Skip to main content

Managing devices

Lenovo XClarity Administrator can manage several types of systems, including the Flex System chassis, rack and tower servers, RackSwitch switches, and storage devices. You easily can discover and manage a large number of devices that are in your environment by importing information about your devices using a bulk-import file.

Before you begin

Important

  • You can manage a maximum of 300 devices at one time. Do not include more than 300 devices in a bulk import file.

  • After you initiate a device-management operation, wait for the entire management job to complete before initiating another device-management operation.

Chassis components (such as CMMs, compute nodes, switches, and storage devices) are discovered and managed automatically when you manage the chassis that contains them. You cannot discover and managed chassis components separate from the chassis.

Certain ports must be available to communicate with the CMMs in the chassis and baseboard management controllers in the servers. Ensure that these ports are available before you attempt to manage systems. For more information about ports, see Port availability.

Ensure that the minimum required firmware is installed on each system that you want to manage using XClarity Administrator. You can find minimum required firmware levels from the XClarity Administrator Support – Compatibility webpage by clicking the Compatibility tab and then clicking the link for the appropriate device types.

Ensure that there are at least three TCP command-mode sessions set for out-of-band communication with the CMM. For information about setting the number of sessions, see tcpcmdmode command in the CMM online documentation.

Consider implementing either IPv4 or IPv6 addresses for all CMMs and Flex switches that are managed by XClarity Administrator. If you implement IPv4 for some CMMs and Flex switches and IPv6 for others, some events might not be received in the audit log (or as audit traps).

Ensure that you enable multicast SLP forwarding on the top-of-rack switches, as well as the routers in your environment. See the documentation that was provided with your specific switch or router to determine whether multicast SLP forwarding is enabled and to find procedures to enable it if it is disabled.

Important

  • Depending on the firmware version of the RackSwitch switch, you might need to enable multicast SLP forwarding and SSH on each RackSwitch switch manually using the following commands before the switch can be discovered and managed by XClarity Administrator. For more information, see the Rack switches in the System x online documentation.

  • Multicast SLP forwarding must be enabled on each storage device before it can be discovered by XClarity Administrator.

  • If you plan to use a customized server certificate that includes your own information or use an externally signed certificate, generate and deploy the new certificate before you begin managing systems. For information about generating your own security certificate, see Working with security certificates.

  • If you intend to use other management software in addition to Lenovo XClarity Administrator to monitor your chassis, and if that management software uses SNMPv3 communication, you must first create a local CMM user ID that is configured with the appropriate SNMPv3 information and then log in to the CMM using that user ID and change the password. For more information, see Management considerations.

  • Service discovery protocols, such as SLP and SSDP, enable XClarity Administrator to automatically discover the type of the device that is about to be managed and then use the appropriate mechanism to manage the device. Some device types do not support service discovery protocols, and in some environments, service discovery protocols are purposely turned off. In either case, you must choose the appropriate device type to complete the manage process. The following device types must be explicitly identified.
    • Lenovo ThinkSystem DB Series Switch
    • NVIDIA Mellanox Switch

About this task

XClarity Administrator can discover systems in your environment by probing for manageable devices that are on the same IP subnet as XClarity Administrator, by using a specified IP address or range of IP addresses, or by importing information from a spreadsheet.

By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.

  • When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.

    You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).

    Note
    RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.

  • Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.

    • When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials).

      The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact the management or monitoring of that device.

      Note
      When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
    • If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.
      Note
      For Think Edge SE450, SE350 V2, and SE360 V2 servers, the default local user account remains enabled and all other local accounts are disabled.
    • If an SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when using an SAML identity provider and an LDAP server together, if the identity provider uses accounts that exist in the LDAP server, LDAP user accounts can be used to log into the managed devices while the more advanced authentication methods that are provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be used to log into XClarity Administrator.
    • Single sign-on allows a user that is already logged in to XClarity Administrator to automatically log in to the baseboard management control. Single sign-on is enabled by default when a ThinkSystem or ThinkAgile server is brought into management by XClarity Administrator (unless the server is managed with CyberArk passwords). You can configure the global setting to enable or disable single sign-on for all managed ThinkSystem and ThinkAgile servers. Enabling single sign-on for a specific ThinkSystem and ThinkAgile server overrides the global setting for all ThinkSystem and ThinkAgile servers (see Managing servers).
      Note
      Single sign-on is disabled automatically when using the CyberArk identity-management system for authentication.
    • When managed authentication is enabled for ThinkSystem SR635 and SR655 servers:
      • Baseboard management-controller firmware supports up to five LDAP user roles. XClarity Administrator adds these LDAP user roles to the servers during management: lxc-supervisor, lxc-sysmgr, lxc-admin, lxc-fw-admin, and lxc-os-admin.

        Users must be assigned to at least one of the specified LDAP user roles to communicate with ThinkSystem SR635 and SR655 servers.

      • Management-controller firmware does not support LDAP users with the same username as local user of the sever.

    • For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix LXCA_ followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the LXCA_ user account is disabled, and the prefix LXCA_ is replaced with the prefix DISABLED_. To determine whether a ThinkServer server is managed by another instance, XClarity Administrator checks for IPMI accounts with the prefix LXCA_. If you choose to force management of a managed ThinkServer server, all the IPMI accounts on the device with the LXCA_ prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.

      If you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.

      Note
      When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
      • Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.
      • When you unmanage a device, XClarity Administrator does not delete stored credentials there were automatically created for that device during the management process.

After systems are managed by XClarity Administrator, XClarity Administrator polls each managed system periodically to collect information, such as inventory, vital product data, and status. You can view and monitor each managed system and perform management actions (such as configuring system settings, deploying operating-system images, and powering on and off).

A system can be managed by only one XClarity Administrator at a time. Management by multiple managers is not supported. If a system is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the system on the current XClarity Administrator. Then, you are can manage the system with another XClarity Administrator. For information about unmanaging a system, see Unmanaging a chassis, Unmanaging a rack or tower server, Unmanaging a switch and Unmanaging a storage device.

Note
The XClarity Administrator does not modify the security settings or cryptographic settings (cryptographic mode and the mode used for secure communications) during the management process. You can modify the cryptographic settings after the system is managed (see Configuring cryptography settings on the management server).
Note
XClarity Administrator can be pre-populated with hardware inventory for a demo chassis (including CMM, compute nodes, and switches) and a demo rack or tower server that simulates real hardware. The demo devices are populated in the web interface pages and can be used to demonstrate management operations; however, the management operations will fail. For example, you can create a configuration pattern and deploy the pattern to a demo server, but the deployment will fail. You can remove the demo devices by unmanaging them (see Unmanaging a chassis and Unmanaging a rack or tower server). After the demo devices are deleted, they cannot be managed again..

For information about managing specific device types, see the following topics:

Procedure

To discover and manage your systems in XClarity Administrator using a bulk-import file, complete the following steps.

Note
When managing switches using bulk import, HTTPS is enabled on the switch, and NTP clients on the switch are configured to use the NTP settings from the management server. To change these setting, you must manually manage the switches.

  1. From the XClarity Administrator menu bar, click Hardware > Discover and Manage New Devices. The Discover and Manage page is displayed.

  2. Click the Enable encapsulation on all future managed devices checkbox to change the firewall rules on all devices during the management process so that incoming requests are accepted from only XClarity Administrator.

    Note

    • Encapsulation is not supported on switches, storage devices, and non-Lenovo chassis and servers.

    • When the management network interface is configured to use the Dynamic Host Configuration Protocol (DHCP) and when encapsulation enabled, managing a rack server can take a long time.

    Encapsulation can be enabled or disabled on specific devices after they are managed.

    Attention
    If encapsulation is enabled and XClarity Administrator becomes unavailable before a device is unmanaged, necessary steps must be taken to disable encapsulation to establish communication with the device. For recovery procedures, see lenovoMgrAlert.mib file and Recovering management with a CMM after a management server failure.

  3. Click Bulk Import. The Bulk Import wizard is displayed.


    Illustrates example devices that are defined in the bulk-import file.

  4. Click the in Excel or in CSV link on the Import Data File page to download the template bulk-import file in Excel or CSV format.

    Important
    The template file might change from one release to the next. Ensure that you always use the latest template.

  5. Fill in the data worksheet in the template file, and save the file in comma-delimited CSV format.

    Tip
    The Excel template includes a Data worksheet and a Readme worksheet. Use the Data worksheet to fill in your device data. The Readme worksheet provides information about how to fill in each field on the Data worksheet (including which fields are required) and sample data.
    Important

    • Devices are managed in the order that is listed in the bulk-import file.

    • XClarity Administrator uses rack-assignment information that is defined in the device configuration when the device is managed. If you change the rack assignment in XClarity Administrator, XClarity Administrator updates the device configuration. If you update the device configuration after the device is managed, the changes are reflected in XClarity Administrator.

    • It is recommended but not required to explicitly create a rack in the spreadsheet before assigning the rack to a device. If a rack is not explicitly defined and the rack does not already exist in XClarity Administrator, the rack-assignment information that is specified for a device is used to create the rack with a default height of 52U.

      If you want to use another height for the rack, you must explicitly define the rack in the spreadsheet before assigning it to a device.

    To define your devices in the bulk-import file, complete the following columns.

    • (Columns A - C) For basic discovery, you must specify the device type and either the current IP address or serial number for the device. The following types are supported:
      • filler. Placeholders for an unmanaged device. In the rack view, this device is shown as generic filler graphic. See the Readme worksheet in the Excel template for additional filler types.
      • flexchassis. 10U Flex System chassis
      • server. Rack and tower servers that are supported by XClarity Administrator
      • rack. 6U, 12U, 18U, 25U, 37U, 42U, 45U, 46U, 48U, 50U, and 52U racks. Other rack heights are not supported. 52U is used by default.
      • storage. Storage devices
      • switch. RackSwitch switches
      Note
      Flex System compute nodes, switches, and storage devices are considered part of the chassis discovery and management process.
    • (Columns D - H) If you choose to use manually entered credentials instead of stored credentials (Columns Z) or identity (Columns AF – AJ), specify the current username and password. Manually entered credentials are useful if the credentials are different for some devices. If you do not specify credentials for one or more devices in the bulk-import file, the global credentials that you specify in the Bulk Import dialog are used instead. For more information about manually entered users and managed authentication, see Managing user accounts.
      Note
      • To use manually entered credentials, you must select XClarity Administrator managed authentication.

      • Some fields do not apply to some devices.

      • (For chassis) If you choose managed authentication (in column AA or in the Bulk Import dialog), you can must specify the RECOVERY_ID password either in column G of the bulk import file or in the Bulk Import dialog. If you choose local authentication, the recovery password is not allowed; do not specify the recovery password in column G of the bulk import file or in the Bulk Import dialog.

      • (For rack servers) If you choose managed authentication (in column AA or in the Bulk Import dialog), you can optionally specify a recovery password either in column G of the bulk import file or in the Bulk Import dialog. If you choose local authentication, the recovery password is not allowed; do not specify the recovery password in column G of the bulk import file or in the Bulk Import dialog.

      • (For rack switches) RackSwitch devices support only stored credentials (in column Z) for authenticating to the switches. Manual user credentials are not supported.

    • (Columns I -U) You can optionally provide additional information if you want to apply changes to the device upon successful management.
      Note
      Some fields do not apply to some devices. These fields do not apply to RackSwitch switches.
    • (Columns V- Z) You can optionally provide information for rack creation and assignment, including the rack name, location, room, lowest rack unit, and height.
      Note

      • When creating a rack, you must specify the rack name and rack height. The following rack heights are supported: 6U, 12U, 18U, 25U, 37U, 42U, 45U, 46U, 48U, 50U, and 52U. Other rack heights are not supported.

      • When creating a generic filler, you must specify the rack name and filler height. The following filler heights are supported: 1U, 2U, and 4U.

      • When creating a specific filler, the filler height is ignored. XClarity Administrator knows the height of each specific filler. See the template spreadsheet for filler types and heights.

      • When assigning a device to rack, the device height is ignored. The device height is retrieved from the device inventory.

    • (Column AA) If management was not successful due to one of the following error conditions, repeat this procedure using the force-management option.

      • If the managing XClarity Administrator failed and cannot be recovered.

        Note
        If the replacement XClarity Administrator instance uses the same IP address as the failed XClarity Administrator, you can manage the device again using the RECOVERY_ID account and password (if applicable) and the Force management option.

      • If the managing XClarity Administrator was taken down before the devices were unmanaged.

      • If the devices were not unmanaged successfully.

      Devices can be managed by only one XClarity Administrator instance at a time. Management by multiple XClarity Administrator instances is not supported. If a device is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the device from the original XClarity Administrator, and then manage it with the new XClarity Administrator.

      Important
      If you change the IP address of a server after the server is managed by XClarity Administrator, XClarity Administrator recognizes the new IP address and continue to manage the server. however, XClarity Administrator does not recognize the IP address change for some servers. If XClarity Administrator shows that the server is offline after the IP address was changed, manage the server again using the Force Management option.

    • (Column AB) If you choose to use stored credentials instead of manually entered credentials (Columns D – H) or identity (Columns AF – AJ), specify a stored credential ID. You can find the stored credential ID on the Stored Credentials page by clicking Administration > Security from the XClarity Administrator menu and then clicking Stored Credentials from the left navigation. For more information about stored credentials and local authentication, see Managing stored credentials.

      Note

      • RackSwtich devices support only stored credentials for authentication. Manual user credentials (in column D) are not supported.

      • If you manage a device using stored credentials and enable managed authentication, you cannot edit those stored credentials.

    • (Column AC) For chassis and rack servers, you chose to use choose managed authentication, you can must specify the RECOVERY_ID password either in column G of the bulk import file or in the Bulk Import dialog. If you choose local authentication, the recovery password is not allowed; do not specify the recovery password in column G of the bulk import file or in the Bulk Import dialog.

    • (Column AD) For rack servers, you can optionally choose to use local authentication instead of XClarity Administrator managed authentication by specifying FALSE in this column. For more information about managed and local authentication, see Managing the authentication server.

    • (Column AE) You can optionally specify a list of role groups that are permitted to view and manage the device. You can specify only role groups to which the current user belongs.

      Note
      If you add devices to a managed chassis, the new devices will belong to the same role groups as the chassis.

    • (Column AF – AJ) If you choose to use an identity management system instead of manually entered credentials (Columns D – H) or stored credentials (Columns AB), specify IP address or host name of the managed server, user name, and optionally application ID, safe and folder.

      If you specify the application ID, you must also specify the safe and folder, if applicable.

      If you do not specify the application ID, XClarity Administrator uses the paths that were defined when you setup CyberArk to identify the onboarded accounts in CyberArk (see Setting up a CyberArk identity-management systemSetting up a CyberArk identity-management system in the XClarity Administrator online documentation).

      Note
      Only ThinkSystem or ThinkAgile servers are supported. The identity management system must be configured in XClarity Administrator, and the Lenovo XClarity Controller for the managed ThinkSystem or ThinkAgile servers must be integrated with CyberArk (see Setting up a CyberArk identity-management systemSetting up a CyberArk identity-management system in the XClarity Administrator online documentation).
    The following figure shows an example bulk-import file:

    Illustrates example devices that are defined in the bulk-import file.

  6. From the Bulk Import wizard, enter the name of the CSV file to upload file for processing. You can click Browse to help you find the file.

  7. Click Upload to upload and validate the file.

  8. Click Next to display the Input Summary page with a list of devices to be managed.


    Illustrates example devices that are defined in the bulk-import file.

  9. Review the summary of devices that you want to manage.

    Select Show only rows with potential issues to list row with incomplete data. Fix any issues in the bulk-import file, and then click Back to upload the corrected CSV file.

    Note

    • If required data is not provided in the bulk-import file, the associated devices are not managed.

    • The Input Summary page flags rows that do not have credential information. If you do not specify credentials in the bulk-import file, the global credentials that you specify in the Bulk Import wizard are used instead.

  10. Click Next to display the Device Credentials page.


    Illustrates example devices that are defined in the bulk-import file.

  11. Click on each tab, and optionally specify global settings and credentials to use for all devices of a specific type. The devices that will use the global settings and credentials are listed on right side of each tab.

    If you choose to use the global credentials, the credentials for a specific device type must be the same for all devices of the same type that do not have credentials entered in the bulk-import file. For example, CMM credentials must be the same for all chassis, and the storage-management credentials must be the same for all storage devices. If the credentials are not the same, you must enter credentials in the bulk-import file.

    • Chassis. Specify the authentication mode and credentials type. Specify current credentials for logging in to all chassis that are defined in the bulk-import file. Specify the new password to use if the current CMM credentials are expired.

      If you force manage a chassis, specify the RECOVERY_ID account and password for the device credentials.

    • Servers. Specify the authentication mode and credentials type. Specify current credentials for logging in to all rack and tower servers that are defined in the bulk-import file. Specify new password to use if the current baseboard-management controller credentials are expired.

      If you force manage a server, specify the RECOVERY_ID account and password for the device credentials.

    • Switches. Specify the stored credentials for logging in to all RackSwitch switches that are defined in the bulk-import file. If set, also specify the "enable" password that is used to enter Privileged Exec Mode on the switch.

    • Storage. Specify current credentials for logging in to all storage devices that are defined in the bulk-import file.

    • Recovery. Specify recovery password for logging in to all servers and chassis that are defined in the bulk import file.

      You can choose to use a local user account or stored recovery credential. In either case, the user name is always RECOVERY_ID.

      When a password is specified, the RECOVERY_ID account is created on the device, and all local user accounts are disabled.

      • For chassis, the recovery password is required.

      • For servers, the recovery password is optional if you choose to use managed authentication and is not allowed if you if you choose to use local authentication.

      • Ensure that the password follows the security and password policies for the device. Security and password policies might vary.

      • Ensure that you record the recovery password for future use.

      • The recovery account is not supported for ThinkServer and System x M4 servers.

    Information that you specify in the bulk-import file overrides similar information that you specify on the Device Credentials page.

    You can optionally choose to force manage each type of device if:

    • The devices are currently managed by another management system, such as another XClarity Administrator instance or IBM Flex System Manager

    • XClarity Administrator was taken down but the devices were not unmanaged before it went down

    • The devices were not unmanaged correctly, and the CIM subscription was not cleared

    Note
    If the device is managed by another XClarity Administrator instance, the device appears to be managed by the original instance for a period of time after the forced management occurs. You can unmanage the device to remove it from the original XClarity Administrator instance.

  12. Click Manage. The Monitoring Results page is displayed with information about the management status of each device in the bulk-import file.

    A job is created for the management process. If you close the Bulk-Import wizard, the management process continues running in the background. You can monitor the status of the management process from the jobs log. For information about the jobs log, see Monitoring jobs.

    If XClarity Administrator cannot log in to a device using the credentials that are specified in the bulk-import file or the global credentials that are specified in the dialog, the management of that device fails, and XClarity Administrator moves on to the next device in the bulk-import file.

    Note
    If management was not successful due to one of the following error conditions, repeat this procedure using the Force management option.

    • If the managing XClarity Administrator failed and cannot be recovered.

      Note
      If the replacement XClarity Administrator instance uses the same IP address as the failed XClarity Administrator, you can manage the device again using the RECOVERY_ID account and password (if applicable) and the Force management option.

    • If the managing XClarity Administrator was taken down before the devices were unmanaged.

    • If the devices were not unmanaged successfully.

    Attention
    Devices can be managed by only one XClarity Administrator instance at a time. Management by multiple XClarity Administrator instances is not supported. If a device is managed by one XClarity Administrator, and you want to manage it with another XClarity Administrator, you must first unmanage the device from the original XClarity Administrator, and then manage it with the new XClarity Administrator.

  13. If the bulk-import file includes a new chassis, validate and change management network settings for the entire chassis (including compute nodes and Flex switches) and configure the compute node information, local storage, I/O adapters, boot targets, and firmware settings by creating and deploying server patterns. For more information, see Modifying the management-IP settings for a chassis and Configuring servers using configuration patterns.

After you finish

After managing your systems, you can perform the following actions:

  • Discover and manage additional systems (see Managing chassis, Managing racks, Managing servers, Managing storage devices, and Managing switches).
  • Configure the system information, local storage, I/O adapters, boot settings, and firmware settings by creating and deploying server patterns (see Configuring servers using configuration patterns).
  • Deploy operating-system images to the servers that do not already have an operating system installed (see Installing operating systems on bare-metal servers).
  • Update firmware on devices that are not in compliance with current policies (see Updating firmware on managed devices).
  • Add the newly managed systems to the appropriate rack to reflect the physical environment (see Managing racks).
  • Monitor hardware status and details (see Viewing the status of a managed server).
  • Monitor events and alerts (see Working with events and Working with alerts).
  • Disable or enable single sign-on for managed ThinkSystem and ThinkAgile servers.

    • For all managed ThinkSystem and ThinkAgile servers (globally), click Administration > Security from the XClarity Administrator menu bar, click Active Sessions, and then enable or disable Single Sign-On

    • For a specific ThinkSystem and ThinkAgile server, click Hardware > Server from the XClarity Administrator menu bar, and then click All Actions > Security > Enable Single Sign-On or All Actions > Security > Disable Single Sign-On.

    Note
    Single sign-on allows a user that is already logged in to XClarity Administrator to automatically log in to the baseboard management control. Single sign-on is enabled by default when a ThinkSystem or ThinkAgile server is brought into management by XClarity Administrator (unless the server is managed with CyberArk passwords). You can configure the global setting to enable or disable single sign-on for all managed ThinkSystem and ThinkAgile servers. Enabling single sign-on for a specific ThinkSystem and ThinkAgile server overrides the global setting for all ThinkSystem and ThinkAgile servers.