IBM Remote Supervisor Adapter

Remote supervisor adapter (RSA) is the out-of-band management interface card optional on most IBM x86 [1]-based server machines sold under the IBM System x brand.

Remote management is independent of the status of the managed server.

An IBM Remote Supervisor Adapter II installed in an eServer 326
An IBM Remote Supervisor Adapter II

Features

Adapter Versions

Advanced Systems Management Adapter (ASMA)

This is a full-length ISA or PCI adapter. The ISA version is very rare, and was only ever supported in one or two servers. This adapter can be accessed either in-band through a device driver, or out-band over serial or 10Mbit Ethernet.

In addition, this adapter supports chaining of IBM Servers with Advanced Systems Management Processors (ASMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required. A total of 12 systems can be controlled this way using a single adapter.

The PCI version is supported under Linux through the ibmasm driver.

Supported servers:

Remote Supervisor Adapter (RSA) 59P2952

This is a half-length PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.

In addition, this adapter supports the chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.

The adapter is supported under Linux through the ibmasm driver.

This is the first version to support remote KVM over Ethernet. But when chaining is used, only the server with the adapter installed supports the remote KVM function.

Supported servers:

Remote Supervisor Adapter II (RSA-II) 73P9265

This is a half-length full-height PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.

In addition, this adapter supports chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.

This adapter (when properly cabled) can be accessed for in-band management through a USB driver.

This adapter has its own ATI video chip, and will cause the onboard video chip to get disabled. The reason for this was to resolve some of the problems with capturing the video for the remote KVM function that the original RSA experienced. Just like the original RSA, in the event of chaining the remote KVM function is only supported on the server with the adapter installed.

Supported servers:

Cable

The RSA-II requires a 20-pin cable to attach to the motherboard of the server. Without this cable the remote video facilities will still work, and if the external USB cable is connected, the remote keyboard and mouse will work—but nothing else (including power control) will function properly. Moreover, some servers will pause for 30–120 seconds after power-on if the RSA-II is installed but the cable is missing.

Different cables are required for different servers, and as of April 2008 it appears that the cards themselves are far more plentiful on the used market than certain cables—often the cables sell for more than the cards themselves!

Here is a table of known server/cablenumber combinations:

Older servers use what is known as the "planar cable". Newer servers use the cable shown in the image to the right:

One type of IBM Remote Supervisor Adapter II internal cable (73P9312)

Remote Supervisor Adapter II Slimline (RSA-II Slimline)

This is a special version of the RSA-II that does not need a PCI slot. Instead it is plugged into a dedicated slot on the systemboard, like a mini-pci adapter. This version also does not have a video controller anymore like the RSA-II.

Out-band management is provided by a dedicated Ethernet port on the server, which is not connected if the RSA-II Slimline is not installed. In-Band management is provided by the same USB driver as the RSA-II.

Supported servers:

Peculiarities

Maximum Password Length

A password can only be 15 characters max. If more characters are typed at the changing password form, there will be no error message but they won't be memorized.

Java 1.6 Incompatibility Bug

The RSA remote control is now broken IBM has issued a fix that only works some of the time.[1][2] Most users are advised to use Java JRE 1.60 U07 or earlier,[3] which is impossible if the user does not have administrative access to the client machine. IBM has been unresponsive. jre-1_5_0_21-windows-i586-p.exe generally gives good results on windows clients.

The Remote console works with the OpenJDK JRE and the IcedTea browser plugin. Tested on OpenJDK6 build 18 and IcedTea 1.1.

Passwords Sent in Clear Text

SSL is disabled by default, meaning that administrator passwords are sent in clear text. The administrator should to use the builtin functionality to generate a CSR and have it signed by an accepted CA.

Invisible to Traceroute

The network stack used by the RSAII does not respond to UDP packets sent to a closed port; therefore, it appears to be "invisible" to traceroutes based on UDP (the default for non-Windows systems).

Reliability Problems

A defect in the design of the RSA can cause it to go into a state in which the remote video capabilities are disabled. Unfortunately, once in this state the only way to correct the situation is to physically remove power from the RSA and the server; no amount of remote restarting will correct the problem. Because the point of the RSA is to eliminate the need for this sort of physical intervention to clear errors, this flaw calls into question the usefulness of the device.

This flaw is documented on IBM's website at [4]

The video forwarding also takes an initial reboot to take effect after the RSA was re-configured. At this point the operator would be in the BIOS menu but without the video functionality active. A reboot of the RSA will not suffice, the whole server has to be rebooted.

The card can also crash during some operations certificate generation.

Requires UDP

The remote control feature of the service processor requires that it be possible to exchange packets on UDP port 2000 between the adapter and the client.

No Video through NAT

The adapter does not cope well with NAT. The symptoms generally experienced are a lack of video when attempting to access remote control. If in doubt, ensure that the client (web browser) has its own public internet IP and is not behind any sort of NAT.

No Video when using a Cisco router or switch with Network Address Translation (NAT)

Problem

When using a Cisco router or switch with Network Address Translation (NAT) enabled, connection to the Remote Supervisor Adapter (RSA) II web UI is operational. When starting the remote control session, the user receives a blank screen.

Solution

The remote console port should be changed from 2000 to 5090 or any other value.

Log in to the RSA II web UI pages. In the RSA II web UI, go to Port Assignments in the left panel. Go to remote console and change the value to 5090. Save and restart the ASM. Port 2000 is being used by Cisco Skinny Client Control Protocol (SCCP). Since the default value for RSA II console port (remote video) is 2000, it needs be changed to another value such as 5090. [5]

Network Port Disabled By Default

The default state for the RSAII is to have the network port disabled.[6] This will also be the case if the card has been reset to factory defaults. To enable the network port, one must install an OS on the server (Linux or Windows) and use a software utility to enable the network port.

Difficult to Reset

Procedures for resetting the RSAII to factory defaults may be challenging for some users. The IBM forums list a procedure [7] for resetting an RSAII to factory defaults which appears to be simpler; it involves removing the card from the server and operating it from a non-PCI power supply. Most of the problems resolve around correct loading of the USB library. Ensuring this is properly loaded raises chances of success.

LDAP authentication generally unusable

LDAP authentication fails if a user is a member of more than one posixGroup, which is usually the case in non-trivial directories. IBM privately acknowledged the problem has existed for over four years, but still has not published a fix. The problem is that it considers only first posixGroup in resultset, so if you manage to reorganize directory to return your matching group first, you can succeed on the auth (with openldap ldif dump, delete and restore tends to keep results ordered).

Host OS tools

Like almost all IBM-provided management tools, software tools do not respect long established OS conventions for packaging, file paths and naming.

Firmware updates are incompatible with a non-executable /tmp directory, a commonly employed security setting.

Command line tools have many undocumented behaviors. "asu," the executable used to query or set parameters on the board, writes logs to the current directory with a hardcoded name, without warning and without basic sanity checks. It will thus silently overwrite the target of a symbolic link with that name.

Related

BladeCenter Management Module (BCMM)

This is the first management module of the IBM BladeCenter.

Its function is very similar to that of the RSA-II

The BCMM provides an external 10/100Mbit Ethernet connection (used for out-of-band management) and shared VGA, PS/2 Keyboard and PS/2 Mouse ports. Internally the VGA and PS/2 ports are switchable between blades. The PS/2 ports are internally seen to the blades as USB.

This has since been phased out and replaced by the BCAMM. It is no longer supported by IBM.

BladeCenter Advanced Management Module (BCAMM)

This is a hardware refresh of the management module for the IBM BladeCenter. The PS/2 ports for keyboard and mouse were replaced with two USB ports. The BCAMM is currently under active development and its firmware offers more capabilities than the original BCMM.

Advanced Systems Management Processor (ASMP)

This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the ISMP. Out-of-band management is possible using a serial port (shared with the OS), or by adding the Advanced Systems Management Adapter (ASMA).

These servers have ASMP functionality:

Integrated Systems Management Processor (ISMP)

This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the BMC. Out-of-band management is possible by adding the RSA or RSA-II.

These servers have ISMP functionality:

Baseboard Management Controller (BMC)

On the latest IBM Intel-based servers a BMC is standard, and optionally the RSA-II Slimline can be added.

Integrated Management Module (IMM)

IBM Integrated Management Module (IMM) comprises the legacy BMC (baseboard management processor) and RSA (Remote Supervisor Adapter) function in IBM uEFI machines. Also, it consolidates Super I/O controller, Video controller. It also incorporates most of the bugs present in RSA and BMC, as well as providing many of its own, unique problems. This works with System firmware (Unified Extensible Firmware Interface) to provide system management functions. some of its greatly improved features over BMC and RSA are:

See also

Default Password

The default login is "USERID" and the default password is "PASSW0RD" (note the zero rather than an "O").

References

This article is issued from Wikipedia - version of the Monday, April 11, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.