Managing servers

Lenovo XClarity Administrator can manage several types of systems, including ThinkAgile, ThinkSystem, Converged, Flex System, NeXtScale, System x®, and ThinkServer® servers.

Before you begin

Note: Flex compute nodes are discovered and managed automatically when you manage the chassis that contains them. You cannot discover and managed Flex compute nodes independent of the chassis.

You can discover and manage Flex Power Systems compute nodes; however, you can use XClarity Administrator only to view properties and status for those servers. You must use other management alternative (such as Flex System Manager or Flex Power Systems Hardware Management Console) to take any management-related actions on the devices, such as updating firmware or configuring the device. You cannot use the Flex System Manager management node and the XClarity Administrator to manage compute nodes in the same chassis.

Note: If you have a managed chassis that contains both Flex System and Flex Power System compute nodes, and you cannot log in to the Flex Power System compute nodes directly, see Cannot log in to managed Flex Power System servers.
Before managing servers, ensure that the following conditions are met:
  • Review the management considerations before managing a device. For information, see Management considerations.

  • Certain ports must be available to communicate with devices. Ensure that all required ports are available before you attempt to manage servers. For information about ports, see Port availability.

  • Ensure that the minimum required firmware is installed on each server that you want to manage using XClarity Administrator. For information about firmware requirements, see Supported firmware.

  • Ensure that CIM over HTTPS is enabled on the device.
    1. Log in to the management web interface for the server using the RECOVERY_ID user account,

    2. Click IMM Management > Security.

    3. Click the CIM Over HTTPS tab, and ensure that Enable CIM Over HTTPS is selected.

  • For ThinkSystem SR635 and SR655 servers, ensure that IPMI over LAN is enabled. IPMI over LAN is disabled by default on these servers and must be manually enabled before the servers can be managed. To enable IPMI over LAN using TSM, click Settings > IPMI Configuration. You might need to restart the server to activate the change.

  • If the device's server certificate is signed by an external certificate authority, ensure that the certificate authority certificate and any intermediate certificates are imported into the XClarity Administrator trust store (see Deploying customized server certificates to managed devices).

  • To discover a server that is on a different subnet from XClarity Administrator, ensure that one of the following conditions are met:
    • Ensure that you enable multicast SLP forwarding on the top-of-rack switches, as well as the routers in your environment. See the documentation that was provided with your specific switch or router to determine whether multicast SLP forwarding is enabled and to find procedures to enable it if it is disabled.

    • If SLP is disabled on the endpoint or on the network, you can use DNS discovery method instead by manually adding a service record (SRV record) to your domain name server (DNS), for XClarity Administrator for example

      _lxca._tcp.labs.lenovo.com  service = 0 0 443 fvt-xhmc3.labs.lenovo.com.

      Then, enable DNS discovery on the baseboard management console from the management web interface, by clicking IMM Management > Network Protocol, clicking the DNS tab, and selecting Use DNS to discover Lenovo XClarity Administrator.

      Note:
      • The management controller must be running a firmware level dated May 2017 or later to support automatic discovery using DNS.

      • If there are multiple XClarity Administrator instances in your environment, the server is discovered only by the instance that is the first to respond to the discovery request. The server is not discovered by all instances.

  • To discover and manage ThinkServer servers, ensure that the following requirements are met. For more information, see Cannot discover a device and Cannot manage a device.
    • The hostname of the server must be configured using a valid hostname or IP address if you want XClarity Administrator to discover the servers automatically.

    • The network configuration must allow SLP traffic between XClarity Administrator and the server.

    • Unicast SLP is required.

    • If you want XClarity Administrator to automatically discover ThinkServer servers, multicast SLP is required. In addition, SLP must be enabled on the ThinkServer System Manager (TSM).

    • If ThinkServer servers are on a different network than XClarity Administrator, ensure that the network is configured to allow inbound UDP through port 162 so that XClarity Administrator can receive events for those devices.

  • For ThinkAgile, ThinkSystem, Converged, Flex System. NeXtScale, and System x servers, if you remove, replace, or configure any adapters in the server, restart the server at least once to update the new adapter information in the baseboard management controller and XClarity Administrator reports (Powering on and off a server).

  • When performing management actions on a server, ensure that the server is either powered off or powered on to the BIOS/UEFI Setup or to a running operating system. (You can boot to BIOS/UEFI Setup from the Servers page in XClarity Administrator by clicking All Actions > Power Actions > Restart to BIOS/UEFI Setup.) If server is powered on without an operating system, the management controller continuously resets the server in an attempt to find an operating system.

  • Ensure that all UEFI_Ethernet_* and UEFI_Slot_* settings are enabled in the server UEFI Settings. To verify the settings, restart the server and when the prompt <F1> Setup is displayed, press F1 to start the Setup utility. Navigate to System Settings > Devices and I/O Ports > Enable / Disable Adapter Option ROM Support, and then locate the Enable / Disable UEFI Option ROM(s) section to verify that the settings are enabled.
    Note: If supported, you can also use the Remote Console feature in the baseboard management interface to review and modify the settings remotely.
  • System x3950 X6 servers must be managed as two 4U enclosures, each with its own baseboard management controller.

About this task

XClarity Administrator can automatically discover rack and tower servers in your environment by probing for manageable devices that are on the same IP subnet as XClarity Administrator. To discover rack and tower servers that are in other subnets, specify an IP address or range of IP addresses, or import information from a spreadsheet.

Important: For System x3850 and x3950 X6 servers, you must manage each server in the scalable rack environment.

After the servers are managed by XClarity Administrator, Lenovo XClarity Administrator polls each managed server periodically to collect information, such as inventory, vital product data, and status. You can view and monitor each managed server and perform management actions (such as configuring system settings, deploying operating-system images, and powering on and off).

By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.
  • When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.

    You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).

    Note: RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.
  • Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.

    • When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials).

      The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact the management or monitoring of that device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
    • If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.

    • If an SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when using an SAML identity provider and an LDAP server together, if the identity provider uses accounts that exist in the LDAP server, LDAP user accounts can be used to log into the managed devices while the more advanced authentication methods that are provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be used to log into XClarity Administrator.

    • For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix "LXCA_" followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the "LXCA_" user account is disabled, and the prefix "LXCA_" is replaced with the prefix "DISABLED_". To determine whether a ThinkServer server is managed by another instance, XClarity Administrator checks for IPMI accounts with the prefix "LXCA_". If you choose to force management of a managed ThinkServer server, all the IPMI accounts on the device with the "LXCA_" prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.

      In XClarity Administrator v2.4 and later, if you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
      • Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.

      • When you unmanage a device, XClarity Administrator does not delete stored credentials there were automatically created for that device during the management process.

A device can be managed by only one XClarity Administrator instance at a time. Management by multiple XClarity Administrator instances is not supported. If a device is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the device on the initial XClarity Administrator, and then manage it with the new XClarity Administrator. If an error occurs during the unmanagement process, you can select the Force management option during management on the new XClarity Administrator.

Note: When scanning the network for manageable devices, XClarity Administrator does not know whether a device is already managed by another manager until after it attempts to manage the device.
Note: When scanning the network for manageable devices, XClarity Administrator does not know whether a ThinkServer device is already managed; therefore, managed ThinkServer devices might appear in the list of manageable devices.
During the management process, XClarity Administrator performs the following actions:
  • Logs in to the server using the provided credentials.
  • Collects inventory for each server.
    Note: Some inventory data is collected after the management process completes. You cannot perform certain tasks on a managed server (such as deploying a server pattern) until all inventory data is collected for that server and the server is no longer in the Pending state.
  • Configures settings for the NTP server so all managed devices use the same NTP server configuration that is configured on XClarity Administrator.
  • (System x and NeXtScale severs only) Assigns the last-edited firmware-compliance policy to the server.
  • (Lenovo System x and NeXtScale severs only) Optionally configures the devices firewall rules so that incoming requests from only XClarity Administrator are accepted.
  • (System x and NeXtScale severs only) Exchanges security certificates with the management controller, copying the CIM server certificate and the LDAP client certificate from the management controller into the XClarity Administrator trust store and sending the XClarity Administrator CA security certificate and LDAP trust certificates to the management controller. The management controller loads the certificates into the management-controller trust store so that the management controller can trust connections to the LDAP and CIM servers on the XClarity Administrator.
    Note: If the CIM server certificate or LDAP client certificate does not exist, it is created during the management process.
  • Configures managed authentication, if applicable. For more information about managed authentication, see Managing the authentication server.

  • Creates the recovery user account (RECOVERY_ID), when applicable. For more information about the RECOVERY_ID account, see Managing the authentication server.

Note: The XClarity Administrator does not modify the security settings or cryptographic settings (cryptographic mode and the mode used for secure communications) during the management process. You can modify the cryptographic settings after the server is managed (see Configuring cryptography settings).
Important: If you change the IP address of a server after the server is managed by XClarity Administrator, XClarity Administrator recognizes the new IP address and continue to manage the server. however, XClarity Administrator does not recognize the IP address change for some servers. If XClarity Administrator shows that the server is offline after the IP address was changed, manage the server again using the Force Management option.

Procedure

To manage your rack and tower servers using XClarity Administrator, complete one of the following procedures.

What to do next