Managing chassis

Lenovo XClarity Administrator can manage several types of systems, including the Flex System chassis.

Before you begin

Note: Chassis components (such as CMMs, Flex compute nodes, and Flex switches) are discovered and managed automatically when you manage the chassis that contains them. You cannot discover and manage chassis components separately from the chassis.
Before managing chassis, ensure that the following conditions are met:
  • Review the management considerations before managing a device. For information, see Management considerations.

  • Certain ports must be available to communicate with the CMM for the chassis being managed. Ensure that these ports are available before you attempt to manage a chassis. For more information about ports, see Port availability.

  • Ensure that the minimum required firmware is installed on each chassis that you want to manage using XClarity Administrator. For information about firmware requirements, see Supported firmware.

  • Ensure that the Number of simultaneous active sessions for LDAP users setting in the CMM is set to 0 (zero) for the chassis. You can verify this setting from the CMM web interface by clicking Mgmt Module Management > User Accounts, clicking Global Login Settings, and then clicking the General tab.

  • Ensure that there are at least three TCP command-mode sessions set for out-of-band communication with the CMM. For information about setting the number of sessions, see tcpcmdmode command in the CMM online documentation.

  • To discover a chassis that is on a different subnet from XClarity Administrator, ensure that one of the following conditions is met:

    • Ensure that you enable multicast SLP forwarding on the top-of-rack switches, as well as the routers in your environment. See the documentation that was provided with your specific switch or router to determine whether multicast SLP forwarding is enabled and to find procedures to enable it if it is disabled.

    • If SLP is disabled on the endpoint or on the network, you can use the DNS discovery method instead by manually adding a service record (SRV record) for XClarity Administrator to your domain name server (DNS), for example:

      service = 0 0 443

      Then, enable DNS discovery on the CMM from the management web interface, by clicking Mgt Module Management > Network Protocol, clicking the DNS tab, and selecting Use DNS to discover Lenovo XClarity Administrator.

      • The CMM must be running a firmware level dated May 2017 to support automatic discovery using DNS.

      • If there are multiple XClarity Administrator instances in your environment, the chassis is discovered only by the instance that is the first to respond to the discovery request. The chassis is not discovered by all instances.

Consider implementing either IPv4 or IPv6 addresses for all CMMs and Flex switches that are managed by XClarity Administrator. If you implement IPv4 for some CMMs and Flex switches and IPv6 for others, some events might not be received in the audit log (or as audit traps).

Attention: If you intend to manage CMMs that are running a firmware level of Flex stack release 2PET12K through 2PET12Q, that have been running more than three weeks, and that are in a dual-CMM configuration, you must virtually reseat the CMMs before updating firmware using XClarity Administrator.
Important: If you intend to use other management software in addition to Lenovo XClarity Administrator to monitor your chassis, and if that management software uses SNMPv3 communication, you must first create a local CMM user ID that is configured with the appropriate SNMPv3 information and then log in to the CMM using that user ID and change the password. For more information, see Using another management software in tandem with Lenovo XClarity Administrator.

About this task

XClarity Administrator can automatically discover chassis in your environment by probing for manageable systems that are on the same IP subnet as XClarity Administrator. To discover chassis that are in other subnets, specify an IP address or range of IP addresses, or import information from a spreadsheet.

After the chassis are managed by XClarity Administrator, XClarity Administrator polls each managed chassis periodically to collect information, such as inventory, vital product data, and status. You can view and monitor each managed chassis and perform management actions (such as configuring system information, network settings, and failover). For chassis that are in protected mode, management actions are disabled.

Chassis are managed using XClarity Administrator managed authentication.

By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.
  • When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.

    You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).

    • RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.

  • Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.

    • When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials).

      The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact on the management or monitoring of that device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
    • If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.

    • If an SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when using an SAML identity provider and an LDAP server together, if the identity provider uses accounts that exist in the LDAP server, LDAP user accounts can be used to log into the managed devices while the more advanced authentication methods that are provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be used to log into XClarity Administrator.

    • Single sign-on allows a user that is already logged in to XClarity Administrator to automatically log in to the baseboard management controller (XCC). Single sign-on is enabled by default when a ThinkSystem or ThinkAgile server is brought into management by XClarity Administrator (unless the server is managed with CyberArk passwords). You can configure the global setting to enable or disable single sign-on for all managed ThinkSystem and ThinkAgile servers. Enabling single sign-on for a specific ThinkSystem and ThinkAgile server overrides the global setting for all ThinkSystem and ThinkAgile servers (see Managing servers).

      Note: Single sign-on is disabled automatically when using the CyberArk identity-management system for authentication.
    • When managed authentication is enabled for ThinkSystem SR635 and SR655 servers:

      • Baseboard management-controller firmware supports up to five LDAP user roles. XClarity Administrator adds these LDAP user roles to the servers during management: lxc-supervisor, lxc-sysmgr, lxc-admin, lxc-fw-admin, and lxc-os-admin.

        Users must be assigned to at least one of the specified LDAP user roles to communicate with ThinkSystem SR635 and SR655 servers.

      • Management-controller firmware does not support LDAP users with the same username as a local user of the server.

    • For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix LXCA_ followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the LXCA_ user account is disabled, and the prefix LXCA_ is replaced with the prefix DISABLED_. To determine whether a ThinkServer server is managed by another instance, XClarity Administrator checks for IPMI accounts with the prefix LXCA_. If you choose to force management of a managed ThinkServer server, all the IPMI accounts on the device with the LXCA_ prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.

      In XClarity Administrator v2.4 and later, if you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
      • Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.

      • When you unmanage a device, XClarity Administrator does not delete stored credentials that were automatically created for that device during the management process.
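For the manual cleanup of IPMI accounts on ThinkServer and System x M4 servers described above, the following added example (not Lenovo code) groups a server's IPMI accounts by the LXCA_ and DISABLED_ prefixes and lists the ones to review. It assumes the account list comes from `ipmitool user list`, uses a constructed sample with invented account names, and treats more than one LXCA_ account as a review item, which is a heuristic assumed here.

```python
# Prefixes this page describes for XClarity-created IPMI accounts.
ACTIVE_PREFIX = "LXCA_"
RETIRED_PREFIX = "DISABLED_"

# Constructed sample shaped like `ipmitool user list` output (assumed layout).
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   admin            true    true       true       ADMINISTRATOR
3   LXCA_k3Xw9Q      true    true       true       ADMINISTRATOR
4   DISABLED_a81Zr   true    false      false      NO ACCESS
5   LXCA_77bTq0      true    true       true       ADMINISTRATOR
"""

def parse_user_list(text):
    """Return (user_id, name) for each populated slot; skip header and empty slots."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].isdigit():
            continue  # header or blank line
        if tokens[1] in ("true", "false"):
            continue  # slot has no name: the first flag column follows the ID
        users.append((int(tokens[0]), tokens[1]))
    return users

def audit_accounts(text):
    """Group accounts by the prefixes XClarity Administrator applies."""
    report = {"active": [], "retired": [], "other": []}
    for uid, name in parse_user_list(text):
        if name.startswith(ACTIVE_PREFIX):
            report["active"].append((uid, name))
        elif name.startswith(RETIRED_PREFIX):
            report["retired"].append((uid, name))
        else:
            report["other"].append((uid, name))
    return report

def findings(report):
    """Turn the grouped accounts into review items (heuristics assumed here)."""
    notes = [f"slot {uid}: {name} was renamed at unmanage; candidate for clearing"
             for uid, name in report["retired"]]
    if len(report["active"]) > 1:
        names = ", ".join(name for _, name in report["active"])
        notes.append(f"more than one {ACTIVE_PREFIX} account ({names}); confirm which is in use")
    return notes

if __name__ == "__main__":
    for note in findings(audit_accounts(SAMPLE_USER_LIST)):
        print(note)
```
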

A device can be managed by only one XClarity Administrator instance at a time. Management by multiple XClarity Administrator instances is not supported. If a device is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the device on the initial XClarity Administrator, and then manage it with the new XClarity Administrator. If an error occurs during the unmanagement process, you can select the Force management option during management on the new XClarity Administrator.

Note: When scanning the network for manageable devices, XClarity Administrator does not know whether a device is already managed by another manager until after it attempts to manage the device.
During the management process, XClarity Administrator performs the following actions:
  • Logs in to the chassis using the provided credentials.
  • Collects inventory for all components in each chassis, such as the CMM, compute nodes, storage devices, and Flex switches.
    Note: Some inventory data is collected after the management process completes. The chassis is in the Pending status until all inventory data is collected. You cannot perform certain tasks on a managed device (such as deploying a server pattern) until all inventory data is collected for that device and the chassis is no longer in the Pending state.
  • Configures the settings for the NTP server so that all managed devices use the NTP server from XClarity Administrator.
  • Assigns the last-edited firmware-compliance policy to the chassis.
  • For Lenovo Flex devices, optionally configures the devices' firewall rules so that incoming requests are accepted from only XClarity Administrator.
  • Exchanges security certificates with the CMM, copying the CMM security certificate into the XClarity Administrator trust store and sending the XClarity Administrator CA security certificate to the CMM. The CMM loads the certificate into the CMM trust store and distributes it to the compute-node service processors for inclusion in their trust stores.
  • Configures managed authentication. The settings for the CMM LDAP client are changed to use XClarity Administrator as the authentication server, and the Global Login Settings in the CMM are changed to External Authentication Server Only. For more information about managed authentication, see Managing the authentication server.

  • Creates the recovery user account (RECOVERY_ID). For more information about the RECOVERY_ID account, see Managing the authentication server.

Attention: When managing a chassis, the XClarity Administrator changes the maximum number of simultaneous Secure TCP Command Mode connections to 15 and sets the maximum number of simultaneous Legacy TCP Command Mode connections to 0. This overrides settings that you might have already set on the CMM.
Note: XClarity Administrator does not modify the security settings or cryptographic settings (cryptographic mode and the mode used for secure communications) during the management process. You can modify the cryptographic settings after the chassis is managed (see Configuring cryptography settings).


Complete one of the following procedures to discover and manage your chassis using XClarity Administrator.

What to do next