Channel: Dell TechCenter

iDRAC7 now supports NTP and Time Zone configuration


This blog post is written by Shine KA and Sanjeev Singh from Dell iDRAC team.

 

It is no longer difficult to configure iDRAC7 time or to sync it with server time or with NTP servers. There is no longer any need to set complicated time zone and daylight offset settings on iDRAC. In addition to syncing time with the server, from the iDRAC firmware 1.30.30 release onwards you can configure iDRAC to sync time with an NTP server as well. You can also set the time zone on iDRAC by selecting the required time zone from a list of 500+ time zones. Based on the selected time zone and the current iDRAC date, the daylight offset is applied automatically where applicable. Both NTP and time zone can be configured using the Web GUI, RACADM or WSMAN interface. iDRAC needs at least an Express License to use the NTP and time zone features.

One of the main challenges users had with iDRAC was syncing or setting the iDRAC time. In Dell 12G servers, iDRAC can get the time from the system Real Time Clock (RTC) through the chipset even when the server is powered off. After iDRAC gets the time from the RTC, the user has to set the time zone using racadm and, if a daylight offset applies to the selected time zone, also set the daylight offset object using racadm. This offset needs to be changed whenever a daylight offset change occurs. Because of this complexity, users have a difficult time configuring iDRAC for SSO, Smart Card, AD and LDAP, and uploading newly created certificates.

           

From the iDRAC 1.30.30 release onwards, you can configure NTP/Time Zone on iDRAC in two ways:

Only set time zone.

In this method, iDRAC automatically has its time synced with the server, and users only need to configure the time zone on iDRAC, without having to configure the daylight offset through racadm. You can configure the time zone from the "iDRAC Settings -> iDRAC Settings" page of the iDRAC Web Interface. From racadm you can use the idrac.time group to configure various time zones.

 

Set Both NTP and Time zone

In this method the user configures both NTP and the time zone. iDRAC will sync its time with the NTP server, and the selected time zone will also be applied. iDRAC syncs to the NTP server’s UTC/GMT time, so it is important that you configure the correct time zone while configuring NTP on iDRAC. You can configure up to three NTP servers. It is always recommended to configure all three NTP servers for accuracy. We support IPv4, IPv6 and FQDN formats for the NTP server address. When NTP mode is enabled and iDRAC has received time through this interface, iDRAC will ignore any attempts to set iDRAC time through the server (BIOS, Open Manage, etc.) or CMC (for blade servers).

 

 Additional Information:

iDRAC7 1.30.30 Firmware can be downloaded from here

iDRAC7 1.30.30 User Guide

More information on iDRAC


Announcing iDRAC7 support for Safari and Google Chrome browsers.


This blog post is written by Shine KA and Meghna Taneja from Dell iDRAC team.

We are excited to announce that iDRAC7’s latest release (1.30.30 firmware onwards) now supports the Safari and Chrome browsers in addition to IE and FF.

Google Chrome Browser

            You can use Chrome browser (Version 22) from Windows 8 or Windows 2012 to manage and monitor iDRAC7. All iDRAC7 GUI features can be enjoyed through Chrome as well.

 

Apple Mac Book as iDRAC7 Client

Now you can use a Mac system to manage and monitor Dell servers using iDRAC7. You can use either the Firefox or Safari (Version 5.X) browser to manage iDRAC from a Mac. All iDRAC7 features accessible from the iDRAC GUI, for example vConsole (Java Plugin), vMedia (Java Plugin), Boot Capture etc., can be accessed from a Mac client.

 How to Configure Apple MacBook as an iDRAC7 Client

Launching iDRAC using IPv6 Address

You cannot launch the iDRAC GUI using an IPv6 address while iDRAC has the default certificate. To use IPv6 to launch iDRAC, the user needs to either

1). Upload a SSL certificate from valid Certificate Authority to iDRAC and use IPv6 Address to launch iDRAC

Or

2). Register iDRAC on DNS and use iDRAC DNS name (FQDN) to launch iDRAC GUI.

“SingleCursor” and “Pass All Keystroke” mode in vConsole for iDRAC

“Single Cursor” and “Pass All Keystroke” mode will not work if “Enable access for assistive devices” is disabled on the Mac client. This option can be enabled by selecting the “Enable access for assistive devices” checkbox on the Universal Access System Properties page (see screenshot below). If this option is not selected, a warning message will be shown when the user tries to launch Virtual Console.

Virtual Media – Mapping USB Key as Read Write

When a USB key is connected to the Mac client and mounted on the Mac as R/W, iDRAC Virtual Media can use this device only as Read Only; R/W is not supported from Virtual Media. To connect the USB key as R/W from Virtual Media, the user needs to unmount the USB key from the Mac client:

1). Open a terminal window on the Mac

2). Run the command to unmount: diskutil unmount /Volumes/drivename (sudo may be required for access).

 

Additional Information:

iDRAC7 1.30.30 Firmware can be downloaded from here

iDRAC7 1.30.30 User Guide

More information on iDRAC

iDRAC 7 now supports vConsole Scaling


This blog post is written by Shine KA and Meghna Taneja from Dell iDRAC team.

It is even easier to use Virtual Console with the iDRAC7 1.30.30 firmware release, which includes our scaling solution. Now you can easily view the entire server screen using virtual console without a scroll bar. The picture above shows how multiple servers can be easily managed using the virtual console scaling Solution.

This feature is enabled by default and no configuration is required. With this solution we have eliminated the need to scroll to view entire screen in the iDRAC7 vConsole or change server resolution for every client. The scaling solution is supported on both Active-X and the Java Plugin from all supported clients. 

While launching vConsole, if the server resolution is higher than the client resolution, then vConsole will automatically be scaled down to the client resolution and the entire screen will be displayed without any scroll bar. If the server resolution is lower than the client resolution, then vConsole will be launched at the actual screen resolution. Users can perform all keyboard and mouse commands and use all vConsole features within this customized vConsole window.

You can also set vConsole to a custom size by resizing vConsole Window. In this case Server resolutions will be resized to fit the vConsole Window and the console will be shown without scroll bar.

After customizing the vConsole window if a user wants to go back to the actual resolution, users can use the “Fit option” on vConsole Window. This can be used to increase or decrease resolution on vConsole Client.

You can make use of this feature if you want to monitor multiple servers. You can set multiple vConsoles to custom sizes and can view all iDRAC sessions at the same time by placing the vConsole windows at different locations on the desktop.

Also, when you want to view one server in detail you can go into full screen mode and perform all required operations and come back to windows mode. When coming back out of full screen mode, the last saved resolution and window position is retained so that all vConsoles are still visible. There is no need to change the resolution and position after a full screen operation.


 Additional Information

Learn more about iDRAC7 at http://www.delltechcenter.com/iDRAC

Server deployment through serial interface with iDRAC 7 on 12th Generation of PowerEdge Servers


This blog post has been written by Sanjeev Singh and Elie Jreij from the iDRAC team

Some of you may want to configure the iDRAC and other system components through the system serial interface. This blog explains how to do just that ...

With iDRAC7 firmware version 1.30.30 or later and BIOS 1.4.x or later installed, you can accomplish full deployment of your server through the serial interface (DB9 connector) on the server. Before you start, please make sure External Serial Connector in BIOS is set to Serial Device 2. You can do this by going into F2 -> System BIOS -> Serial Communication -> External Serial Connector and setting it to Serial Device 2. Here are the steps to configure through the serial interface:

  1. Connect AC power to the server. Note, the server doesn’t need to be powered on until you’ve completed the system configuration.
  2. Wait for iDRAC to initialize (this may take up to 2 minutes).
  3. Connect the management station to the serial connector on the server (example shown below).
  4. Launch your terminal application and configure its baud rate to 57600, N,8,1  with no flow control.
  5. Send the “<Esc>” key followed by the “(” key. The hexadecimal values for these keys are 0x1b and 0x28 respectively. The management station should now be connected to the iDRAC and the iDRAC login prompt should be displayed in the terminal window.

At  this time, you can log in to the iDRAC as an administrator. To avoid having to log in each time and to prevent the log-in session from timing out, you may want to disable authentication. To do this, enter the following command:

racadm config -g cfgserial -o cfgserialconsolenoauth 1

To re-enable authentication, enter the same command, replacing the trailing “1” with a “0”.
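With cfgserialconsolenoauth set to 1 the serial port gives an iDRAC console without a login, so it is worth confirming after deployment that the setting is back at 0. The following check is an added example, not code from the original post: it classifies captured `racadm getconfig -g cfgSerial` output per host. It assumes the output is one name=value object per line; the host names and captured text are constructed.

```python
import re

# Command from the post that restores login on the serial console.
REENABLE_CMD = "racadm config -g cfgserial -o cfgserialconsolenoauth 0"

# One object per line as name=value (assumed format); a leading '#' is tolerated.
_LINE = re.compile(r"^\s*#?\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_group(output):
    """Parse `racadm getconfig -g <group>` text into {lowercased name: value}."""
    objects = {}
    for line in output.splitlines():
        match = _LINE.match(line)
        if match:
            # The post writes the object name in both mixed and lower case,
            # so names are compared case-insensitively.
            objects[match.group(1).lower()] = match.group(2)
    return objects


def serial_auth_status(output):
    """Classify one host as 'NOAUTH', 'AUTH_REQUIRED' or 'UNKNOWN'."""
    value = parse_group(output).get("cfgserialconsolenoauth")
    if value is None:
        return "UNKNOWN"  # object missing, e.g. the capture failed
    return "NOAUTH" if value == "1" else "AUTH_REQUIRED"


def audit_fleet(outputs):
    """outputs maps host -> captured text; returns hosts that need attention.

    Each entry is (host, status, command to run or None).
    """
    report = []
    for host in sorted(outputs):
        status = serial_auth_status(outputs[host])
        if status == "NOAUTH":
            report.append((host, status, REENABLE_CMD))
        elif status == "UNKNOWN":
            report.append((host, status, None))
    return report


# Constructed captures for three hypothetical hosts.
SAMPLE_OUTPUTS = {
    "r720-a": "cfgSerialBaudRate=57600\ncfgSerialConsoleEnable=1\ncfgSerialConsoleNoAuth=1\n",
    "r720-b": "cfgSerialBaudRate=57600\ncfgSerialConsoleEnable=1\ncfgSerialConsoleNoAuth=0\n",
    "r720-c": "(constructed) no response from management controller\n",
}

if __name__ == "__main__":
    for host, status, fix in audit_fleet(SAMPLE_OUTPUTS):
        print(host, status, fix or "re-check manually")
```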

 Once logged in, you may configure BIOS, iDRAC, NIC and other settings. This configuration can be done from the serial interface by using RACADM commands. For complete information on RACADM commands, see the RACADM Command Line Reference Guide here.

Here are a few sample commands to get you started:

BIOS configuration / status:

racadm get BIOS

racadm set bios.satasettings.SataPortB off

racadm set BIOS.SysSecurity.SysPassword "dell" 

iDRAC configuration / status:

racadm getconfig -g cfgSerial

racadm racresetcfg

racadm serveraction powercycle

racadm getsel


 NIC configuration / status:

racadm getniccfg

racadm config -g cfgLanNetworking  -o cfgNicEnable 1 [or 0]

racadm config -g cfgLanNetworking  -o cfgNicIPv4Enable 1 [or 0]

racadm config -g cfgLanNetworking  -o cfgNicUseDhcp  0 [or 1] 

You might also want to update the firmware for BIOS, NIC, iDRAC, and / or the Power Edge Raid Controller (PERC) through the serial interface.

Here is a sample command to update the iDRAC7 firmware from a TFTP server: 

racadm fwupdate -g -u -a [TFTP IP Address]

When you’re done making the desired configuration changes, power-up the server and the configuration  changes and firmware updates will be applied by the Lifecycle Controller. If the server is already on, you’ll need to reboot to apply the settings.

Stay Tuned: PERC configuration will be supported in a future iDRAC firmware release.


 Additional Information

More information on iDRAC

 

Whitelist Security and Firmware Security Best Practices for Dell iDRAC


This post was authored by distinguished Advanced Security engineer, Chip Webb

Anti-virus software has traditionally used a blacklist approach. This means that the anti-virus (AV) software examines programs before they are run for “signatures” – bits of code – that are known to be associated with malware. If a program contains a signature indicating malware the AV package does not allow the program to run. In other words, any software that is determined to be in the signature list is not allowed to run. All other software is allowed to run. The signature list is the blacklist.

More recently some anti-virus software packages take the converse approach, called whitelisting. A whitelist AV package examines each program before it runs and if the program is determined to be in a list of known good programs it is allowed to run. All other programs are not allowed to run.

These two approaches require different management approaches. Blacklist AV packages require that their signature list be updated periodically to recognize newly developed malware. Whitelist AV packages require that a list of software packages that are allowed be created. In addition to lists, many whitelist programs support rules. A common rule is to allow software packages that are digitally signed by particular software publishers. If a software package complies with the rule set or it is in the list of known good packages it is allowed to execute.

iDRAC prevents foreign software from running in a whitelist manner. iDRAC firmware is packaged as a single binary “blob”. Only software in that blob is allowed to run. The whitelist is simply the single rule: only software in the blob can run.

An attacker might attempt to circumvent this rule by creating “rogue firmware” that looks like genuine Dell published firmware, but in fact contains malicious code.

Several best practices will prevent the introduction of rogue firmware on the iDRAC:

  • Only obtain iDRAC firmware from Dell
  • Store the firmware in a place with restricted access
  • Only allow a firmware update to be initiated by an authorized user
  • Require that the authorized user only use a firmware package that was stored in the place with restricted access

Note the following exceptions:

  • a malicious administrator could flash a rogue firmware
  • an administrator could be the victim of social engineering and be fooled into updating with non-authentic firmware
  • an administrator could have his credentials compromised

Of course all three of these exceptions are not unique to iDRAC and underscore the importance of the human factor in maintaining good security.

To account for these exceptions and further enhance security, iDRAC7 (present in Dell PowerEdge 12th Generation servers) improves upon previous iDRAC versions by requiring that the firmware image also be digitally signed, robustly ensuring that even in the face of the three exceptions noted above, iDRAC7 will reject unauthorized firmware. Thanks to the design factors discussed above, iDRAC is highly resistant to the kinds of viruses and malware that are typically seen on PCs and industry standard servers.

To learn more about the Dell Remote Access Controller, visit www.delltechcenter.com/iDRAC

 

 

iDRAC7 Quick Start Guide Published


A quick start guide has been published that covers iDRAC7 with firmware version 1.30.30 or later.

The guide is intended to simplify the setup process for new iDRAC7 users, and it also covers use of some of the fundamental iDRAC7 features.

It walks the user step-by-step through:

  • Initial network setup
  • Logging in to the web interface
  • Checking the license level / upgrading the license
  • Managing user accounts
  • Firmware updates
  • Using Virtual console
  • Viewing Logs
  • Setting the iDRAC time
  • Resetting the iDRAC to its factory default settings

The guide can be downloaded from the following link:

iDRAC7 with Lifecycle Controller 2 Quick Start Guide

It is also available for ftp download here.

 

 

For more information about Lifecycle Controller and Dell iDRAC7, visit:

What happened to the Keyboard Macros on iDRAC7 ?


This blog post has been written by Dave Collier and Ananthanarayanan AK from iDRAC team.

When using the iDRAC7 virtual Console, you may find that many of the macros you’ve become accustomed to using have disappeared. Where did they go?

With the release of the iDRAC7 1.30.30 firmware or later, many of the macros have been eliminated. They’ve been replaced by an enhanced Pass all keystrokes to server feature, which is now enabled by default. With this new design, in most cases, rather than having to break your normal workflow by going to the virtual Console Macros menu, you can now just use your keyboard as if you were working directly on the server. The Macro keys are now only required when your client operating system would intercept the keystrokes instead of allowing them to pass. Since different client operating systems intercept different keystrokes, the virtual Console Macro menu is now client OS context sensitive, listing only the keystroke combinations that the client OS will intercept and act on. For example, the Macros menu for all clients will show the <Ctrl><Alt><Del> and <Alt><SysRq>b key combinations. Linux clients add a cascade menu for <Ctrl><Alt><Fn> keys. Mac OS clients have the two standard key combinations plus 5 others.

The Pass all keystrokes to server feature can be disabled by going to the Tools menu, selecting Session Options and clearing the feature checkbox.

Note that, even if the Pass all keystrokes to server feature is disabled in this manner, when the virtual Console window is put in full-screen mode, all keystrokes will be passed to the server (temporarily re-enabling the feature). Also note that the state of the Pass all keystrokes to server feature is not persistent; each time virtual Console is launched, the feature will be defaulted to on.

We at Dell hope you find that these enhanced and refined key combinations and the Pass all keystrokes to server feature streamline your server management processes. Please give us feedback on how we’re doing and what new features you’d like to see.


Additional Information

More information on iDRAC

Don’t want to use F9 to exit Single Cursor Mode on iDRAC7? You don’t have to!


This blog post has been written by Dave Collier from the iDRAC team.

With the release of iDRAC7 1.30.30 and later firmware for iDRAC7 on the 12th generation PowerEdge Servers, you no longer have to use the F9 key to exit Single Cursor mode. In fact, the Escape key is now the default to exit Single Cursor mode, but this is configurable.

 For those unfamiliar with Single Cursor Mode, depending on your Virtual Console’s mouse acceleration and your host system’s operating system (and configuration), there may be times when two mouse cursors are displayed on the Virtual Console. A quick and easy way to address this is to switch to Single Cursor Mode in the Virtual Console. To switch to Single Cursor mode, go to the Virtual Console’s Tools menu and select Single Cursor. Once in single cursor mode, the client cursor will be hidden;  only the managed host’s cursor will be displayed, and that cursor will be captured within the boundaries of the Virtual Console window. In order to reactivate the client’s cursor (to work outside the boundaries of the Virtual Console window) you’ll need to exit Single Cursor mode.

 As explained above, the Escape key is now the default for exiting Single Cursor mode. You may decide that the Escape key is not the best choice for the way you work… If that’s the case and you want to change the key, here’s how to do it: In Virtual Console, open the Tools menu and select Session Options. Click on the Mouse tab, and in the Termination Key field, select the key you want to use, then click Apply.

We at Dell hope you find that this feature enhancement helps streamline your server management processes. Please give us feedback on how we’re doing and what new features and enhancements you’d like to see.


Additional Information

More information on iDRAC


WSMAN Request Redirection from the Host OS to iDRAC


As more and more management functionality is added to iDRAC (the Service Processor), there is less and less need for fat proprietary agents running in the operating system to enable system management and monitoring. In pursuit of this idea, multiple management capabilities have been pushed to iDRAC, and Dell has started working on enabling system management with thinner and thinner agents in the OS. https://fedoraproject.org/wiki/Features/AgentFreeManagement describes some of these initiatives, and one of them is WSMAN request redirection.

Recently a new plugin was pushed to openwsman which enables the redirection of WSMAN requests from the host to iDRAC (or any remote WSMAN server). Essentially, the openwsman service running in the host acts as a proxy: it filters the incoming requests based on the ResourceUri and forwards the matching requests to iDRAC. The host's openwsman daemon (the proxy) then captures the response from iDRAC (or the remote server) and forwards it to the primary client. This setup enables system management and monitoring without having to install any proprietary management agents in the OS.

NOTE: the redirection plugin is only available in 2.3.6 and higher versions of openwsman.

 

To enable WSMAN request redirection to iDRAC, the following section has to be added to the openwsman.conf file:

[redirect]

#mandatory fields

server='192.168.1.120'

resource='http://schemas.dell.com/wbem/wscim/1/cim-schema/2'

port=443

cacert='/etc/idrac.cert'

username='root'

password='calvin'

 

#optional Fields

#default is /wsman

url_path='/wsman'

#default is basic

authentication_method='basic'

#default is root/cimv2

cim_namespace='root/cimv2'

#default is 0

noverifypeer=0

#default is 0

noverifyhost=0

#default is NULL

sslkey=NULL

#default is NULL

cl_cert=NULL

 

With the above configuration section added to openwsman.conf, any WSMAN request coming to the host with ResourceURI http://schemas.dell.com/wbem/wscim/1/cim-schema/2/* will be redirected to iDRAC, and all other requests will be handled by one of the other openwsman plugins in the host. In the above example 192.168.1.120 is the IP address of iDRAC, listening on port 443.

iDRAC has SSL enabled by default, so the server's identity certificate has to be provided to the redirect plugin. Please note that even when noverifypeer is set to 1 (where the server certificate is not verified), a dummy cert has to be provided in the redirect section. For production servers, it is always recommended to have noverifypeer=0 and noverifyhost=0.
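The recommendations above can be checked mechanically. The following audit of the [redirect] section is an added example, not part of openwsman or of the original post: it flags disabled certificate or host verification, a missing cacert, the factory-default root/calvin login used in the sample, and a stored password in a file readable beyond its owner. The finding names, the file_mode parameter and the two extra samples are constructed for this example.

```python
import configparser
import stat

# root/calvin is the factory-default iDRAC login and the pair used in the
# sample [redirect] section; a production config should not carry it.
FACTORY_DEFAULT = ("root", "calvin")

# The [redirect] section as printed in the post.
PAGE_SAMPLE = """\
[redirect]
#mandatory fields
server='192.168.1.120'
resource='http://schemas.dell.com/wbem/wscim/1/cim-schema/2'
port=443
cacert='/etc/idrac.cert'
username='root'
password='calvin'
#optional Fields
url_path='/wsman'
authentication_method='basic'
cim_namespace='root/cimv2'
noverifypeer=0
noverifyhost=0
sslkey=NULL
cl_cert=NULL
"""

# Constructed sample: verification switched off, no cacert, stored password.
WEAK_SAMPLE = """\
[redirect]
server='idrac.example.test'
resource='http://schemas.dell.com/wbem/wscim/1/cim-schema/2'
port=443
username='svc-wsman'
password='constructed-secret'
noverifypeer=1
noverifyhost=1
"""

# Constructed sample: verification on, credentials come from the primary request.
HARDENED_SAMPLE = """\
[redirect]
server='idrac.example.test'
resource='http://schemas.dell.com/wbem/wscim/1/cim-schema/2'
port=443
cacert='/etc/idrac.cert'
noverifypeer=0
noverifyhost=0
"""


def _unquote(value):
    """Values in the sample are wrapped in quotes; strip one matching pair."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _enabled(section, key):
    """Read a 0/1 option; an absent option takes the default of 0 given in the post."""
    return section.get(key, "0").strip() not in ("0", "")


def audit_redirect(conf_text, file_mode=None):
    """Return a sorted list of finding names for the [redirect] section.

    file_mode is the st_mode of the config file if known (parameter of this
    example only); it drives the file-permission check.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("redirect"):
        return []
    sec = {key: _unquote(val) for key, val in parser.items("redirect")}
    findings = set()

    if _enabled(sec, "noverifypeer"):
        findings.add("PEER_CERT_NOT_VERIFIED")
    if _enabled(sec, "noverifyhost"):
        findings.add("HOSTNAME_NOT_VERIFIED")
    if not sec.get("cacert"):
        findings.add("CACERT_MISSING")  # required even when noverifypeer=1

    password = sec.get("password")
    if (sec.get("username"), password) == FACTORY_DEFAULT:
        findings.add("FACTORY_DEFAULT_CREDENTIALS")
    if password:
        if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.add("STORED_PASSWORD_READABLE_BY_GROUP_OR_OTHER")
        unverified = "PEER_CERT_NOT_VERIFIED" in findings
        if unverified and sec.get("authentication_method", "basic") == "basic":
            # Basic auth hands the stored password to whoever answers on the port.
            findings.add("BASIC_AUTH_TO_UNVERIFIED_PEER")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_redirect(PAGE_SAMPLE, 0o100644))
    print(audit_redirect(WEAK_SAMPLE))
```

When auditing a file on disk, pass os.stat(path).st_mode as file_mode.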

 

The username and password values will be imported from the primary WSMAN request if none are provided in the redirect section. The remaining options take the default values shown in the configuration above. Now an example:

 

wsman enumerate http://schemas.dell.com/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_ComputerSystem -h host_ip -V -v -c dummy.cert -P 5986 -u root -p password -y -O out

NOTE: The username, password and cert provided in the primary wsman command are used to authenticate to the host. The details captured in the openwsman.conf file are used to authenticate to iDRAC.

 

When the above request is sent to a host, output similar to the following is returned:

<?xml version="1.0" encoding="UTF-8"?>

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:n1="http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_ComputerSystem">

<s:Header>

<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>

<wsa:Action>http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateResponse</wsa:Action>

<wsa:RelatesTo>uuid:c987c6d4-d8c4-18c4-8002-a52924d9bed4</wsa:RelatesTo>

<wsman:TotalItemsCountEstimate>1</wsman:TotalItemsCountEstimate>

<wsa:MessageID>uuid:c4910753-d8c9-18c9-8258-b12ca052aed4</wsa:MessageID>

<wsman:TotalItemsCountEstimate>1</wsman:TotalItemsCountEstimate>

</s:Header>

<s:Body>

<wsen:EnumerateResponse>

<wsman:Items>

<n1:DCIM_ComputerSystem>

<n1:CreationClassName>DCIM_ComputerSystem</n1:CreationClassName>

<n1:Dedicated>0</n1:Dedicated>

<n1:ElementName>host-8-23.lab</n1:ElementName>

<n1:EnabledState>5</n1:EnabledState>

<n1:HealthState>25</n1:HealthState>

<n1:IdentifyingDescriptions>CIM:GUID</n1:IdentifyingDescriptions>

<n1:IdentifyingDescriptions>CIM:Tag</n1:IdentifyingDescriptions>

<n1:IdentifyingDescriptions>DCIM:ServiceTag</n1:IdentifyingDescriptions>

<n1:Name>srv:system</n1:Name>

<n1:OperationalStatus>6</n1:OperationalStatus>

<n1:OtherIdentifyingInfo>4c4c4544-0036-4710-8046-c3c04f515631</n1:OtherIdentifyingInfo>

<n1:OtherIdentifyingInfo>mainsystemchassis</n1:OtherIdentifyingInfo>

<n1:OtherIdentifyingInfo>ABCDEFG</n1:OtherIdentifyingInfo>

<n1:PrimaryStatus>3</n1:PrimaryStatus>

<n1:RequestedState>0</n1:RequestedState>

</n1:DCIM_ComputerSystem>

</wsman:Items>

<wsen:EnumerationContext/>

<wsman:EndOfSequence/>

<wsen:EnumerationContext/>

<wsman:EndOfSequence/>

</wsen:EnumerateResponse>

</s:Body>

</s:Envelope>

 

 

The wsman redirection works with the standard Actions like enumerate, get, put, create, delete and invoke. The requests for associations on iDRAC CANNOT be redirected. Also, redirection for WSMAN indications is not enabled yet.

 

On a side note, OpenLMI( https://fedorahosted.org/openlmi/ ) is an initiative to provide common infrastructure to enable Management & monitoring of Linux Systems. This project provides low level interfaces to hardware and software management and monitoring in the form of CIMOM providers. The targets of this effort are the in-band components like Services, Network, Storage, etc. After registering these providers to a CIMOM they can be accessed via WSMAN too.

Having the wsman redirection enabled (to iDRAC) and openlmi providers registered, will enable the Admins to have a single interface for managing both in-band and out-of-band components via WSMAN.

Lifecycle Controller Backup and Restore Passphrase Rules


For 11G and 12G PowerEdge systems, the backup and restore methods have an optional parameter to enter a passphrase. If a passphrase is used, it must be correctly entered in order for the restore operation to be successful. Passphrases shall be validated against the following rules:

  1. Must be 8-32 characters in length
  2. Must contain 1 Uppercase letter
  3. Must contain 1 Lowercase letter
  4. Must contain 1 Number
  5. Must contain 1 Special character

See more about Lifecycle Controller (LC), here.

See more about Backup and Restore in the LC Best Practice Guide, here.

Dell OMSA 7.3 and DTK 4.3 for Ubuntu and Debian


Dell OpenManage System Administrator 7.3 for Ubuntu and Debian

Dell OpenManage System Administrator (OMSA) 7.3 for Ubuntu and Debian is now published. When we recently published OMSA 7.2, we switched to a new apt repository format to better work with both Ubuntu and Debian and to allow packages for multiple OS releases in the same repository. OMSA 7.3 continues that. Furthermore, OMSA 7.3 is now built on both Ubuntu 12.04 and Debian Wheezy to increase compatibility with Debian. All packages that are in the Ubuntu distribution but are not in Debian are rebuilt for Debian and included in OMSA Wheezy repository for convenience.

(Please note that OMSA 7.2 and above are not built for Ubuntu 10.04 and Debian Squeeze. The last OMSA release tested with Ubuntu 10.04 and Debian Squeeze is OMSA 7.1, which is also provided in the new apt repository for convenience.)

Additionally, OMSA's Integrated Tunnel Provider (srvadmin-itunnel) is now built for Ubuntu and Debian. This brings Ubuntu and Debian closer to parity with RHEL and SLES in terms of the System Administrator functionality in OMSA.

Dell Deployment Toolkit 4.3 for Ubuntu and Debian

Also included in this release is version 4.3 of the Dell Deployment Toolkit (DTK) for Ubuntu and Debian. DTK is lighter-weight than OMSA and is meant to assist with system deployment. The packages are named syscfg, raidcfg, and dtk-scripts. syscfg is a tool to configure server BIOS, BMC/iDRAC settings and DTK state settings, and to do PCI device detection. raidcfg, as the name suggests, is a tool to configure RAID on Dell PowerEdge servers. dtk-scripts contains sample DTK scripts and tools to build a bootable Dell utility partition for DOS-based firmware updates.

Where to get it

More information on where to download these packages is at http://linux.dell.com/repo/community/ubuntu/.

Getting help

Please join us on the linux-poweredge@lists.us.dell.com mailing list for support and feedback. You can sign up at <https://lists.us.dell.com/mailman/listinfo/linux-poweredge>.

Auto Dedicated NIC feature in iDRAC7


By Kareem Fazal and Virender Sharma of the Dell iDRAC team 

The new 12th generation Dell PowerEdge servers offer the Auto Dedicated NIC feature in iDRAC7 version 1.3x.3x, which helps customers automatically configure the iDRAC7 network connection.

Many customers route iDRAC management traffic via the shared LOM to save on ports and limit cables.  Dell offers additional flexibility in this case via the Auto Dedicated NIC feature, as described in this paper.  Now, customers can connect a crash cart directly to the dedicated NIC port, and the DRAC will automatically switch from shared mode to dedicated mode, and then back again once the cable has been removed.

In iDRAC versions 1.2x.2x and below, selection of iDRAC network connection could either be a dedicated NIC port or a shared LOM port. To use the dedicated port, it was necessary to change the setting via the iDRAC web interface or command line, as well as physically connect a cable to the server.

With latest iDRAC versions 1.3x.3x and above, the Auto Dedicated NIC feature is available as an enhanced functionality and does not change the existing behavior of manual NIC selection. User intervention to change the NIC setting using the iDRAC7 web interface or a command line is not needed as Auto Dedicated NIC switches to the correct network automatically.

 Requirements:

  • Feature is offered on PowerEdge rack and tower servers only (not on blades)
  • iDRAC7 Enterprise license is required to enable the feature
  • For PowerEdge rack and tower servers 500 series and below (R520, R420, T420, R320, T320), add-in card is required to have the Dedicated NIC port.
  • If iDRAC7 Enterprise license is ordered at point of sale, then add-in card comes along with the server.
  • If iDRAC7 Enterprise license is ordered later than point of sale, then add-in card will need to be ordered.

This feature is disabled by default. It can be enabled using following interfaces:

  • iDRAC Web Interface
  • RACADM
  • WSMAN
  • HII

Following matrix describes the behavior when Auto Dedicated NIC is either on or off, plus the different NIC selections and their failover modes: 

Auto Dedicated NIC |                | NIC Selection = Dedicated  | NIC Selection = Shared
                   |                | Failover     | No Failover | Failover                 | No Failover
On                 | Dedicated up   | Not Possible | Dedicated   | Dedicated                | Dedicated
On                 | Dedicated Down | Not Possible | Dedicated   | Selected or failover NIC | Selected NIC
Off                | Dedicated up   | Not Possible | Dedicated   | Selected or failover NIC | Selected NIC
Off                | Dedicated Down | Not Possible | Dedicated   | Selected or failover NIC | Selected NIC

By using this feature, customers have the flexibility to route server management traffic as needed, quickly and effortlessly. More information on the Auto Dedicated NIC can be found in this paper on Dell Tech Center. Additional information on iDRAC and Lifecycle Controller: Click here

iDRAC 7 now supports vConsole Scaling

$
0
0

This blog post is written by Shine KA and Meghna Taneja from Dell iDRAC team.

It is even easier to use Virtual Console with the iDRAC7 1.30.30 firmware release, which includes our scaling solution. Now you can easily view the entire server screen using virtual console without a scroll bar. The picture above shows how multiple servers can be easily managed using the virtual console scaling Solution.

This feature is enabled by default and no configuration is required. With this solution we have eliminated the need to scroll to view entire screen in the iDRAC7 vConsole or change server resolution for every client. The scaling solution is supported on both Active-X and the Java Plugin from all supported clients. 

While launching vConsole, if the server resolution is higher than the client resolution, then vConsole will automatically be scaled down to client resolution and the entire screen will be displayed without any scroll bar. If the server resolution is lesser than client resolution then the vConsole will be launched at the actual screen resolution. Users can perform all Keyboard and Mouse commands and use all vConsole features within this customized vConsole window.

You can also set vConsole to a custom size by resizing vConsole Window. In this case Server resolutions will be resized to fit the vConsole Window and the console will be shown without scroll bar.

After customizing the vConsole window if a user wants to go back to the actual resolution, users can use the “Fit option” on vConsole Window. This can be used to increase or decrease resolution on vConsole Client.

You can make use of this feature if you want to monitor multiple servers. You can set multiple vConsoles to custom sizes and can view all iDRAC sessions at the same time by placing the vConsole windows at different locations on the desktop.

Also, when you want to view one server in detail you can go into full screen mode and perform all required operations and come back to windows mode. When coming back out of full screen mode, the last saved resolution and window position is retained so that all vConsoles are still visible. There is no need to change the resolution and position after a full screen operation.


 Additional Information

Learn more about iDRAC7 at http://www.delltechcenter.com/iDRAC

Server deployment through serial interface with iDRAC 7 on 12th Generation of PowerEdge Servers


This blog post has been written by Sanjeev Singh and Elie Jreij from the iDRAC team

Some of you may want to configure the iDRAC and other system components through the system serial interface. This blog explains how to do just that ...

With iDRAC7 firmware version 1.30.30 or later and BIOS 1.4.x or later installed, you can accomplish full deployment of your server through the serial interface (DB9 connector) on the server. Before you start, please make sure External Serial Connector in BIOS is set to Serial Device 2. You can do this by going into F2 -> System BIOS -> Serial Communication -> External Serial Connector and setting it to Serial Device 2. Here are the steps to configure through the serial interface:

  1. Connect AC power to the server. Note, the server doesn’t need to be powered on until you’ve completed the system configuration.
  2. Wait for iDRAC to initialize (this may take up to 2 minutes).
  3. Connect the management station to the serial connector on the server (example shown below).
  4. Launch your terminal application and configure its baud rate to 57600, N,8,1 with no flow control.
  5. Send the "<Esc>" key followed by the "(" key. The hexadecimal values for these keys are 0x1b and 0x28 respectively. The management station should now be connected to the iDRAC and the iDRAC login prompt should be displayed in the terminal window.

At this time, you can log in to the iDRAC as an administrator. To avoid having to log in each time and to prevent the log-in session from timing out, you may want to disable authentication. To do this, enter the following command:

racadm config -g cfgserial -o cfgserialconsolenoauth 1

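To re-enable authentication, enter the same command, replacing the trailing “1” with a “0”. While authentication is disabled, the serial console accepts connections without a login, so anyone with physical access to the serial connector can reach the iDRAC; re-enable it as soon as deployment is complete.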

 Once logged in, you may configure BIOS, iDRAC, NIC and other settings. This configuration can be done from the serial interface by using RACADM commands. For complete information on RACADM commands, see the RACADM Command Line Reference Guide here.

Here are a few sample commands to get you started:

BIOS configuration / status:

racadm get BIOS

racadm set bios.satasettings.SataPortB off

racadm set BIOS.SysSecurity.SysPassword "dell" 

iDRAC configuration / status:

racadm getconfig -g cfgSerial

racadm racresetcfg

racadm serveraction powercycle

racadm getsel


 NIC configuration / status:

racadm getniccfg

racadm config -g cfgLanNetworking  -o cfgNicEnable 1 [or 0]

racadm config -g cfgLanNetworking  -o cfgNicIPv4Enable 1 [or 0]

racadm config -g cfgLanNetworking  -o cfgNicUseDhcp  0 [or 1] 

You might also want to update the firmware for BIOS, NIC, iDRAC, and/or the PowerEdge RAID Controller (PERC) through the serial interface.

Here is a sample command to update the iDRAC7 firmware from a TFTP server: 

racadm fwupdate -g -u -a [TFTP IP Address]

When you’re done making the desired configuration changes, power up the server; the configuration changes and firmware updates will be applied by the Lifecycle Controller. If the server is already on, you’ll need to reboot to apply the settings.

Stay Tuned: PERC configuration will be supported in a future iDRAC firmware release.


 Additional Information

More information on iDRAC

 

Whitelist Security and Firmware Security Best Practices for Dell iDRAC


This post was authored by distinguished Advanced Security engineer, Chip Webb

Anti-virus software has traditionally used a blacklist approach. This means that the anti-virus (AV) software examines programs before they are run for “signatures” – bits of code – that are known to be associated with malware. If a program contains a signature indicating malware the AV package does not allow the program to run. In other words, any software that is determined to be in the signature list is not allowed to run. All other software is allowed to run. The signature list is the blacklist.

More recently some anti-virus software packages take the converse approach, called whitelisting. A whitelist AV package examines each program before it runs and if the program is determined to be in a list of known good programs it is allowed to run. All other programs are not allowed to run.

These two approaches require different management approaches. Blacklist AV packages require that their signature list be updated periodically to recognize newly developed malware. Whitelist AV packages require that a list of software packages that are allowed be created. In addition to lists, many whitelist programs support rules. A common rule is to allow software packages that are digitally signed by particular software publishers. If a software package complies with the rule set or it is in the list of known good packages it is allowed to execute.

iDRAC prevents foreign software from running in a whitelist manner. iDRAC firmware is packaged as a single binary “blob”. Only software in that blob is allowed to run. The whitelist is simply the single rule: only software in the blob can run.

An attacker might attempt to circumvent this rule by creating “rogue firmware” that looks like genuine Dell published firmware, but in fact contains malicious code.

Several best practices will prevent the introduction of rogue firmware on the iDRAC:

  • Only obtain iDRAC firmware from Dell
  • Store the firmware in a place with restricted access
  • Only allow a firmware update to be initiated by an authorized user
  • Require that the authorized user only use a firmware package that was stored in the place with restricted access
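One way to enforce the storage and package rules above on the management station before an update is started. This is an added example, not Dell's code; the file name, the manifest format (file name mapped to a SHA-256 recorded when the package was obtained) and the permission policy are assumptions.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large firmware images are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(package, store_dir, known_good):
    """Return reasons to refuse the update; an empty list means proceed.

    known_good maps file name -> SHA-256 recorded when the package was
    obtained from the vendor (assumed manifest format).
    """
    problems = []
    real_pkg = os.path.realpath(package)
    real_store = os.path.realpath(store_dir)
    # realpath resolves symlinks, so a link pointing outside the store fails.
    if os.path.commonpath([real_pkg, real_store]) != real_store:
        problems.append("package is outside the restricted store")
    for label, path in (("store", real_store), ("package", real_pkg)):
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} is writable by group or other")
    expected = known_good.get(os.path.basename(real_pkg))
    if expected is None:
        problems.append("package is not on the allowlist")
    elif sha256_file(real_pkg) != expected:
        problems.append("digest differs from the recorded one")
    return problems


def demo():
    """Run the check against constructed files in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        store, inbox = os.path.join(root, "store"), os.path.join(root, "inbox")
        for directory in (store, inbox):
            os.mkdir(directory)
            os.chmod(directory, 0o750)
        stored = os.path.join(store, "idrac_fw.bin")  # constructed file name
        stray = os.path.join(inbox, "idrac_fw.bin")   # same bytes, wrong place
        for path in (stored, stray):
            with open(path, "wb") as handle:
                handle.write(b"constructed firmware image")
            os.chmod(path, 0o640)
        known_good = {"idrac_fw.bin": sha256_file(stored)}
        results = {
            "stored": preflight(stored, store, known_good),
            "stray": preflight(stray, store, known_good),
        }
        with open(stored, "ab") as handle:  # simulate a modified image
            handle.write(b"\x00")
        results["tampered"] = preflight(stored, store, known_good)
        return results


if __name__ == "__main__":
    print(demo())
```

The check complements, and does not replace, the signature verification that iDRAC7 performs on the image itself.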

Note the following exceptions:

  • a malicious administrator could flash a rogue firmware
  • an administrator could be the victim of social engineering and be fooled into updating with non-authentic firmware
  • an administrator could have his credentials compromised

Of course all three of these exceptions are not unique to iDRAC and underscore the importance of the human factor in maintaining good security.

To account for these exceptions and further enhance security, iDRAC7 (present in Dell PowerEdge 12th Generation servers) improves upon previous iDRAC versions by requiring that the firmware image also be digitally signed, robustly ensuring that even in the face of the three exceptions noted above, iDRAC7 will reject unauthorized firmware. Thanks to the design factors discussed above, iDRAC is highly resistant to the kinds of viruses and malware that are typically seen on PCs and industry standard servers.

To learn more about the Dell Remote Access Controller, visit www.delltechcenter.com/iDRAC

 

 


iDRAC7 Quick Start Guide Published


A quick start guide has been published that covers iDRAC7 with firmware version 1.30.30 or later.

The guide is intended to simplify the setup process for new iDRAC7 users, and it also covers use of some of the fundamental iDRAC7 features.

It walks the user step-by-step through:

  • Initial network setup
  • Logging in to the web interface
  • Checking the license level / upgrading the license
  • Managing user accounts
  • Firmware updates
  • Using Virtual console
  • Viewing Logs
  • Setting the iDRAC time
  • Resetting the iDRAC to its factory default settings

The guide can be downloaded from the following link:

iDRAC7 with Lifecycle Controller 2 Quick Start Guide

It is also available for ftp download here.

 

 

For more information about Lifecycle Controller and Dell iDRAC7, visit:

What happened to the Keyboard Macros on iDRAC7 ?


This blog post has been written by Dave Collier and Ananthanarayanan AK from iDRAC team.

When using the iDRAC7 virtual Console, you may find that many of the macros you’ve become accustomed to using have disappeared. Where did they go?

With the release of the iDRAC7 1.30.30 firmware or later, many of the macros have been eliminated. They’ve been replaced by an enhanced Pass all keystrokes to server feature, which is now enabled by default. With this new design, in most cases, rather than having to break your normal workflow by going to the virtual Console Macros menu, you can now just use your keyboard as if you were working directly on the server. The Macro keys are now only required when your client operating system would intercept the keystrokes instead of allowing them to pass. Since different client operating systems intercept different keystrokes, the virtual Console Macro menu is now client OS context sensitive, listing only the keystroke combinations that the client OS will intercept and act on. For example, the Macros menu for all clients will show the <Ctrl><Alt><Del> and <Alt><SysRq>b key combinations. Linux clients add a cascade menu for <Ctrl><Alt><Fn> keys. Mac OS clients have the two standard key combinations plus 5 others.

The Pass all keystrokes to server feature can be disabled by going to the Tools menu, selecting Session Options and clearing the feature checkbox.

Note that, even if the Pass all keystrokes to server feature is disabled in this manner, when the virtual Console window is put in full-screen mode, all keystrokes will be passed to the server (temporarily re-enabling the feature). Also note that the state of the Pass all keystrokes to server feature is not persistent; each time virtual Console is launched, the feature will be defaulted to on.

We at Dell hope you find that the refined key combinations and the enhanced Pass all keystrokes to server feature streamline your server management processes. Please give us feedback on how we’re doing and what new features you’d like to see.


Additional Information

More information on iDRAC

Don’t want to use F9 to exit Single Cursor Mode on iDRAC7? You don’t have to!


This blog post has been written by Dave Collier from the iDRAC team.

With the release of iDRAC7 1.30.30 and later firmware for iDRAC7 on the 12th generation PowerEdge Servers, you no longer have to use the F9 key to exit Single Cursor mode. In fact, the Escape key is now the default to exit Single Cursor mode, but this is configurable.

 For those unfamiliar with Single Cursor Mode, depending on your Virtual Console’s mouse acceleration and your host system’s operating system (and configuration), there may be times when two mouse cursors are displayed on the Virtual Console. A quick and easy way to address this is to switch to Single Cursor Mode in the Virtual Console. To switch to Single Cursor mode, go to the Virtual Console’s Tools menu and select Single Cursor. Once in single cursor mode, the client cursor will be hidden;  only the managed host’s cursor will be displayed, and that cursor will be captured within the boundaries of the Virtual Console window. In order to reactivate the client’s cursor (to work outside the boundaries of the Virtual Console window) you’ll need to exit Single Cursor mode.

 As explained above, the Escape key is now the default for exiting Single Cursor mode. You may decide that the Escape key is not the best choice for the way you work… If that’s the case and you want to change the key, here’s how to do it: In Virtual Console, open the Tools menu and select Session Options. Click on the Mouse tab, and in the Termination Key field, select the key you want to use, then click Apply.

We at Dell hope you find that this feature enhancement helps streamline your server management processes. Please give us feedback on how we’re doing and what new features and enhancements you’d like to see.


Additional Information

More information on iDRAC

WSMAN Request Redirection from the Host OS to iDRAC


As more and more management functionality is added to iDRAC (Service Processor), there is less and less need for fat proprietary agents running in the operating system to enable system management and monitoring. In pursuit of this idea, multiple management capabilities are being pushed to iDRAC, and Dell has started working on enabling system management with thinner and thinner agents in the OS. https://fedoraproject.org/wiki/Features/AgentFreeManagement describes some of these initiatives, and one of them is WSMAN request redirection.

Recently a new plugin was pushed to openwsman which enables the redirection of wsman requests from the host to iDRAC (or any remote wsman server). Essentially, the openwsman service running in the host acts as a proxy: it filters the incoming requests based on the ResourceUri and forwards the matching requests to iDRAC. The host's openwsman daemon (the proxy) then captures the response from iDRAC (or the remote server) and forwards it to the primary client. This setup enables system management and monitoring without having to install any proprietary management agents in the OS.

NOTE: the redirection plugin is only available in 2.3.6 and higher versions of openwsman.

 

To enable WSMAN request redirection to iDRAC, the following section has to be added to the openwsman.conf file:

[redirect]

#mandatory fields

server='192.168.1.120'

resource='http://schemas.dell.com/wbem/wscim/1/cim-schema/2'

port=443

cacert='/etc/idrac.cert'

username='root'

password='calvin'

 

#optional Fields

#default is /wsman

url_path='/wsman'

#default is basic

authentication_method='basic'

#default is root/cimv2

cim_namespace='root/cimv2'

#default is 0

noverifypeer=0

#default is 0

noverifyhost=0

#default is NULL

sslkey=NULL

#default is NULL

cl_cert=NULL

 

With the above configuration section added to openwsman.conf, any WSMAN request coming to the host with ResourceURI http://schemas.dell.com/wbem/wscim/1/cim-schema/2/* will be redirected to iDRAC, and all other requests will be handled by one of the other openwsman plugins in the host. In the above example, 192.168.1.120 is the IP address of iDRAC, listening at port 443.

iDRAC has SSL enabled by default, so the server's identity certificate has to be provided to the redirect plugin. Please note that even when noverifypeer is set to 1 (where the server certificate is not verified), a dummy cert has to be provided in the redirect section. For production servers, it is always recommended to have noverifypeer=0 and noverifyhost=0.
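A check that can be run over openwsman.conf before a host goes into production, flagging the [redirect] settings discussed above. This is an added example, not part of the original post or of openwsman; the sample configuration is constructed from the section shown earlier, and the finding texts and the file-permission policy are assumptions.

```python
import configparser

# Constructed sample: the post's [redirect] section with peer verification
# switched off, as a lab setup might leave it.
SAMPLE_CONF = """\
[redirect]
#mandatory fields
server='192.168.1.120'
resource='http://schemas.dell.com/wbem/wscim/1/cim-schema/2'
port=443
cacert='/etc/idrac.cert'
username='root'
password='calvin'
#optional fields
noverifypeer=1
noverifyhost=0
"""

# Credential pairs that must never reach production (iDRAC factory default).
DEFAULT_CREDENTIALS = {("root", "calvin")}


def load_redirect(conf_text):
    """Return the [redirect] options as a dict, or None if the section is absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("redirect"):
        return None
    # Values in the post are wrapped in single quotes; strip them for comparison.
    return {k: v.strip().strip("'\"") for k, v in parser.items("redirect")}


def audit_redirect(conf_text, file_mode=None):
    """Return (option, finding) pairs for risky settings in [redirect].

    file_mode is the st_mode of openwsman.conf (os.stat(path).st_mode), if known.
    """
    cfg = load_redirect(conf_text)
    if cfg is None:
        return []  # redirection is not configured on this host
    findings = []
    for option in ("noverifypeer", "noverifyhost"):
        if cfg.get(option, "0") != "0":  # the post gives 0 as the default
            findings.append((option, "TLS verification of the iDRAC is disabled"))
    if not cfg.get("cacert"):
        findings.append(("cacert", "no certificate configured for the iDRAC"))
    if (cfg.get("username"), cfg.get("password")) in DEFAULT_CREDENTIALS:
        findings.append(("password", "factory-default iDRAC credentials"))
    if "password" in cfg and file_mode is not None and file_mode & 0o077:
        findings.append(("permissions", "cleartext password readable by group/other"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_redirect(SAMPLE_CONF, file_mode=0o100644):
        print(f"{option}: {finding}")
```

Leaving username and password out of the section, so that they are taken from the primary request, also keeps the iDRAC credentials out of the file.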

 

The username and password values will be imported from the primary wsman request if none are provided in the redirect section. The rest of the values pick up the defaults shown in the configuration above. Now an example:

 

wsman enumerate http://schemas.dell.com/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_ComputerSystem -h host_ip -V -v -c dummy.cert -P 5986 -u root -p password -y -O out

NOTE: The username, password and cert provided in the primary wsman command are used to authenticate to the host. The details captured in the openwsman.conf file are used to authenticate to iDRAC.

 

Sending the above request to a host produces output similar to the following:

<?xml version="1.0" encoding="UTF-8"?>

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:n1="http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_ComputerSystem">

<s:Header>

<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>

<wsa:Action>http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateResponse</wsa:Action>

<wsa:RelatesTo>uuid:c987c6d4-d8c4-18c4-8002-a52924d9bed4</wsa:RelatesTo>

<wsman:TotalItemsCountEstimate>1</wsman:TotalItemsCountEstimate>

<wsa:MessageID>uuid:c4910753-d8c9-18c9-8258-b12ca052aed4</wsa:MessageID>

<wsman:TotalItemsCountEstimate>1</wsman:TotalItemsCountEstimate>

</s:Header>

<s:Body>

<wsen:EnumerateResponse>

<wsman:Items>

<n1:DCIM_ComputerSystem>

<n1:CreationClassName>DCIM_ComputerSystem</n1:CreationClassName>

<n1:Dedicated>0</n1:Dedicated>

<n1:ElementName>host-8-23.lab</n1:ElementName>

<n1:EnabledState>5</n1:EnabledState>

<n1:HealthState>25</n1:HealthState>

<n1:IdentifyingDescriptions>CIM:GUID</n1:IdentifyingDescriptions>

<n1:IdentifyingDescriptions>CIM:Tag</n1:IdentifyingDescriptions>

<n1:IdentifyingDescriptions>DCIM:ServiceTag</n1:IdentifyingDescriptions>

<n1:Name>srv:system</n1:Name>

<n1:OperationalStatus>6</n1:OperationalStatus>

<n1:OtherIdentifyingInfo>4c4c4544-0036-4710-8046-c3c04f515631</n1:OtherIdentifyingInfo>

<n1:OtherIdentifyingInfo>mainsystemchassis</n1:OtherIdentifyingInfo>

<n1:OtherIdentifyingInfo>ABCDEFG</n1:OtherIdentifyingInfo>

<n1:PrimaryStatus>3</n1:PrimaryStatus>

<n1:RequestedState>0</n1:RequestedState>

</n1:DCIM_ComputerSystem>

</wsman:Items>

<wsen:EnumerationContext/>

<wsman:EndOfSequence/>

<wsen:EnumerationContext/>

<wsman:EndOfSequence/>

</wsen:EnumerateResponse>

</s:Body>

</s:Envelope>

 

 

The wsman redirection works with the standard Actions like enumerate, get, put, create, delete and invoke. The requests for associations on iDRAC CANNOT be redirected. Also, redirection for WSMAN indications is not enabled yet.

 

On a side note, OpenLMI (https://fedorahosted.org/openlmi/) is an initiative to provide common infrastructure to enable management and monitoring of Linux systems. This project provides low-level interfaces to hardware and software management and monitoring in the form of CIMOM providers. The targets of this effort are the in-band components like services, network, storage, etc. After registering these providers with a CIMOM, they can be accessed via WSMAN too.

Having wsman redirection enabled (to iDRAC) and the OpenLMI providers registered will give admins a single interface for managing both in-band and out-of-band components via WSMAN.

Lifecycle Controller Backup and Restore Passphrase Rules


For 11G and 12G PowerEdge systems, the backup and restore methods have an optional parameter to enter a passphrase. If a passphrase is used, it must be correctly entered in order for the restore operation to be successful. Passphrases shall be validated against the following rules:

  1. Must be 8-32 characters in length
  2. Must contain 1 Uppercase letter
  3. Must contain 1 Lowercase letter
  4. Must contain 1 Number
  5. Must contain 1 Special character

See more about Lifecycle Controller (LC), here.

See more about Backup and Restore in the LC Best Practice Guide, here.
