Sun SPARC Enterprise M4000/M5000 Servers Product Notes for XCP Version 1091

This document covers changes introduced in the XCP 1090 and XCP 1091 firmware releases. This chapter contains the following sections:

• What’s New in XCP 1090 and 1091
• Minimum Required Firmware, Operating Systems and Browsers
• Solaris Patch Requirements
• Upgrading to XCP 1090 or XCP 1091
• Functionality Issues and Limitations
• Additional Information and Procedures

---

What’s New in XCP 1090 and 1091

• The XCP 1090 firmware is the first XCP release to support the XSCF command showdateoffset(8). For details, see the man page.
• The XCP 1090 firmware is the first XCP release to support the SPARC64 VII 2.53 GHz processor. Earlier XCP firmware releases do not support this faster version of the processor, which in other respects is functionally identical to all SPARC64 VII processors See Minimum Required Firmware, Operating Systems and Browsers.
• The XCP 1091 firmware introduces the Active Directory and LDAP over SSL features. See Active Directory and LDAP over SSL.

Active Directory and LDAP over SSL

The XCP 1091 release introduces support for the Active Directory and LDAP over SSL features.

• Active Directory is a distributed directory service from Microsoft Corporation. Like an LDAP directory service, it is used to authenticate users.
• LDAP over SSL offers enhanced security to LDAP users by way of Secure Socket Layer (SSL) technology. It uses LDAP directory service to authenticate users.

Active Directory and LDAP over SSL each provide both authentication of user credentials and authorization of the user access level to networked resources. They use authentication to verify the identity of users before they can access system resources, and to grant specific access privileges to users in order to control their rights to access networked resources.

User privileges are either configured on XSCF or learned from a server based on each user’s group membership in a network domain. A user can belong to more than one group. Active Directory or LDAP over SSL authenticates users in the order in which the users’ domains are configured. (A user domain is the authentication domain used to authenticate a user.)

Once authenticated, user privileges can be determined in the following ways:

• In the simplest case, users’ privileges are determined directly through the Active Directory or LDAP over SSL configuration on the XSCF. There is a defaultrole parameter for both Active Directory and LDAP over SSL. If this parameter is configured or set, all users authenticated via Active Directory or LDAP over SSL are assigned privileges set in this parameter. Setting up users in an Active Directory or LDAP over SSL server requires only a password with no regard to group membership.
• If the defaultrole parameter is not configured or set, user privileges are learned from the Active Directory or LDAP over SSL server based on the user’s group membership. On XSCF, the group parameter must be configured with the corresponding group name from the Active Directory or LDAP over SSL server. Each group has privileges associated with it which are configured on the XSCF. A user’s group membership is used to determine the user’s privileges once the user is authenticated.

Three types of groups can be configured: administrator, operator, and custom. To configure an administrator or operator group, only group name is required.

An administrator group has platadm, useradm, and auditadm privileges associated with it. An operator group has platop, and auditop privileges associated with it. To configure a custom group, both group name and privileges are required. For each type of group, up to five groups can be configured. A user assigned to more than one group receives the sum of all privileges associated with those groups.

To support these new features, two new configuration screens (Active Directory and LDAP over SSL) have been added to the Settings menu of the XSCF Web. Remote users can log in and use the XSCF Web once they have been authenticated by Active Directory or LDAP over SSL.

Configuring XSCF for Active Directory Support

The commands setad(8) and showad(8) let you set and view the Active Directory configuration from the command line.

By default, Active Directory support is disabled. To enable Active Directory support, use the following command:

XSCF> setad enable

To disable Active Directory support, use the following command:

XSCF> setad disable

To show if Active Directory support is enabled or disabled, enter: :

XSCF> showad

Use the setad command with its various parameters to configure Active Directory. For example, you can use it to set up one primary and five alternate Active Directory servers, assign group names and privileges, configure a particular user domain, control logging of diagnostic messages, and more. User domain can be configured explicitly through the setad userdomain command on XSCF, or entered at login prompt using the form, user@domain.

See the setad(8) and showad(8) man pages, and the note about these commands in TABLE 3-8.

Configuring XSCF for LDAP over SSL Support

The commands setldapssl(8) and showldapssl(8) let you set and view LDAP over SSL configuration from the command line. These commands do for LDAP over SSL what the setad(8) and showad(8) commands do for Active Directory, and support many of the same parameters.

For more information, see the setldapssl(8) and showldapssl(8) man pages.

New proxyuser System Account

To support Active Directory and LDAP over SSL, this release features a new system account named proxyuser. Verify that no user account of that name already exists. If one does, use the deleteuser(8) command to remove it, then reset XSCF before using the Active Directory or LDAP over SSL feature.

---

Minimum Required Firmware, Operating Systems and Browsers

The Solaris Operating System and Sun Java Enterprise System software are preinstalled on new Sun SPARC Enterprise M4000/M5000 servers.

TABLE 1-1 lists the first firmware and operating system (OS) versions that are required for SPARC64 VI and SPARC64 VII processors..

Many web browsers support the XSCF Web. The browsers in TABLE 1-2 have demonstrated compatibility with the XSCF Web through testing.

---

Solaris Patch Requirements

This section lists mandatory patches, patch bundles, and SunAlert patch clusters for the M4000/M5000 servers. Always refer to the patch README for information about patch requirements and special installation instructions.

The patch identifiers listed in this section represent the minimum level of the patches that must be installed. The two-digit suffix represents the minimum revision level of the patch. Check http://sunsolve.sun.com for the latest patch revision. Apply patches in the order listed.

Solaris 10 5/09 with SPARC64 VII 2.53 GHz Processors

The Solaris 10 10/09 Patch Bundle is required, and the SunAlert Patch Cluster is recommended. See:

http://sunsolve.sun.com/show.do?target=patches/patch-access

Solaris 10 10/08 with SPARC64 VII 2.53 GHz Processors

The Solaris 10 10/09 Patch Bundle is required, and and the SunAlert Patch Cluster is recommended. See:

http://sunsolve.sun.com/show.do?target=patches/patch-access

Solaris 10 5/08 with SPARC64 VII 2.53 GHz Processors

The Solaris 10 10/09 Patch Bundle is required, and and the SunAlert Patch Cluster is recommended. See:

http://sunsolve.sun.com/show.do?target=patches/patch-access

Solaris 10 5/08 with SPARC64 VII 2.4 GHz Processors, SPARC64 VI Processors, or Both

Patch 137137-09 - SunOS 5.10: kernel patch.

Solaris 10 8/07 with SPARC64 VII 2.53 GHz Processors

• The Solaris 10 10/09 Patch Bundle is required and the SunAlert Patch Cluster is recommended. See:

http://sunsolve.sun.com/show.do?target=patches/patch-access

• You cannot do a fresh install of the Solaris 10 8/07 OS on a domain that contains SPARC64 VII processors. The following two workarounds apply:
• Create a fully patched image, then use Jumpstart.
• Start the OS install on a domain that contains only SPARC64 VI processors, add the required patches, then add the SPARC64 VII processors to the domain.

Solaris 10 8/07 with SPARC64 VII 2.4 GHz Processors

The following patches are required for Solaris 10 8/07 OS only on servers containing SPARC64 VII 2.4 GHz processors. Install them in the order listed:

1. 119254-51 - SunOS 5.10: Install and Patch Utilities Patch

2. 125891-01 - SunOS 5.10: libc_psr_hwcap.so.1 patch

3. 127755-01 - SunOS 5.10: Fault Manager patch

4. 127127-11 - SunOS 5.10: kernel patch

Solaris 10 8/07 OS with patch 127127-11 might panic/trap during normal domain operation. (CR 6720261) To prevent this you must set the following parameter in the system specification file (/etc/system):

set heaplp_use_stlb=0

Then reboot the domain.

You cannot do a fresh install of the Solaris 10 8/07 OS on a domain that contains SPARC64 VII processors. The following two workarounds apply:

• Create a fully patched image, then use Jumpstart.
• Start the OS install on a domain that contains only SPARC64 VI processors, add the required patches, then add the SPARC64 VII processors to the domain.

Solaris 10 8/07 with SPARC64 VI Processors

None.

Solaris 10 11/06

Caution - For Sun SPARC Enterprise M4000/M5000 servers running the Solaris 10 11/06 OS, patches 123003-03 and 124171-06 must be installed on your system prior to using Sun Connection Update Manager. These patches can be downloaded from http://sunsolve.sun.com.

The following patches are required for Solaris 10 11/06 OS. Note that Solaris 10 11/06 does not support SPARC64 VII processors, even with these required patches. Install the patches in the order in which they are listed:

1. 118833-36 - Reboot your domain before proceeding.

2. 125100-10 - See the patch README file for a list of other patch requirements.

3. 123839-07

4. 120068-03

5. 125424-01

6. 118918-24

7. 120222-21

8. 125127-01 - Reboot your domain before proceeding.

9. 125670-02

10. 125166-05

---

Obtaining Solaris Patches

The Sun^sm Connection Update Manager can be used to reinstall the patches if necessary or to update the system with the latest set of mandatory patches. For more information about the Sun Connection Update Manager, refer to the Sun Update Connection System Administration Guide at:

http://docs.sun.com/app/docs/prod/updconn.sys

Or visit:

http://wikis.sun.com/display/SunConnection/Update+Manager

Installation information and README files are included in the patch downloads.

There are two options available to register your system and to use the Sun Connection Update Manager to obtain the latest Solaris OS patches:

• Use the Update Manager GUI to obtain patches.

For more information, refer to the Sun Update Connection documentation at the links mentioned previously.

• Use the smpatch(1M) command to obtain patches.

For more information, refer to the smpatch(1M) man page or the reference manual collection for your version of the Solaris OS.

Caution - For Sun SPARC Enterprise M4000/M5000 servers running the Solaris 10 11/06 OS, patches 123003-03 and 124171-06 must be installed on your system prior to using Sun Connection Update Manager. These patches can be downloaded from http://sunsolve.sun.com.

---

Patches for Emulex PCI Express (PCIe) Cards

The following Emulex cards require drivers supplied in patch 120222-26:

• Sun StorageTek Enterprise Class 4-Gigabit Dual-Port Fiber Channel PCIe HBA (part SG-XPCIE2FC-EM4)
• Sun StorageTek Enterprise Class 4-Gigabit Single-Port Fiber Channel PCIe HBA (part SG-XPCIE1FC-EM4)

---

Patches for QLogic PCIe Cards

The following QLogic cards require drivers supplied in patch 125166-10:

• Sun StorageTek Enterprise Class 4-Gigabit Dual-Port Fiber Channel PCIe HBA (part SG-XPCIE2FC-QF4)
• Sun StorageTek Enterprise Class 4-Gigabit Single-Port Fiber Channel PCIe HBA (part SG-XPCIE1FC-QF4)

---

Upgrading to XCP 1090 or XCP 1091

You can upgrade to XCP 1090 or XCP 1091 from XCP version 1050 or higher. Refer to the Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide for instructions.

Updating From a Version Earlier Than XCP 1050

If you are currently running a version earlier than XCP 1050, you cannot directly update to XCP 1090 or XCP 1091. You must first update to an interim version of XCP (between 1050 and 1070, inclusive). Contact your Oracle representative for access to older XCP releases.

Domain Restart Required After Certain Type of XCP Upgrade

On a domain that has been in operation during the update to XCP 1090 or XCP 1091 from a version between XCP 1050 and 1070 (inclusive), when you perform dynamic reconfiguration (DR) to add or replace the SPARC64 VII processors, you need to update the OpenBoot PROM firmware. The OpenBoot PROM firmware is updated as you update the XCP and restart the domain. For this reason, restart all the domains after you update the firmware to the latest XCP release, regardless of whether you added or replaced the SPARC64 VII processors.

---

Functionality Issues and Limitations

This section describes known issues in this release.

Limitations for SPARC64 VII Processors

Caution - You must complete the upgrades to the XCP firmware and to the Solaris OS before inserting SPARC 64 VII processors into the chassis.

General Functionality Issues and Limitations

Caution - For dynamic reconfiguration (DR) and hot-plug issues, see Solaris OS Issues and Workarounds.

• The following functions displaying the power consumption and exhaust air are not supported on M4000/M5000 servers:
• The power and air operands of the showenvironment(8) command
• XSCF Web

• You cannot use the following user account names, as they are reserved for system use: adm, admin, apache, bin, daemon, default, ldap, nobody, ntp, operator, proxyuser, root, rpc, rpcuser, and sshd.
• Do not use the Service Processor (SP) as the Network Time Protocol (NTP) server. Using an independent NTP server provides optimal reliability in maintaining consistent time on the SP and the domains. For more information about NTP, see the Sun BluePrints document, Using NTP to Control and Synchronize System Clocks: http://www.sun.com/blueprints/0701/NTP.pdf
• When you use the external power control interface of the external power controller, the following notification signals are not supported:
• The OS panic or the server hardware error signal (*CPUN/RTNU)
• The server hardware error signal (power fail, temperature error, and fan error) (*ALARM)

• When you import XCP or update the firmware using the XSCF you might see Web session ID errors displayed on the web browser. When you specify the timeout period as over 30 minutes in the Autologout setting Internal Server Errors might be displayed. To reconnect to the XSCF Web, close the current browser and open the new browser.
• For this XCP release, the XSCF browser user interface (XSCF Web) does not support the External I/O Expansion Unit Manager feature.
• Contact your sales representative for tape drive unit options on SPARC Enterprise M4000/M5000 servers.
• Disable pop-up blocking and remove any plug-ins such as the search tool installed with the browser when you use the XSCF Web.
• XSCF-LAN is compliant with auto-negotiation. Set the network device which connects with XSCF-LAN to the auto-negotiation mode. Otherwise when you connect the XSCF-LAN and the network device (fixed to the full-duplex mode, according to the IEEE 802.3 rule) the XSCF-LAN communicates in half-duplex mode and network communication speed might slow down or communication errors may occur.
• Due to DR and ZFS file system interoperability issues, M4000/M5000 servers are shipped pre-installed using the UFS file system. See CR 6522017 in TABLE 3-2.
• The M4000/M5000 servers are cold service machines. Hot-swapping of the CPU module (CPUM), memory board (MEMB), I/O unit (IOU), or XSCF unit is not supported.
• For information about I/O options and storage, such as the number of cards supported in a domain, see the Sun Cross Platform IO Support page:

http://wikis.sun.com/display/PlatformIoSupport/Home/

• The use of the External I/O Expansion Unit to connect the host server to an external boot disk drive is not supported.
• The setsnmp(8) and showsnmp(8) commands do not notify the user of authorization failure. Upon such failure, confirm that the SNMP trap host is working and re-execute the command using the correct user name.

---

Additional Information and Procedures

This section describes additional known issues and limitations at the time of this release.

Logging In to the System

In addition to the standard default login, the servers are delivered with a temporary login called admin to enable remote initial login, through a serial port. The admin user privileges are fixed to useradm and cannot be changed. You cannot log in as temporary admin using the standard UNIX user name and password authentication or SSH public key authentication. The temporary admin account has no password, and one cannot be added for it.

The temporary admin account is disabled after someone logs in as the default user, or after someone logged in as temporary admin has successfully added the first user with valid password and privileges.

If, before the default login is used, you cannot log in as temporary admin, you can determine if someone else has done so by executing the showuser -l command.

Booting From a WAN Boot Server

The WAN boot installation method enables you to boot and install software over a wide area network (WAN) by using HTTP. To support booting the M4000/M5000 servers from a WAN boot server, you must have the appropriate wanboot executable installed and OpenBoot version 4.24 or above to provide the needed hardware support.

For information about WAN boot servers, refer to the Solaris 10 Installation Guide: Network-Based Installations for the version of Solaris 10 OS that you are using. You can find Solaris 10 OS documentation here:

http://docs.sun.com/app/docs/prod/solaris.10

If you do not upgrade the wanboot executable, the server will panic, with messages similar to the following:

krtld: load_exec: fail to expand cpu/$CPU
krtld: error during initial load/link phase
panic - boot: exitto64 returned from client program

Sun Java Enterprise System

The Sun Java Enterprise System is a comprehensive set of software and life cycle services that make the most of your software investment. For an overview and documentation, go to:

http://www.sun.com/service/javaes/index.xml

  Log in to a terminal as root, then enable the service.

# svcadm enable svc:/system/webconsole:console 

If you have to reload the software, go to the following web site for download and installation instructions:

http://www.sun.com/software/preinstall

If you download a fresh copy of software, that software might not include patches that are mandatory for your server. After installing the software, refer to Solaris Patch Requirements for information about checking for and installing required patches.

^{1 (TableFootnote) See Solaris Patch Requirements.
Check http://sunsolve.sun.com for the latest patch revision.}

Sun SPARC Enterprise M4000/M5000 Servers Product Notes for XCP Version 1091

821-1036-11

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.