Tag Archives: proliant

Power on HP ProLiant servers with iLO, SSH & Plink

This posting is ~6 years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Some weeks ago, Frank Denneman wrote a short blog post about accessing his Supermicro IPMI with SSH. He used this access to power on his lab servers. I don’t use Supermicro boards in my lab, but I have four HP ProLiants with iLO, and iLO also has an SSH interface. This way to power on my servers seemed very practical, especially because the iLO web interface isn’t the fastest. But I wanted it a bit more automated, so I decided to use Plink to send commands via SSH.

Create a new user account

I created a new user account in the iLO user database. This user has only the rights to change the power state of the server. Log in to the iLO web interface. Click on “Administration”, then “User Administration” and “New”.

[Screenshot: ilo_create_sshlogin_1 (Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0)]

Fill in the required fields. You have to enter a password, even if you later log in with SSH public key authentication. Only allow “Virtual Power and Reset”. All other rights should be disallowed. Click “Save User Information”.

Create SSH key pair

I used the PuTTY Key Generator to create the necessary SSH key pair. Click “Generate” and move the mouse in the blank field.

Enter the username of the newly created user in the “Key comment” field. Copy the public key into a text file. You need this file for the key import into iLO. Then save the public and private key.

Key import

To import the key, log in to the iLO web interface again. Click “Administration”, then “Security” in the “Settings” area on the left. Click “Browse…” and select the text file with the SSH public key. The key that is shown in the “Key” area of the PuTTY Key Generator differs from the saved public key. Both are public keys, but they have a different format. You have to import the key that is shown in the “Key” area.

If you have imported the right key, the key is automatically assigned to the new user.

The test

Open a CMD and change to the directory with the Plink executable and the SSH private key. The following command turns the server on.

To turn off, simply use this command:

A warm reset can be requested by using this command:

A cold reset can be requested by using this command:

You can put these commands into a batch file to power on/off a couple of servers with a single click.
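One way to script the multi-server case, written in PowerShell rather than as a batch file (an added example, not the commands from the original post). The host names, account name, key file and host key fingerprints are placeholders, and the `power on`, `power off`, `power warm` and `power reset` commands are those of the iLO command line interface.

```powershell
# Added example. Host names, the account name, the key path and the
# host key fingerprints are placeholders, not values from the post.
$Plink   = '.\plink.exe'
$KeyFile = '.\ilo-power.ppk'   # private key saved from the PuTTY Key Generator
$User    = 'ilopower'          # iLO account allowed only "Virtual Power and Reset"

# iLO name -> expected SSH host key fingerprint. Pinning the key makes plink
# refuse a host whose key is unknown or has changed.
$Servers = [ordered]@{
    'ilo-esx1.lab.example' = '<host key fingerprint of ilo-esx1>'
    'ilo-esx2.lab.example' = '<host key fingerprint of ilo-esx2>'
}

function Invoke-IloPower {
    param(
        # on / off, warm (warm reset) or reset (cold reset)
        [ValidateSet('on', 'off', 'warm', 'reset')]
        [string] $State = 'on'
    )
    foreach ($ilo in $Servers.GetEnumerator()) {
        # -batch disables interactive prompts, so a key or login problem
        # fails immediately instead of hanging the script.
        $plinkArgs = @('-ssh', '-batch', '-i', $KeyFile, '-l', $User,
                       '-hostkey', $ilo.Value, $ilo.Key, "power $State")
        & $Plink @plinkArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$($ilo.Key): plink exited with code $LASTEXITCODE"
        }
    }
}

Invoke-IloPower -State on
```

Because `-batch` cannot prompt for a passphrase, the private key has to be stored unencrypted or served by Pageant; restrict the file's permissions to the account that runs the script.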

Replace HP iLO security certificates

When you access the HP iLO web interface, you will be redirected to an HTTPS website. This connection is usually secured by a self-signed SSL certificate. To replace this certificate with a certificate that was issued by your own CA, you have to complete several steps. I will guide you through the steps. I focused on HP iLO 2, but the steps are similar for iLO 3 or iLO 4.

The requirements

We need:

  • an iLO interface that is connected to the network and that has an IP address assigned
  • access to this iLO interface
  • a CA and access to it
  • a web browser

Create the Certificate Signing Request (CSR)

Before we can issue the certificate, we need to create a certificate signing request. This request is used by the CA to create the digital certificate. The CSR contains information identifying the applicant. This is e.g. the distinguished name (DN), which is the FQDN for a web server. To create a CSR we have to log in to the iLO web interface.

Create the CSR, issue and install the certificate

I use a Microsoft Windows Server 2012 R2 CA in my lab. This CA is integrated into my Active Directory and I use it to issue certificates for my lab infrastructure. Because it’s my lab, I don’t use a two-tier CA with an offline root CA. ;) But if you are interested in how to set this up, I recommend these two excellent articles written by Derek Seaman and posted on his blog: Windows Server 2012 R2 Two-Tier PKI CA Pt. 1 & Windows Server 2012 R2 Two-Tier PKI CA Pt. 2.

To create a CSR we have to log in to iLO and access the “Administration” tab. Then select “Security” from the left menu.

Usually the lower fields are greyed out, so you have to enable “Customized CSR”. Then you can fill the lower, now enabled fields, with values. Don’t forget to hit apply.

A little further down the page, you can create a certificate request.

Click the “Create Certificate Request” button. The certificate request will be generated and you will be forwarded to the next page. Now you have to copy the request into a text file or you can paste it directly into your CA. I use a W2K12 R2 CA which is running on another host. So I copied the text into a file and saved the file as ilo-esx1.csr.

Now it’s time to issue the certificate. I copied the CSR to my CA into a temp directory. Open an elevated CMD, switch to the directory with the CSR and run the following command:

A window will pop up where you have to choose the CA. Because I only have one CA, I can’t choose much… Select your CA and click “OK”. Copy the pem file to your client (or wherever you have the browser with the iLO open), click “Next Step” and then paste the content of the pem file into the text field.

Click “Install Certificate”.

If you click “Restart” a counter will appear. After 60 seconds you will be redirected to the login page. Please note that you have to access the login page via the FQDN. Otherwise you will get a certificate error.

Summary

Essentially there is nothing special. It’s much easier than doing this for a VMware environment… It’s a simple three-step plan: 1. Create the CSR, 2. issue a certificate by using the CSR and 3. install the certificate. Don’t forget to import the CA certificate into your browser. Otherwise you will still get this nasty security warning…
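To check the result without a browser, the following added PowerShell example (not part of the original post) connects to the iLO and reports the certificate it presents, together with the two failure modes mentioned above: access by something other than the FQDN, and a CA certificate that is not trusted on the client. The host name and IP address in the usage lines are placeholders.

```powershell
# Added example. The host name and address in the usage lines are placeholders.
function Test-IloCertificate {
    param(
        [Parameter(Mandatory)] [string] $Target,   # FQDN or IP address to connect to
        [int] $Port = 443
    )
    $seen = @{ Cert = $null; Errors = $null }
    # Record what Windows thinks of the certificate, then let the handshake
    # finish. Nothing is sent over the connection; the result is only reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $seen.Errors = $policyErrors
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($Target) } finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    [pscustomobject]@{
        Target       = $Target
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        NotAfter     = $seen.Cert.NotAfter
        # None                          : name matches and the chain is trusted
        # RemoteCertificateNameMismatch : $Target is not a name in the certificate
        # RemoteCertificateChainErrors  : issuing CA is not trusted on this client
        PolicyErrors = $seen.Errors
    }
}

# Compare access by FQDN with access by IP address.
Test-IloCertificate -Target 'ilo-esx1.lab.example'
Test-IloCertificate -Target '192.0.2.10'
```

On older iLO firmware the handshake itself can fail if the client OS has disabled the TLS versions the iLO offers; that is a protocol problem, not a certificate result.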

Trouble with Broadcom NetXtreme II and VMware ESXi

Today I faced a really nasty problem. I have four HP ProLiant DL360 G6 in my lab. This server type has two 1 GbE NICs with the Broadcom NetXtreme II BCM5709 chip onboard, which are usually claimed by the bnx2 driver. While applying a host profile to three of the hosts, one host reported an error. Supposedly the host didn’t have a vmnic0, and because of this the host profile couldn’t be applied. Okay, quick check in the vSphere Web Client: Only three NICs. C# client showed the same result. Now it was interesting:

Okay… lspci shows four NICs, esxcfg-nics only three.

Okay, vmnic0 is claimed by a driver. Quick check with another DL360 G6. Same firmware and driver. Let’s dig deeper.

Ah, okay. That looks interesting:

At this point I asked Google and found a discussion in the VMTN, in which @VirtuallyMikeB had participated. Unfortunately the posted solution (power off the server and pull the power cables) didn’t help (would have surprised me…). This solution was found in this blog article. Although this was not the solution, it prompted me to start another attempt: A firmware update, because this may reset the NIC as well. I started the server from a USB stick with the current SPP 2014.02. The automatic firmware update updated the BIOS, the iLO board, NICs, the Smart Array controller, the whole damn server, every part of it. Okay, the server was a “bit” outdated… To make a long story short: The firmware update did the trick.

EDIT: And it seems that I’m not the only one…

A word of warning: Julian Wood wrote a blog article about a firmware update that kills Broadcom NICs in HP ProLiant G2 up to G7 servers. He also links to a customer advisory from HP. The following NICs are affected:

  • HP NC373T PCIe Multifunction Gig Server Adapter
  • HP NC373F PCIe Multifunction Gig Server Adapter
  • HP NC373i Multifunction Gigabit Server Adapter
  • HP NC374m PCIe Multifunction Adapter
  • HP NC373m Multifunction Gigabit Server Adapter
  • HP NC324i PCIe Dual Port Gigabit Server Adapter
  • HP NC326i PCIe Dual Port Gigabit Server Adapter
  • HP NC326m PCI Express Dual Port Gigabit Server Adapter
  • HP NC325m PCIe Quad Port Gigabit Server Adapter
  • HP NC320i PCIe Gigabit Server Adapter
  • HP NC320m PCI Express Gigabit Server Adapter
  • HP NC382i DP Multifunction Gigabit Server Adapter
  • HP NC382T PCIe DP Multifunction Gigabit Server Adapter
  • HP NC382m DP 1GbE Multifunction BL-c Adapter
  • HP NC105i PCIe Gigabit Server Adapter

Don’t update the affected NICs with the HP Smart Update Manager (HP SUM) or the HP Service Pack for ProLiant (HP SPP) 2014.2.0. If you update one of the affected NICs with the firmware smart component, be sure to avoid updating the Comprehensive Configuration Management (CCM) firmware to version 7.8.21.

EDIT: Hewlett-Packard published HP Service Pack for ProLiant (SPP) Version 2014.02.0(B), which addresses several issues, not only the issue with Broadcom NICs. This is taken from the HP website:

This updated version of the SPP was released to address the OpenSSL issue. See HPN Customer Notice: OpenSSL HeartBleed Vulnerability. Additionally for Red Hat Enterprise Linux 6 customers, please reference the Red Hat knowledge base article, OpenSSL CVE-2014-0160. Products affected:

  • HP Onboard Administrator for Windows and Linux version 4.12 replaced 4.11
  • HP System Management Homepage for Windows and Linux version 7.3.2 replaced 7.3.1.4
  • HP Integrated Lights-Out 2 for Windows and Linux version 2.25 replaced 2.23
  • HP BladeSystem c-Class Virtual Connect Firmware, Ethernet plus 4/8Gb 20-port and 8Gb 24-port FC Edition Component for Windows and Linux version 4.10(b) replaced 4.10
  • HP Smart Update Manager version 6.3.1 replaced 6.2.0

This release also resolves the Broadcom Comprehensive Configuration Management Firmware issue with version 7.8.21 found in the Service Pack for ProLiant 2014.02.0. See Customer Advisory c04258304 for additional information.

Thanks to Rotem Agmon, who has posted a comment with this information.