DCPG002 R 3
Certification
Systems Management
Notices
Lenovo may not offer the products, services, or features discussed in this document in all
countries. Consult your local Lenovo representative for information on the products and services
currently available in your area. Any reference to a Lenovo product, program, or service is not
intended to state or imply that only that Lenovo product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe any Lenovo
intellectual property right may be used instead. However, it is the user’s responsibility to
evaluate and verify the operation of any other product, program, or service.
Lenovo may have patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not give you any license to these patents.
You can send license inquiries, in writing, to:
Morrisville, NC 27560
U.S.A.
LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new editions
of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.
The products described in this document are not intended for use in implantation or other life
support applications where malfunction may result in injury or death to persons. The information
contained in this document does not affect or change Lenovo product specifications or
warranties. Nothing in this document shall operate as an express or implied license or indemnity
under the intellectual property rights of Lenovo or third parties. All information contained in this
document was obtained in specific environments and is presented as an illustration. The result
obtained in other operating environments may vary.
Lenovo may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you. Any references in this publication to non-
Lenovo Web sites are provided for convenience only and do not in any manner serve as an
endorsement of those Web sites. The materials at those Web sites are not part of the materials
for this Lenovo product, and use of those Web sites is at your own risk.
Any performance data contained herein was determined in a controlled environment. Therefore,
the result obtained in other operating environments may vary significantly. Some measurements
may have been made on development-level systems and there is no guarantee that these
measurements will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific environment.
Trademarks
Lenovo, the Lenovo logo, and For Those Who Do are trademarks or registered trademarks of
Lenovo in the United States, other countries, or both. These and other Lenovo trademarked
terms are marked on their first occurrence in this information with the appropriate symbol (® or
™), indicating US registered or common law trademarks owned by Lenovo at the time this
information was published. Such trademarks may also be registered or common law trademarks
in other countries. A current list of Lenovo trademarks is available on the Web at
http://www.lenovo.com/legal/copytrade.html.
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Blade Network Technologies®
BladeCenter®
BNT®
Flex System™
Lenovo®
RackSwitch™
Lenovo(logo)®
vNIC™
xSeries®
Table of Contents
Lenovo XClarity Administrator
Lenovo XClarity Administrator
Lenovo XClarity™ Administrator is a centralized resource management solution that is aimed at
reducing complexity, speeding response, and enhancing the availability of Lenovo® server
systems and solutions. Lenovo XClarity Administrator provides agent-free hardware
management for our servers, storage, network switches, hyperconverged and ThinkAgile
solutions.
Migrating from v1.x.x? For information on migrating to XClarity Administrator v2.1.x from a previous
release (1.x.x), see the Lenovo XClarity Administrator Quick Start Guide.
Tip: If you are running XClarity Administrator v1.x.x, first update to v1.4.1, then migrate your system
to v2.0.0, and then upgrade to v2.1.0.
Features
The XClarity Administrator dashboard is an HTML5-based web interface that allows fast
location of resources so that tasks can be run quickly. Because Lenovo XClarity Administrator does
not install any agent software on the managed endpoints, no CPU cycles are spent on agent
execution and no memory is consumed by an agent, which saves up to 1 GB of RAM and 1 - 2%
CPU usage compared to a typical managed system where an agent is required.
Lenovo XClarity Administrator delivers Lenovo resources faster. With a simplified administration
dashboard, the following functions can be easily achieved:
• Discovery
• Inventory
• Monitoring
• Firmware compliance
• Firmware updates
These functions are available across the following Lenovo devices:
• System x servers
• ThinkServer servers
• ThinkAgile solutions
• Hyperconverged solutions
• NeXtScale servers
• RackSwitch switches
• ThinkSystem storage
• Lenovo storage
Firmware management
Firmware management is simplified by assigning firmware-compliance policies to supported
managed endpoints to ensure that the firmware on those endpoints remains compliant. You can
also create and edit firmware-compliance policies when validated firmware levels do not match
the suggested predefined policies. In addition, you can apply and activate firmware that is
later than the currently installed firmware on a single managed endpoint or a group of endpoints
without using compliance policies.
OS Provisioning
OS Provisioning enables bare-metal deployment. VMware ESXi, Windows Server, SUSE Linux
Enterprise Server (SLES), and Red Hat Enterprise Linux images can be imported and held in an
image repository. A maximum of 10 images can be stored in the repository, and operating-system
images can be deployed to up to 28 bare-metal servers concurrently.
Security
Lenovo XClarity Administrator includes several features that can help you secure your
environment. These include:
• When you manage Lenovo chassis and servers in XClarity Administrator, you can
configure XClarity Administrator to change the firewall rules on the devices so that
incoming requests are accepted only from XClarity Administrator. This is referred to
as encapsulation.
• When changing cryptographic settings within XClarity Administrator you can choose
to apply the settings to the management server only, to the managed devices only, or
both.
• XClarity Administrator includes an audit log that provides a historical record of user
actions, such as logging on, creating users, or changing user passwords.
Integration
XClarity Administrator can be integrated into external, higher level management, automation,
and orchestration platforms through open REST application programming interfaces (APIs).
This means Lenovo XClarity can easily integrate with your existing management infrastructure.
• Lenovo XClarity Integrator for VMware vCenter (free download, support requires
XClarity Pro license)
https://datacentersupport.lenovo.com/documents/LNVO-VMWARE
• Lenovo XClarity Integrator for VMware vRealize Orchestrator (free download, support
requires XClarity Pro license)
https://datacentersupport.lenovo.com/documents/LNVO-VMRO
• Lenovo XClarity Integrator for VMware vRealize Log Insight (free download, support
requires XClarity Pro license)
https://marketplace.vmware.com/vsx/solutions/xclarity-integrator-for-vrealize-log-insight
• Lenovo XClarity Integrator for Microsoft System Center (free download, support
requires XClarity Pro license)
https://datacentersupport.lenovo.com/documents/LNVO-MANAGE
• Lenovo XClarity and Moogsoft AIOps Integration (as-is solution)
https://docs.moogsoft.com/en/lenovo-xclarity-lam.html
• Lenovo ThinkAgile XClarity Integrator for Red Hat Cloudforms (no download required)
The Lenovo Physical Infrastructure Provider provides IT administrators the ability to
integrate the management features of Lenovo XClarity Administrator with the hybrid-
cloud management capabilities of Red Hat CloudForms.
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html/configuring_the_lenovo_physical_infrastructure_provider_for_red_hat_cloudforms/overview
• Lenovo XClarity Integrator for Microsoft Azure Log Analytics (free download)
https://support.lenovo.com/us/en/solutions/ht506712
• Lenovo XClarity Integrator for Nagios (free download, requires Lenovo XClarity
Administrator installed)
Lenovo XClarity Integrator for Nagios retrieves alerts from XClarity Administrator, and
makes them available to Nagios.
https://support.lenovo.com/us/en/solutions/ht507298
Lenovo XClarity Pro
Lenovo XClarity Pro provides the following entitlement:
Note: Service and Support for XClarity Administrator and XClarity Integrators is only available with an
XClarity Pro purchase.
Key Features
Real-time monitoring, fault handling, alert notification, and call home: Yes (XClarity Administrator) / Yes (XClarity Pro)
Lenovo XClarity mobile app
The Lenovo XClarity mobile app provides management functions on Android and iOS devices:
• Monitor audit events, hardware and management events, alerts, and jobs.
• Take action on common system-level tasks to minimize the risk of disruptions and
downtime.
• iOS 8 is supported only for Lenovo XClarity Mobile v1.3.0 and earlier.
• iOS 9 is supported only for Lenovo XClarity Mobile v1.3.1 and earlier.
The following figure shows the Inventory screen of the mobile app.
The mobile app is available for download from these app stores:
• Google Play
• Apple iTunes
Management tasks
By using Lenovo XClarity, users can perform the following tasks that are described in this
section.
User Management
Lenovo XClarity Administrator provides a centralized authentication server to create and
manage all user accounts and to manage and authenticate user credentials. The authentication
server is created automatically when the management server first starts. The User accounts,
which are used to log on and manage the Lenovo XClarity Administrator, are also used for all
chassis and servers that are managed by the Lenovo XClarity Administrator. When you create a
user account, you control the level of access, such as whether the account has read/write
authority or read-only authority, by using role groups.
When devices are initially managed by Lenovo XClarity Administrator, a predefined set of role
groups has permission to access the devices by default. This predefined set is empty until it is
configured. You can change the role groups that can access specific managed devices. When
permission is given to certain role groups, only users who are members of those role groups can
see and act on those devices.
By default, devices are managed using XClarity Administrator managed authentication to log in
to the devices. When managing rack servers and Lenovo chassis, you can choose to use
managed authentication or local authentication to log in to the devices.
The following figure shows the Lenovo XClarity Administration interface for Security that
comprises User Management, roles, and other security settings.
Hardware monitoring
Lenovo XClarity Administrator provides a centralized view of events and alerts that are
generated from managed endpoints, such as chassis, servers, and Flex System switches.
When an issue is detected by the Chassis Management Module (CMM) or device that is
installed in the chassis, an event is passed to the Lenovo XClarity Administrator. That event is
displayed in the alerts list that is available within the user interface. A status bar also is available
that provides overall status information on the main XClarity Administrator interface. An example
list of alerts is shown in the following figure.
Figure 4. Alerts and actions
Hardware management
There are various management tasks for each supported endpoint, including viewing status and
properties, configuring system information and network settings, starting the CMM/IMM web
interface, and remote control for System x servers or Flex System nodes. The interface with a single
System x server selected and the power actions is shown in the following figure.
Configuration management
Configuration patterns provide a way to ensure that consistent configurations are applied
to managed servers. Server patterns are used to provision or pre-provision a managed server
by configuring local storage, I/O adapters, boot settings, firmware, ports, IMM, and UEFI settings.
Server patterns also integrate support for virtualizing I/O addresses, so you can virtualize Flex
System fabric connections or repurpose servers without disruption to the fabric.
You can also determine whether the settings on a server are in compliance with its server
profile. The settings on a server can become out of compliance with its server profile if settings
are changed without using Configuration Patterns or if an issue occurred during deployment,
such as a firmware issue or an invalid setting.
Operating system deployment
Lenovo XClarity Administrator can be used to manage the OS images repository and deploy
operating system images to managed servers. To deploy an operating system image from
Lenovo XClarity, at least one of the network interfaces (Eth0 or Eth1) must have IP network
connectivity to the server network interface that is used to access the host operating system. It
also must be configured with an IPv4 address. Additionally the Feature on Demand (FoD) key
for remote presence is required on ThinkSystem, ThinkAgile Solutions, NeXtScale, and System
x servers if not included as standard.
Firmware updates
Within Lenovo XClarity, you can manage the firmware-updates repository and apply and
activate firmware updates for all managed endpoints. Compliance policies can be used to flag
managed endpoints that do not comply with the defined firmware rules. Refreshing the
repository and downloading updates requires an Internet connection. If Lenovo XClarity has no
Internet connection, you can manually import updates into the repository. The firmware apply-and-
activate interface is shown in the following figure.
XClarity Administrator offers the PyLXCA toolkit, a Python-based library of commands and APIs
for automating provisioning and resource management from automation and orchestration
environments such as OpenStack, Ansible, or Puppet. The PyLXCA toolkit provides an interface to
the Lenovo XClarity Administrator REST APIs to automate functions such as:
• Managing a chassis
• Deploying an operating system image to one or more compute nodes or rack servers
• Configuring compute nodes and rack servers through the use of configuration
patterns
The free download includes a 90-day evaluation license for Configuration Patterns and
Operating System Deployment to allow you to evaluate these licensed components.
Lenovo XClarity Integrators for Microsoft System Center (MSSC) are also available to download
for free from the following link (XClarity Pro License required for technical support):
https://datacentersupport.lenovo.com/documents/lnvo-manage
Lenovo XClarity integrator for VMware vCenter is also available to download for free from the
following link (XClarity Pro License required for technical support):
https://datacentersupport.lenovo.com/documents/lnvo-vmware
Note: The free downloads do not include any entitlement for technical support.
To gain entitlement for technical support, purchase a license for Lenovo XClarity Pro to add
entitlement to use these features and gain technical support:
• Lenovo XClarity Administrator Configuration Patterns
• Lenovo XClarity Administrator Operating System (OS) Deployment
Before installing Lenovo XClarity Administrator, review the following considerations to help you
plan for installation and day-to-day management.
You can determine how many days are left in the trial license by clicking the user-actions menu
on the XClarity Administrator title bar, and then clicking About.
After 90 days, you can continue to use XClarity Administrator to manage and monitor your
hardware for free; however, you must purchase a full-function-enablement license to continue
using XClarity Administrator to configure your hardware using Configuration Patterns and to
deploy operating systems. Lenovo XClarity Pro provides entitlement to service and support and
the full-function-enablement license. For more information about purchasing Lenovo XClarity
Pro, contact your Lenovo representative or authorized business partner.
For information about installing the license, see Installing the full-function enablement license in
the XClarity Administrator online documentation.
Note: If the full-function-enablement license is already installed, a new license is not required
when upgrading to a new release of XClarity Administrator.
Hypervisor requirements
The following hypervisors are supported for installing XClarity Administrator:
• Microsoft Windows Server 2012 with Hyper-V installed
• Microsoft Windows Server Semi-Annual Channel (SAC) v1709 and v1803 with Hyper-V installed
Note: XClarity Administrator is tested only with Windows versions that are supported by
Microsoft at the time the XClarity Administrator version was released.
• Red Hat Enterprise Linux v7.x with Kernel-based Virtual Machine (KVM) v1.2.17 installed
• VMware ESXi 6.5 U1 and U2
Hardware requirements
The following minimum requirements must be met for the virtual machine. Depending on the
size of your environment and your use of Configuration Patterns, additional resources might be
required for optimal performance.
• 2 virtual processors
• 8 GB of memory
The following table lists the minimum recommended virtual-machine configurations for a given
number of devices. Keep in mind that if you run the minimum configuration, you might
experience longer than expected completion times for management tasks. For initial deployment
tasks such as firmware updates and server configuration, you might need to increase the VM
resources temporarily.
Number of managed devices | Virtual CPU / memory configuration
0 - 100 devices | 2 vCPUs, 8 GB RAM
100 - 200 devices | 4 vCPUs, 10 GB RAM
200 - 400 devices | 6 vCPUs, 12 GB RAM
400 - 600 devices | 8 vCPUs, 16 GB RAM
600 - 800 devices | 10 vCPUs, 20 GB RAM
800 - 1,000 devices | 12 vCPUs, 24 GB RAM
Notes:
• For the latest recommendations and additional performance considerations, see the
XClarity Administrator: Performance Guide (White paper).
• Depending on the size of your managed environment and the pattern of use in your
installation, you might need to add resources to maintain acceptable performance. If
you frequently see processor usage in the system resources dashboard displaying
high or very high values, consider adding 1-2 virtual processor cores. If your memory
usage persists above 80% at idle, consider adding 1-2 GB of RAM. If your system is
responsive at a configuration as defined in the table, consider running the VM for a
longer period to assess system performance.
• For information about how to free up disk space by deleting XClarity Administrator
resources that are no longer needed, see Managing disk space in the XClarity
Administrator online documentation.
Software requirements
A Network Time Protocol (NTP) server is required to ensure that timestamps for all events and
alerts that are received from managed devices are synchronized with XClarity Administrator.
Ensure that the NTP server is accessible over the management network (typically the Eth0
interface).
If you choose to use an external authentication server, only Microsoft Active Directory running
on Windows Server 2008 or later is supported.
If you choose to use a SAML identity provider, only Microsoft Active Directory Federation
Services (AD FS) version 2.0 or later running on Windows Server 2012 is supported.
Tip: Consider using the host system on which XClarity Administrator is installed as the NTP
server. If you do, ensure that the host system is accessible over the management network.
Restriction: If the host system on which XClarity Administrator is installed is a managed
compute node, you cannot use XClarity Administrator to apply firmware updates to that host
system or to the entire chassis at one time. When firmware updates are applied to the host
system, the host system must be restarted. Restarting the host system also restarts XClarity
Administrator, making XClarity Administrator unavailable to complete the updates on the host system.
Supported devices
Before using Lenovo XClarity Administrator to manage your devices, ensure that devices are
supported and review any limitations.
For information about the number of devices that can be managed by each XClarity
Administrator instance, see the XClarity Administrator: Performance Guide (White paper).
For support and limitations information for manageable devices (such as servers, switches,
storage, and CMMs) and other I/O devices and options, see the following compatibility pages for
each device type:
• Converged HX, NeXtScale, System x, ThinkAgile, and ThinkSystem rack and tower
servers
• RackSwitch devices
• Storage devices
There are minimum levels of required firmware for each managed device. During installation
and discovery, XClarity Administrator prompts when firmware can be updated to enable devices
to be managed. For information about firmware requirements, see Supported firmware.
For general information about hardware configuration and options for a specific device, see the Lenovo
Server Proven webpage.
Supported firmware
Before using Lenovo XClarity Administrator to manage your devices, ensure that the firmware
on each device is at the minimum required level.
There are minimum levels of required firmware for each managed device. During installation
and discovery, XClarity Administrator prompts when firmware can be updated to enable devices
to be managed. For information about firmware requirements, see the following compatibility
pages for each device type:
• Converged HX, NeXtScale, System x, ThinkAgile and ThinkSystem rack and tower
servers
• RackSwitch devices
• Storage devices
For information about updating firmware on managed devices, see Updating firmware on managed
devices in the XClarity Administrator online documentation.
Supported web browsers include:
• Microsoft Edge
Firewalls
Ensure that the following DNS names and ports are open on the firewall. Note: IP addresses
are subject to change. Use DNS names when possible.
Table 1. Required Internet connections
• Download management-server updates, firmware updates, UpdateXpress System Packs (OS device drivers), and repository packs: port 80
• Download firmware (Flex System x220, x222, x240, x280 X6, x440, x480 X6, x880 X6, some Flex switches, and first-generation CMMs only): 129.42.58.216, 129.42.60.216, 129.42.160.51, 207.25.252.197; port 80
• Additional download addresses on port 80: 129.35.224.104, 170.225.15.115, 170.225.15.105
• Additional addresses listed in the table: IPv4 52.6.12.38, 103.30.232.240; IPv6 2620:0:6C4:200:129:42:54:189, 2620:0:6C4:1::1000, and a third address whose leading groups are cut off (…2:60:189)
• logupload.lenovo.com/BLL/Logupload.ashx: port 443, https
Note: * These DNS names and IP addresses are not required to use Call Home for XClarity
Administrator v2.3.0 and later; however, they are needed to retrieve status for open service
tickets that were submitted prior to updating to v2.3.0.
Attention: For users in China, to retrieve warranty information for managed devices using
XClarity Administrator, you must upgrade to XClarity Administrator v1.3.1 or later.
Proxy server
If the management server does not have direct access to the Internet, ensure that the
management server is configured to use an HTTP proxy server (see Configuring network
access).
• Ensure that load balancers are configured to keep sessions with one proxy server
and not switch between them.
Port availability
Several ports must be available, depending on how the firewalls are implemented in your
environment. If the required ports are blocked or used by another process, some Lenovo
XClarity Administrator functions might not work.
To determine which ports must be opened based on your environment, review the following
sections. The tables in these sections include information about how each port is used in
XClarity Administrator, the managed device that is affected, the protocol (TCP or UDP), and the
direction of traffic flow between the managed device and XClarity Administrator. Inbound traffic
flows from the managed device to XClarity Administrator. Outbound traffic flows from XClarity
Administrator to the managed device.
The XClarity Administrator server listens on and responds through the following ports that are
listed in the following table.
Note: XClarity Administrator can be optionally configured to make outgoing connections to a
number of external services, such as LDAP, SMTP, or syslog. These connections might require
additional ports that are generally user configurable and not included in this list. They might also
require access to a domain name service (DNS) server on TCP or UDP port 53 to resolve
external server names.
Table 2. Ports that must be open for the XClarity Administrator server
Port | TCP or UDP | Direction | Used by | Description
53 | UDP | Inbound/Outbound | Domain name service (DNS) | Used for DNS resolution.
83 | TCP | Inbound/Outbound | Warranty service (China only) | Used when collecting warranty information for devices that were purchased in China.
389 | TCP | Inbound/Outbound | External authentication server (LDAP) | Used when an external authentication server is configured.
443 | TCP | Inbound/Outbound | Client computers that access XClarity Administrator | Used by HTTPS for web access and REST communications.
636 | TCP | Inbound/Outbound | External authentication server (LDAP over TLS) | Used when an external authentication server is configured.
3268 | TCP | Inbound/Outbound | External authentication server (Active Directory Global Catalog) | Used when an external authentication server is configured.
3269 | TCP | Inbound/Outbound | External authentication server (Active Directory Global Catalog over TLS) | Used when an external authentication server is configured.
Optionally, the ports that are listed in the following table must be open for event forwarding from
the Lenovo XClarity Administrator server to other event management tools.
Table 3. Ports that must be open for event forwarding
Port | TCP or UDP | Direction | Used by | Description
21 | TCP | Outbound | FTP server that is to receive events | Used when FTP event forwarding is configured.
25 | TCP | Outbound | Email (SMTP) server that is to receive events | Used when email (SMTP) event forwarding is configured.
80 | TCP | Outbound | REST interface that is to receive events | Used when REST event forwarding is configured.
161 | UDP | Inbound/Outbound | SNMP manager that is to receive traps | Used when SNMP event forwarding with user authentication is configured.
162 | UDP | Inbound | SNMP manager that is to receive traps | Used when SNMP event forwarding is configured.
443 | TCP | Outbound | Microsoft Azure Log Analytics interface that is to receive events | Used when Azure Log Analytics event forwarding is configured.
514 | UDP | Outbound | Syslog server that is to receive events | Used when syslog event forwarding is configured.
2195 | TCP | Outbound | Apple push server that is to receive events | Used when forwarding events to the Apple push notification service and Wi-Fi is behind a firewall or a private Access Point Name (APN) for cellular data. A direct, unproxied connection to the APN servers is required on this port.
5223 | TCP | Outbound | Apple push server that is to receive events | Used when forwarding events to the Apple push notification service and Wi-Fi is behind a firewall or a private Access Point Name (APN) for cellular data. A direct, unproxied connection to the APN servers is required on this port.
5228 | TCP | Outbound | Google push server that is to receive events (android.googleapis.com) | Used when event forwarding to the Google push service is configured. IP address range: see Google ASN 15169.
5229 | TCP | Outbound | Google push server that is to receive events (android.googleapis.com) | Used when event forwarding to the Google push service is configured. IP address range: see Google ASN 15169.
5230 | TCP | Outbound | Google push server that is to receive events (android.googleapis.com) | Used when event forwarding to the Google push service is configured. IP address range: see Google ASN 15169.
If you intend to install operating systems on managed devices using XClarity Administrator,
ensure that you review the list of ports in Access between XClarity Administrator and data
network for OS deployment.
Table 4. Ports that must be open between XClarity Administrator and managed devices
TCP
21 TCP Inbound/ Lenovo Storage controllers Used for FTP access when updating the
Outbound storage device firmware.
22 TCP Inbound/ Baseboard management controller in Used launch a remote SSH session and
Outbound each managed server (except for SFTP file transfer
ThinkServer)
(RackSwitch ENOS switches) Used to
Table 4. Ports that must be open between XClarity Administrator and managed devices (continued)

(Row continued from the previous page.) Devices: CMMs in each managed chassis; Flex switches in each managed Flex System chassis. Purpose: configure HoS credentials, activate the firmware slot, and clear SSH host keys before SFTP file transfer operations.

Port 115, TCP, inbound/outbound. Devices: management controller in each managed ThinkSystem server. Purpose: Used to push maintenance mode images to the management controller.

Port 161, UDP, inbound/outbound. Devices: Flex switches in each managed Flex System chassis; RackSwitch ENOS switches. Purpose: (Flex switches) Used to enable/disable ports and to configure through configuration patterns. (RackSwitch switches) Used to retrieve inventory and to configure switches through configuration patterns using the SNMP protocol.

Port 162, UDP, inbound. Devices: Flex switches in each managed Flex System chassis; RackSwitch switches; ThinkServer System Manager (TSM) in each managed ThinkServer server; Lenovo Storage controllers. Purpose: Used to receive SNMP traps from Flex System and RackSwitch switches, ThinkServer servers, and storage devices. Attention: If ThinkServer servers and RackSwitch switches are on a different network than XClarity Administrator, that network must be configured to allow inbound UDP through port 162 so that XClarity Administrator can receive events for those devices.

Port 427, UDP and TCP, inbound/outbound. Devices: management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis. Purpose: Used by Service Location Protocol (SLP) for device discovery and initial management.

Port 443, TCP, inbound/outbound. Devices: Lenovo Storage controllers; RackSwitch CNOS switches; System x M4 servers. Purpose: (M4 servers and storage devices) Used for management. (RackSwitch switches) Used for HTTPS communication to retrieve inventory and configuration.

Port 623, UDP, outbound. Devices: management controller in each managed ThinkServer and System x M4 server. Purpose: Used for IPMI communication with the management controller.

Port 3888, TCP, inbound/outbound. Devices: management controller in each managed server (except ThinkServer). Purpose: Used for remote-control tunneling.

Port 5988, TCP, inbound/outbound. Devices: management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis. Purpose: Used by HTTP for CIM communication. Note: This port number is configurable from the CMM and management-controller interfaces.

Port 5989, TCP, inbound/outbound. Devices: management controller in each managed server (except ThinkServer); CMMs in each managed Flex System chassis. Purpose: Used by HTTPS for CIM communication. Note: This port number is configurable from the CMM and management-controller interfaces.

Port 6091, TCP, inbound/outbound. Devices: CMMs in each managed Flex System chassis. Purpose: Secure TCP Command Mode port. Note: This port number is configurable from the CMM interface.

Port 6990, TCP, inbound/outbound. Devices: management controller in each managed server (except ThinkServer). Purpose: Used by HTTPS for CIM indications.

Port 9090, TCP, inbound/outbound. Devices: management controller in each managed server (except ThinkServer). Purpose: Used by HTTPS for CIM indications.

Port 50636, TCP, inbound. Devices: management controller on each managed server (except ThinkServer). Purpose: Used by the authentication server for secure traffic. Receives client certificates.

Port 50637, TCP, inbound. Devices: management controller in each managed server (except ThinkServer). Purpose: Used by the authentication server for secure traffic.

Port 3001, TCP, inbound/outbound. Devices: management controller and host on each managed server (except ThinkServer). Purpose: Used for operating-system deployment.

Port 3900, TCP, inbound/outbound. Devices: management controller and host on each managed server (IMM2 only). Purpose: Used for operating-system deployment.

Port 8443, TCP, inbound/outbound. Devices: management controller and host in each managed server (except ThinkServer). Purpose: Used for operating-system deployment.
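The following Python script is an added example, not part of this document or of XClarity Administrator. It transcribes the management-port rows of Table 4 into a data structure and compares them with the allow-list a firewall between XClarity Administrator and one class of managed device already has, reporting both required openings that are missing and openings the table does not call for. The device-class labels (for example "mgmt-controller", "cmm") and the sample allow-list are assumptions constructed for the example.

```python
"""Gap analysis for the management-network ports in Table 4: compare an existing
firewall allow-list (XClarity Administrator <-> one device class) with what the
table requires, reporting missing and unexpected openings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "in", "out" or "in/out", relative to XClarity Administrator
    devices: tuple   # device-class labels (assumed short names, see DEVICE_CLASSES)
    purpose: str


# Assumed short labels for the device column of the page's table.
DEVICE_CLASSES = {
    "mgmt-controller": "Management controller in each managed server (except ThinkServer)",
    "cmm": "CMMs in each managed Flex System chassis",
    "flex-switch": "Flex switches in each managed Flex System chassis",
    "rackswitch-enos": "RackSwitch ENOS switches",
    "rackswitch-cnos": "RackSwitch CNOS switches",
    "thinkserver": "ThinkServer servers / ThinkServer System Manager (TSM)",
    "storage": "Lenovo Storage controllers",
    "systemx-m4": "System x M4 servers",
}

# Transcribed from Table 4 (management traffic only; the operating-system
# deployment, Windows and WinRM tables are not included here).
REQUIRED = (
    PortRule(161, "udp", "in/out", ("flex-switch", "rackswitch-enos"), "SNMP configuration and inventory"),
    PortRule(162, "udp", "in", ("flex-switch", "rackswitch-enos", "rackswitch-cnos", "thinkserver", "storage"), "SNMP traps"),
    PortRule(427, "udp", "in/out", ("mgmt-controller", "cmm"), "SLP discovery and initial management"),
    PortRule(427, "tcp", "in/out", ("mgmt-controller", "cmm"), "SLP discovery and initial management"),
    PortRule(443, "tcp", "in/out", ("storage", "rackswitch-cnos", "systemx-m4"), "HTTPS management"),
    PortRule(623, "udp", "out", ("thinkserver", "systemx-m4"), "IPMI"),
    PortRule(3888, "tcp", "in/out", ("mgmt-controller",), "remote-control tunneling"),
    PortRule(5988, "tcp", "in/out", ("mgmt-controller", "cmm"), "CIM over HTTP (port configurable)"),
    PortRule(5989, "tcp", "in/out", ("mgmt-controller", "cmm"), "CIM over HTTPS (port configurable)"),
    PortRule(6091, "tcp", "in/out", ("cmm",), "Secure TCP Command Mode (port configurable)"),
    PortRule(6990, "tcp", "in/out", ("mgmt-controller",), "CIM indications over HTTPS"),
    PortRule(9090, "tcp", "in/out", ("mgmt-controller",), "CIM indications over HTTPS"),
    PortRule(50636, "tcp", "in", ("mgmt-controller",), "authentication server (client certificates)"),
    PortRule(50637, "tcp", "in", ("mgmt-controller",), "authentication server"),
)


def rules_for(device_class):
    """Table rows that apply to one device class."""
    if device_class not in DEVICE_CLASSES:
        raise KeyError(f"unknown device class {device_class!r}")
    return [r for r in REQUIRED if device_class in r.devices]


def _expand(rule):
    """One (port, proto, direction) tuple per concrete direction of a rule."""
    dirs = ("in", "out") if rule.direction == "in/out" else (rule.direction,)
    return [(rule.port, rule.proto, d) for d in dirs]


def missing_rules(device_class, allow_list):
    """Required openings absent from allow_list, as (port, proto, direction, purpose)."""
    allowed = {(p, proto.lower(), d) for p, proto, d in allow_list}
    return [(*t, r.purpose) for r in rules_for(device_class)
            for t in _expand(r) if t not in allowed]


def unexpected_rules(device_class, allow_list):
    """Allow-list entries the table does not call for (candidates to close)."""
    required = {t for r in rules_for(device_class) for t in _expand(r)}
    return [(p, proto.lower(), d) for p, proto, d in allow_list
            if (p, proto.lower(), d) not in required]


# Constructed sample: what an existing firewall permits towards the CMMs.
SAMPLE_CMM_ALLOW = (
    (427, "udp", "in"), (427, "udp", "out"), (427, "tcp", "in"), (427, "tcp", "out"),
    (5989, "tcp", "in"), (5989, "tcp", "out"),
    (6091, "tcp", "in"),            # return direction forgotten
    (80, "tcp", "in"),              # plain HTTP: not in the table
)

if __name__ == "__main__":
    for gap in missing_rules("cmm", SAMPLE_CMM_ALLOW):
        print("missing   :", gap)
    for extra in unexpected_rules("cmm", SAMPLE_CMM_ALLOW):
        print("unexpected:", extra)
```

Run against the constructed allow-list, the script reports port 5988 (both directions) and the outbound side of 6091 as missing, and port 80 as an opening the table does not require. Ports marked configurable on a CMM or management controller must be reconciled with the value actually set on the device before the comparison is meaningful.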
For a list of ports that must be available for deploying operating systems, see Port availability for
deployed operating systems in the XClarity Administrator online documentation.
Additionally, if you are deploying Microsoft Windows, the ports that are listed in the following
table must also be available.
Table 6. Ports that must be available to deploy Microsoft Windows

Port 137, UDP, inbound/outbound. Devices: host operating system on each managed server to which Microsoft Windows is deployed. Purpose: Used for Windows operating-system deployment (SMB client/server communications).

Port 138, UDP, inbound/outbound. Devices: host operating system on each managed server to which Microsoft Windows is deployed. Purpose: Used for Windows operating-system deployment (SMB client/server communications).

Port 139, UDP, inbound/outbound. Devices: host operating system on each managed server to which Microsoft Windows is deployed. Purpose: Used for Windows operating-system deployment (SMB client/server communications).

Port 445, TCP, inbound/outbound. Devices: host operating system on each managed server to which Microsoft Windows is deployed. Purpose: Used for Windows operating-system deployment (SMB client/server communications).
Access between XClarity Administrator and data network for device-driver updates
To update OS device drivers on managed devices, ensure that the ports that are listed in the
following table are open to the network that is used as the data network (or operating-system
deployment network).
Table 7. Ports that must be available to update OS device drivers

Port 5985, TCP, inbound/outbound. Devices: host operating system on each managed server to which Microsoft Windows is deployed. Purpose: Used for Microsoft Windows OS device-driver updates to connect using Windows Remote Management (WinRM) listening over HTTP.

Port 5986, TCP, inbound/outbound. Devices: host operating system on each managed server to which Microsoft Windows is deployed. Purpose: Used for Microsoft Windows OS device-driver updates to connect using WinRM listening over HTTPS.
Management considerations
There are several alternatives to choose from when managing devices. Depending on the
devices being managed, you might need multiple management solutions running at the same
time.
For a list of hardware that Lenovo XClarity Administrator can manage, see Supported devices.
Consider the following factors that are related to the management of devices by XClarity
Administrator:
• A device can be managed by only one instance of Lenovo XClarity Administrator.
• You cannot use the following management software to manage devices that XClarity
Administrator currently manages:
o Flex System Manager
o IBM Fabric Manager
o IBM Systems Director
However, you can use other management software (such as IBM device Manager or
Microsoft Systems Center Operations Manager) in tandem with XClarity
Administrator to monitor managed devices (see Using another management
software in tandem with Lenovo XClarity Administrator).
• You can discover and manage Flex Power Systems compute nodes and Flex System
v7000 Storage Node. Using XClarity Administrator, you can view properties and
status. Additionally for storage devices, you can also power on and off a storage
device, virtually reseat the storage controllers, and launch the management module.
However, you must use other management alternatives to take any management-
related actions on the devices, such as updating or configuring the device.
o Use the Flex Power Systems Hardware Management Console to manage Flex
Power Systems compute nodes. You can use the Power Systems Hardware
Management Console to manage these devices even if you are also managing that
chassis in which the devices are installed using XClarity Administrator.
o Use either the management controller web interface or the command-line interface
(CLI) that is provided with the Flex System v7000 Storage Node to manage that
device.
o LAN-over-USB is used when updating firmware. XClarity Administrator automatically
enables the LAN- over-USB interface.
o Intelligent Platform Management Interface (IPMI) is used to perform management
operations on System x M4 and ThinkServer servers. Disabling IPMI prevents
XClarity Administrator from managing these servers.
The following table compares the features and functions that are available with the Flex System
Manager and with the XClarity Administrator.

Table 8. Functional comparison between Flex System Manager and XClarity Administrator

Provide a graphical representation of all supported managed devices. Flex System Manager: √. XClarity Administrator: √.

Manage Flex System servers. Flex System Manager: √. XClarity Administrator: √. Both Flex System Manager and XClarity Administrator manage Flex System servers.

Manage Flex Power Systems servers. Flex System Manager: √. XClarity Administrator: no. If you are managing a chassis that contains both Flex System servers and Flex Power Systems servers:

Manage storage devices, such as the Flex System v7000 Storage Node or external devices. Flex System Manager: √. XClarity Administrator: no. If a Flex System v7000 Storage Node is installed in a managed chassis, it is displayed in the graphical chassis view, and you can view properties and status for the storage device. However, management of the storage device must be done through the management controller web interface or command-line interface for the storage device.

Manage virtual addressing for servers. Flex System Manager: √. XClarity Administrator: √. On Flex System Manager, you can define virtual address ranges and allocate those virtual addresses to managed servers using IBM Fabric Manager (IFM).

Update firmware for managed devices. Flex System Manager: √. XClarity Administrator: √. Flex System Manager updates firmware and device drivers.

Manage virtualized resources. Flex System Manager: √. XClarity Administrator: √. XClarity Administrator can be used with Lenovo XClarity Integrator options (previously known as Upward Integration Modules or UIMs) to integrate with virtualization managers.

Script management functions. Flex System Manager: no. XClarity Administrator: √. XClarity Administrator includes both REST APIs and Microsoft PowerShell cmdlets to provide scripting capabilities for management functions.
To ensure that XClarity Administrator can manage a chassis that was previously managed by
Flex System Manager, complete the following steps:
Optional: Prepare the chassis to be removed from management by Flex System Manager. If you
are using IBM Fabric Manager (IFM) to virtualize addresses, modify IFM to use push mode to
distribute virtual addresses through the CMM. If you are using IFM in pull mode and Flex
System Manager is powered off, the virtual addresses will no longer be available after the next
restart of the compute node.
Note: IFM supports the concept of a standby node. In the event of a hardware failure, IFM
assigns the virtual address of the failed compute node to the standby node so that it can
automatically take over the workload from the failed node. XClarity Administrator does not
support the concept of a standby node. Therefore, if you have implemented the standby node,
you must devise a different strategy for continuous availability when there is a failed compute
node.
Remember that if virtual addresses are changed, you must adjust infrastructure services as
well. For example:
• If the World Wide Port Name (WWPN) is changed for a compute node, adjust SAN
zoning and LUN mapping.
• If the MAC address for a port is changed, adjust the MAC-to-IP address binding in the
DHCP server or clustering software.
• IFM can configure a virtual boot-target WWN. If you do not migrate correctly, you
might lose the ability to start your operating system.
1. Remove the chassis from management by the Flex System Manager.
2. Manage the chassis from XClarity Administrator. For information about managing a
chassis, see Managing chassis in the XClarity Administrator online documentation.
3. Remove any agents that were installed on devices that are managed by the Flex
System Manager. The XClarity Administrator implements an agentless management
approach. Therefore, you do not need to install agents on managed compute nodes.
Although the installed agents have no effect on XClarity Administrator management
functions, you can choose to remove those agents and reclaim the space on the
compute node.
Attention: Extra care must be taken when using multiple management tools to manage your
devices to prevent unforeseen conflicts. For example, submitting power-state changes using
another tool might conflict with configuration or update jobs that are running in XClarity
Administrator.
• Log in to the management controller web interface for the chassis using the
RECOVERY_ID user name and password.
• If the security policy is set to Secure, change the user authentication method.
• Create a new local user with the correct SNMP or IPMI settings from the
management controller web interface.
• If the security policy is set to Secure, log out and then log in to the management
controller web interface using the new user name and password. When prompted,
change the password for the new user.
You can now use the new user as an active SNMP or IPMI user.
Note: If you unmanage and then manage the chassis again, this new user account becomes
locked and disabled. In this case, repeat these steps to create a new user account.
Network considerations
When planning the Lenovo XClarity Administrator installation, consider the network topology
that is implemented in your environment and how XClarity Administrator fits into that
topology. Important: Configure the servers and chassis components in ways that minimize IP
address changes. Consider using static IP addresses instead of Dynamic Host Configuration
Protocol (DHCP). If DHCP is used, ensure that IP address changes are minimized.
IP configuration limitations
For the following functions and managed devices, network interfaces must be configured with
an IPv4 address. IPv6 addresses are not supported.
• ThinkServer servers
Network address translation (NAT), which remaps one IP address space into another, is not
supported.
Network types
In general, most environments implement the following types of networks. Based on your
requirements, you might implement only one of these networks or you might implement all
three.
• Management network
The management network is typically reserved for communications between Lenovo
XClarity Administrator and the management processors for managed devices. For
example, the management network might be configured to include XClarity
Administrator, the CMMs for each managed chassis, and the baseboard management
controller of each server that XClarity Administrator manages.
• Data network
The data network is typically used for communications between the operating systems
that are installed on the servers and the company intranet, the Internet, or both.
combine this functionality in either the management network or the data network.
Network configurations
You can configure Lenovo XClarity Administrator to use one or two network interfaces.
Attention:
• Changing the XClarity Administrator IP address after managing devices might cause
the devices to be placed in offline state in XClarity Administrator. Ensure that all
devices are unmanaged before changing the IP address.
• You can enable or disable checking for duplicate IP addresses in the same subnet by
clicking the Duplicate IP address checking toggle. It is disabled by default. When
enabled, XClarity Administrator raises an alert if you attempt to change the IP
address of XClarity Administrator or manage a device that has the same IP address
as another device that is under management or another device found in the same
subnet.
• If the network interface for the management network is configured to use the Dynamic
Host Configuration Protocol (DHCP), the management-interface IP address might
change when the DHCP lease expires. If the IP address changes, you must
unmanage the chassis, rack and tower servers, and then manage them again. To
avoid this problem, either change the management interface to a static IP address, or
ensure that the DHCP server configuration is set so that the DHCP address is based
on a MAC address or that the DHCP lease does not expire.
XClarity Administrator has two separate network interfaces (eth0 and eth1) that can be defined
for your environment, depending on the network topology that you implement.
o If you intend to collect service data or use automatic problem notification (including
Call Home), the interfaces must be connected to the Internet, preferably through a
firewall.
o If you intend to deploy operating-system images and update OS device drivers, the
interface must have IP network connectivity to the server network interface that is
used to access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.
The following table shows possible configurations for the XClarity Administrator network
interfaces based on the type of network topology that has been implemented in your
environment. Use this table to determine how to define each network interface.
Table 9. Role of each network interface based on network topology
(The body of this table did not survive extraction. The cell entries that are recoverable are the functions assigned to each interface: server configuration, firmware updates, OS deployment, OS device-driver updates, and service data collection through Call Home and the Lenovo Upload Facility.)
on your network configuration (for example, if traffic from servers has a high priority and traffic
from the management controllers has a low priority). The management network uses UDP
traffic in addition to TCP. UDP traffic can have a lower priority when the network traffic is high.
When you install Lenovo XClarity Administrator, define the eth0 network interface using the
following considerations:
• The interface must be configured to support the device discovery and management
(such as server configuration and firmware updates). It must be able to communicate
with the CMMs and Flex switches in each managed chassis, the baseboard
management controller in each managed server, and each RackSwitch switch.
• If you intend to collect service data or use automatic problem notification (including
Call Home), the interfaces must be connected to the Internet, preferably through a
firewall.
• If you intend to deploy operating-system images and update OS device drivers, the
interface must have IP network connectivity to the server network interface that is
used to access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.
• You can set up XClarity Administrator on any system that meets the requirements for
XClarity Administrator, including a managed server only when you implement either a
single data and management network topology or a virtually separate data and
management network topology; however, you cannot use XClarity Administrator to
apply firmware updates to that managed server. Even then, only some of the firmware
is applied with immediate activation, and XClarity Administrator forces the target
server to restart, which would restart XClarity Administrator as well. When applied
with deferred activation, only some firmware is applied when XClarity Administrator
host is restarted.
You can also configure a second network interface to connect to the same network from
XClarity Administrator to support redundancy.
The following figure shows an example implementation for a converged network topology.
Figure 1. Example implementation of a single network for management, data, and operating system deployment
For installation procedures that are related to this network topology, see the following
information:
When you install Lenovo XClarity Administrator, define network settings using the following
considerations:
• The first network interface (typically the eth0 interface) must be connected to the
management network and configured to support the device discovery and
management (including server configuration and firmware updates). It must be able to
communicate with the CMMs and Flex switches in each managed chassis, the
management controller in each managed server, and each RackSwitch switch.
• The second network interface (typically the eth1 interface) can be configured to
communicate with an internal data network, a public data network, or both.
• If you intend to collect service data or use automatic problem notification (including
Call Home and Lenovo Upload Facility), at least one of the network interfaces must
be connected to the Internet, preferably through a firewall.
• If you intend to deploy operating-system images and update device drivers, you can
choose to use either eth1 or eth0 interface. However, the interface that you use must
have IP network connectivity to the server network interface that is used to access the
host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.
Figure 2 “Example implementation of physically separate data and management networks with
the operating-system network as part of the data network” on page 28 shows an example
implementation of separate management and data networks in which the operating-system
deployment network is configured as part of the data network.
Figure 2. Example implementation of physically separate data and management networks with the operating-system network as part of the data network
Figure 3 “Example implementation of physically separate data and management networks with
the operating-system network as part of the management network” on page 29 shows another
example implementation of separate management and data networks in which the operating-
system deployment network is configured as part of the management network. In this
implementation, XClarity Administrator does not need connectivity to the data network.
Note: If the operating-system deployment network does not have access to the data network,
configure an additional interface on the servers to provide connectivity from the host operating
system on the server to the data network, if needed.
Figure 3. Example implementation of physically separate data and management networks with the operating-system network as part of the management network
For installation procedures that are related to this network topology, see the following
information:
When you install XClarity Administrator, define network settings using the following
considerations:
• The first network interface (typically the eth0 interface) must be connected to the
management network and configured to support the device discovery and
management (including server configuration and firmware updates). It must be able to
communicate with the CMMs and Flex switches in each managed chassis, the
management controller in each managed server, and each RackSwitch switch.
• The second network interface (typically the eth1 interface) can be configured to
communicate with an internal data network, a public data network, or both.
• If you intend to collect service data or use automatic problem notification (including
Call Home and Lenovo Upload Facility), at least one of the network interfaces must
be connected to the Internet, preferably through a firewall.
• If you intend to deploy operating-system images and update device drivers, you can
choose to use either eth1 or eth0 interface. However, the interface that you use must
have IP network connectivity to the server network interface that is used to access the
host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.
• You can set up XClarity Administrator on any system that meets the requirements for
XClarity Administrator, including a managed server only when you implement either a
single data and management network topology or a virtually separate data and
management network topology; however, you cannot use XClarity Administrator to
apply firmware updates to that managed server. Even then, only some of the firmware
is applied with immediate activation, and XClarity Administrator forces the target
server to restart, which would restart XClarity Administrator as well. When applied
with deferred activation, only some firmware is applied when XClarity Administrator
host is restarted.
Figure 4 “Example implementation of virtually separate data and management networks with the
operating- system network as part of the data network” on page 31 shows an example
implementation of virtually separate management and data networks in which the operating-
system deployment network is configured as part of the data network. In this example, XClarity
Administrator is installed on a managed server in a chassis.
Figure 4. Example implementation of virtually separate data and management networks with the operating-system network as part of the data network
Figure 5 “Example implementation of virtually separate management and data networks with the
operating- system network as part of the management network” on page 32 shows an example
implementation of virtually separate management and data networks in which the operating-
system deployment network is configured as part of the management network, and XClarity
Administrator is installed on a managed server in a chassis. In this implementation, XClarity
Administrator does not need connectivity to the data network.
Note: If the operating-system deployment network does not have access to the data network,
configure an additional interface on the servers to provide connectivity from the host operating
system on the server to the data network, if needed.
Figure 5. Example implementation of virtually separate management and data networks with the operating-system network as part of the management network
For installation procedures that are related to this network topology, see the following
information:
• VMware ESXi: Virtually separate data and management network topology (ESXi)
Management-only network
In this topology, Lenovo XClarity Administrator has access to only the management network. It
does not have access to the data network. However, XClarity Administrator must have access to
the operating-system deployment network if you intend to deploy operating-system images from
XClarity Administrator to managed servers.
When you install XClarity Administrator and define network settings, configure the eth0 network
interface using the following considerations:
• The interface must be configured to support the device discovery and management
(such as server configuration and firmware updates). It must be able to communicate
with the CMMs and Flex switches in each managed chassis, the baseboard
management controller in each managed server, and each RackSwitch switch.
• If you intend to collect service data or use automatic problem notification (including
Call Home), the interfaces must be connected to the Internet, preferably through a
firewall.
• If you intend to deploy operating-system images and update OS device drivers, the
interface must have IP network connectivity to the server network interface that is
used to access the host operating system.
Note: If you implemented a separate network for OS deployment and OS device-driver updates,
you can configure the second network interface to connect to that network instead of the data
network. However, if the operating system on each server does not have access to the data
network, configure an additional interface on the servers to provide connectivity from the host
operating system to the data network for OS deployment and OS device-driver updates, if
needed.
You can also configure a second network interface to connect to the same network from
XClarity Administrator to support redundancy.
Figure 6. Example implementation of a management-only network with no support for operating-system deployment
Figure 7. Example implementation of a management-only network with support for operating-system deployment
For installation procedures that are related to this network topology, see the following
information:
Security considerations
Plan for the security of Lenovo XClarity Administrator and all managed devices.
Encapsulation management
When you manage Lenovo chassis and servers in Lenovo XClarity Administrator, you can
configure Lenovo XClarity Administrator to change the firewall rules for the devices so that
incoming requests are accepted only from Lenovo XClarity Administrator. This is referred to as
encapsulation. You can also enable or disable encapsulation on chassis and servers that are
already managed by Lenovo XClarity Administrator.
When enabled on devices that support encapsulation, Lenovo XClarity Administrator changes
the device encapsulation mode to “encapsulationLite,” and changes the firewall rules on the
device to limit incoming requests from only this Lenovo XClarity Administrator.
When disabled, the encapsulation mode is set to “normal”. If encapsulation was previously
enabled on the devices, the encapsulation firewall rules are removed.
Attention: If encapsulation is enabled and XClarity Administrator becomes unavailable before a
device is unmanaged, necessary steps must be taken to disable encapsulation to establish
communication with the device. For recovery procedures, see Recovering chassis management with
a CMM after a management server failure and Recovering rack or tower server management after a
management server failure in the XClarity Administrator online documentation.
Notes:
• When the management network interface is configured to use the Dynamic Host
Configuration Protocol (DHCP) and encapsulation is enabled, managing a rack
server can take a long time.
For more information about encapsulation, see Enabling encapsulation in the XClarity
Administrator online documentation.
Cryptographic management
Cryptographic management is composed of communication modes and protocols that control
the way that secure communication is handled between Lenovo XClarity Administrator and the
managed devices (such as chassis, servers, and Flex switches).
The cryptographic mode determines the mode to use for secure communications. There are two
options:
• Compatibility. This mode is the default. It is compatible with older firmware versions,
browsers, and other network clients that do not implement strict security standards
that are required for compliance with NIST SP 800-131A.
• NIST SP 800-131A. This mode is designed to comply with the NIST SP 800-131A
standard. XClarity Administrator is designed to always use strong cryptography
internally and, where available, to use strong cryptography for network connections.
However, in this mode, network connections that use cryptography not approved by
NIST SP 800-131A are not permitted; this includes rejecting Transport Layer Security
(TLS) certificates that are signed with SHA-1 or a weaker hash.
If you select this mode:
• You must also select TLSv1.2 for the minimum TLS client and server versions.
The minimum TLS client mode determines the minimum TLS protocol version to use for client
connections to other servers (such as the LDAP client). There are two options:
• TLSv1.2. This option enforces TLS v1.2 or later cryptography protocols on both XClarity Administrator
and all managed endpoints. If you choose NIST SP 800-131A for the cryptographic mode, this
option must be selected.
The minimum TLS server mode determines the minimum TLS protocol version to use for server
connections (such as the web server). There are two options:
The minimum TLS mode determines the minimum TLS protocol version to use for operating-system
deployment and device-driver updates. There are two options:
• TLSv1. TLS v1.0 and later can be used. You can deploy operating systems and
update OS device drivers on servers through XClarity Administrator, even if the OS-
image installer does not support the restricted settings that NIST SP 800-131A
requires.
When you change the cryptographic mode in the XClarity Administrator, the cryptographic mode
for all CMMs and baseboard management controllers in the managed devices are changed to
the same setting automatically. Consider the following implications of changing the
cryptographic mode:
• If you switch from compatibility mode to NIST SP 800-131A mode and the current
certificate authority on the managed CMMs and baseboard management controllers
uses RSA-2048/SHA-1 (the default), an RSA-2048/SHA-256 certificate is regenerated
on each managed chassis and server. This causes a mismatch between the newly
generated server certificates on the CMMs and baseboard management controllers
and the server certificate that is stored in the XClarity Administrator trust store. To
resolve this issue, go to the Chassis page and Servers page, and click All Actions ➙
Resolve Untrusted Certificate for each device (see Resolving an untrusted server
certificate in the XClarity Administrator online documentation).
• Not all Flex switches support NIST SP 800-131A mode. If a Flex switch does support
NIST SP 800-131A mode, you might need to change the configuration for the
switches through the Flex switch interface. For information about support for NIST SP
800-131A and about switching Flex switches between compatibility mode and NIST
SP 800-131A mode, see the product documentation that is available for the Flex
switches. For more information, see CMM Reset in the Flex Systems online documentation.
For more information about cryptography, see Setting the cryptography mode and
communication protocols in the XClarity Administrator online documentation.
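The two cryptographic modes described above differ in two observable ways: the lowest TLS protocol version a connection may use, and whether a server certificate signed with SHA-1 (the RSA-2048/SHA-1 default) is still acceptable. The following script is an added example, not XClarity Administrator or Lenovo code, that evaluates an observed handshake against either mode using only the Python standard library. It walks the outer DER structure of a certificate to read its signatureAlgorithm OID (the OID values are the standard X.509 ones) and builds a client SSLContext with the matching minimum TLS version. The sample certificate is a constructed, minimal DER shell with a placeholder body, not a real certificate; the mode names "compatibility" and "nist" are this example's own labels.

```python
"""Compliance check of a management endpoint's TLS parameters against the
compatibility and NIST SP 800-131A modes.  Added example; standard library only."""
import ssl

# Standard X.509 signature-algorithm OIDs (not page-specific values).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# NIST SP 800-131A disallows SHA-1 (and MD5) for digital signatures.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm from DER bytes."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                   # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)                # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def client_context(mode):
    """SSLContext whose minimum TLS version matches the cryptographic mode."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_2 if mode == "nist"
                           else ssl.TLSVersion.MINIMUM_SUPPORTED)
    return ctx

def minimum_tls_name(mode):
    return client_context(mode).minimum_version.name

def evaluate(mode, tls_version_name, cert_der):
    """Return (compliant, reasons) for an observed handshake.
    tls_version_name is an ssl.TLSVersion member name such as 'TLSv1_2'."""
    reasons = []
    version = ssl.TLSVersion[tls_version_name]
    alg = SIG_ALG_NAMES.get(signature_algorithm(cert_der), "unknown")
    if mode == "nist":
        if version < ssl.TLSVersion.TLSv1_2:
            reasons.append(f"TLS version {version.name} below TLSv1.2")
        if alg in WEAK_SIG_ALGS or alg == "unknown":
            reasons.append(f"certificate signature algorithm {alg} not allowed")
    return not reasons, reasons

def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(sig_oid_der):
    """Constructed Certificate SEQUENCE: placeholder tbsCertificate, the given
    signature AlgorithmIdentifier, placeholder signature.  Not a real certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    sig_alg = _der(0x30, _der(0x06, sig_oid_der) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(32))
    return _der(0x30, tbs + sig_alg + sig)

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

Against a live management endpoint, the DER bytes come from ssl.SSLSocket.getpeercert(binary_form=True) after a handshake made with client_context(mode), and the negotiated protocol name from ssl.SSLSocket.version(). The parser reads only the outer signature field; key size (the RSA-2048 part of the policy) is not checked here.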
Security certificates
Lenovo XClarity Administrator uses certificates to establish secure, trusted communications
between XClarity Administrator and its managed devices (such as chassis and service
processors in the System x servers) as well as communications with XClarity Administrator by
users. By default, XClarity Administrator, CMMs, and baseboard management controllers use
XClarity Administrator-generated certificates that are self-signed and issued by an internal
certificate authority.
The default server certificate, which is uniquely generated in every instance of XClarity
Administrator, provides sufficient security for many environments. You can choose to let Lenovo
XClarity Administrator manage certificates for you, or you can take a more active role and
customize or replace the server certificates. XClarity Administrator provides options for
customizing certificates for your environment. For example, you can choose to:
• Generate a new server key and certificate that uses values that are specific to your
organization.
• Generate a certificate signing request (CSR) that can be sent to your choice of
certificate authority to create a signed certificate that can then be uploaded to the
XClarity Administrator trust store.
• Download the certificate to your local system so that you can import that certificate
into your web browser's list of trusted certificates.
For more information about certificates, see Working with security certificates in the XClarity
Administrator online documentation.
Authentication
• External LDAP server. Currently, only Microsoft Active Directory is supported. This
server must reside on an outboard Microsoft Windows server that is connected to the
management network. When an external LDAP server is used, the local authentication
server is disabled. Attention: To configure the Active Directory binding method to use
login credentials, the baseboard management controller for each managed server
must be running firmware from September 2016 or later.
For more information about authentication servers, see Managing the authentication server in the
XClarity Administrator online documentation.
• Device authentication
By default, devices are managed using XClarity Administrator managed authentication to log in
to the devices. When managing rack servers and Lenovo chassis, you can choose to use local
authentication or managed authentication to log in to the devices.
• When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack
switches, XClarity Administrator uses a stored credential to authenticate to the
device. The stored credential can be an active user account on the device or a user
account in an Active Directory server. You must create a stored credential in XClarity
Administrator that matches an active user account on the device or a user account in
an Active Directory server before managing the device using local authentication (see
Managing stored credentials in the Lenovo XClarity Administrator online documentation).
Note: RackSwitch devices support only stored credentials for authentication. XClarity
Administrator user credentials are not supported.
• Using managed authentication allows you to manage and monitor multiple devices
using credentials in the XClarity Administrator authentication server instead of local
credentials. When managed authentication is used for a device (other than switches,
System x M4 servers, and ThinkServer servers), XClarity Administrator configures the device
and its installed components to use the XClarity Administrator authentication server
for centralized management.
o If a local or external LDAP server is used as the XClarity Administrator
authentication server, user accounts that are defined in the authentication server are
used to log in to XClarity Administrator, CMMs and baseboard management
controllers in the XClarity Administrator domain. Local CMM and management
controller user accounts are disabled.
o If a SAML 2.0 identity provider is used as the XClarity Administrator authentication
server, SAML accounts are not accessible to managed devices. However, when
using a SAML identity provider and an LDAP server together, if the identity provider
uses accounts that exist in the LDAP server, LDAP user accounts can be used to log
into the managed devices while the more advanced authentication methods that are
provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be
used to log into XClarity Administrator.
o For ThinkServer servers, the XClarity Administrator authentication server is not
used. Instead, an IPMI account is created on the device with the prefix “LXCA_”
followed by a random string. (The existing local IPMI user accounts are not
disabled.) When you unmanage a ThinkServer server, the “LXCA_” user account is
disabled, and the prefix “LXCA_” is replaced with the prefix “DISABLED_”. To
determine whether a ThinkServer server is managed by another instance, XClarity
Administrator checks for IPMI accounts with the prefix “LXCA_”. If you choose to
force management of a managed ThinkServer server, all the IPMI accounts on the
device with the “LXCA_” prefix are disabled and renamed. Consider manually
clearing IPMI accounts that are no longer used.
When managed authentication is enabled, you can manage devices using either user
accounts in the XClarity Administrator authentication server or stored credentials (see
Managing user accounts and Managing stored credentials in the Lenovo XClarity Administrator
online documentation).
If managed authentication is enabled, and you manage a device using a stored
credential, the stored credential is used only until XClarity Administrator configures the
LDAP settings on the device. After that, changes to the stored credential do not impact
the management or monitoring of that device.
Note: When managed authentication is enabled (devices are centrally managed), you
can edit only XClarity Administrator user accounts. You cannot edit stored credentials
using XClarity Administrator.
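The ThinkServer behaviour described above leaves a visible trace on the device: an active account with the LXCA_ prefix means some XClarity Administrator instance manages the server, and accounts carrying the DISABLED_ prefix are leftovers from an unmanage or force-manage that the text recommends clearing by hand. The script below is an added example, not Lenovo code, that audits a BMC's IPMI user table for those accounts. It assumes the input follows the whitespace-separated column layout of `ipmitool user list` (ID, Name, Callin, Link Auth, IPMI Msg, Channel Priv Limit); the sample table is constructed, with invented IDs and random suffixes, and deliberately contains two active LXCA_ accounts so that the anomaly branch is exercised.

```python
"""Audit IPMI user accounts on a ThinkServer BMC for XClarity Administrator
managed-authentication accounts.  Added example; not Lenovo code."""
import re
from collections import defaultdict

# Constructed sample in `ipmitool user list` layout (assumed format; values invented).
SAMPLE_USER_LIST = """\
ID  Name                 Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                        true    false      false      NO ACCESS
2   admin                true    true       true       ADMINISTRATOR
3   LXCA_a8f3k2q9        true    true       true       ADMINISTRATOR
4   DISABLED_c1d2e3f4    true    true       true       ADMINISTRATOR
5   DISABLED_778899ab    true    true       true       ADMINISTRATOR
6   LXCA_zz90pq11        true    true       true       ADMINISTRATOR
"""

# A row is an ID, a name, three true/false flags and a privilege level.  Rows
# without a name (like ID 1 above) do not have three flags after the second
# column and therefore do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")

def parse_user_list(text):
    """Return [(id, name, privilege), ...] for rows that carry a user name."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            users.append((int(m.group(1)), m.group(2), m.group(6)))
    return users

def classify(users):
    """Group accounts by what their prefix means:
    managed  - active LXCA_ account created by managed authentication
    stale    - DISABLED_ account left after unmanage / force management
    other    - local accounts (managed authentication does not disable these)"""
    groups = defaultdict(list)
    for _uid, name, _priv in users:
        if name.startswith("LXCA_"):
            groups["managed"].append(name)
        elif name.startswith("DISABLED_"):
            groups["stale"].append(name)
        else:
            groups["other"].append(name)
    return dict(groups)

def findings(text):
    """Human-readable audit findings for one device's user table."""
    groups = classify(parse_user_list(text))
    out = []
    managed = groups.get("managed", [])
    if managed:
        out.append("managed by an XClarity Administrator instance (%s)" % ", ".join(managed))
    if len(managed) > 1:
        # Assumption: a healthy device carries one active LXCA_ account, because
        # force management renames every existing LXCA_ account before creating its own.
        out.append("more than one active LXCA_ account: check for a second management instance")
    for name in groups.get("stale", []):
        out.append(f"stale account {name}: consider removing it manually")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_USER_LIST):
        print(line)
```

Feed it the output of `ipmitool -I lanplus -H <bmc-address> -U <user> user list 1` captured from your own servers; the parser tolerates column widths other than the sample's because it keys on the three boolean columns rather than on fixed offsets.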
If you unmanage a device that has a RECOVERY_ID user account, all local user accounts are
enabled, and the RECOVERY_ID account is deleted.
• If you change the disabled local user accounts (for example, if you change a
password), the changes have no effect on the RECOVERY_ID account. In managed-
authentication mode, the RECOVERY_ID account is the only user account that is
activated and operational.
• Use the RECOVERY_ID account only in an emergency, for example, if the management
server fails or if a network problem prevents the device from communicating with
XClarity Administrator to authenticate users.
• The RECOVERY_ID password is specified when you discover the device. Ensure that
you record the password for later use.
For information about recovering a device management, see Recovering chassis management
with a CMM after a management server failure and Recovering rack or tower server
management after a management server failure in the XClarity Administrator online
documentation.
• User accounts are used to log in and manage Lenovo XClarity Administrator and all
managed chassis and servers. XClarity Administrator user accounts are subject to
two interdependent processes: authentication and authorization.
• Authorization checks the permissions of the authenticated user and controls access
to resources based on the user's membership in a role group. Role groups are used to
assign specific roles to a set of user accounts that are defined and managed in the
authentication server. For example, if a user is a member of a role group that has
Supervisor permissions, that user can create, edit, and delete user accounts from
XClarity Administrator. If a user has Operator permissions, that user can only view
user-account information.
For more information about the user accounts and role groups, see Managing user accounts in
the XClarity Administrator online documentation.
• User-account security
User-account settings control the password complexity, account lockout, and web-session
inactivity timeout. You can change the values of the account-security settings.
For more information about the account-security settings, see Changing the user-account
security settings in the Lenovo XClarity Administrator online documentation.
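The user-account controls named in the last two sections fit together as one flow: a password is accepted only if it meets the complexity policy, repeated failed logins lock the account for a period, an authenticated session is dropped once it has been idle longer than the inactivity timeout, and every action is then checked against the role group's permissions (Supervisor may create, edit and delete user accounts; Operator may only view them). The model below is an added illustration, not XClarity Administrator code. The threshold values, the permission names and the injectable clock are assumptions made so the behaviour can be exercised offline; the guide does not state the product's defaults.

```python
"""Toy authentication server showing password complexity, lockout, session
inactivity timeout and role-group authorization.  Added example; not Lenovo code."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Assumed policy values (placeholders, not XClarity Administrator defaults).
POLICY = {
    "min_length": 12,
    "lockout_threshold": 5,           # failed logins before the account locks
    "lockout_seconds": 900,           # how long it stays locked
    "session_timeout_seconds": 1800,  # web-session inactivity timeout
}
# Role groups from the guide; the permission names are this example's own.
ROLE_PERMISSIONS = {
    "Supervisor": {"view_users", "create_user", "edit_user", "delete_user"},
    "Operator": {"view_users"},
}

def password_complexity_errors(password):
    """Return the list of policy violations; an empty list means compliant."""
    errors = []
    if len(password) < POLICY["min_length"]:
        errors.append(f"shorter than {POLICY['min_length']} characters")
    for pattern, what in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
                          (r"\d", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            errors.append(f"missing {what}")
    return errors

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    role_group: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

@dataclass
class Session:
    user: str
    last_activity: float

class AuthServer:
    """Authentication (who you are) followed by authorization (what you may do)."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so timeouts can be tested
        self.accounts = {}
        self.sessions = {}

    def add_user(self, name, password, role_group):
        errors = password_complexity_errors(password)
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.accounts[name] = Account(role_group, salt, _hash(password, salt))

    def login(self, name, password):
        """Return a session token, or None on bad credentials or lockout."""
        acct = self.accounts.get(name)
        now = self.now()
        if acct is None or now < acct.locked_until:
            return None
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= POLICY["lockout_threshold"]:
                acct.locked_until = now + POLICY["lockout_seconds"]
                acct.failures = 0
            return None
        acct.failures = 0
        token = os.urandom(16).hex()
        self.sessions[token] = Session(name, now)
        return token

    def authorize(self, token, action):
        """Expire idle sessions, then check the role group's permissions."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        now = self.now()
        if now - sess.last_activity > POLICY["session_timeout_seconds"]:
            del self.sessions[token]
            return False
        sess.last_activity = now
        role = self.accounts[sess.user].role_group
        return action in ROLE_PERMISSIONS.get(role, set())
```

Lockout is counted per account, not per source address, and the failure counter is reset after a successful login or once the lockout expires; an expired session is deleted on the next request rather than by a background timer.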
Performance considerations
For information about the number of devices that can be managed by each Lenovo XClarity
Administrator instance and minimum and recommended hardware requirements based on the
number of managed devices in your environment, see Supported host systems.
If you have an environment with a large number of devices and a large number of concurrent
user sessions, and you experience reduced system performance, reduce the number of
concurrent user sessions to the XClarity Administrator web interface or increase the virtual CPU
resources that are allocated to the virtual appliance.
For additional performance considerations and tips, see the XClarity Administrator: Performance
Guide (White paper).
• VMware ESXi
In a VMware high-availability environment, multiple hosts are configured as a cluster. Shared
storage is used to make the disk image of a virtual machine (VM) available to the hosts in the
cluster. The VM runs on only one host at a time. When there is an issue with the VM, another
instance of that VM is started on a backup host.
• A minimum of two hosts on which ESXi is installed. These hosts become part of the
VMware cluster.
Tip: Ensure that you install a version of VMware vCenter that is compatible with the
versions of ESXi that are installed on the hosts to be used in the cluster.
VMware vCenter can be installed on one of the hosts that is used in the cluster.
However, if that host is powered off or not usable, you lose access to the VMware
vCenter interface as well.
• Shared storage (datastores) that can be accessed by all hosts in the cluster. You can
use any type of shared storage that VMware supports. The datastore is used by
VMware to determine if a VM should fail over to a different host (heartbeating).
For details about setting up a VMware high availability cluster (VMware 5.0), see the Setting up
HA for VMware webpage.
• Microsoft Hyper-V
For information about implementing high-availability, see Implementing high availability
(Microsoft Hyper-V).
Features on Demand
Features on Demand activates features without requiring the installation of hardware or the
purchase of new equipment. This activation is done by acquiring and installing the
corresponding Features on Demand key.
Some advanced server functions are activated using Features on Demand keys. If features
have configurable settings that are exposed during UEFI setup, you can configure the setting
using Configuration Patterns; however, the resulting configuration is not activated until the
corresponding Features on Demand key is installed.
Note: You cannot install or manage Features on Demand keys from XClarity Administrator;
however, you can view the list of Features on Demand keys that are currently installed on
managed servers. For more information about viewing installed Features on Demand keys, see
Viewing Feature on Demand keys in the XClarity Administrator online documentation.
• Purchase the Features on Demand upgrade using the appropriate part number.
• You can purchase keys from the Features on Demand portal. When your purchase is
complete, you will receive an authorization code by e-mail.
• On the Features on Demand portal, enter the authorization code that you received,
along with the unique system identifier of the server that you intend to upgrade.
• Upload the activation key to the management controller for the server.
• Restart the server. When the restart is complete, the feature is activated.
For more information about Features on Demand keys, see Using Lenovo Features on
Demand.
Lenovo XClarity Controller (XCC)
Lenovo ThinkSystem servers contain an integrated service processor, XClarity Controller
(XCC), which provides advanced service-processor control, monitoring, and alerting functions.
The XCC consolidates the service processor functionality, super I/O, video controller, and
remote presence capabilities into a single chip on the server system board. The XCC is based
on the Pilot4 XE401 baseboard management controller (BMC) using a dual-core ARM Cortex
A9 service processor.
Figure 1. ThinkSystem servers include the XClarity Controller integrated service processor
Features
There are three levels of features of XCC: Standard, Advanced and Enterprise:
XClarity Controller Standard offers the following capabilities:
• Event logging
• Configuring security
• Remotely controlling server power (Power on, Power off, Restart)
• Remotely accessing the server using the keyboard and mouse from a remote client
• Ability to record and replay the video from a remote control session
• Syslog alerting
• IP Address blocking
• Displaying graphics for real-time and historical power usage data and temperature
XClarity Controller Enterprise Upgrade adds the following functionality to the Advanced
features:
• Mapping the ISO and image files located on the local client as virtual drives for use by
the server
• Mounting the remote ISO and image files via HTTPFS, CIFS, and NFS
• Ability to capture and replay the server's video information leading up to the point
where the operating system may hang or crash.
Management interfaces
There are two ways to access the XCC management processor remotely:
• Command-line interface. To access the CLI, use SSH to log in to the
management processor.
• Web-based interface. To access the web-based interface, point your browser to the
IP address for the management processor. The new intuitive interface includes at-a-
glance visualizations and simple access to common system actions. The dashboard
is shown in the following figure.
• Redfish support (DMTF compliant) with specification version 1.2.0 and schema
version 2017.1
• Web browser - HTML 5-based browser interface (Java and ActiveX not required)
using a responsive design (content optimized for device being used - laptop, tablet,
phone) with NLS support
*Support for SNMP v1 requires updated XCC firmware. Depending on the server model, this is
v1.4.0, v2.10 or v2.12 (or newer). For specifics, consult the change history file for the XCC
firmware for your server at https://datacentersupport.lenovo.com.
Note: The ThinkSystem SD650 dense server does not support the use of the XClarity Mobile app.
• System status, firmware, network, health, and alerts information (read only, no login
required)
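Of the three remote interfaces listed above, Redfish is the one a monitoring or inventory tool would script against. The client below is an added example, not Lenovo or DMTF code, showing the read-only pattern: open a Redfish session (so the password is sent once and a short-lived X-Auth-Token is used afterwards), walk from the service root to the Systems collection, and pull power state and health from each ComputerSystem resource. The resource paths and property names are the standard Redfish ones; the sample payloads are constructed with invented values so the parsing functions can run offline. The TLS context enforces TLSv1.2 and verifies the XCC certificate against a CA bundle you pass in, which for a self-signed XCC certificate means exporting and trusting it explicitly.

```python
"""Read-only Redfish health query against an XCC.  Added example; not Lenovo code."""
import json
import ssl
import urllib.request

def parse_system_summary(payload):
    """Pick the operator-relevant fields out of a ComputerSystem resource."""
    status = payload.get("Status", {})
    return {
        "id": payload.get("Id"),
        "model": payload.get("Model"),
        "serial": payload.get("SerialNumber"),
        "power": payload.get("PowerState"),
        "health": status.get("Health"),
        "state": status.get("State"),
    }

def system_paths(systems_collection):
    """Return the member @odata.id paths of a Systems collection resource."""
    return [m["@odata.id"] for m in systems_collection.get("Members", [])]

class RedfishClient:
    def __init__(self, base_url, cafile=None):
        self.base_url = base_url.rstrip("/")
        ctx = ssl.create_default_context(cafile=cafile)   # verify the BMC certificate
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        self.opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        self.token = None
        self.session_location = None

    def _request(self, path, method="GET", body=None):
        headers = {"Accept": "application/json"}
        if self.token:
            headers["X-Auth-Token"] = self.token
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=headers, method=method)
        return self.opener.open(req, timeout=30)

    def login(self, user, password):
        """Create a Redfish session; the token replaces the password afterwards."""
        with self._request("/redfish/v1/SessionService/Sessions", "POST",
                           {"UserName": user, "Password": password}) as resp:
            self.token = resp.headers["X-Auth-Token"]
            self.session_location = resp.headers.get("Location")

    def get(self, path):
        with self._request(path) as resp:
            return json.load(resp)

    def logout(self):
        """Delete the session so the token cannot be reused."""
        if self.session_location:
            self._request(self.session_location, "DELETE").close()
        self.token = self.session_location = None

    def system_summaries(self):
        root = self.get("/redfish/v1/")
        collection = self.get(root["Systems"]["@odata.id"])
        return [parse_system_summary(self.get(p)) for p in system_paths(collection)]

# Constructed sample payloads in the Redfish schema shape; all values invented.
SAMPLE_SYSTEMS = {"@odata.id": "/redfish/v1/Systems",
                  "Members": [{"@odata.id": "/redfish/v1/Systems/1"}]}
SAMPLE_SYSTEM = {"Id": "1", "Model": "ThinkSystem (sample)",
                 "SerialNumber": "SN-SAMPLE-0001", "PowerState": "On",
                 "Status": {"State": "Enabled", "Health": "OK"}}
```

Usage against a real controller is `client = RedfishClient("https://<xcc-address>", cafile="xcc-ca.pem")`, then `client.login(user, password)`, `client.system_summaries()` and `client.logout()`; the address and CA file are placeholders. Only GET requests are issued after login, so the account used needs read-only privileges.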
Part numbers
Models of ThinkSystem servers come with either XClarity Controller Standard, Advanced or
Enterprise, depending on the server type and the model. The servers will be delivered with the
stated version already active. The following table shows the field upgrades available for models
that come with XCC Standard or XCC Advanced.
Important considerations:
• If you will be using XClarity Administrator for tasks such as remote control and OS
deployment, then the XCC Enterprise level must be used on the server.
• The Lenovo ThinkSystem XClarity Controller Enterprise license includes a license for
Lenovo XClarity Energy Manager
The Enterprise Upgrade requires that XCC already be at the Advanced level. If the server
currently has XCC Standard, you must first apply the XCC Standard to Advanced Upgrade
before applying the XCC Advanced to Enterprise Upgrade.
For configure-to-order (CTO) models, you can specify the XCC level you require by selecting
the appropriate XCC feature code as listed in the following table:
• XCC Standard - if both AVUT and AUPW are not in the order
• Collecting and viewing system inventory information
• Configuring UEFI system setup settings
• Configuring RAID by using the RAID Setup Wizard or Advanced mode
• Installing an operating system and device drivers automatically or manually
various power characteristics of racks, servers, and other devices. Capacity Planner can
dynamically calculate the power consumption, current, British Thermal Unit (BTU), and volt-
ampere (VA) rating at the rack level, improving the planning efficiency for large scale
deployments.
Chassis Management Module
The CMM provides single-chassis management and is used to communicate with the
management controller in each compute node. It provides system monitoring, event recording,
and alerts. It also manages the chassis, its devices, and the compute nodes. The chassis
supports up to two CMMs. If one CMM fails, the second CMM can detect its inactivity, self-
activate, and take control of the system without any disruption. The CMM is central to the
management of the chassis and is required in the Enterprise Chassis.
CMM2 is the Chassis Management Module that is currently available from Lenovo. The original
CMM is now withdrawn from marketing.
Overview
The CMM is a hot-swap module that provides basic system management functions for all devices that are
installed in the Enterprise Chassis. A chassis includes at least one CMM and supports CMM redundancy.
Mixing of CMM versions: If two CMMs are installed in a Flex System chassis, they should be of the same type. If
a primary CMM2 is installed, the secondary must be a CMM2.
Through an embedded firmware stack, the CMM implements functions to monitor, control, and
provide external user interfaces to manage all chassis resources. You can use the CMM to
perform the following functions:
• Configure security settings, such as data encryption and user account security. The
CMM contains an LDAP client that can be configured to provide user authentication
through one or more LDAP servers. The LDAP server (or servers) to be used for
authentication can be discovered dynamically or manually pre-configured.
• Set power policies and view power consumption history for chassis components.
Interfaces
The CMM supports a web-based graphical user interface (GUI) that provides a way to perform
chassis management functions within a supported web browser. You can also perform
management functions through the CMM command-line interface (CLI). The web-based and CLI
interfaces are accessible through the single RJ45 Ethernet connector on the CMM, or from any
system that is connected to the same network.
The CMM has the following default IPv4 settings:
• IP address: 192.168.70.100
• Subnet: 255.255.255.0
• Password: PASSW0RD (all capital letters, with a zero instead of the letter O)
The CMM does not have a fixed static IPv6 IP address by default. Initial access to the CMM in an
IPv6 environment can be done by using the IPv4 IP address or the IPv6 link-local address. The
IPv6 link-local address is automatically generated based on the MAC address of the CMM. By
default, the CMM is configured to respond to DHCP first before it uses its static IPv4 address. If
you do not want this operation to occur, connect locally to the CMM and change the default IP
settings. For example, you can connect locally by using a notebook.
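The paragraph above says the CMM's IPv6 link-local address is generated from its MAC address, which is what lets you reach a module for initial setup in an IPv6-only management network when the default IPv4 address is not usable. The function below is an added example, not Lenovo code; it assumes the CMM uses the standard modified EUI-64 construction (RFC 4291: split the MAC, insert ff:fe, flip the universal/local bit, prepend fe80::/64), which the guide does not state explicitly. The MAC address in the test is an invented sample.

```python
"""Derive an IPv6 link-local address from a MAC address (modified EUI-64) and back.
Added example; assumes the RFC 4291 construction."""
import ipaddress
import re

LINK_LOCAL_PREFIX = bytes.fromhex("fe80" + "00" * 6)   # fe80::/64

def mac_to_link_local(mac):
    """Return the link-local IPv6Address a device forms from its 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)           # accept 00:1a:.., 00-1a-.., 001a..
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                                   # flip the universal/local bit
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + eui64)

def link_local_to_mac(addr):
    """Inverse: recover the MAC from a modified-EUI-64 link-local address, so a
    neighbour-discovery reply can be matched to the module's printed MAC label."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:8] != LINK_LOCAL_PREFIX or raw[11:13] != b"\xff\xfe":
        raise ValueError(f"not a modified-EUI-64 link-local address: {addr!r}")
    octets = bytearray(raw[8:11] + raw[13:16])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)

if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"                    # invented sample value
    print(sample_mac, "->", mac_to_link_local(sample_mac))
```

Link-local addresses are only meaningful on one link, so when you connect from a notebook you must add the outgoing interface as the zone index (for example `fe80::21a:2bff:fe3c:4d5e%eth0` in the browser or SSH client). If the module implements RFC 7217 stable privacy addresses instead of EUI-64, the derived address will not match; in that case fall back to the default IPv4 address listed above.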
The web-based GUI brings together all of the functionality that is needed to manage the chassis
elements in an easy-to-use fashion consistently across all System x IMM2 based platforms.
The CMM login window is shown in the following figure.
An example of the CMM home page after login is shown in Figure 2-5.
Security
Today’s world of computing demands tighter security standards and native integration with
computing platforms. For example, the push towards virtualization increased the need for more
security. This increase comes as more mission-critical workloads are consolidated onto fewer
and more powerful servers. The Flex System Enterprise Chassis takes a new approach to
security with a ground-up chassis management design to meet new security standards.
The following security enhancements and features are provided in the chassis:
• Secure communications
• Insecure protocols are disabled by default in the CMM, with lock settings to prevent
users from inadvertently or maliciously enabling them
The Enterprise Chassis ships Secure and supports the following security policy settings:
• Secure: Default setting to ensure a secure chassis infrastructure and includes the
following features:
o Strong password policies with automatic validation and verification checks
o Updated passwords that replace the manufacturing default passwords after the initial
setup
o Only secure communication protocols, such as Secure Shell (SSH) and Secure
Sockets Layer (SSL)
o Certificates to establish secure, trusted connections for applications that run on the
management processors
• CMM: 192.168.70.100
XClarity Controller
With the announcement of the ThinkSystem brand, a new improved management controller was
launched, known as XClarity Controller or XCC.
XCC has many improvements over the previous generation IMM2. Boot times have been
improved to the extent that systems boot twice as fast, and some firmware updates can be
applied six times faster than on the previous x240 M5 generation.
The user experience is much improved when managing a ThinkSystem node via the integrated
XCC management controller web interface. The GUI has intuitive dashboards featuring an “at a
glance” main screen giving access to most common system actions.
Other improvements include:
• Support access via the XClarity Mobile application, via the front USB port located on
the node front panel
• REST API (Redfish schema) support for additional web-related services and software
applications. It currently supports Redfish Scalable Platforms Management API
Specification 1.0.2 and schema 2016.2
There are three levels of features available with XCC:
• Standard
• Advanced
• Enterprise
ThinkSystem nodes ship with the Enterprise level enabled as standard, which provides full
function, including mounting of local ISO/IMG files, remote virtual media mounting of ISO/IMG
files and, most importantly, allows remote deployment when using XClarity Administrator.
The following figure shows the improved interface that is presented when logged into the XCC, on a
ThinkSystem SN550 node. Health summary, system information, settings and power utilization
can be quickly seen on this one screen with much further information and quick actions being
available with simple clicks of the mouse.
Figure 2-6 XClarity Controller web interface
• Google Play
• Apple iTunes
• Host only mode: USB port is only connected to the Server. This means the OS that is
running on the server will “see” the USB port.
• BMC only mode: USB port is connected only to XCC. This means the OS will not “see”
the USB port, as the port is dedicated to the XCC.
• Shared mode owned by BMC: USB port is shared by both the server and the XCC, but
the port is switched to the XCC
• Shared mode owned by the host: USB port is shared by both the server and the XCC,
but the port is switched to the server
BMC and XCC: The terms BMC and XCC are used interchangeably in some documentation. They both
refer to the onboard management processor.
The XCC USB port management functionality can be changed within the XCC web
management interface, as shown in Figure 2-7. Here the BMC configuration tab has been
selected and the front panel USB options are shown and can be changed:
Figure 2-7 XCC web interface front panel USB port management on SN550
As can be seen in Figure 2-7 there is a tick box for the ID button to be available for switching
between owned by BMC or owned by Server, when in shared mode.
Table 2-2 shows a summary of the different modes and operation of the ID button.
Table 2-2 ID button (column headings: Front panel USB port mode; OS can use the USB port;
Local management using XClarity Mobile application; In shared mode, ID button is required to
switch modes)
On the ThinkSystem SN550 and SN850 nodes, the ID button is also known as the USB
management button. The button is located on the front panel and it is identified with a spanner
symbol as shown in Figure 2-8.
• IMM2 manageable “northbound” from outside the chassis, which enables consistent
• Remote presence:
o Increased color depth and resolution for more detailed server video
o ActiveX client in addition to Java client
o Increased memory capacity (~50 MB) provides convenience for remote software
installations
• More detailed information for UEFI detected events enables easier problem
determination
• Support for Features on Demand (FoD) enablement of server functions, option card
features, and System x solutions and applications
• First Failure Data Capture: One button web press starts data collection and download
For more information, see Integrated Management Module II User’s Guide available from:
https://download.lenovo.com/servers_pdf/nn1jz_book.pdf
I/O modules
The I/O modules include the following base functions:
• Initialization
• Configuration
• Status Reporting
The following set of protocols and software features also are supported on the I/O modules:
• A configuration method over the Ethernet management port.
• A scriptable SSH CLI, a web server with SSL support, Simple Network Management
Protocol v3 (SNMPv3) Agent with alerts, and an sFTP client.
• Server ports that are used for Telnet, HTTP, SNMPv1 agents, TFTP, FTP, and other
insecure protocols are DISABLED by default.
• For Ethernet I/O modules, 802.1x enabled with policy enforcement point (PEP)
capability to allow support of TNC (Trusted Network Connect).
• The ability to capture and apply a switch configuration file and the ability to capture a
first failure data capture (FFDC) data file.
• Ability to transfer files by using URL update methods (HTTP, HTTPS, FTP, TFTP, and
sFTP).
• Various methods for firmware updates, including FTP, sFTP, and TFTP. In addition,
firmware updates by using a URL that includes protocol support for HTTP, HTTPS,
FTP, sFTP, and TFTP.
• Ability to detect firmware and hardware hangs and to pull a “crash-failure memory
dump” file to an FTP (sFTP) server.
• Selectable primary and backup firmware banks as the current operational firmware.
• Ability to send events, SNMP traps, and event logs to the CMM, including security
audit logs.
• The CMM management port supports IPv4 and IPv6 (IPv6 support includes the use
of link-local addresses).
• Management virtual local area network (VLAN) for Ethernet switches: A configurable
management 802.1q tagged VLAN in the standard VLAN range of 1 - 4094. It includes
the CMM’s internal management ports and the I/O modules internal ports that are
connected to the nodes.