Managing systems

Lenovo XClarity Administrator can manage several types of systems, including the Flex System chassis, rack and tower servers, RackSwitch switches, and storage devices. You can easily discover and manage a large number of devices that are in your environment by importing information about your devices using a bulk-import file.

Before you begin

Chassis components (such as CMMs, compute nodes, switches, and storage devices) are discovered and managed automatically when you manage the chassis that contains them. You cannot discover and manage chassis components separately from the chassis.

Certain ports must be available to communicate with the CMMs in the chassis and baseboard management controllers in the servers. Ensure that these ports are available before you attempt to manage systems. For more information about ports, see Port availability.

Ensure that the minimum required firmware is installed on each system that you want to manage using XClarity Administrator. For information about firmware requirements, see Supported firmware.

Ensure that there are at least three TCP command-mode sessions set for out-of-band communication with the CMM. For information about setting the number of sessions, see tcpcmdmode command in the CMM online documentation.

Consider implementing either IPv4 or IPv6 addresses for all CMMs and Flex switches that are managed by XClarity Administrator. If you implement IPv4 for some CMMs and Flex switches and IPv6 for others, some events might not be received in the audit log (or as audit traps).

Ensure that you enable multicast SLP forwarding on the top-of-rack switches, as well as the routers in your environment. See the documentation that was provided with your specific switch or router to determine whether multicast SLP forwarding is enabled and to find procedures to enable it if it is disabled.

Important:
  • Depending on the firmware version of the RackSwitch switch, you might need to enable multicast SLP forwarding and SSH on each RackSwitch switch manually using the following commands before the switch can be discovered and managed by XClarity Administrator. For more information, see the Rack switches in the System x online documentation.

  • Multicast SLP forwarding must be enabled on each storage device before it can be discovered by XClarity Administrator.

  • If you plan to use a customized server certificate that includes your own information or use an externally signed certificate, generate and deploy the new certificate before you begin managing systems. For information about generating your own security certificate, see Working with security certificates.

  • If you intend to use other management software in addition to Lenovo XClarity Administrator to monitor your chassis, and if that management software uses SNMPv3 communication, you must first create a local CMM user ID that is configured with the appropriate SNMPv3 information and then log in to the CMM using that user ID and change the password. For more information, see Using another management software in tandem with Lenovo XClarity Administrator.

About this task

XClarity Administrator can discover systems in your environment by probing for manageable devices that are on the same IP subnet as XClarity Administrator, by using a specified IP address or range of IP addresses, or by importing information from a spreadsheet.

By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.
  • When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.

    You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).

    Note: RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.
  • Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.

    • When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials).

      The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact on the management or monitoring of that device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
    • If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.

    • If an SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when using an SAML identity provider and an LDAP server together, if the identity provider uses accounts that exist in the LDAP server, LDAP user accounts can be used to log into the managed devices while the more advanced authentication methods that are provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be used to log into XClarity Administrator.

    • For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix "LXCA_" followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the "LXCA_" user account is disabled, and the prefix "LXCA_" is replaced with the prefix "DISABLED_". To determine whether a ThinkServer server is managed by another instance, XClarity Administrator checks for IPMI accounts with the prefix "LXCA_". If you choose to force management of a managed ThinkServer server, all the IPMI accounts on the device with the "LXCA_" prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.

      In XClarity Administrator v2.4 and later, if you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
      • Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.

      • When you unmanage a device, XClarity Administrator does not delete stored credentials that were automatically created for that device during the management process.

After systems are managed by XClarity Administrator, XClarity Administrator polls each managed system periodically to collect information, such as inventory, vital product data, and status. You can view and monitor each managed system and perform management actions (such as configuring system settings, deploying operating-system images, and powering on and off).

A system can be managed by only one XClarity Administrator at a time. Management by multiple managers is not supported. If a system is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the system on the current XClarity Administrator. Then, you can manage the system with another XClarity Administrator. For information about unmanaging a system, see Unmanaging a chassis, Unmanaging a rack or tower server, Unmanaging a RackSwitch switch and Unmanaging a Lenovo Storage or Nimble storage system.

Note: The XClarity Administrator does not modify the security settings or cryptographic settings (cryptographic mode and the mode used for secure communications) during the management process. You can modify the cryptographic settings after the system is managed (see Configuring cryptography settings).
Note: XClarity Administrator can be pre-populated with hardware inventory for a demo chassis (including CMM, compute nodes, and switches) and a demo rack or tower server that simulates real hardware. The demo devices are populated in the web interface pages and can be used to demonstrate management operations; however, the management operations will fail. For example, you can create a configuration pattern and deploy the pattern to a demo server, but the deployment will fail. You can remove the demo devices by unmanaging them (see Unmanaging a chassis and Unmanaging a rack or tower server). After the demo devices are deleted, they cannot be managed again.

For information about managing specific device types, see the following topics:

Procedure

To discover and manage your systems in XClarity Administrator using a bulk-import file, complete the following steps.

Note: When managing switches using bulk import, HTTPS is enabled on the switch, and NTP clients on the switch are configured to use the NTP settings from the management server. To change these settings, you must manually manage the switches.
  1. From the XClarity Administrator menu bar, click Hardware > Discover and Manage New Devices. The Discover and Manage page is displayed.

  2. Click the Enable encapsulation on all future managed devices checkbox to change the firewall rules on all devices during the management process so that incoming requests are accepted from only XClarity Administrator.

    Note:
    • Encapsulation is not supported on switches, storage devices, and non-Lenovo chassis and servers.

    • When the management network interface is configured to use the Dynamic Host Configuration Protocol (DHCP) and encapsulation is enabled, managing a rack server can take a long time.

    Encapsulation can be enabled or disabled on specific devices after they are managed.

    Attention: If encapsulation is enabled and XClarity Administrator becomes unavailable before a device is unmanaged, necessary steps must be taken to disable encapsulation to establish communication with the device. For recovery procedures, see Recovering management with a CMM after a management server failure and Recovering rack or tower server management after a management server failure.
  3. Click Bulk Import. The Bulk Import wizard is displayed.


  4. Click the in Excel or in CSV link on the Import Data File page to download the template bulk-import file in Excel or CSV format.

    Important: The template file might change from one release to the next. Ensure that you always use the latest template.
  5. Fill in the data worksheet in the template file, and save the file in CSV format.

    Tip: The Excel template includes a Data worksheet and a Readme worksheet. Use the Data worksheet to fill in your device data. The Readme worksheet provides information about how to fill in each field on the Data worksheet (including which fields are required) and sample data.
    Important:
    • Devices are managed in the order that is listed in the bulk-import file.

    • XClarity Administrator uses rack-assignment information that is defined in the device configuration when the device is managed. If you change the rack assignment in XClarity Administrator, XClarity Administrator updates the device configuration. If you update the device configuration after the device is managed, the changes are reflected in XClarity Administrator.

    • It is recommended but not required to explicitly create a rack in the spreadsheet before assigning the rack to a device. If a rack is not explicitly defined and the rack does not already exist in XClarity Administrator, the rack-assignment information that is specified for a device is used to create the rack with a default height of 52U.

      If you want to use another height for the rack, you must explicitly define the rack in the spreadsheet before assigning it to a device.

    To define your devices in the bulk-import file, complete the following columns.

    • (Columns A - C) For basic discovery, you must specify the device type and either the current IP address or serial number for the device. The following types are supported:
      • filler. Placeholder for an unmanaged device. In the rack view, this device is shown as a generic filler graphic. See the Readme worksheet in the Excel template for additional filler types.
      • flexchassis. 10U Flex System chassis
      • server. Rack and tower servers that are supported by XClarity Administrator
      • rack. 6U, 12U, 18U, 25U, 37U, 42U, 45U, 46U, 48U, 50U, and 52U racks. Other rack heights are not supported. 52U is used by default.
      • storage. Lenovo Storage device
      • switch. RackSwitch switches
      Note: Flex System compute nodes, switches, and storage devices are considered part of the chassis discovery and management process.
    • (Columns D - H) You can optionally specify user credentials for each device in the bulk-import file. This is useful if the credentials are different for some devices. If you do not specify credentials for one or more devices in the bulk-import file, the global credentials that you specify in the Bulk Import dialog are used instead. For more information about manually entered users and managed authentication, see Managing user accounts.
      Note:
      • Some fields do not apply to some devices.

      • (For chassis) If you choose managed authentication (in column AA or in the Bulk Import dialog), you must specify the RECOVERY_ID password either in column G of the bulk import file or in the Bulk Import dialog. If you choose local authentication, the recovery password is not allowed; do not specify the recovery password in column G of the bulk import file or in the Bulk Import dialog.

      • (For rack servers) If you choose managed authentication (in column AA or in the Bulk Import dialog), you can optionally specify a recovery password either in column G of the bulk import file or in the Bulk Import dialog. If you choose local authentication, the recovery password is not allowed; do not specify the recovery password in column G of the bulk import file or in the Bulk Import dialog.

      • (For rack switches) RackSwitch devices support only stored credentials (in column Z) for authenticating to the switches. Manual user credentials are not supported.

    • (Columns I - U) You can optionally provide additional information if you want to apply changes to the device upon successful management.
      Note: Some fields do not apply to some devices. These fields do not apply to RackSwitch switches.
    • (Columns V - X) You can optionally provide information for rack creation and assignment, including the rack name, lowest rack unit, and height.
      Note:
      • When creating a rack, you must specify the rack name and rack height. The following rack heights are supported: 6U, 12U, 18U, 25U, 37U, 42U, 45U, 46U, 48U, 50U, and 52U. Other rack heights are not supported.

      • When creating a generic filler, you must specify the rack name and filler height. The following filler heights are supported: 1U, 2U, and 4U.

      • When creating a specific filler, the filler height is ignored. XClarity Administrator knows the height of each specific filler. See the template spreadsheet for filler types and heights.

      • When assigning a device to a rack, the device height is ignored. The device height is retrieved from the device inventory.

    • (Column Z) You can optionally choose to use stored credentials instead of manually entered credentials (in columns D - H) by specifying a stored credential ID. You can find the stored credential ID on the Stored Credentials page by clicking Administration > Security from the XClarity Administrator menu and then clicking Stored Credentials from the left navigation. For more information about stored credentials and local authentication, see Managing stored credentials.

      Note:
      • RackSwitch devices support only stored credentials for authentication. Manual user credentials (in column D) are not supported.

      • If you manage a device using stored credentials and enable managed authentication, you cannot edit those stored credentials.

    • (Column AA) For rack servers, you can optionally choose to use local authentication instead of XClarity Administrator managed authentication by specifying FALSE in this column. For more information about managed and local authentication, see Managing the authentication server.

    • (Column AB) You can optionally specify a list of role groups that are permitted to view and manage the device. You can specify only role groups to which the current user belongs.

      Note: If you add devices to a managed chassis, the new devices will belong to the same role groups as the chassis.
    The following figure shows an example bulk-import file:

    Illustrates example devices that are defined in the bulk-import file.
  6. From the Bulk Import wizard, enter the name of the CSV file to upload for processing. You can click Browse to help you find the file.

  7. Click Upload to upload and validate the file.

  8. Click Next to display the Input Summary page with a list of devices to be managed.


  9. Review the summary of devices that you want to manage.

    Select Show only rows with potential issues to list rows with incomplete data. Fix any issues in the bulk-import file, and then click Back to upload the corrected CSV file.

    Note:
    • If required data is not provided in the bulk-import file, the associated devices are not managed.

    • The Input Summary page flags rows that do not have credential information. If you do not specify credentials in the bulk-import file, the global credentials that you specify in the Bulk Import wizard are used instead.

  10. Click Next to display the Device Credentials page.


  11. Click on each tab, and optionally specify global settings and credentials to use for all devices of a specific type. The devices that will use the global settings and credentials are listed on the right side of each tab.

    If you choose to use the global credentials, the credentials for a specific device type must be the same for all devices of the same type that do not have credentials entered in the bulk-import file. For example, CMM credentials must be the same for all chassis, and the storage-management credentials must be the same for all Lenovo Storage devices. If the credentials are not the same, you must enter credentials in the bulk-import file.

    • Chassis. Specify the authentication mode and credentials type. Specify current credentials for logging in to all chassis that are defined in the bulk-import file. Specify the new password to use if the current CMM credentials are expired.

      If you force manage a chassis, specify the RECOVERY_ID account and password for the device credentials.

    • Servers. Specify the authentication mode and credentials type. Specify current credentials for logging in to all rack and tower servers that are defined in the bulk-import file. Specify the new password to use if the current baseboard-management controller credentials are expired.

      If you force manage a server, specify the RECOVERY_ID account and password for the device credentials.

    • Switches. Specify the stored credentials for logging in to all RackSwitch switches that are defined in the bulk-import file. If set, also specify the "enable" password that is used to enter Privileged Exec Mode on the switch.

    • Storage. Specify current credentials for logging in to all Lenovo Storage devices that are defined in the bulk-import file.

    • Recovery. Specify the recovery password for logging in to all servers and chassis that are defined in the bulk import file.

      When a password is specified, the RECOVERY_ID account is created on the device, and all local user accounts are disabled.

      • For chassis, the recovery password is required.

      • For servers, the recovery password is optional if you choose to use managed authentication and is not allowed if you choose to use local authentication.

      • Ensure that the password follows the security and password policies for the device. Security and password policies might vary.

      • Ensure that you record the recovery password for future use.

      • The recovery account is not supported for ThinkServer and System x M4 servers.

    Information that you specify in the bulk-import file overrides similar information that you specify on the Device Credentials page.

    You can optionally choose to force manage each type of device if:

    • The devices are currently managed by another management system, such as another XClarity Administrator instance or IBM Flex System Manager

    • XClarity Administrator was taken down but the devices were not unmanaged before it went down

    • The devices were not unmanaged correctly, and the CIM subscription was not cleared

    Note: If the device is managed by another XClarity Administrator instance, the device appears to be managed by the original instance for a period of time after the forced management occurs. You can unmanage the device to remove it from the original XClarity Administrator instance.
  12. Click Manage. The Monitoring Results page is displayed with information about the management status of each device in the bulk-import file.

    A job is created for the management process. If you close the Bulk-Import wizard, the management process continues running in the background. You can monitor the status of the management process from the jobs log. For information about the jobs log, see Monitoring jobs.

    If XClarity Administrator cannot log in to a device using the credentials that are specified in the bulk-import file or the global credentials that are specified in the dialog, the management of that device fails, and XClarity Administrator moves on to the next device in the bulk-import file.

    Note: If management was not successful due to one of the following error conditions, repeat this procedure using the Force management option.
    • If the managing XClarity Administrator failed and cannot be recovered.

      Note: If the replacement XClarity Administrator instance uses the same IP address as the failed XClarity Administrator, you can manage the device again using the RECOVERY_ID account and password (if applicable) and the Force management option.
    • If the managing XClarity Administrator was taken down before the devices were unmanaged.

    • If the devices were not unmanaged successfully.

    Attention: Devices can be managed by only one XClarity Administrator instance at a time. Management by multiple XClarity Administrator instances is not supported. If a device is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the device from the original XClarity Administrator, and then manage it with the new XClarity Administrator.
  13. If the bulk-import file includes a new chassis, validate and change management network settings for the entire chassis (including compute nodes and Flex switches) and configure the compute node information, local storage, I/O adapters, boot targets, and firmware settings by creating and deploying server patterns. For more information, see Modifying the management-IP settings for a chassis and Configuring servers using configuration patterns.
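
The column rules in step 5 can be checked before the file is uploaded. The following linter is an added example, not Lenovo code or part of the template: the column letters A, D, G, V, X, and AA are taken from this page, while B = IP address, C = serial number, a single header row, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Column letters (A, D, G, V, X, AA) are from the page. Assumptions: B = IP
# address, C = serial number, one header row, heights written as "42U" or "42".
def col(letters):  # spreadsheet letters ('A', 'AA') -> zero-based index
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n - 1

TYPE, IP, SERIAL, USER, RECOVERY_PW = (col(c) for c in "ABCDG")
RACK, HEIGHT, MANAGED_AUTH = col("V"), col("X"), col("AA")
DISCOVERED = {"flexchassis", "server", "storage", "switch"}
RACK_HEIGHTS = {6, 12, 18, 25, 37, 42, 45, 46, 48, 50, 52}

def height_u(text):  # '42U' or '42' -> 42; None when empty or not a number
    digits = text.strip().upper().rstrip("U")
    return int(digits) if digits.isdigit() else None

def check_row(row, racks):
    """Yield (severity, message) for one padded row; racks = names defined so far."""
    kind = row[TYPE].lower()
    if kind not in DISCOVERED | {"rack", "filler"}:
        yield "warn", f"type {row[TYPE]!r} is not listed on the page; see the Readme worksheet"
        return
    if kind in DISCOVERED and not (row[IP] or row[SERIAL]):
        yield "error", "needs an IP address or a serial number"
    if kind == "rack":
        if not row[RACK] or height_u(row[HEIGHT]) not in RACK_HEIGHTS:
            yield "error", "rack needs a name and a supported height"
        racks.add(row[RACK])  # devices are managed in file order
        return
    if kind == "filler" and (not row[RACK] or height_u(row[HEIGHT]) not in {1, 2, 4}):
        yield "error", "generic filler needs a rack name and a height of 1U, 2U or 4U"
    if row[RACK] and row[RACK] not in racks:
        yield "warn", f"rack {row[RACK]!r} is not defined on an earlier row; created at 52U if new"
    if kind == "switch" and row[USER]:
        yield "error", "RackSwitch accepts only a stored credential (column Z), not column D"
    if kind in {"flexchassis", "server"}:
        local = row[MANAGED_AUTH].upper() == "FALSE"
        if local and row[RECOVERY_PW]:
            yield "error", "recovery password (column G) is not allowed with local authentication"
        if kind == "flexchassis" and not local and not row[RECOVERY_PW]:
            yield "warn", "managed chassis: give the RECOVERY_ID password in column G or the dialog"

def lint_bulk_import(csv_text, header_rows=1):
    """Return (row_number, severity, message) tuples in file order."""
    findings, racks = [], set()
    rows = list(csv.reader(io.StringIO(csv_text)))
    for num, raw in enumerate(rows[header_rows:], start=header_rows + 1):
        row = [c.strip() for c in raw] + [""] * (col("AB") + 1 - len(raw))
        if any(row):
            findings += [(num, sev, msg) for sev, msg in check_row(row, racks)]
    return findings

def sample_row(**cells):
    """Build one constructed CSV line from column-letter keyword arguments."""
    row = [""] * (col("AB") + 1)
    for letters, value in cells.items():
        row[col(letters)] = value
    return ",".join(row)

SAMPLE = "\n".join([  # constructed data, not the Lenovo template
    sample_row(A="type"),  # header row
    sample_row(A="rack", V="rackA", X="42U"),
    sample_row(A="server", B="192.0.2.10", V="rackA", AA="FALSE", G="example-pw"),
    sample_row(A="switch", B="192.0.2.20", D="admin", V="rackB"),
    sample_row(A="flexchassis", C="SN-EXAMPLE", V="rackA"),
    sample_row(A="rack", V="rackC", X="40U"),
])

if __name__ == "__main__":
    print(*lint_bulk_import(SAMPLE), sep="\n")
```

Adjust `header_rows` and the positions assumed for columns B and C to match the Readme worksheet of the template release you downloaded.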

What to do next

After managing your systems, you can perform the following actions: