Sun SPARC Enterprise M3000 Server Product Notes for XCP 1092

C H A P T E R 1

This document covers the XCP 1090, XCP 1091, and XCP 1092 firmware releases. This chapter contains the following sections:

What’s New in XCP 1090, 1091 and 1092

Minimum Required Firmware, Operating Systems, and Browsers

Solaris Patch Requirements

Obtaining Solaris Patches

Functionality Issues and Limitations

Additional Information and Procedures

What’s New in XCP 1090, 1091 and 1092

The XCP 1092 release updates information about the Active Directory and LDAP/SSL features that were were introduced in the XCP 1091 release..

The XCP 1092 firmware is the first XCP release to support the new commands setpacketfilters(8) and showpacketfilteres(8). See the new man pages using the man(1) command.

The XCP 1091 firmware was the first XCP release to support the 2.75GHz SPARC64 VII processor on the Sun SPARC Enterprise M3000 server. Earlier XCP firmware releases do not support this faster version of the processor, which in other respects is functionally identical to all SPARC64 VII processors.

The XCP 1091 firmware introduced the Active Directory and LDAP/SSL features. See Active Directory and LDAP/SSL and Documentation Updates.

The XCP 1090 firmware was the first XCP release to support the new XSCF command showdateoffset(8). For details, see the man page.

The XCP 1090 firmware was the first XCP release to support the Airflow and Power indicators. For more information, see Airflow Indicator and Power Consumption Monitoring.

Active Directory and LDAP/SSL

The XCP 1091 release introduced support for the Active Directory and LDAP/SSL features. Some changes to these features were introduced in the XCP 1092 release. This section contains the latest information about these features.

Active Directory is a distributed directory service from Microsoft® Corporation. Like an LDAP directory service, it is used to authenticate users.

LDAP/SSL (originally called LDAP over SSL) offers enhanced security to LDAP users by way of Secure Socket Layer (SSL) technology. It uses LDAP directory service to authenticate users.

Note - For security reasons, XSCF uses only LDAP over SSL to communicate with an Active Directory server or an LDAP/SSL server.

Active Directory and LDAP/SSL each provide both authentication of user credentials and authorization of the user access level to networked resources. They use authentication to verify the identity of users before they can access system resources, and to grant specific access privileges to users in order to control their rights to access networked resources.

User privileges are either configured on XSCF or learned from a server based on each user’s group membership in a network domain. A user can belong to more than one group. Active Directory or LDAP/SSL authenticates users in the order in which the users’ domains are configured. (A user domain is the authentication domain used to authenticate a user.)

Once authenticated, user privileges can be determined in the following ways:

In the simplest case, users’ privileges are determined directly through the Active Directory or LDAP/SSL configuration on the XSCF. There is a defaultrole parameter for both Active Directory and LDAP/SSL. If this parameter is configured or set, all users authenticated via Active Directory or LDAP/SSL are assigned privileges set in this parameter. Setting up users in an Active Directory or LDAP/SSL server requires only a password with no regard to group membership.

If the defaultrole parameter is not configured or set, user privileges are learned from the Active Directory or LDAP/SSL server based on the user’s group membership. On XSCF, the group parameter must be configured with the corresponding group name from the Active Directory or LDAP/SSL server. Each group has privileges associated with it which are configured on the XSCF. A user’s group membership is used to determine the user’s privileges once the user is authenticated.

Three types of groups can be configured: administrator, operator, and custom. To configure an administrator or operator group, only group name is required.

An administrator group has platadm, useradm, and auditadm privileges associated with it. An operator group has platop and auditop privileges associated with it. To configure a custom group, both group name and privileges are required. For each type of group, up to five groups can be configured. A user assigned to more than one group receives the sum of all privileges associated with those groups.

To support these new features, two new configuration screens (Active Directory and LDAP/SSL) have been added to the Settings menu of the XSCF Web. Remote users can log in and use the XSCF Web once they have been authenticated by Active Directory or LDAP/SSL.

Note - If you are an Active Directory or LDAP/SSL user, log in to the XSCF network using SSH and password rather than user public key. If you already uploaded a public key, use the following command to delete it:

XSCF> setssh -c delpubkey -a -u proxyuser

Configuring XSCF for Active Directory Support

The commands setad(8) and showad(8) let you set and view the Active Directory configuration from the command line.

By default, Active Directory support is disabled. To enable Active Directory support, use the following command:

XSCF> setad enable

To disable Active Directory support, use the following command:

XSCF> setad disable

To show if Active Directory support is enabled or disabled, enter: :

XSCF> showad

Use the setad(8) command with its various parameters to configure AD. For example, you can use it to set up one primary and five alternate Active Directory servers, assign group names and privileges, configure a particular user domain, control logging of diagnostic messages, and more. User domain can be configured explicitly through the setad userdomain command on XSCF, or entered at login prompt using the form, user@domain.

See the setad(8) and showad(8) man pages, and the notes about these commands in TABLE 3-7.

Note - Once Active Directory has been configured and used, downgrading the firmware is not advised. However, if you must downgrade to an earlier release, run the following command immediately after doing so:

restoredefaults -c xscfu.

Configuring XSCF for LDAP/SSL Support

The commands setldapssl(8) and showldapssl(8) let you set and view LDAP/SSL configuration from the command line. These commands do for LDAP/SSL what the setad(8) and showad(8) commands do for AD, and support many of the same parameters.

For more information, see the setldapssl(8) and showldapssl(8) man pages.

The `proxyuser` System Account

To support Active Directory and LDAP/SSL, the XCP 1091 release added a new system account named proxyuser. Before using the Active Directory or LDAP/SSL features, check to ensure that no user account of that name already exists. If one does, use the deleteuser(8) command to remove it, then reset XSCF before using these features.

Airflow Indicator

Introduced in the XCP 1091 release, the Airflow indicator value indicates the volume of air exhausted from the M3000 server while it is running. The value does not include air emitted from peripheral devices.

Note - Airflow monitoring measurement values are for reference only.

To display the amount of exhaust air, use the showenvironment air command.

XSCF> showenvironment air
Air Flow:63CMH

Note - Airflow measurements might be incorrect if taken during or shortly after server power-on or power-off, or during or shortly after replacement of the power supply. For best results, check these values after at least one minute has passed.

For details of the showenvironment(8) command, refer to the man page. For installation details of the SPARC Enterprise M3000 server, see the SPARC Enterprise M3000 Server Site Planning Guide and the SPARC Enterprise M3000 Server Installation Guide.

You can also obtain the exhaust air data using the SNMP agent function. To obtain the data of exhaust air using the SNMP agent function, install the latest XSCF extension MIB definition file to the SNMP manager. For details on the XSCF extension MIB definition file, see the
SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.

Power Consumption Monitoring

Introduced in the XCP 1091 release, the power consumption monitoring function indicates the amount of power consumed while the SPARC Enterprise M3000 server is running. The value does not include that of peripheral devices.

Note - Power consumption monitoring measurement values are for reference only. The power consumption value of the server varies by the conditions such as the power supply in use, CPU types, system configurations, or system load. For more information, see the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.

To display the power consumption, use the showenvironment power command.

XSCF> showenvironment power
Permitted AC power consumption:470W
Actual AC power consumption:450W

Note - Power measurements might be incorrect if taken during or shortly after server power-on or power-off, or during or shortly after replacement of the power supply.

For details of the showenvironment(8) command, see the man page. For installation details of the SPARC Enterprise M3000 server, see the SPARC Enterprise M3000 Server Site Planning Guide.

You can also obtain the power consumption data using the SNMP agent function. To obtain the power consumption data using the SNMP agent function, install the latest XSCF extension MIB definition file to the SNMP manager. For details on the XSCF extension MIB definition file, see the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.

Upgrading and Downgrading XCP

Upgrading to XCP 1090, 1091 or XCP 1092

For information about upgrading your firmware, see the Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.

Note - After upgrading XCP firmware, use the rebootxscf(8) command to reset the XSCF.

Downgrading XCP Firmware

Downgrading your XCP firmware to an earlier release is not advised. However, if you must downgrade your XCP 1092 firmware to the XCP 1091 or XCP 1090 release, or your XCP 1091 release to the XCP 1090 version, execute the following command afterward to clear old-style audit logs:

XSCF> restoredefaults -c xscfu

Minimum Required Firmware, Operating Systems, and Browsers

The Solaris Operating System is preinstalled on new M3000 servers.

TABLE 1-1 lists the earliest firmware and operating system (OS) versions that are required in this release. ..

TABLE 1-1 Minimum Required Firmware and Operating System Versions
Processor Type	Minimum XCP Version	Minimum Operating System Version
SPARC64 VII processors, 2.52GHz	XCP 1080	Solaris 10 10/08 - with no patches required
SPARC64 VII processors, 2.52GHz with 8GB DIMMs	XCP 1081	Solaris 10 10/08 - with no patches required
SPARC64 VII processors, 2.75GHz	XCP 1091	Solaris 10 10/08 - with the Solaris 10 10/09 Patch Bundle required. Solaris 10 10/09 - with no patches required

Note - As for all releases, installation of the SunAlert Patch Cluster is recommended. Also, note that the Solaris 10 10/09 Patch Bundle is also known as MU8.

Many web browsers support the XSCF Web. The browsers in TABLE 1-2 have demonstrated compatibility with the XSCF Web through testing.

TABLE 1-2 Tested Web Browser Versions
Web Browser Application	Version
Firefox	2.0 and 3.0
Microsoft Internet Explorer	6.0 , 7.0 and 8.0

Solaris Patch Requirements

This section lists mandatory patches, patch bundles, and SunAlert patch clusters for the M3000 server. Always refer to the patch README for information about patch requirements and special installation instructions.

The patch identifiers listed in this section represent the minimum level of the patches that must be installed. The two-digit suffix represents the minimum revision level of the patch. Check http://sunsolve.sun.com for the latest patch revision. Apply patches in the order listed.

Solaris 10 5/09 with SPARC64 VII 2.75 GHz Processors

The Solaris 10 10/09 Patch Bundle is required, and the SunAlert Patch Cluster is recommended. See:

http://sunsolve.sun.com/show.do?target=patches/patch-access

Solaris 10 10/08 with SPARC64 VII 2.75 GHz Processors

The Solaris 10 10/09 Patch Bundle is required, and the SunAlert Patch Cluster is recommended. See:

http://sunsolve.sun.com/show.do?target=patches/patch-access

Obtaining Solaris Patches

The Sun^s Connection Update Manager can be used to reinstall the patches if necessary or to update the system with the latest set of mandatory patches. For more information about the Sun Connection Update Manager, refer to the Sun Update Connection System Administration Guide at:

http://docs.sun.com/app/docs/prod/updconn.sys

Or visit:

http://wikis.sun.com/display/SunConnection/Update+Manager

Installation information and README files are included in the patch downloads.

Two options are available to register your system and to use the Sun Connection Update Manager to obtain the latest Solaris OS patches:

Use the Update Manager GUI to obtain patches. For more information, refer to the Sun Update Connection documentation at the links mentioned previously.

Use the smpatch(1M) command to obtain patches. For more information, refer to the smpatch(1M) man page or the reference manual collection for your version of Solaris.

Patches for Emulex PCI Express (PCIe) Cards

The following Emulex cards require drivers supplied in patch 120222-26 or later:

XSEFC402AF Sun StorageTek Enterprise Class 4-Gigabit Dual-Port Fiber Channel PCIe HBA

XSEFC401AF Sun StorageTek Enterprise Class 4-Gigabit Single-Port Fiber Channel PCIeHBA

Functionality Issues and Limitations

This section describes issues and limitations known at the time of this release.

Limitations for SPARC64 VII Processors

Caution - You must complete the upgrades to the XCP firmware and to the Solaris OS before inserting SPARC 64 VII processors into the chassis.

General Functionality Issues and Limitations

Note - Do not use the Service Processor (SP) as the Network Time Protocol (NTP) server. Using an independent NTP server provides optimal reliability in maintaining consistent time on the SP and the domains. For more information about NTP, see the Sun Blueprint document, Using NTP to Control and Synchronize System Clocks: http://www.sun.com/blueprints/0701/NTP.pdf

For power-on after power-off, wait at least 30 seconds before turning the system power back on by using the main line switch or the circuit breakers on the distribution panel.

You cannot use the following user account names, as they are reserved for system use: adm, admin, apache, bin, daemon, default, ldap, nobody, ntp, operator, proxyuser, root, rpc, rpcuser, and sshd.

An XSCF user account user name cannot match an LDAP user name, and an XSCF user account number (UID) cannot match an LDAP UID number.

If your M3000 server is running the Solaris 10 10/09 OS and IPMP, you must disable probe-based failure detection to correct for CR 6888928. See InfoDoc 211105 (86869).

When you use the external power control interface of the external power controller, the following notification signals are not supported:

The OS panic or the server hardware error signal (*CPUN/RTNU).

The server hardware error signal (power fail, temperature error, and fan error) (*ALARM).

When you import XCP or update the firmware using the XSCF you might see Web session ID errors displayed on the web browser. When you specify the timeout period as over 30 minutes in the Autologout setting, Internal Server Errors might be displayed. To reconnect to the XSCF Web close the current browser and open the new browser.

Before using the XSCF Web, disable pop-up blocking and remove any plug-ins such as the search tool installed with the browser.

XSCF-LAN is compliant with auto-negotiation. Set the network device that connects with XSCF-LAN to the auto-negotiation mode. Otherwise, when you connect the XSCF-LAN and the network device (fixed to the full-duplex mode, according to the IEEE 802.3 rule), the XSCF-LAN communicates in half-duplex mode and network communication speed might slow or communication errors may occur.

For information about I/O options and storage, such as the number of cards supported in a domain, see the Sun Cross Platform IO Support page:

http://wikis.sun.com/display/PlatformIoSupport/Home/

The setsnmp(8) and showsnmp(8) commands do not notify the user of authorization failure. Upon such failure, confirm that the SNMP trap host is working and re-execute the command using the correct user name.

Additional Information and Procedures

This section describes additional issues and limitations known at the time of this release.

Sun Java Enterprise System

The Sun Java trademark Enterprise System software is a comprehensive set of software and life cycle services that make the most of your software investment. The software and installation instructions can be found at the following web address:

http://www.sun.com/software/javaenterprisesystem/index.jsp

The software might not include patches that are mandatory for your server. After installing the software, refer to Solaris Patch Requirements for information about checking for and installing required patches.

For an overview and documentation, go to:

http://www.sun.com/service/javaes/index.xml

Note - Due to an issue that arises from the installation of the Java Enterprise System 5 Update 1 on your system, it might be necessary to enable the WebConsole SMF service.

Logging In to the System

In addition to the standard default login, M3000/M4000/M5000/M8000/M9000 servers are delivered with a temporary login called admin to enable remote initial login, through a serial port. The admin user privileges are fixed to useradm and cannot be changed. You cannot log in as temporary admin using the standard UNIX user name and password authentication or SSH public key authentication. The temporary admin account has no password, and one cannot be added for it.

The temporary admin account is disabled after someone logs in as the default user, or after someone logged in as temporary admin has successfully added the first user with valid password and privileges.

If, before the default login is used, you cannot log in as temporary admin, you can determine if someone else has done so by executing the showuser -l command.

Booting From a WAN Boot Server

The WAN boot installation method enables you to boot and install software over a wide area network (WAN) by using HTTP. To support booting the M3000 server from a WAN boot server, you must have the appropriate wanboot executable installed and OpenBoot version 4.24.10 or above to provide the needed hardware support.

For information about WAN boot servers, refer to the Solaris 10 Installation Guide: Network-Based Installations for the version of Solaris 10 OS that you are using. You can find Solaris 10 OS documentation here:

http://docs.sun.com/app/docs/prod/solaris.10

If you do not upgrade the wanboot executable, the server will panic, with messages similar to the following:

krtld: load_exec: fail to expand cpu/$CPU
krtld: error during initial load/link phase
panic - boot: exitto64 returned from client program

Enabling Web Console SMF Service

To Enable the Web Console SMF Service:

# svcadm enable svc:/system/webconsole:console

If you have to reload the software, go to the following web site for download and installation instructions:

http://www.sun.com/software/preinstall

If you download a fresh copy of software, that software might not include patches that are mandatory for your server. Before installing the software, refer to Solaris Patch Requirements for information about checking for and installing required patches.

Identifying Degraded Memory in a System

To Identify Degraded Memory in a System:

1. Log in to XSCF.

2. Type the following command:

XSCF> showstatus

3. The following example reveals that DIMM number 0A on the Motherboard unit has degraded memory:

XSCF> showstatus
    MBU_A Status: Normal;
      MEM#0A Status:Degraded