updates). It must be able to
communicate with the CMMs and Flex switches in each managed chassis, the
baseboard management controller in each managed server, and each RackSwitch
switch.
o If you intend to acquire firmware and OS device-driver updates using XClarity
Administrator, the network interface must be connected to the Internet, preferably
through a firewall. Otherwise, you must manually import updates into the repository.
o If you intend to collect service data or use automatic problem notification (including
Call Home), the interfaces must be connected to the Internet, preferably through a
firewall.
o If you intend to deploy operating-system images and update OS device drivers, the
interface must have IP network connectivity to the server network interface that is
used to access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.

• When two network interfaces (eth0 and eth1) are present:

o The first network interface (typically the eth0 interface) must be connected to the
management network and configured to support the device discovery and
management (including server configuration and firmware updates). It must be able
to communicate with the CMMs and Flex switches in each managed chassis, the
management controller in each managed server, and each RackSwitch switch.
o The second network interface (typically the eth1 interface) can be configured to
communicate with an internal data network, a public data network, or both.
o If you intend to acquire firmware and OS device-driver updates using XClarity
Administrator, the interface that you use for the management network must be
connected to the Internet, preferably through a firewall. Otherwise, you must import
updates into the repository.
o If you intend to collect service data or use automatic problem notification (including
Call Home and Lenovo Upload Facility), at least one of the network interfaces must
be connected to the Internet, preferably through a firewall.
o If you intend to deploy operating-system images and update device drivers, you can
choose to use either eth1 or eth0 interface. However, the interface that you use
must have IP network connectivity to the server network interface that is used to
access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.

• Other XClarity Administrator functions (including discovery and hardware
management, server configuration, firmware downloads and updates, service-data
collection, automatic problem notification, and warranty data retrieval) can be
performed from either interface.

The following table shows possible configurations for the XClarity Administrator network
interfaces based on the type of network topology that has been implemented in your
environment. Use this table to determine how to define each network interface.
Table 9. Role of each network interface based on network topology

Network topology: Converged network (management and data network with support for OS
deployment and OS device-driver updates)
Role of interface 1 (eth0): Management network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval
• OS deployment
• OS device-driver updates
Role of interface 2 (eth1): None

Network topology: Separate management network with support for OS deployment and OS
device-driver updates and data network
Role of interface 1 (eth0): Management network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval
• OS deployment
• OS device-driver updates
Role of interface 2 (eth1): Data network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval

Network topology: Separate management network and data network with support for OS
deployment and OS device-driver updates
Role of interface 1 (eth0): Management network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval
Role of interface 2 (eth1): Data network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval
• OS deployment
• OS device-driver updates

Network topology: Separate management network and data network without support for OS
deployment and OS device-driver updates
Role of interface 1 (eth0): Management network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval
Role of interface 2 (eth1): Data network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval

Network topology: Management network only (OS deployment and OS device-driver updates is
not supported)
Role of interface 1 (eth0): Management network
• Discovery and management
• Server configuration
• Firmware updates
• Service data collection
• Automatic problem notification (such as Call Home and Lenovo Update Facility)
• Warranty data retrieval
Role of interface 2 (eth1): None

Single data and management network


In this network topology, management communications, data communications, and operating-
system deployment occur over the same network. This topology is referred to as a converged
network.
Important: Implementing a shared data and management network can cause disruptions in
traffic, such as packets being dropped or management-network connectivity issues, depending
on your network configuration (for example, if traffic from servers has a high priority and
traffic from the management controllers has a low priority). The management network uses UDP
traffic in addition to TCP. UDP traffic can have a lower priority when the network traffic is high.

When you install Lenovo XClarity Administrator, define the eth0 network interface using the
following considerations:

• The interface must be configured to support the device discovery and management
(such as server configuration and firmware updates). It must be able to communicate
with the CMMs and Flex switches in each managed chassis, the baseboard
management controller in each managed server, and each RackSwitch switch.

• If you intend to acquire firmware and OS device-driver updates using XClarity
Administrator, the network interface must be connected to the Internet, preferably
through a firewall. Otherwise, you must manually import updates into the repository.

• If you intend to collect service data or use automatic problem notification (including
Call Home), the interfaces must be connected to the Internet, preferably through a
firewall.

• If you intend to deploy operating-system images and update OS device drivers, the
interface must have IP network connectivity to the server network interface that is
used to access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.

• You can set up XClarity Administrator on any system that meets the requirements for
XClarity Administrator. This includes a managed server, but only when you implement either
a single data and management network topology or a virtually separate data and management
network topology. However, you cannot use XClarity Administrator to apply firmware updates
to that managed server. Even then, only some of the firmware is applied with immediate
activation, and XClarity Administrator forces the target server to restart, which would
restart XClarity Administrator as well. When applied with deferred activation, only some
firmware is applied when the XClarity Administrator host is restarted.

You can also configure a second network interface to connect to the same network from
XClarity Administrator to support redundancy.

The following figure shows an example implementation for a converged network topology.

Figure 1. Example implementation of a single network for management, data, and operating system deployment

For installation procedures that are related to this network topology, see the following
information:

• VMware ESXi: Single data and management network (ESXi)

• Microsoft Hyper-V: Single data and management network (Hyper-V)

Physically separate data and management network


In this network topology, the management network and the data network are physically separate
networks, and the operating-system deployment network is configured as part of either the
management network or the data network.

When you install Lenovo XClarity Administrator, define network settings using the following
considerations:

• The first network interface (typically the eth0 interface) must be connected to the
management network and configured to support the device discovery and
management (including server configuration and firmware updates). It must be able to
communicate with the CMMs and Flex switches in each managed chassis, the
management controller in each managed server, and each RackSwitch switch.

• The second network interface (typically the eth1 interface) can be configured to
communicate with an internal data network, a public data network, or both.

• If you intend to acquire firmware and OS device-driver updates using XClarity
Administrator, the interface that you use for the management network must be
connected to the Internet, preferably through a firewall. Otherwise, you must import
updates into the repository.

• If you intend to collect service data or use automatic problem notification (including
Call Home and Lenovo Upload Facility), at least one of the network interfaces must
be connected to the Internet, preferably through a firewall.

• If you intend to deploy operating-system images and update device drivers, you can
choose to use either eth1 or eth0 interface. However, the interface that you use must
have IP network connectivity to the server network interface that is used to access the
host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.

• Other XClarity Administrator functions (including discovery and hardware
management, server configuration, firmware downloads and updates, service-data
collection, automatic problem notification, and warranty data retrieval) can be
performed from either interface.

Figure 2 shows an example implementation of separate management and data networks in which
the operating-system deployment network is configured as part of the data network.

Figure 2. Example implementation of physically separate data and management networks with the operating-system network as part of the data network

Figure 3 shows another example implementation of separate management and data networks in
which the operating-system deployment network is configured as part of the management
network. In this implementation, XClarity Administrator does not need connectivity to the data
network.
Note: If the operating-system deployment network does not have access to the data network,
configure an additional interface on the servers to provide connectivity from the host operating
system on the server to the data network, if needed.

Figure 3. Example implementation of physically separate data and management networks with the operating-system network as part of the management network

For installation procedures that are related to this network topology, see the following
information:

• VMware ESXi: Physically separate data and management networks (ESXi)

• Microsoft Hyper-V: Physically separate data and management networks (Hyper-V)

Virtually separate data and management network


In this topology, the data network and management network are virtually separate. Packets from
the data network and packets from the management network are sent over the same physical
connection. VLAN tagging is used on all management-network data packets to keep the traffic
between the two networks separated.
Note: If Lenovo XClarity Administrator is installed on a host running on a managed server in a
chassis, you cannot use XClarity Administrator to apply firmware updates to that entire chassis
at one time. When firmware updates are applied, the host system must be restarted.

When you install XClarity Administrator, define network settings using the following
considerations:

• The first network interface (typically the eth0 interface) must be connected to the
management network and configured to support the device discovery and
management (including server configuration and firmware updates). It must be able to
communicate with the CMMs and Flex switches in each managed chassis, the
management controller in each managed server, and each RackSwitch switch.

• The second network interface (typically the eth1 interface) can be configured to
communicate with an internal data network, a public data network, or both.

• If you intend to acquire firmware and OS device-driver updates using XClarity
Administrator, the interface that you use for the management network must be
connected to the Internet, preferably through a firewall. Otherwise, you must import
updates into the repository.

• If you intend to collect service data or use automatic problem notification (including
Call Home and Lenovo Upload Facility), at least one of the network interfaces must
be connected to the Internet, preferably through a firewall.

• If you intend to deploy operating-system images and update device drivers, you can
choose to use either eth1 or eth0 interface. However, the interface that you use must
have IP network connectivity to the server network interface that is used to access the
host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.

• Other XClarity Administrator functions (including discovery and hardware
management, server configuration, firmware downloads and updates, service-data
collection, automatic problem notification, and warranty data retrieval) can be
performed from either interface.

• You can set up XClarity Administrator on any system that meets the requirements for
XClarity Administrator. This includes a managed server, but only when you implement either
a single data and management network topology or a virtually separate data and management
network topology. However, you cannot use XClarity Administrator to apply firmware updates
to that managed server. Even then, only some of the firmware is applied with immediate
activation, and XClarity Administrator forces the target server to restart, which would
restart XClarity Administrator as well. When applied with deferred activation, only some
firmware is applied when the XClarity Administrator host is restarted.

Figure 4 shows an example implementation of virtually separate management and data networks
in which the operating-system deployment network is configured as part of the data network.
In this example, XClarity Administrator is installed on a managed server in a chassis.

Figure 4. Example implementation of virtually separate data and management networks with the operating-system network as part of the data network

Figure 5 shows an example implementation of virtually separate management and data networks
in which the operating-system deployment network is configured as part of the management
network, and XClarity Administrator is installed on a managed server in a chassis. In this
implementation, XClarity Administrator does not need connectivity to the data network.
Note: If the operating-system deployment network does not have access to the data network,
configure an additional interface on the servers to provide connectivity from the host operating
system on the server to the data network, if needed.

Figure 5. Example implementation of virtually separate management and data networks with the operating-system network as part of the management network

For installation procedures that are related to this network topology, see the following
information:

• VMware ESXi: Virtually separate data and management network topology (ESXi)

• Microsoft Hyper-V: Virtually separate data and management network (Hyper-V)

Management-only network
In this topology, Lenovo XClarity Administrator has access to only the management network. It
does not have access to the data network. However, XClarity Administrator must have access to
the operating-system deployment network if you intend to deploy operating-system images from
XClarity Administrator to managed servers.

When you install XClarity Administrator and define network settings, configure the eth0
network interface using the following considerations:

• The interface must be configured to support the device discovery and management
(such as server configuration and firmware updates). It must be able to communicate
with the CMMs and Flex switches in each managed chassis, the baseboard
management controller in each managed server, and each RackSwitch switch.

• If you intend to acquire firmware and OS device-driver updates using XClarity
Administrator, the network interface must be connected to the Internet, preferably
through a firewall. Otherwise, you must manually import updates into the repository.

• If you intend to collect service data or use automatic problem notification (including
Call Home), the interfaces must be connected to the Internet, preferably through a
firewall.

• If you intend to deploy operating-system images and update OS device drivers, the
interface must have IP network connectivity to the server network interface that is
used to access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.

You can also configure a second network interface to connect to the same network from
XClarity Administrator to support redundancy.

Figure 6 “Example implementation of a management-only network with no support for
operating-system deployment” on page 33 shows an example implementation for a management-only
network in which operating-system deployment from XClarity Administrator is not supported.

Figure 6. Example implementation of a management-only network with no support for operating-system deployment

Figure 7 “Example implementation of a management-only network with support for
operating-system deployment” shows an example implementation for a management-only
network in which operating-system deployment from XClarity Administrator is supported.

Figure 7. Example implementation of a management-only network with support for operating-system deployment

For installation procedures that are related to this network topology, see the following
information:

• VMware ESXi: Management-only network topology (ESXi)

• Microsoft Hyper-V: Management-only network topology (Microsoft Hyper-V)

Security considerations
Plan for the security of Lenovo XClarity Administrator and all managed devices.

Encapsulation management
When you manage Lenovo chassis and servers in Lenovo XClarity Administrator, you can
configure Lenovo XClarity Administrator to change the firewall rules for the devices so that
incoming requests are accepted only from Lenovo XClarity Administrator. This is referred to as
encapsulation. You can also enable or disable encapsulation on chassis and servers that are
already managed by Lenovo XClarity Administrator.

When enabled on devices that support encapsulation, Lenovo XClarity Administrator changes
the device encapsulation mode to “encapsulationLite” and changes the firewall rules on the
device so that incoming requests are accepted only from this Lenovo XClarity Administrator.

When disabled, the encapsulation mode is set to “normal”. If encapsulation was previously
enabled on the devices, the encapsulation firewall rules are removed.
Attention: If encapsulation is enabled and XClarity Administrator becomes unavailable before a
device is unmanaged, necessary steps must be taken to disable encapsulation to establish
communication with the device. For recovery procedures, see Recovering chassis management with
a CMM after a management server failure and Recovering rack or tower server management after a
management server failure in the XClarity Administrator online documentation.

Notes:

• Encapsulation is not supported on switches, storage devices, and non-Lenovo chassis
and servers.

• When the management network interface is configured to use the Dynamic Host
Configuration Protocol (DHCP) and encapsulation is enabled, managing a rack
server can take a long time.

For more information about encapsulation, see Enabling encapsulation in the XClarity
Administrator online documentation.

Cryptographic management
Cryptographic management is composed of communication modes and protocols that control
the way that secure communication is handled between Lenovo XClarity Administrator and the
managed devices (such as chassis, servers, and Flex switches).

The cryptographic mode determines the mode to use for secure communications. There are two
options:

• Compatibility. This mode is the default. It is compatible with older firmware versions,
browsers, and other network clients that do not implement strict security standards
that are required for compliance with NIST SP 800-131A.

• NIST SP 800-131A. This mode is designed to comply with the NIST SP 800-131A
standard. XClarity Administrator is designed to always use strong cryptography
internally and, where available, to use strong cryptography for network connections.
However, in this mode, network connections that use cryptography that is not approved
by NIST SP 800-131A are not permitted. This includes rejecting Transport Layer Security
(TLS) certificates that are signed with SHA-1 or a weaker hash.
If you select this mode:

• You must also select TLSv1.2 for the minimum TLS client and server versions.

• Event notifications might not be successfully pushed to some mobile-device
subscriptions (see Forwarding events to mobile devices in the XClarity Administrator online
documentation). External services, such as Android and iOS, present certificates that
are signed with SHA-1, which is an algorithm that does not conform to the stricter
requirements of NIST SP 800-131A mode. As a result, any connections to these
services might fail with a certificate exception or a handshake failure.
For more information about NIST SP 800-131A compliance, see Implementing NIST 800-131A
compliance in the XClarity Administrator online documentation.

The minimum TLS client mode determines the minimum TLS protocol version to use for client
connections to other servers (such as the LDAP client). There are two options:

• TLSv1. TLS v1.0 and later can be used.

• TLSv1.2. TLS v1.2 and later can be used.
This option enforces TLS v1.2 or later cryptography protocols on both XClarity Administrator
and all managed endpoints. If you choose NIST SP 800-131A for the cryptographic mode, this
option must be selected.

The minimum TLS server mode determines the minimum TLS protocol version to use for server
connections (such as the web server). There are two options:

• TLSv1. TLS v1.0 and later can be used.

• TLSv1.2. TLS v1.2 and later can be used.
This option enforces TLS 1.2 cryptography protocols on both XClarity Administrator and all
managed endpoints. If you choose NIST SP 800-131A for the cryptographic mode, this option
must be selected.

The minimum TLS mode determines the minimum TLS protocol version to use for operating-system
deployment and device-driver updates. There are two options:

• TLSv1. TLS v1.0 and later can be used. You can deploy operating systems and
update OS device drivers on servers through XClarity Administrator, even if the OS-
image installer does not support the restricted settings that NIST SP 800-131A
requires.

• TLSv1.2. TLS v1.2 and later can be used.
Only operating systems with an installation process that supports TLS 1.2 and strong
cryptographic algorithms can be deployed and updated through XClarity Administrator.

When you change the cryptographic mode in XClarity Administrator, the cryptographic mode
for all CMMs and baseboard management controllers in the managed devices is changed to
the same setting automatically. Consider the following implications of changing the
cryptographic mode:

• If you switch from compatibility mode to NIST SP 800-131A mode and the current
certificate authority on the managed CMMs and baseboard management controllers
uses RSA-2048/SHA-1 (the default), an RSA-2048/SHA-256 certificate is regenerated
on each managed chassis and server. This causes a mismatch between the newly
generated server certificates on the CMMs and baseboard management controllers
and the server certificate that is stored in the XClarity Administrator trust store. To
resolve this issue, go to the Chassis page and Servers page, and click All Actions ➙
Resolve Untrusted Certificate for each device (see Resolving an untrusted server
certificate in the XClarity Administrator online documentation).

• Not all Flex switches support NIST SP 800-131A mode. If a Flex switch does support
NIST SP 800-131A mode, you might need to change the configuration for the
switches through the Flex switch interface. For information about support for NIST SP
800-131A and about switching Flex switches between compatibility mode and NIST
SP 800-131A mode, see the product documentation that is available for the Flex
switches. For more information, see CMM Reset in the Flex Systems online documentation.

For more information about cryptography, see Setting the cryptography mode and
communication protocols in the XClarity Administrator online documentation.
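
Before switching to NIST SP 800-131A mode, it helps to know which certificates are still signed with SHA-1 and which endpoints negotiate less than TLS v1.2. The following Python check is an added example, not part of the Lenovo documentation or of XClarity Administrator: it reads the signature algorithm from a DER or PEM certificate and lists what the mode described above would reject. The function names and the certificate-shaped sample data are constructed for illustration.

```python
import ssl

# Standard X.509 signature-algorithm OIDs mapped to the hash they use.
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}
WEAK_HASHES = {"md5", "sha1"}           # "SHA-1 or weaker hash"
TLS_ALLOWED = {"TLSv1.2", "TLSv1.3"}    # names as returned by SSLSocket.version()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    length = buf[pos + 1]
    tag, pos = buf[pos], pos + 2
    if length >= 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:             # last byte of this sub-identifier
            if not arcs:                # the first one packs the first two arcs
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(der):
    """Walk Certificate -> (skip tbsCertificate) -> signatureAlgorithm -> OID."""
    tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("input is not shaped like an X.509 certificate")
    return decode_oid(der[oid_start:oid_end])

def nist_findings(der, tls_version):
    """List the reasons an endpoint would be refused in NIST SP 800-131A mode."""
    findings = []
    oid = signature_oid(der)
    hash_name = SIG_HASH.get(oid)
    if hash_name is None:
        findings.append(f"unrecognised signature algorithm {oid}: review manually")
    elif hash_name in WEAK_HASHES:
        findings.append(f"certificate is signed with {hash_name}, which this mode rejects")
    if tls_version not in TLS_ALLOWED:
        findings.append(f"negotiated {tls_version}, below the required TLSv1.2 minimum")
    return findings

def findings_from_pem(pem, tls_version):
    """Same check for a PEM certificate, for example one exported from a device."""
    return nist_findings(ssl.PEM_cert_to_DER_cert(pem), tls_version)

# Constructed sample data: certificate-shaped DER, not a real certificate.
def _tlv(tag, body):
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        while value > 0x7F:
            value >>= 7
            chunk.append(0x80 | (value & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def sample_cert(sig_oid, pem=False):
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 200))   # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 256)     # dummy signature bits
    der = _tlv(0x30, tbs + alg + sig)
    return ssl.DER_cert_to_PEM_cert(der) if pem else der
```

On a live network, `ssl.get_server_certificate((host, port))` returns PEM text that `findings_from_pem` accepts.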

Security certificates
Lenovo XClarity Administrator uses certificates to establish secure, trusted communications
between XClarity Administrator and its managed devices (such as chassis and service
processors in the System x servers) as well as communications with XClarity Administrator by
users. By default, XClarity Administrator, CMMs, and baseboard management controllers use
XClarity Administrator-generated certificates that are self-signed and issued by an internal
certificate authority.

The default server certificate, which is uniquely generated in every instance of XClarity
Administrator, provides sufficient security for many environments. You can choose to let Lenovo
XClarity Administrator manage certificates for you, or you can take a more active role and
customize or replace the server certificates. XClarity Administrator provides options for
customizing certificates for your environment. For example, you can choose to:

• Generate a new server key and certificate that uses values that are specific to your
organization.

• Generate a certificate signing request (CSR) that can be sent to your choice of
certificate authority to create a signed certificate that can then be uploaded to the
XClarity Administrator trust store.

• Download the certificate to your local system so that you can import that certificate
into your web browser's list of trusted certificates.

For more information about certificates, see Working with security certificates in the XClarity
Administrator online documentation.

Authentication

• Supported authentication servers


The authentication server is a Microsoft Active Directory Lightweight Directory Access Protocol
(LDAP) server that is used to authenticate user credentials. Lenovo XClarity Administrator
supports three types of authentication servers:

• Local authentication server. By default, XClarity Administrator is configured to use
the local authentication server that resides on the management node.

• External LDAP server. Currently, only Microsoft Active Directory is supported. This
server must reside on an outboard Microsoft Windows server that is connected to the
management network. When an external LDAP server is used, the local authentication
server is disabled. Attention: To configure the Active Directory binding method to use
login credentials, the baseboard management controller for each managed server
must be running firmware from September 2016 or later.

• External SAML identity provider. Currently, only Microsoft Active Directory
Federation Services (AD FS) is supported. In addition to entering a user name and
password, multi-factor authentication can be set up to enable additional security by
requiring a PIN code, reading a smart card, and a client certificate. When an SAML
identity provider is used, the local authentication server is not disabled. Local user
accounts are required to log in directly to a managed chassis or server (unless
Encapsulation is enabled on that device), for PowerShell and REST API
authentication, and for recovery if external authentication is not available. You can
choose to use both an external LDAP server and an external identity provider. If both
are enabled, the external LDAP server is used to log in directly to the managed devices,
and the identity provider is used to log in to the management server.

For more information about authentication servers, see Managing the authentication server in the
XClarity Administrator online documentation.

• Device authentication
By default, devices are managed using XClarity Administrator managed authentication to log in
to the devices. When managing rack servers and Lenovo chassis, you can choose to use local
authentication or managed authentication to log in to the devices.

• When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack
switches, XClarity Administrator uses a stored credential to authenticate to the
device. The stored credential can be an active user account on the device or a user
account in an Active Directory server. You must create a stored credential in XClarity
Administrator that matches an active user account on the device or a user account in
an Active Directory server before managing the device using local authentication (see
Managing stored credentials in the Lenovo XClarity Administrator online documentation).

Note: RackSwitch devices support only stored credentials for authentication. XClarity
Administrator user credentials are not supported.

• Using managed authentication allows you to manage and monitor multiple devices
using credentials in the XClarity Administrator authentication server instead of local
credentials. When managed authentication is used for a device (other than switches,
System x M4 servers, and ThinkServer servers), XClarity Administrator configures the
device and its installed components to use the XClarity Administrator authentication
server for centralized management.

o If a local or external LDAP server is used as the XClarity Administrator
authentication server, user accounts that are defined in the authentication server are
used to log in to XClarity Administrator, CMMs and baseboard management
controllers in the XClarity Administrator domain. Local CMM and management
controller user accounts are disabled.
o If an SAML 2.0 identity provider is used as the XClarity Administrator authentication
server, SAML accounts are not accessible to managed devices. However, when
using an SAML identity provider and an LDAP server together, if the identity provider
uses accounts that exist in the LDAP server, LDAP user accounts can be used to log
into the managed devices while the more advanced authentication methods that are
provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be
used to log into XClarity Administrator.
o For ThinkServer servers, the XClarity Administrator authentication server is not
used. Instead, an IPMI account is created on the device with the prefix “LXCA_”
followed by a random string. (The existing local IPMI user accounts are not
disabled.) When you unmanage a ThinkServer server, the “LXCA_” user account is
disabled, and the prefix “LXCA_” is replaced with the prefix “DISABLED_”. To
determine whether a ThinkServer server is managed by another instance, XClarity
Administrator checks for IPMI accounts with the prefix “LXCA_”. If you choose to
force management of a managed ThinkServer server, all the IPMI accounts on the
device with the “LXCA_” prefix are disabled and renamed. Consider manually
clearing IPMI accounts that are no longer used.
When managed authentication is enabled, you can manage devices using either user
accounts in the XClarity Administrator authentication server or stored credentials (see
Managing user accounts and Managing stored credentials in the Lenovo XClarity Administrator
online documentation).
If managed authentication is enabled, and you manage a device using a stored
credential, the stored credential is used only until XClarity Administrator configures the
LDAP settings on the device. After that, changes to the stored credential do not impact
the management or monitoring of that device.
Note: When managed authentication is enabled (devices are centrally managed), you
can edit only XClarity Administrator user accounts. You cannot edit stored credentials
using XClarity Administrator.

• Recovery user account


If you specify a recovery password, XClarity Administrator disables the local CMM or
management-controller user account and creates a new recovery user account (RECOVERY_ID)
on the device for future authentication. If the management server fails, you can use the
RECOVERY_ID account to log in to the device to take recovery actions to restore account-
management functions on the device until the management node is restored or replaced.

If you unmanage a device that has a RECOVERY_ID user account, all local user accounts are
enabled, and the RECOVERY_ID account is deleted.

• If you change the disabled local user accounts (for example, if you change a
password), the changes have no effect on the RECOVERY_ID account. In managed-
authentication mode, the RECOVERY_ID account is the only user account that is
activated and operational.

• Use the RECOVERY_ID account only in an emergency, for example, if the management
server fails or if a network problem prevents the device from communicating with
XClarity Administrator to authenticate users.

• The RECOVERY_ID password is specified when you discover the device. Ensure that
you record the password for later use.

For information about recovering device management, see Recovering chassis management
with a CMM after a management server failure and Recovering rack or tower server
management after a management server failure in the XClarity Administrator online
documentation.

• User accounts and role groups

• User accounts are used to log in to and manage Lenovo XClarity Administrator and all
managed chassis and servers. XClarity Administrator user accounts are subjected to
two interdependent processes: authentication and authorization.

• Authentication is the security mechanism by which a user's credentials are verified.
The authentication process uses the user credentials that are stored in the configured
authentication server. It also prevents unauthorized management servers or rogue
managed-system applications from accessing the resources. After authentication, a
user can access XClarity Administrator. However, to access a specific resource or
perform a specific task, the user must also have the appropriate authorization.

• Authorization checks the permissions of the authenticated user and controls access
to resources based on the user's membership in a role group. Role groups are used to
assign specific roles to a set of user accounts that are defined and managed in the
authentication server. For example, if a user is a member of a role group that has
Supervisor permissions, that user can create, edit, and delete user accounts from
XClarity Administrator. If a user has Operator permissions, that user can only view
user-account information.

For more information about the user accounts and role groups, see Managing user accounts in
the XClarity Administrator online documentation.

• User-account security

User-account settings control the password complexity, account lockout, and web-session
inactivity timeout. You can change the values of the account-security settings.

For more information about the account-security settings, see Changing the user-account
security settings in the Lenovo XClarity Administrator online documentation.

Performance considerations
For information about the number of devices that can be managed by each Lenovo XClarity
Administrator instance and minimum and recommended hardware requirements based on the
number of managed devices in your environment, see Supported host systems.

If you have an environment with a large number of devices and a large number of concurrent
user sessions, and you experience reduced system performance, reduce the number of
concurrent user sessions to the XClarity Administrator web interface or increase the virtual CPU
resources that are allocated to the virtual appliance.

For additional performance considerations and tips, see the XClarity Administrator: Performance
Guide (White paper).

High availability considerations


To set up high availability for Lenovo XClarity Administrator, use the high availability features
that are part of the host operating system (VMware ESXi or Microsoft Hyper-V).

• VMware ESXi
In a VMware high-availability environment, multiple hosts are configured as a cluster. Shared
storage is used to make the disk image of a virtual machine (VM) available to the hosts in the
cluster. The VM runs on only one host at a time. When there is an issue with the VM, another
instance of that VM is started on a backup host.

VMware high availability requires the following components:

• A minimum of two hosts on which ESXi is installed. These hosts become part of the
VMware cluster.

• A third host on which VMware vCenter is installed.

Tip: Ensure that you install a version of VMware vCenter that is compatible with the
versions of ESXi that are installed on the hosts to be used in the cluster.
VMware vCenter can be installed on one of the hosts that is used in the cluster.
However, if that host is powered off or not usable, you lose access to the VMware
vCenter interface as well.

• Shared storage (datastores) that can be accessed by all hosts in the cluster. You can
use any type of shared storage that VMware supports. The datastore is used by
VMware to determine if a VM should fail over to a different host (heartbeating).

For details about setting up a VMware high availability cluster (VMware 5.0), see the Setting up
HA for VMware webpage.

For information about implementing high-availability, see Implementing high availability
(VMware ESXi).

• Microsoft Hyper-V
For information about implementing high-availability, see Implementing high availability
(Microsoft Hyper-V).

Features on Demand
Features on Demand activates features without requiring the installation of hardware or the
purchase of new equipment. This activation is done by acquiring and installing the
corresponding Features on Demand key.

To use the remote-control and operating-system deployment operations in Lenovo XClarity
Administrator, you must enable XClarity Controller Enterprise level or MM Advanced Upgrade
for servers that do not come with these features already activated by default. These operations
also require that a Features on Demand key for remote presence is installed on ThinkSystem,
Converged, and System x servers. You can determine whether remote presence is enabled,
disabled, or not installed on a server from the Servers page (see Viewing the status of a
managed server in the XClarity Administrator online documentation).

Some advanced server functions are activated using Features on Demand keys. If features
have configurable settings that are exposed during UEFI setup, you can configure the setting
using Configuration Patterns; however, the resulting configuration is not activated until the
corresponding Features on Demand key is installed.

Note: You cannot install or manage Features on Demand keys from XClarity Administrator;
however, you can view the list of Features on Demand keys that are currently installed on
managed servers. For more information about viewing installed Features on Demand keys, see
Viewing Feature on Demand keys in the XClarity Administrator online documentation.

To acquire and install Features on Demand keys:

• Purchase the Features on Demand upgrade using the appropriate part number.

• You can purchase keys from the Features on Demand portal. When your purchase is
complete, you will receive an authorization code by e-mail.

• On the Features on Demand portal, enter the authorization code that you received,
along with the unique system identifier of the server that you intend to upgrade.

• Download the activation key in the form of a .KEY file.

• Upload the activation key to the management controller for the server.

• Restart the server. When the restart is complete, the feature is activated.

For more information about Features on Demand keys, see Using Lenovo Features on
Demand.

Lenovo XClarity Controller (XCC)
Lenovo ThinkSystem servers contain an integrated service processor, XClarity Controller
(XCC), which provides advanced service-processor control, monitoring, and alerting functions.
The XCC consolidates the service processor functionality, super I/O, video controller, and
remote presence capabilities into a single chip on the server system board. The XCC is based
on the Pilot4 XE401 baseboard management controller (BMC) using a dual-core ARM Cortex
A9 service processor.

Figure 1. ThinkSystem servers include the XClarity Controller integrated service processor

Features
XCC has three feature levels: Standard, Advanced, and Enterprise.
XClarity Controller Standard offers the following capabilities:

• Gathering and viewing system information and inventory

• Monitoring system status and health

• Alerting and notifications

• Event logging

• Configuring network connectivity

• Configuring security

• Updating system firmware

• Configuring server settings and devices

• Real-time power usage monitoring

• Remotely controlling server power (Power on, Power off, Restart)

• Managing FoD activation keys

• Redirecting serial console via IPMI

• Capturing the video display contents


XClarity Controller Advanced Upgrade adds the following functionality to the Standard features:

• Remotely viewing video with graphics resolutions up to 1920x1200 at 60 Hz with 16
bits per pixel

• Remotely accessing the server using the keyboard and mouse from a remote client

• Ability to record and replay the video from a remote control session

• Remotely deploying an operating system

• Component replacement logs

• Syslog alerting

• Redirecting serial console via SSH

• Security Key Lifecycle Manager (SKLM)

• IP Address blocking

• Displaying graphics for real-time and historical power usage data and temperature

XClarity Controller Enterprise Upgrade adds the following functionality to the Advanced
features:

• Capping power usage

• Mapping the ISO and image files located on the local client as virtual drives for use by
the server

• Mounting the remote ISO and image files via HTTPFS, CIFS, and NFS

• Collaborating across up to six users of the virtual console

• Virtual console chat

• Ability to capture and replay the server’s boot-up video

• Ability to capture and replay the server's video information leading up to the point
where the operating system may hang or crash.

• Out-of-band (OOB) performance monitoring - System performance metrics

• Controlling quality and bandwidth usage of the virtual console

Management interfaces
There are two ways to access the XCC management processor remotely:

• Command-line interface. To access the CLI interface, use SSH to log in to the
management processor.

• Web-based interface. To access the web-based interface, point your browser to the
IP address for the management processor. The new intuitive interface includes at-a-
glance visualizations and simple access to common system actions. The dashboard
is shown in the following figure.

Figure 2. Lenovo XClarity Controller dashboard

XCC can also be accessed remotely through industry-standard interfaces:

• Intelligent Platform Management Interface (IPMI) Version 2.0

• Simple Network Management Protocol (SNMP)
o Version 3 supported (no SET commands)
o Version 1 supported, traps only*

• Common Information Model (CIM-XML)

• Data Center Manageability Interface (DCMI) Version 1.5

• Representational State Transfer (REST) support

• Redfish support (DMTF compliant) with specification version 1.2.0 and schema
version 2017.1

• Web browser - HTML 5-based browser interface (Java and ActiveX not required)
using a responsive design (content optimized for device being used - laptop, tablet,
phone) with NLS support
*Support for SNMP v1 requires updated XCC firmware. Depending on the server model, this is
v1.4.0, v2.10 or v2.12 (or newer). For specifics, consult the change history file for the XCC
firmware for your server at https://datacentersupport.lenovo.com.

Access via the XClarity Mobile app


XCC can also be managed locally from the XClarity Mobile app on a phone or tablet. The mobile
device is physically attached to the server via a USB cable connected to a front USB port with
XClarity Controller access.

Note: The ThinkSystem SD650 dense server does not support the use of the XClarity Mobile app.

The steps to enable this tethering function are as follows:

1. If you haven't done so already, install the XClarity Mobile app on your mobile device.
2. Enable USB Management on the server, by holding down the ID button for 3 seconds
(or pressing the dedicated USB management button if one is present).
3. Connect the mobile device via a USB cable to the server's USB port with the
management symbol.
4. In iOS or Android settings, enable Personal Hotspot or USB Tethering.
5. Launch the XClarity Mobile app.

Once connected, you can see the following information via a Virtual Operator Panel:

• System status, firmware, network, health, and alerts information (read only, no login
required)

• Server management functions including configuring systems management and
network settings, and controlling system power (power on, power off, restart) (XClarity
login credentials required)

Part numbers
Models of ThinkSystem servers come with either XClarity Controller Standard, Advanced or
Enterprise, depending on the server type and the model. The servers will be delivered with the
stated version already active. The following table shows the field upgrades available for models
that come with XCC Standard or XCC Advanced.
Important considerations:

• If you will be using XClarity Administrator for tasks such as remote control and OS
deployment, then the XCC Enterprise level must be used on the server.

• The Lenovo ThinkSystem XClarity Controller Enterprise license includes a license for
Lenovo XClarity Energy Manager.

Table 1. XClarity Controller field upgrades

Part number    Feature code    Description
4L47A09132     AVUT            ThinkSystem XClarity Controller Standard to Advanced Upgrade (for servers that have XCC Standard)
4L47A09133*    AVUU            ThinkSystem XClarity Controller Advanced to Enterprise Upgrade (for servers that have XCC Advanced) (requires XCC Advanced*)

* The Enterprise Upgrade requires that XCC already be at the Advanced level. If the server
currently has XCC Standard, you must first apply the XCC Standard to Advanced Upgrade
before applying the XCC Advanced to Enterprise Upgrade.
For configure-to-order (CTO) models, you can specify the XCC level you require by selecting
the appropriate XCC feature code as listed in the following table:

• XCC Standard - if both AVUT and AUPW are not in the order

• XCC Advanced - select feature AVUT

• XCC Enterprise - select feature AUPW

Lenovo XClarity Provisioning Manager


Lenovo XClarity Provisioning Manager is a UEFI-embedded GUI application that combines the
functions of configuring system setup settings, configuring RAID, and updating applications and
firmware. It also enables you to install the supported operating systems and associated device
drivers, run diagnostics, and collect service data.
Lenovo XClarity Provisioning Manager has the following features:

• Automatic hardware detection

• Collecting and viewing system inventory information

• Configuring UEFI system setup settings

• Updating the system firmware

• Configuring RAID by using the RAID Setup Wizard or Advanced mode

• Installing an operating system and device drivers automatically or manually

• Running diagnostics and collecting service data

Lenovo Capacity Planner


Lenovo Capacity Planner is a power consumption evaluation tool that enhances data
center planning by enabling IT administrators and pre-sales professionals to understand
various power characteristics of racks, servers, and other devices. Capacity Planner can
dynamically calculate the power consumption, current, British Thermal Unit (BTU), and volt-
ampere (VA) rating at the rack level, improving the planning efficiency for large scale
deployments.

Chassis Management Module
The CMM provides single-chassis management and is used to communicate with the
management controller in each compute node. It provides system monitoring, event recording,
and alerts. It also manages the chassis, its devices, and the compute nodes. The chassis
supports up to two CMMs. If one CMM fails, the second CMM can detect its inactivity, self-
activate, and take control of the system without any disruption. The CMM is central to the
management of the chassis and is required in the Enterprise Chassis.
CMM2 is the Chassis Management Module that is currently available from Lenovo. The original
CMM is now withdrawn from marketing.

Overview
The CMM is a hot-swap module that provides basic system management functions for all devices that are
installed in the Enterprise Chassis. A chassis includes at least one CMM and supports CMM redundancy.

Mixing of CMM versions: If two CMMs are installed in a Flex System chassis, they should be of the same type. If
a primary CMM2 is installed, the secondary must be a CMM2.

The CMM is shown in Figure 2-3.

Figure 2-3 Chassis Management Module

Through an embedded firmware stack, the CMM implements functions to monitor, control, and
provide external user interfaces to manage all chassis resources. You can use the CMM to
perform the following functions:

• Define login IDs and passwords.

• Configure security settings, such as data encryption and user account security. The
CMM contains an LDAP client that can be configured to provide user authentication
through one or more LDAP servers. The LDAP server (or servers) to be used for
authentication can be discovered dynamically or manually pre-configured.

• Select recipients for alert notification of specific events.

• Monitor the status of the compute nodes and other components.

• Find chassis component information.

• Discover other chassis in the network and enable access to them.

• Control the chassis, compute nodes, and other components.

• Access the I/O modules to configure them.

• Change the start sequence in a compute node.

• Set the date and time.

• Use a remote console for the compute nodes.

• Enable multi-chassis monitoring.

• Set power policies and view power consumption history for chassis components.

Interfaces
The CMM supports a web-based graphical user interface (GUI) that provides a way to perform
chassis management functions within a supported web browser. You can also perform
management functions through the CMM command-line interface (CLI). The web-based and CLI
interfaces are accessible through the single RJ45 Ethernet connector on the CMM, or from any
system that is connected to the same network.
The CMM has the following default IPv4 settings:

• IP address: 192.168.70.100

• Subnet: 255.255.255.0

• User ID: USERID (all capital letters)

• Password: PASSW0RD (all capital letters, with a zero instead of the letter O)
The CMM does not have a fixed static IPv6 IP address by default. Initial access to the CMM in an
IPv6 environment can be done by using the IPv4 IP address or the IPv6 link-local address. The
IPv6 link-local address is automatically generated based on the MAC address of the CMM. By
default, the CMM is configured to respond to DHCP first before it uses its static IPv4 address. If
you do not want this operation to occur, connect locally to the CMM and change the default IP
settings. For example, you can connect locally by using a notebook.
The web-based GUI brings together all of the functionality that is needed to manage the chassis
elements in an easy-to-use fashion consistently across all System x IMM2 based platforms.

The CMM login window is shown in the following figure.

Figure 2-4 CMM login window

An example of the CMM home page after login is shown in Figure 2-5.

Figure 2-5 Initial view of CMM after login

Security
Today’s world of computing demands tighter security standards and native integration with
computing platforms. For example, the push towards virtualization increased the need for more
security. This increase comes as more mission-critical workloads are consolidated on to fewer
and more powerful servers. The Flex System Enterprise Chassis takes a new approach to
security with a ground-up chassis management design to meet new security standards.

The following security enhancements and features are provided in the chassis:

• Single sign-on (central user management)

• End-to-end audit logs

• Secure boot: Tivoli Provisioning Manager and CRTM

• Intel TXT technology (Intel Xeon based compute nodes)

• Signed firmware updates to ensure authenticity

• Secure communications

• Certificate authority and management

• Chassis and compute node detection and provisioning

• Role-based access control

• Security policy management

• Same management protocols that are supported on BladeCenter AMM for
compatibility with earlier versions

• Insecure protocols are disabled by default in CMM, with Locks settings to prevent
users from inadvertently or maliciously enabling them

• Supports up to 84 local CMM user accounts

• Supports up to 32 simultaneous sessions

• CMM supports LDAP authentication

The Enterprise Chassis ships Secure and supports the following security policy settings:

• Secure: Default setting to ensure a secure chassis infrastructure and includes the
following features:
o Strong password policies with automatic validation and verification checks
o Updated passwords that replace the manufacturing default passwords after the initial
setup
o Only secure communication protocols, such as Secure Shell (SSH) and Secure
Sockets Layer (SSL)
o Certificates to establish secure, trusted connections for applications that run on the
management processors

• Legacy: Flexibility in chassis security, which includes the following features:
o Weak password policies with minimal controls
o Manufacturing default passwords that do not have to be changed
o Unencrypted communication protocols, such as Telnet, SNMPv1, TCP Command
Mode, FTP Server, and TFTP Server

• Trusted Platform Module (TPM):
o CMM2: Trusted Platform Module v2.0

The centralized security policy makes Enterprise Chassis easy to configure. All components run
with the same security policy that is provided by the CMM. This consistency ensures that all I/O
modules run with a hardened attack surface.
The CMM and Lenovo XClarity Administrator each have their own independent security policies
that control, audit, and enforce the security settings. The security settings include the network
settings and protocols, password and firmware update controls, and trusted computing
properties.

Compute node management


Each node in the Enterprise Chassis has a management controller that communicates upstream
through the CMM-enabled 1 GbE private management network that enables management
capability.
The management controllers for the various Enterprise Chassis components have the following
default IPv4 addresses:

• CMM: 192.168.70.100

• Compute nodes: 192.168.70.101-114 (corresponding to the slots 1 - 14 in the
chassis)

• I/O Modules: 192.168.70.120-123 (sequentially corresponding to chassis bay
numbering)
In addition to the IPv4 address, all I/O modules support link-local IPv6 addresses and
configurable external IPv6 addresses.
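
The following Python sketch is an added example, not Lenovo code. It audits a constructed inventory for management controllers still on the factory-default IPv4 addresses listed above, and derives the IPv6 link-local address that the Interfaces section says is generated from the MAC address. The modified EUI-64 derivation (RFC 4291) is an assumption, because the page does not name the method; the inventory names and MAC addresses are constructed.

```python
import ipaddress

# Factory-default management subnet and last-octet ranges as listed on this page.
DEFAULT_NET = ipaddress.ip_network("192.168.70.0/24")

def factory_default_role(ip):
    """Return the chassis role a factory-default IPv4 address implies, else None."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr not in DEFAULT_NET:
        return None
    octet = int(addr) & 0xFF
    if octet == 100:
        return "CMM"
    if 101 <= octet <= 114:
        return f"compute node, slot {octet - 100}"
    if 120 <= octet <= 123:
        return f"I/O module, bay {octet - 119}"
    return None

def link_local_from_mac(mac):
    """Derive the fe80::/64 address from a MAC, assuming modified EUI-64 (RFC 4291)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit, then insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def audit(inventory):
    """List endpoints still on a factory-default IPv4 address, with their link-local."""
    findings = []
    for name, mac, ipv4 in inventory:
        role = factory_default_role(ipv4)
        if role is not None:
            findings.append((name, role, str(link_local_from_mac(mac))))
    return findings

# Constructed inventory (name, MAC, IPv4); MACs use the RFC 7042 documentation range.
INVENTORY = [
    ("chassis1-cmm", "00:00:5e:00:53:01", "192.168.70.100"),
    ("chassis1-node3", "00-00-5E-00-53-03", "192.168.70.103"),
    ("chassis2-cmm", "00:00:5e:00:53:20", "10.20.30.40"),
    ("chassis1-sw2", "00:00:5e:00:53:12", "192.168.70.121"),
]

if __name__ == "__main__":
    for name, role, link_local in audit(INVENTORY):
        print(f"{name}: still on factory-default address ({role}); link-local {link_local}")
```

An endpoint that appears in the findings has not had its initial network setup completed, so it is also the first place to confirm that the manufacturing default password has been replaced.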

XClarity Controller
With the announcement of the ThinkSystem brand, a new improved management controller was
launched, known as XClarity Controller or XCC.
XCC has many improvements over the previous generation IMM2. Boot times have been
improved to the extent that systems boot twice as fast, and some firmware updates can be
applied six times faster than on the previous x240 M5 generation.

The user experience is much improved when managing a ThinkSystem node via the integrated
XCC management controller web interface. The GUI has intuitive dashboards featuring an “at a
glance” main screen giving access to most common system actions.
Other improvements include:

• Support for HTML5 - no longer a need for Java or ActiveX

• Support for access via the XClarity Mobile application, via the front USB port located on
the node front panel

• Support for XClarity Provisioning Manager

• Remote configuration using XClarity Essentials or XClarity Controller CLI.

• Enhanced remote-presence capabilities.

• REST API (Redfish schema) support for additional web-related services and software
applications. It currently supports Redfish Scalable Platforms Management API
Specification 1.0.2 and schema 2016.2
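
The Redfish interface gives a scriptable way to check a controller against the protocol rules described earlier on this page (Telnet, HTTP, and SNMPv1 counted as insecure). The following Python sketch is an added example, not Lenovo code: it audits one Redfish ManagerNetworkProtocol document using the standard DMTF property names. The sample document, its manager id, and its host name are constructed, and whether a given XCC firmware level exposes each property is an assumption to verify.

```python
import json

# Unencrypted protocols the page names as Legacy-only or disabled by default,
# keyed by their property names in the Redfish ManagerNetworkProtocol resource.
INSECURE = {"Telnet": "unencrypted remote shell", "HTTP": "unencrypted web access"}
# The resource reports SNMP only as on/off, so the version must be checked separately.
REVIEW = {"SNMP": "confirm SNMPv3 only; SNMPv1 is a Legacy-policy protocol"}

def enabled(doc, name):
    """True only if the protocol object exists and ProtocolEnabled is literally true."""
    entry = doc.get(name)
    return isinstance(entry, dict) and entry.get("ProtocolEnabled") is True

def audit_network_protocol(doc):
    """Return (severity, protocol, detail) findings for one document."""
    findings = []
    for name, why in INSECURE.items():
        if enabled(doc, name):
            findings.append(("FAIL", name, f"{why} enabled on port {doc[name].get('Port')}"))
    for name, why in REVIEW.items():
        if enabled(doc, name):
            findings.append(("REVIEW", name, why))
    return findings

def compliant(doc):
    """A controller passes when no FAIL finding is raised."""
    return not any(sev == "FAIL" for sev, _, _ in audit_network_protocol(doc))

# Constructed sample response; the manager id "1" and host name are placeholders.
SAMPLE = json.loads("""
{
  "@odata.id": "/redfish/v1/Managers/1/NetworkProtocol",
  "Id": "NetworkProtocol",
  "HostName": "xcc-example",
  "HTTP":   {"ProtocolEnabled": true,  "Port": 80},
  "HTTPS":  {"ProtocolEnabled": true,  "Port": 443},
  "SSH":    {"ProtocolEnabled": true,  "Port": 22},
  "Telnet": {"ProtocolEnabled": false, "Port": 23},
  "SNMP":   {"ProtocolEnabled": true,  "Port": 161}
}
""")

if __name__ == "__main__":
    for severity, protocol, detail in audit_network_protocol(SAMPLE):
        print(f"{severity:6} {protocol}: {detail}")
    print("compliant:", compliant(SAMPLE))
```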
There are three levels of features available with XCC:

• Standard

• Advanced

• Enterprise
ThinkSystem nodes ship with the Enterprise level enabled as standard, which provides full
function, including mounting of local ISO/IMG files, remote virtual media mounting of ISO/IMG
files and, most importantly, remote deployment when using XClarity Administrator.
The following figure shows the improved interface that is presented when logged in to the XCC on a
ThinkSystem SN550 node. Health summary, system information, settings, and power utilization
can be quickly seen on this one screen, with much further information and quick actions
available with simple clicks of the mouse.

Figure 2-6 XClarity Controller web interface

Local management using XClarity mobile application


The ThinkSystem SN550 and SN850 nodes have a new feature for direct USB management
that is common on all of the XCC managed ThinkSystem Servers.
This allows the front panel USB 3.0 port to be used for management of the node when the node
is installed in a chassis. The node does not need to be powered up for this management
method to function. When a suitable USB device (iOS or Android) running the XClarity
Administrator mobile application is connected, an Ethernet over USB connection can be
established between the mobile app running on the device and the XClarity Controller.
The mobile application can be downloaded from the relevant application stores:

• Google Play

• Apple iTunes

• Lenovo Store (China)

• Baidu Store (China)


The USB port on the node can be enabled in a number of different modes:

• Host only mode: USB port is only connected to the Server. This means the OS that is
running on the server will “see” the USB port.

• BMC only mode: USB port is connected only to XCC. This means the OS will not “see”
the USB port, as the port is dedicated to the XCC.

• Shared mode owned by BMC: USB port is shared by both the server and the XCC, but
the port is switched to the XCC.

• Shared mode owned by the host: USB port is shared by both the server and the XCC,
but the port is switched to the XCC.

BMC and XCC: The terms BMC and XCC are used interchangeably in some documentation. They both
refer to the onboard management processor.

The XCC USB port management functionality can be changed within the XCC web
management interface, as shown in Figure 2-7. Here the BMC configuration tab has been
selected and the front panel USB options are shown and can be changed:

Figure 2-7 XCC web interface front panel USB port management on SN550

As can be seen in Figure 2-7, there is a tick box that makes the ID button available for switching
between owned by BMC and owned by Server when in shared mode.
Table 2-2 shows a summary of the different modes and operation of the ID button.

Table 2-2 ID button

| Front panel USB port mode | OS can use the USB port | Local management using XClarity Mobile application | In shared mode, ID button is required to switch modes |
|---|---|---|---|
| Host only | Yes | No | Not Applicable |
| BMC only | No | Yes | Not Applicable |
| Shared mode owned by BMC | Yes (when ID button pressed) | Yes | Yes |
| Shared mode owned by host | Yes | Yes (when ID button pressed) | Yes |

On the ThinkSystem SN550 and SN850 nodes, the ID button is also known as the USB
management button. The button is located on the front panel and it is identified with a spanner
symbol as shown in Figure 2-8.

Figure 2-8 USB Management button on the front of ThinkSystem SN550

Integrated Management Module II


The IMM2 is the management processor that is integrated into the x240 M5 nodes within the
chassis. The IMM2 incorporates a web-based user interface that provides a common
appearance and design across System x and Flex System products.
In addition to the interface, the following other major enhancements from the previous IMMv1
are included:
• Faster processor and more memory

• IMM2 manageable “northbound” from outside the chassis, which enables consistent
management and scripting with System x rack servers

• Remote presence:
o Increased color depth and resolution for more detailed server video
o ActiveX client in addition to Java client
o Increased memory capacity (~50 MB) provides convenience for remote software
installations

• No IMM2 reset is required on configuration changes because they become effective
immediately without restart

• Hardware management of non-volatile storage

• Faster Ethernet over USB

• 1 Gb Ethernet management capability

• Improved system power-on and boot time

• More detailed information for UEFI detected events enables easier problem
determination and fault isolation

• User interface meets accessibility standards (CI-162 compliant)

• Separate audit and event logs

• “Trusted” IMM with significant security enhancements (CRTM/TPM, signed updates,
authentication policies, and so on)

• Simplified update and flashing mechanism

• Syslog alerting mechanism provides an alternative to e-mail and SNMP traps

• Support for Features on Demand (FoD) enablement of server functions, option card
features, and System x solutions and applications

• First Failure Data Capture: One button web press starts data collection and download
For more information, see Integrated Management Module II User’s Guide available from:
https://download.lenovo.com/servers_pdf/nn1jz_book.pdf

I/O modules
The I/O modules include the following base functions:

• Initialization

• Configuration

• Diagnostic tests (power-on and concurrent)

• Status Reporting
The following set of protocols and software features also are supported on the I/O modules:

• A configuration method over the Ethernet management port.

• A scriptable SSH CLI, a web server with SSL support, Simple Network Management
Protocol v3 (SNMPv3) Agent with alerts, and a sFTP client.

• Server ports that are used for Telnet, HTTP, SNMPv1 agents, TFTP, FTP, and other
insecure protocols are DISABLED by default.

• LDAP authentication protocol support for user authentication.

• For Ethernet I/O modules, 802.1x enabled with policy enforcement point (PEP)
capability to allow support of TNC (Trusted Network Connect).

• The ability to capture and apply a switch configuration file and the ability to capture a
first failure data capture (FFDC) data file.

• Ability to transfer files by using URL update methods (HTTP, HTTPS, FTP, TFTP, and
sFTP).

• Various methods for firmware updates, including FTP, sFTP, and TFTP. In addition,
firmware updates by using a URL that includes protocol support for HTTP, HTTPS,
FTP, sFTP, and TFTP.

• SLP discovery and SNMPv3.

• Ability to detect firmware and hardware hangs and to pull a “crash-failure memory
dump” file to an FTP (sFTP) server.

• Selectable primary and backup firmware banks as the current operational firmware.

• Ability to send events, SNMP traps, and event logs to the CMM, including security
audit logs.

• IPv4 and IPv6 on by default.

• The CMM management port supports IPv4 and IPv6 (IPv6 support includes the use
of link-local addresses).

• Port mirroring capabilities:
o Port mirroring of CMM ports to internal and external ports.
o For security reasons, the ability to mirror the CMM traffic is hidden and is available
to development and service personnel only.

• Management virtual local area network (VLAN) for Ethernet switches: A configurable
management 802.1q tagged VLAN in the standard VLAN range of 1 - 4094. It includes
the CMM’s internal management ports and the I/O modules’ internal ports that are
connected to the nodes.
