Black Box Value-Line and Advanced Console Servers manual


A good user manual

The rules should oblige the seller to give the purchaser operating instructions for Black Box Value-Line and Advanced Console Servers along with the item. Missing instructions or false information given to the customer constitute grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive instructions in non-paper form; lately, graphic and electronic manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unambiguous and legible.

What is an instruction?

The term originates from the Latin word “instructio”, which means organizing. Therefore, in the instructions for Black Box Value-Line and Advanced Console Servers one can find a process description. The purpose of an instruction is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers take the time to read the instructions for Black Box Value-Line and Advanced Console Servers. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for Black Box Value-Line and Advanced Console Servers should contain:
- information concerning the technical data of Black Box Value-Line and Advanced Console Servers
- the name of the manufacturer and the year of construction of the Black Box Value-Line and Advanced Console Servers item
- rules of operation, control and maintenance of the Black Box Value-Line and Advanced Console Servers item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionality of purchased items. Unfortunately, networking and start-up of Black Box Value-Line and Advanced Console Servers alone are not enough. An instruction contains a number of pointers concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of Black Box Value-Line and Advanced Console Servers, and methods of problem resolution. Finally, when one still can't find the answer to a problem, one will be directed to the Black Box service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will become familiar with the whole material, and won't skip complicated, technical information about Black Box Value-Line and Advanced Console Servers.

Why should one read the manuals?

It is mostly in the manuals where we will find the details concerning the construction and capabilities of the Black Box Value-Line and Advanced Console Servers item, and its use with respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should take a moment to get to know every part of the instructions. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    BLACK BOX® Securely manage data center and network equipment from anywhere in the world. Value-Line and Advanced Console Servers User’s Manual LES1108A LES1208A-R2 LES1308A LES1408A LES1508A LES1116A LES1216A-R2 LES1316A LES1416A LES1132A LES1232A LE[...]

  • Page 2

    724-746-5500 | blackbox.com Page 2 Value-Line and Advanced Console Servers Manual Trademarks Used in this Manual Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Cisco is a registered trademark of Cisco Technology, Inc. Mac is a registered tradema[...]

  • Page 3

    We’re here to help! If you have any questions about your application or our products, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com a[...]

  • Page 4

    Federal Communications Commission and Industry Canada Radio Frequency Interference Statements This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used prop[...]

  • Page 5

    Safety Instructions (Official Mexican Standards Electrical Safety Statement) 1. All safety and operating instructions must be read before the electrical appliance is[...]

  • Page 6

    INDEX INTRODUCTION 13 INSTALLATION 18 2.1 Models 18 2.1.1 Kit components LES1508A Console Server 19 2.1.2 Kit components LES1308A - LES1348A and LES1408A - LES1448A Advanced Console Servers 19 2.1.3 Kit components LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 Advanced Console Servers 20 2.1.4 Kit components LES1116A, LES1132A [...]

  • Page 7

    4.1.8 Cisco USB console connection 56 4.2 Add/Edit Users 56 4.3 Authentication 60 4.4 Network Hosts 60 4.5 Trusted Networks 61 4.6 Serial Port Cascading 62 4.6.1 Automatically generate and upload SSH keys 62 4.6.2 Manually generate and upload SSH keys 63 4.6.3 Configure the slaves and their serial ports 65 4.6.4 Managing the Slaves 66[...]

  • Page 8

    6.2.1 SDT Connector installation 104 6.2.2 Configuring a new console server gateway in the SDT Connector client 105 6.2.3 Auto-configure SDT Connector client with the user’s access privileges 106 6.2.4 Make an SDT connection through the gateway to a host 107 6.2.5 Manually adding hosts to the SDT Connector gateway 108 6.2.6 Manuall[...]

  • Page 9

    8.1 Remote Power Control (RPC) 149 8.1.1 RPC connection 149 8.1.2 RPC access privileges and alerts 152 8.1.3 User power management 152 8.1.4 RPC status 153 8.2 Uninterruptible Power Supply Control (UPS) 153 8.2.1 Managed UPS connections 154 8.2.2 Remote UPS management 157 8.2.3 Controlling UPS powered computers 158 8.2.4 UPS alerts 159 8.2[...]

  • Page 10

    11.3 Configure Date and Time 197 11.4 Configuration Backup 198 11.5 Delayed Configuration Commit 201 11.6 FIPS Mode 202 STATUS REPORTS 203 12.1 Port Access and Active Users 203 12.2 Statistics 203 12.3 Support Reports 204 12.4 Syslog 204 12.5 Dashboard 205 12.5.1 Configuring the Dashboard 205 12.5.2 Creating custom widgets for the Dashboar[...]

  • Page 11

    15.1.8 Backing-up the configuration and restoring using a local USB stick 243 15.1.9 Backing-up the configuration off-box 244 15.2 Advanced Portmanager 245 15.2.1 Portmanager commands 245 15.2.2 External Scripts and Alerts 246 15.3 Raw Access to Serial Ports 247 15.3.1 Access to serial ports 247 15.3.2 Accessing the console/modem p[...]

  • Page 12

    APPENDIX A. CLI Commands and Source Code B. Hardware Specification C. Safety and Certifications D. Connectivity and Serial I/O E. Terminology F. End User License Agreement G. Service and Warranty[...]

  • Page 13

    Chapter 1 Introduction INTRODUCTION This Manual This User’s Manual walks you through installing and configuring your Black Box Console Server (LES1108A, LES1116A, LES1132A, LES1148A, LES1508A) or Advanced Console Server (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416[...]

  • Page 14

    10. Nagios Integration Describes how to set Nagios central management with SDT extensions and configure the console server as a distributed Nagios server. 11. System Management Covers access to and configuration of services that will run on the console server. 12. Status Reports View a dashboard summary and detailed status and logs o[...]

  • Page 15

    ports and serially connected devices, network connected hosts, and connected power devices; and to view associated logs and configure alerts. A User can also use the Management Console, but has limited menu access to control select devices, review their logs and access them using the built-in java terminal or control power to them. The [...]

  • Page 16

    Date Revision Update details September 2011 1.1 Prerelease October 2011 2.0 Release for V2.8 firmware and later December 2012 3.0 Release for V3.5 firmware and later[...]

  • Page 17

    Copyright © Black Box Corporation 2011. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on the part of Black Box. Black Box provides this document “as is,” without warranty of any kind, either expressed or implied, including, but not limited to, the implied w[...]

  • Page 18

    Chapter 2 Installation INSTALLATION Introduction This chapter describes how to install the console server hardware and connect it to controlled devices. To avoid physical and electrical hazards please read Appendix C on Safety. 2.1 Models There are multiple console server models, each with a different number of network and serial ports or [...]

  • Page 19

    • If you are installing the console server in a rack, you will need to attach the rack mounting brackets supplied with the unit, then install the unit in the rack. Make sure you follow the Safety Precautions listed in Appendix C. • Connect your console server to the network, to the serial ports of the controlled devices, and [...]

  • Page 20

    DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors USB micro-AB adapter cable Antenna with 10 foot extension cable Dual IEC AC power cords Printed Quick Start Guide and User’s Manual on CD-ROM 2.1.3 Kit components LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 Advanced Console Servers LES1208A-R2, LES1216A[...]

  • Page 21

    2.1.4 Kit components LES1116A, LES1132A and LES1148A Console Servers LES1116A, LES1132A or LES1148A Console Server (2) UTP CAT5 blue cables DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors IEC AC power cord Printed Quick Start Guide and User’s Manual on CD-ROM 2.1.5 Kit components LES1108A Console Server LES1108A Cons[...]

  • Page 22

    VDC connector from the power supply plugs into the 12VDC (PWR) power socket on the side of the LES1508A. 2.2.2 LES1408A - LES1448A, LES1308A - LES1348A and LES1208A - LES1248A power The Advanced Console Server models (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432[...]

  • Page 23

    2.2.4 LES1108A power The LES1108A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The DC power supply has an IEC AC power socket, which accepts a conventional IEC AC power cord. The power cord for North America is included in the kit. The 5-VDC conn[...]

  • Page 24

    PIN | SIGNAL | DEFINITION | DIRECTION
    1 | RTS | Request To Send | Output
    2 | DSR | Data Set Ready | Input
    3 | DCD | Data Carrier Detect | Input
    4 | RXD | Receive Data | Input
    5 | TXD | Transmit Data | Output
    6 | GND | Signal Ground | NA
    7 | DTR | Data Terminal Ready | Output
    8 | CTS | Clear To Send | Input
    The LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES[...]

  • Page 25

    − connecting to USB consoles of Managed Devices (e.g. for managing UPS supplies) − attaching other external USB peripherals (e.g. an external USB memory stick or modem) − adding supported Sierra Wireless cellular USB modems − plugging in USB hubs to provide additional ports The USB1.1 port is best reserved for use with an exte[...]

  • Page 26

    Chapter 3 Initial System Configuration SYSTEM CONFIGURATION Introduction This chapter provides step-by-step instructions for the console server’s initial configuration, and for connecting it to the Management or Operational LAN. The Administrator must: • Activate the Management Console. • Change the Administrator password. • Set [...]

  • Page 27

    o Subnet mask: 255.255.255.0 • If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection. • If it is not convenient to change your PC/workstation network address, you can use the ARP-Ping command to reset the console server IP address. To do this from a[...]

  • Page 28

    • You will be prompted to log in. Enter the default administration username and administration password: Username: root Password: default Note Console servers are factory configured with HTTPS access enabled and HTTP access disabled. A Welcome screen, which lists initial installation configuration steps, will be displayed: - Change [...]

  • Page 29

    After completing each of the above steps, you can return to the configuration list by clicking in the top left corner of the screen on the Black Box logo. Note If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username/Password were not accepted, then reset your console server (refer to Chapter[...]

  • Page 30

    • Click Apply. Since you have changed the password you will be prompted to log in again. This time, use the new password. Note If you are not confident that your console server has the current firmware release, you can upgrade. Refer to Upgrade Firmware — Chapter 10. 3.2.1 Set up new administrator It is also recommended that you [...]

  • Page 31

    The next step is to enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server; or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network it will connect to. • On the System: IP menu, select the Network Interface page then check dhcp or static for[...]

  • Page 32

    3.3.1 IPv6 configuration You can also configure the console server Network and Management LAN Interfaces for IPv6 operation: • On the System: IP menu select General Settings page and check Enable IPv6. • Then, configure the IPv6 parameters on each Interface page. 3.3.2 Dynamic DNS (DDNS) configuration With Dynamic DNS (DDNS) a con[...]

  • Page 33

    3.4 System Services The Administrator can access and configure the console server (and connected devices) using a range of access protocols/services – and for each such access, the particular service must be running with access through the firewall enabled. Service Access specifies which access protocols/services can be used to acce[...]

  • Page 34

    The Services Access settings specify which services the Administrator can use over which network interface to access the console server. It also nominates the enabled services that the Administrator and the User can use to connect through the console server to attached serial and network connected devices. • The following gener[...]

  • Page 35

    in rack mount models. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15 — Advanced Configuration. TFTP This service will set up the default tftp server on the USB flash card (and is relevant to LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A[...]

  • Page 36

    • To enable a service check Enable. For some services you will be asked to specify the TCP/IP port to be used for this service. • There are also some serial port access parameters that you can configure on this menu: Base The console server uses specific default ranges for the TCP/IP ports for the various access services that Users[...]

  • Page 37

    Black Box provides the SDT Connector Java applet as the recommended client software tool. You can use other generic tools such as PuTTY and SSHTerm. These tools are all described below as well. 3.5.1 SDT Connector Each console server has an unlimited number of SDT Connector licenses to use with that console server. SDT Connector is a li[...]

  • Page 38

    • To use PuTTY for an SSH terminal session from a Windows client, enter the console server’s IP address as the “Host Name (or IP address).” • To access the console server command line, select “SSH” as the protocol, and use the default IP Port 22. • Click “Open” and the console server login prompt will appear. (You may [...]

  • Page 39

    3.6.1 Enable the Management LAN The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers provide a firewall, router, and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this mana[...]

  • Page 40

    Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port (but not both). Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu. The management gateway function is now enabled with default firewall and[...]

  • Page 41

    • Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must request it again. • Click Apply. The DHCP server will sequentially issue IP addresses from a specified address pool(s): • Click Add in the Dynamic Address Allocation Po [...]

  • Page 42

    • By default, the failover is not enabled. To enable, select the Network page on the System: IP menu. • Select the Failover Interface to be used if the main fails. This can be: o Management LAN - an alternate broadband Ethernet connection (which would be the Network2 port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448[...]

  • Page 43

    • Click Apply. You have selected the failover method. It is not active until you specify the external sites to be probed to trigger failover, and set up the failover ports themselves. This is covered in Chapter 5. Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port, but not both. Make su[...]

  • Page 44

    • Select Enable Bridging on the System: IP General Settings menu. • Select Bridge Interfaces or Bond Interfaces o When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All the Ethernet ports are all transparently connected at the data link layer (layer 2) so they do retain their [...]

  • Page 45

    To add to the static route to the route table of the system: • Select the Route Settings tab on the System: IP General Settings menu. • Enter a meaningful Route Name for the route. • In the Destination Network/Host field enter the IP address of the destination network/host that the route provides access to. • Enter a value in t[...]

  • Page 46

    Chapter 4 Serial Port, Host, Device & User Configuration SERIAL PORT AND NETWORK HOST Introduction The Black Box console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that [...]

  • Page 47

    1) Console Server Mode is the default and this enables general access to serial console port on the serially attached devices. 2) Device Mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS, or Environmental Monitor Device (EMD). 3) SDT Mode enables graphical console access (with RDP, VNC, HTTPS, etc.)[...]

  • Page 48

    • Specify a label for the port. • Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits, and Flow Control for each port. (Note: The RS-485/RS-422 option is not relevant for console servers.) • Before proceeding with further serial port configuration, connect the ports to the serial devices they will be controlling, and[...]

  • Page 49

    Logging Level This specifies the level of information to be logged and monitored (refer to Chapter 7 — Alerts and Logging). Telnet When the Telnet service is enabled on the console server, a Telnet client on a User or Administrator’s computer can connect to a serial device attached to this serial port on the console server. The Tel[...]

  • Page 50

    If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below). Note In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client PC/workstations to the seria[...]

  • Page 51

    PuTTY can be downloaded at http://www.tucows.com/preview/195286.html SSH We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network. This will provide authenticated SS[...]

  • Page 52

    For a User named “fred” to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternate is to type username = fred:port02 (or username = fred:ttyS1) and ssh port = 22. Or, by typing username=fred:serial and ssh port = 22. A port selection option appea[...]

  • Page 53

    Web Terminal Selecting Web Terminal enables web browser access to the serial port via Manage: Devices: Serial using the Management Console's built in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 13.3 for more details. Authenticate Enable for [...]

  • Page 54

    For configuration details, refer to Chapter 6.6 — Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server. 4.1.4 Device (RPC, UPS, EMD) Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Contro[...]

  • Page 55

    4.1.6 Serial Bridging Mode With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server. It is then represented on its serial port again as serial data. The two console servers effectively act as a virtual [...]

  • Page 56

    For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are for site local values), and the Priority to critical. At this priority, if the console server syslog server does receive a message, it will[...]

  • Page 57

    Users can be authorized to access specified console server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges). To simplify user set up, they can be configured as members of Groups. There are six Groups set up by [...]

  • Page 58

    3. If a user is set up with pptd, dialin, ftp or pmshell group membership they will have restricted user shell access to the nominated managed devices but they will not have any direct access to the console server itself. To add this the users must also be a member of the "users" or "admin" groups 4. The Administrat[...]

  • Page 59

    Note The User Name can contain from 1 to 127 alphanumeric characters (you can also use the special characters “-”, “_”, and “.”). There are no restrictions on the characters that you can use in the user Password (each can contain up to 254 characters). Only the first eight Password characters are used to make the pass[...]

  • Page 60

    4.3 Authentication Refer to Chapter 9.1 — Remote Authentication Configuration for authentication configuration details. 4.4 Network Hosts To access a locally networked computer or device (referred to as a Host), you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host. • Selecting Se[...]

  • Page 61

    • If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10 — Nagios Integration). • Click Apply. This will create the new Host and also create a new Managed Devic[...]

  • Page 62

    Network Mask 255.255.255.255 • If, however, you want to allow all the users operating from within a specific range of IP addresses (for example, any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port: Host/Subnet Address 204.15.5.128 Subnet Mask 255.255.255.224 • Click Apply. Note Th[...]

  • Page 63

    • Select System: Administration on Master’s Management Console. • Check Generate SSH keys automatically and click Apply. Next, you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys [...]

  • Page 64

    Next, you must register the Public Key as an Authorized Key on the Slave. In a case that has only one Master with multiple Slaves, you only need to upload the one RSA or DSA public key for each Slave. Note Using key pairs can be confusing since one file (Public Key) fulfills two roles — Public Key and Authorized Key. For a more detai[...]

  • Page 65

    Once the SSH connection has been established, the system asks you to accept the key. Answer yes and the fingerprint will be added to the list of known hosts. For more details on Fingerprinting, refer to Chapter 15.6. • If the system asks you to supply a password, then there is a problem with uploading keys. The keys should remove an[...]

  • Page 66

    Once you have added all the Slave console servers, you can assign and access the Slave serial ports and the connected devices from the Master’s Management Console menu. You can also access them through the Master’s IP address. • Select the appropriate Serial & Network: Serial Port and Edit to configure the serial ports on [...]

  • Page 67

    This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that’s connected to the remote console server as if it were connected to your local serial port. 4.8 Managed Devices Managed Devices presents a consolidated view of all the connections to a device that you can access and monitor t[...]

  • Page 68

    • Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select the specific connection from the presented list of configured unallocated hosts/ports/outlets. To add a new network-connected Managed Device: • The Administrator adds a new network-connected Managed Device using Add Host on th[...]

  • Page 69

    Note To set up a new serially connected RPC UPS or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental). When applied, this will automatically create a corresponding new Managed Device with t[...]

  • Page 70

    console servers provide a simple GUI interface for basic set up as described below. However for more detailed information on configuring Openswan IPsec at the command line and interconnecting with other IPsec VPN gateways and road warrior IPsec software refer http://wiki.openswan.org 4.9.1 Enable the VPN gateway • Select IPse[...]

  • Page 71

    • If the VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured) enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of ‘one’ bits in the binary notation of the netmask). For exampl[...]

  • Page 72

    • Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN • Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respec[...]

  • Page 73

    o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients. • Click Apply to save changes • To enter authentication certificates and files, Edit the OpenVPN tunnel.[...]

  • Page 74

    When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for “.opvn” files. This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. So once OpenVPN is installed, a configuration file will need to be created: • Using a text editor,[...]

  • Page 75

    5 = helps with debugging connection problems 9 = extremely verbose, excellent for troubleshooting dev tun dev tap Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ to create an Ethernet tunnel. The client and server must use the same settings. remote <host> The hostname/IP of OpenVPN server when operating as a cl[...]

  • Page 76

    ➢ The log file will be displayed as the connection is established ➢ Once established, the OpenVPN icon will display a message notifying of the successful connection and assigned IP. This information, as well as the time the connection was established, is available anytime by scrolling over the OpenVPN icon. Note: An alternate Op[...]

  • Page 77

    4.11 PPTP VPN The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is typically used for communications over a physical or virtual serial link. The PPP endpoint [...]

  • Page 78

    ➢ Select the Enable check box to enable the PPTP Server ➢ Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest. • Encrypted Authentication (MS-CHAP v2): Th[...]

  • Page 79

    ➢ Enable Verbose Logging to assist in debugging connection problems ➢ Click Apply Settings 4.11.2 Add a PPTP user ➢ Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 4.2. ➢ Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server. Note - users in this gr[...]

  • Page 80

    Note: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the console server. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP clie[...]

  • Page 81

    Chapter 5 Firewall, Failover and OoB Dial Access FIREWALL, FAILOVER AND OoB DIAL-IN Introduction The console server has a number of fail-over and out-of-band access capabilities to make sure it’s available if there are difficulties accessing the console server through the principal network path. The console server also has ro[...]

  • Page 82

    external modem via a serial cable to the DB9 port, and you can configure the second Ethernet port for broadband OoB access. Make sure you unplug the console server power before installing the modem. When it next boots, it will detect the modem and a PC Card Modem tab will appear under System -> Dial. The LES1508A, LES1408A, LES141[...]

  • Page 83

    ➢ In the Remote Address field, enter the IP address to be assigned to the dial-in client. You can select any address for the Remote IP Address. It, and the Local IP Address, must both be in the same network range (e.g. 200.100.1.12 and 200.100.1.67). ➢ In the Local Address field, enter the IP address for the Dial-In PPP Server. Thi[...]

  • Page 84

    Note: The User name and Password to be used for the dial-in PPP link are set up when the User is initially set up with dialin Group membership. The dialin Group supports multiple dial-in users. Any dial-back phone numbers are also configured when the User is set up. Note: Chapter 15 (Advanced Configuration) has examples of Linux [...]

  • Page 85

    ➢ Enter the PPP User name and Password you set up for the console server. 5.1.4 Set up earlier Windows clients ➢ For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then, click Network and Dial-up Conne[...]

  • Page 86

    active broadband access paths to the console server, if you are unable to access it through the primary management network (Network or Network1), you can still access it through the alternate broadband path (for example, a T1 link). ➢ On the System: IP menu select Network 2 and configure the IP Address, Subnet Mask, Gateway, an[...]

  • Page 87

    ➢ On the Management LAN Interface - Network 2, configure the IP Address / Subnet Mask / Gateway the same as Network Interface - Network 1. In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over [...]

  • Page 88

    724-746-5500 | blackbox.com Page 88[...]

  • Page 89

    5.4.2 Failover dial-out The console server modem can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network. ➢ When configuring the principal network connection in System: IP specify the Failover Interface that will be used when a fault has been detected[...]

  • Page 90

    Note: Your 3G carrier may have provided you with details for configuring the connection including APN (Access Point Name), Pin Code (optional PIN code which may be required to unlock the SIM card), Phone Number (the sequence to dial to establish the connection, defaults to *99***1#), Username/Password (optional) and Dial str[...]

  • Page 91

    5.6.2 Connect to the CDMA EV-DO carrier network The LES1408A, LES1416A, LES1432A and LES1448A console servers have an internal CDMA modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also support attaching an external USB CDMA cellular modem from Sierra Wireless to one of its USB 2.0 po[...]

  • Page 92

    ➢ Navigate to the Internal Cellular Modem tab on System: Dial. To connect to your carrier's 3G network enter the appropriate phone number (usually #777) and a Username and Password if directed to by your account/plan documentation ➢ Select Enable and then click Apply to initiate the Always On Out-of-Band connection 5.6.3 Veri[...]

  • Page 93

    5.7 Cellular Operation When set up as a console server the 3G cellular modem can be set up to connect to the carrier in either: - Failover mode. In this case a dial-out cellular connection is only established in event of a ping failure - OOB mode. In this mode the dial-out connection to the carrier cellular network is always on - aw[...]

  • Page 94

    ➢ Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if the principal network is still operational ➢ In event of a failure of the principal network the 3G network connection is activated as the access path to the console server (and its Managed Devices). Only HTTPS and [...]

  • Page 95

    5.8 Firewall & Forwarding The console server has routing, NAT, packet filtering and port forwarding support on all physical and virtual network interfaces. This enables the console server to function as an Internet or external network gateway: − Network Forwarding allows the network packets on one network interface (i.e. L[...]

  • Page 96

    − With Firewall Rules, packet filtering inspects each packet passing through the firewall and accepts or rejects it based on user-defined rules. − Then Service Access Rules can be set for connecting to the console server/router itself 5.8.1 Configuring network forwarding and IP masquerading To use a console server as an Internet [...]

  • Page 97

    IP Masquerading performs Source Network Address Translation (SNAT) on outgoing packets, to make them appear like they've come from the console server (rather than devices on the internal network). When response packets come back from devices on the external network, the console server will translate the packet address back to the in[...]

  • Page 98

    ➢ Click on the Disabled link next to DHCP Server which will bring up the System: DHCP Server page ➢ Check Enable DHCP Server ➢ To configure the DHCP server, tick the Use interface address as gateway check box ➢ Set the DNS server address(es) to be the same as used on the external network i.e. if the console server is acting as[...]

  • Page 99

    Source Address: This allows the user to restrict access to a port forward to a specific address. In most cases, this should be left blank. Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.[...]

  • Page 100

    ➢ Click New Firewall Rule ➢ Fill in the following fields: Name: Name the rule. This name should describe the policy the firewall rule is being used to implement (e.g. block ftp, Allow Tony) Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc) Port [...]

  • Page 101

    Protocol: TCP Direction: Egress Action: Block The firewall rules are processed in a set order - from top to bottom. So rule placement is important. For example with the following rules, all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses (SysAdmin and Tony): To allow all incomi[...]

  • Page 102

    Chapter 6 Secure SSH Tunneling & SDT Connector SECURE SSH TUNNELING AND SDT CONNECTOR Introduction Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices — using text-based console tools (such as SSH, telnet, SoL) or graph[...]

  • Page 103

    ➢ Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server (Section 6.4). The chapter then covers more advanced SDT Connector and SSH tunneling topics: ➢ Using SDT Connector for out-of-band access (Section 6.5). ➢ Automatic importing and exporting configurations (Section 6.[...]

  • Page 104

    6.2.1 SDT Connector installation ➢ The SDT Connector set up program (SDTConnector Setup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Black Box console server. ➢ Run the set-up program. Note For Windows clients, the SDTConnector Setup-1.n.exe application will install the SDT Connector 1.n.exe and th[...]

  • Page 105

    configure clients to run on the PC that will use the service to connect to the hosts and serial port devices (refer to Section 6.2.7 and 6.2.9). You can also set up SDT Connector to connect out-of-band to the console server (refer to Section 6.2.9). 6.2.2 Configuring a new console server gateway in the SDT Connector client To cr[...]

  • Page 106

    ➢ Or, enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location, or anything special about its network configuration). ➢ Click OK and an icon for the new gateway will now appear in the SDT Connector home page. Note For an SDT Connec[...]

  • Page 107

    ➢ configure access to network connected Hosts that the user is authorized to access and set up (for each of these Hosts) the services (for example, HTTPS, IPMI2.0) and the related IP ports being redirected. ➢ configure access to the console server itself (this is shown as a Local Services host). ➢ configure access with the enabl[...]

  • Page 108

    Note The SDT Connector client can be configured with unlimited number of Gateways (that is, console servers). You can configure each Gateway to port forward to an unlimited number of locally networked Hosts. There is no limit on the number of SDT Connector clients that can be configured to access the one Gateway. Nor are there li[...]

  • Page 109

    6.2.6 Manually adding new services to the new hosts To extend the range of services that you can use when accessing hosts with SDT Connector: ➢ Select Edit: Preferences and click the Services tab. Click Add. ➢ Enter a Service Name and click Add. ➢ Under the General tab, enter the TCP Port that this service runs on (for exampl[...]

  • Page 110

    An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server — it has a client associated with it (web browser) that it launches immediately when you click the button for this service. The second redirection is for the VNC service that you may choose to later launch from the RAC web console. [...]

  • Page 111

    Note SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a “tunnel within a tunnel.” Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UD[...]

  • Page 112

    ➢ Enter a Name for the client. Enter the Path to the executable file for the client (or click Browse to locate the executable). ➢ Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it at the local endpoint of the redirection. There ar[...]

  • Page 113

    ➢ Click OK. 6.2.8 Dial in configuration If the client PC is dialing into Local/Console port on the console server, you will need to set up a dial-in PPP link: ➢ Configure the console server for dial-in access (following the steps in the Configuring for Dial-In PPP Access section in Chapter 5, Configuring Dial In Access). ➢ Set [...]

  • Page 114

    ➢ Click the HTTP or HTTPS Services icon to access the Management Console, and/or click SSH or Telnet to access the command line console. Note: To enable SDT access to the console, you must also configure the console server to allow the port forwarded network access to itself: ➢ Browse to the console server and select Netw[...]

  • Page 115

    ➢ Assuming you have already set up the target console server as a gateway in your SDT Connector client (with username/password etc), select this gateway and click the Host icon to create a host. Or, select File -> New Host. ➢ Enter 127.0.0.1 as the Host Address and select Serial Port 2 for Service. In Descriptive Name, enter som[...]

  • Page 116

    Description, and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and select Port 2 from Accessible Port(s). Click Apply. 6.5 Using SDT Connector for out-of-band connection to the gateway You can also set up SDT Connector to connect to the console server (gateway) out-of-band (OoB). OoB access uses an alternate pa[...]

  • Page 117

    where network_connection is the name of the network connection as displayed in Control Panel -> Network Connections, login is the dial-in username, and password is the dial-in password for the connection. ➢ To initiate a pre-configured dial-up connection under Linux, use the following Start Command: pon network_connection where[...]

  • Page 118

    To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility: ➢ To save a configuration.xml file (for backup or for importing into other SDT Connector clients) select File -> Export Preferences and select the location where you want to save the configuration file. ➢ To import a conf[...]

  • Page 119

    6.8 Setting up SDT for Remote Desktop access The Microsoft Remote Desktop Protocol (RDP) enables the system manager to securely access and manage remote Windows computers — to reconfigure applications and user profiles, upgrade the server’s operating system, reboot the machine, etc. Black Box’s Secure Tunneling uses SSH tunnel[...]

  • Page 120

    ➢ To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box. Note If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and follow the steps to nominate the new user’s name, password, and account type (Administrator or Limited). N[...]

  • Page 121

    ➢ In Computer, enter the appropriate IP Address and Port Number: ➢ Where there is a direct local or enterprise VPN connection, enter the IP Address of the console server, and the Port Number of the SDT Secure Tunnel for the console server serial port that you attach to the Windows computer you want to control. For example, i[...]

  • Page 122

    ➢ Click Connect. Note The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008. For earlier Windows PCs, you need to download the RDP client: ➢ Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-426E-96C2-08AA2BD23A4[...]

  • Page 123

    Note The rdesktop client is supplied with Red Hat 9.0: ➢ rpm -ivh rdesktop-1.2.0-1.i386.rpm For Red Hat 8.0 or other distributions of Linux; download source, untar, configure, make, make, then install. rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.or[...]

  • Page 124

    6.9 SDT SSH Tunnel for VNC With SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris, and UNIX computers. There’s a range of popular free and commercial VNC software available (UltraVNC, RealVNC, TightVNC). To set up a secure VNC connect[...]

  • Page 125

    ➢ To set up a persistent VNC server on Red Hat Enterprise Linux 4: o Set a password using vncpasswd o Edit /etc/sysconfig/vncservers o Enable the service with chkconfig vncserver on o Start the service with service vncserver start o Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm. C. For[...]

  • Page 126

    ➢ To establish the VNC connection, first configure the VNC Viewer, entering the VNC Server IP address. A. When the Viewer PC is connected to the console server thru an SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the IP VNC Server IP address; and the [...]

  • Page 127

    Note For general background reading on Remote Desktop and VNC access we recommend the following: ➢ The Microsoft Remote Desktop How-To. ➢ http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx ➢ The Illustrated Network Remote Desktop help page. http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDeskt[...]

  • Page 128

    B. For Windows XP and 2003 computers, follow the steps below to set up an advanced network connection between the Windows computer, through its COM port to the console server. Both Windows 2003 and Windows XP Professional allow you to create a simple dial in service which can be used for the Remote Desktop/VNC/HTTP/X connection to the co[...]

  • Page 129

    ➢ Specify which Users will be allowed to use this connection. This should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next. ➢ On the Network Connection screen select TCP/IP and click Properties. ➢ Select Specify TCP/IP addresses on the Incoming TCP/IP Properties screen, select TCP/[...]

  • Page 130

    Or, you can set the advanced connection and access on the Windows computer to use the console server defaults: ➢ Specify 10.233.111.254 as the From: address ➢ Select Allow calling computer to specify its own address Also, you could use the console server default username and password when you set up the new Remote Desktop User and[...]

  • Page 131

    C. For earlier version Windows computers, follow the steps in Section B. above. To get to the Make New Connection button: ➢ For Windows 2000, click Start, and select Settings. At the Dial-Up Networking Folder, click Network and Dial-up Connections, and click Make New Connection. You may need to first set up a connection over the C[...]

  • Page 132

    6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port In the SDT Connector software running on your remote computer, specify the gateway IP address of your console server and a username/password for a user you set up on the console server that has access to the desired port. Next, add a New SDT Host. In the Hos[...]

  • Page 133

    ➢ In the Session menu, enter the IP address of the console server in the Host Name or IP address field. ➢ For dial-in connections, this IP address will be the Local Address that you assigned to the console server when you set it up as the Dial-In PPP Server. ➢ For Internet (or local/VPN connections) connections, this will be[...]

  • Page 134

    Destination as portXX:3389 (where XX is the SDT enabled serial port number). For example, if port 4 on the console server is to carry the RDP traffic, then specify port04:3389 Note http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling. ➢ Select Local and click the Add button. ➢ Click[...]

  • Page 135

    Chapter 7 Alerts, Auto-response and Logging ALERTS AND LOGGING Introduction This chapter describes the automated response, alert generation and logging features of the console server. The new Auto-Response facility (in firmware V3.5.1 and later) extends on the basic Alert facility available in earlier firmware revisions. With the new[...]

  • Page 136

    To configure a new Auto-Response: ➢ Select New Auto-Response in the Configured Auto-Response field. You will be presented with a new Auto-Response Settings menu ➢ Enter a unique Name for the new Auto-Response ➢ Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto-Response can b[...]

  • Page 137

    7.2 Check Conditions To configure the condition that will trigger the Auto-Response: ➢ Click on the Check Condition type (e.g. Environmental, UPS Status or ICMP ping) to be configured as the trigger for this new Auto-Response in the Auto-Response Settings menu 7.2.1 UPS / Power Supply To use the properties of any attached UPS a[...]

  • Page 138

    7.2.3 Serial Login/Logout To monitor serial ports and check for login/logout or pattern matches for Auto-Response trigger events: ➢ Click on Serial Login/Logout as the Check Condition. Then in the Serial Login/Logout Check menu select Trigger on Login (to trigger when any user logs into the serial port) or Trigger on Logout and [...]

  • Page 139

    ➢ Click on Custom Check as the Check Condition ➢ Create an executable trigger check script file e.g. /etc/config/test.sh
        #!/bin/sh
        logger "A test script"
        logger Argument 1 = $1
        logger Argument 2 = $2
        logger Argument 3 = $3
        logger Argument 4 = $4
        if [ -f /etc/config/customscript.0 ]; then
            rm /etc/config/customscript.0
            exit 7
        fi
        [...]

  • Page 140

    Note: The SMS command trigger condition can only be set if there is an internal or external USB cellular modem detected 7.3 Trigger Actions To configure the sequence of actions that is to be taken in the event of the trigger condition: ➢ For a nominated Auto-Response - with a defined Check Condition - click on Add Trigger Action (e.g. [...]

  • Page 141

    ➢ Specify the Recipient Email Address to send this email to and the Subject of the email. For multiple recipients you can enter comma separated addresses ➢ Edit the Email Text message to send and click Save New Action Note An SMS alert can also be sent via an SMTP (email) gateway. You will need to specify the Recipient Email Addres[...]

  • Page 142

    ➢ Click Save New Action Note: To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios and Nagios must be enabled for each applicable host or port 7.4 Resolve Actions Actions can also be scheduled to be taken after a trigger condition has been resolved: ➢ For a nominated Auto-Response - with a defined[...]

  • Page 143

    ➢ In the SMTP Server field, enter the outgoing mail Server’s IP address. ➢ If this mail server uses a Secure Connection, specify its type. ➢ You may enter a Sender email address which will appear as the “from” address in all email notifications sent from this console server. Many SMTP servers check the sender’s email [...]

  • Page 144

    ➢ Select a Secure Connection (if applicable) and specify the SMTP port to be used (if other than the default port 25) ➢ You may also enter a Sender email address which will appear as the “from” address in all email notifications sent from this console server. Some SMS gateway service providers only forward email to SMS when the em[...]

  • Page 145

    Note The option to directly send SMS alerts via the cellular modem was included in the Management GUI in V3.4. Advanced console servers already had the gateway software (SMS Server Tools 3) embedded; however, this could only be accessed from the command line to send SMS messages. 7.5.3 Send SNMP trap alerts The Administrator can c[...]

  • Page 146

    Note All console servers have the snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events as detailed above. LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers also embed the net-snmpd dae[...]

  • Page 147

    ➢ Select the Alerts & Logging: Port Log menu option and specify the Server Type to be used, and the details to enable log server access. From the Manage: Devices menu the Administrator can view serial, network and power device logs stored in the console reserve memory (or flash USB). The User will only see logs for the Ma[...]

  • Page 148

    Level 4 Logs all data transferred to the port and all changes in hardware flow control status and all User connection events ➢ Click Apply Note A cache of the most recent 8K of logged data per serial port is maintained locally (in addition to the Logs which are transmitted for remote/USB flash storage). To view the local cache of logge[...]

  • Page 149

    Chapter 8 Power & Environmental Management POWER & ENVIRONMENTAL MANAGEMENT Introduction Black Box console servers manage embedded software that you can use to manage connected Power Distribution Systems (PDUs), IPMI devices, and Uninterruptible Power Supplies (UPSs) supplied by a number of vendors, and some environmental mo[...]

  • Page 150

    ➢ Select the Serial & Network: RPC Connections menu. This will display all the RPC connections that have already been configured. ➢ Click Add RPC. ➢ Connected Via presents a list of serial ports and network Host connections that you have set up with device type RPC (but have yet to connect to a specific RPC device): ➢ When you[...]

  • Page 151

    ➢ Select the appropriate RPC Type for the PDU (or IPMI) being connected: ➢ If you are connecting to the RPC via the network, you will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools. ➢ If you are connecting to the RPC by a serial port, you will be presented w[...]

  • Page 152

    ➢ Enter the Username and Password used to login into the RPC (Note that these login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups). ➢ If you selected SNMP protocol, enter the SNMP v1 or v2c Community for Read/Write access (by default this would be “priva[...]

  • Page 153

    Turn OFF Cycle Status You will only be presented with icons for those operations that are supported by the Target you have selected. 8.1.4 RPC status You can monitor the current status of your network and serially connected PDUs and IPMI RPCs. ➢ Select the Status: RPC Status menu and a table with the summary status of all connecte[...]

  • Page 154

    8.2.1 Managed UPS connections A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. You can connect it via serial or USB cable or by the network. The console server becomes the master of this UPS, and runs a upsd server to allow other computers that are drawing power through the UPS (slaves) to[...]

  • Page 155

    ➢ For serial UPSes attach the UPS to the selected serial port on the console server. From the Serial and Network: Serial Port menu, configure the Common Settings of that port with the RS-232 properties, etc. required by the UPS (refer to Chapter 4.1.1 — Common Settings). Then select UPS as the Device Type. ➢ For each ne[...]

  • Page 156

    ➢ Select if the UPS will be Connected Via USB, over a pre-configured serial port, or via SNMP/HTTP/HTTPS over the preconfigured network Host connection. ➢ When you select a network UPS connection, then the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the[...]

  • Page 157

    Note: These login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups. ➢ If you have multiple UPSes and require them to be shut down in a specific order, specify the Shutdown Order for this UPS. This is a whole positive number, or -1. 0s shut down first, then 1s, [...]

  • Page 158

    ➢ Enter the Name of the particular remote UPS that you want to remotely monitor. This name must be the name that the remote UPS was configured with on the remote console server (because the remote console server may itself have multiple UPSes attached that it manages locally with NUT). Optionally, enter a Description. ➢ Enter the [...]

  • Page 159

    on battery. In contrast, more critical servers may not be shut down until a low battery warning is received). Refer to the online NUT documentation for details on how to do this: http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html http://linux.die.net/man/5/upsmon.conf http://linux.die.net/man/8/upsmon An example upsmon.conf entry m[...]

  • Page 160

    ➢ Click on any particular All Data for any UPS System in the table for more status and configuration information about the selected UPS System. ➢ Select UPS Logs and you will be presented with the log table of the load, battery charge level, temperature, and other status information from all the Managed and Monitored UPS systems. This [...]

  • Page 161

    NUT is built on a networked model with a layered scheme of drivers, server and clients: ➢ The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server (upsd). Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and understand the specific language o[...]

  • Page 162

    ➢ The latest release of NUT (2.4) also controls PDU systems. It can do this either natively using SNMP or through a binding to Powerman (open source software from Livermore Labs that also is embedded in Black Box console servers). These NUT clients and servers all are embedded in each Black Box console server (with a Management Console[...]

  • Page 163

    8.3.1 Connecting the EMD The Environmental Monitor Device (EMD) connects to any serial port on the console server via a special EMD Adapter and standard CAT5 cable. The EMD is powered over this serial connection and communicates using a custom handshake protocol. It is not an RS-232 device and should not be connected without the adap[...]

  • Page 164

    Note: You can attach two external sensors onto the terminals on EMDs that are connected to LES1108A, LES1116A, LES1132 and LES1148A console servers. LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers only support attachi[...]

  • Page 165

    • Check Log Status and specify the Log Rate (minutes between samples) if you want to log the status from this EMD. These logs can be viewed from the Status: Environmental Status screen. • Click Apply. This will also create a new Managed Device (with the same name). 8.3.2 Environmental alerts You can now set temperature, humidity an[...]

  • Page 166

    Chapter 9 Authentication AUTHENTICATION Introduction The console server is a dedicated Linux computer with a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH), and communications (OpenSSL), and sophisticated user authentication (PAM, RADIUS, TACACS+ and LDAP). • This chapter details how the[...]

  • Page 167

    You can configure the console server to the default (Local) or using an alternate authentication method (TACACS, RADIUS, or LDAP). Optionally, you can select the order in which local and remote authentication is used: Local TACACS/RADIUS/LDAP: Tries local authentication first, falling back to remote if local fails. TACACS/RADIUS/L[...]

  • Page 168

    • In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead. • Enter and confirm the Server Password. Then select the method to be used to authenticat[...]

  • Page 169

    • Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. • In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting [...]

  • Page 170

    • Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. • Enter the Server Password. Note To interact with LDAP requires that the user account exist on our console server to work with the remote serve[...]

  • Page 171

    9.1.5 RADIUS/TACACS User Configuration Users may be added to the local console server appliance. If they are not added and they log in via remote AAA, a user will be added for them. This user will not show up in the Black Box configurators unless they are specifically added, at which point they are transformed into a completely local us[...]

  • Page 172

    • Select Serial & Network: Authentication • Select the relevant Authentication Method • Check the Use Remote Groups button 9.1.7 Remote groups with RADIUS authentication • Enter the RADIUS Authentication and Authorization Server Address and Server Password • Click Apply. • Edit the Radius user’s file to include gro[...]

  • Page 173

    For example, in an existing Active Directory setup, a group of users may be part of the “UPS Admin” and “Router Admin” groups. On the console server, these users will be required to have access to a group “Router_Admin”, with access to port 1 (connected to the router), and another group “UPS_Admin”, with access[...]

  • Page 174

    9.1.9 Remote groups with TACACS+ authentication When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12, this is discussed further in section 9.2 of this document. Additionally or alternatively, gr[...]

  • Page 175

    Note: Kerberos is very sensitive to time differences between the Key Distribution Center (KDC) authentication server and the client device. Please make sure that NTP is enabled, and the time zone is set correctly on the console server. When authenticating against Active Directory, the Kerberos Realm will be the domain name, and [...]

  • Page 176

    TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html) LDAP - pam_ldap (http://www.padl.com/OSS/pam_ldap.html) Further modules can be added as required. Changes may be made to files in /etc/config/pam.d/ that will persist, even if the authentication configurator runs. • Users added on demand: When a user attempts to l[...]

  • Page 177

    If there is already a Framed-Filter-Id, simply add the list of group_names after the existing entries, including the separating colon “:”. 9.3 SSL Certificate The console server uses the Secure Socket Layer (SSL) protocol for encrypted network traffic between itself and a connected user. When establishing the connection, the c[...]

  • Page 178

    • Select System: SSL Certificate and fill out the fields as explained below: Common name This is the network name of the console server once it is installed in the network (usually the fully qualified domain name). It is identical to the name that is used to access the console server with a web browser (without the “http://” prefix)[...]

  • Page 179

    Key length This is the length of the generated key in bits. 1024 Bits are supposed to be sufficient for most cases. Longer keys may result in slower response time of the console server when establishing connection. • Once this is done, click on the button Generate CSR which will initiate the Certificate Signing Request generation. The C[...]

  • Page 180

    Chapter 10 Nagios Integration NAGIOS INTEGRATION Introduction Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Console servers operate in conjunction with a centra[...]

  • Page 181

    10.1 Nagios Overview Nagios provides central monitoring of the hosts and services in your distributed network. Nagios is freely downloadable, open source software. This section offers a quick background of Nagios and its capabilities. A complete overview, FAQ, and comprehensive documentation are available at: http://www.nagios.org Nagi[...]

  • Page 182

    Distributed console servers • Black Box console servers. • Serial and network hosts are attached to each console server. • Each runs Nagios plug-ins, NRPE, and NSCA add-ons, but not a full Nagios server. Clients • Typically a client PC, laptop, etc., running Windows, Linux, or Mac OS X. • Runs SDT Connector client softwar[...]

  • Page 183

    10.2.2 Set up distributed console servers This section provides a brief walkthrough on configuring a single console server to monitor the status of one attached network host (a Windows IIS server running HTTP and HTTPS services) and one serially attached device (the console port of a network router), and to send alerts back to the Na[...]

  • Page 184

    • Remove all Permitted Services. This server will be accessible using Terminal Services, so check TCP, Port 3389 and log level 1 and click Add. Remove and re-add the service to enable logging. • Scroll down to Nagios Settings and check Enable Nagios. • Click New Check and select Check Ping. Click check-host-alive. • Click[...]

  • Page 185

    • Select Users & Groups from the Serial & Network menu. • Click Add User. • In Username, enter: sdtnagiosuser, then enter and confirm a Password. • In Accessible Hosts click the IP address/DNS name of the IIS server, and in Accessible Ports click the serial port that has the router console port attached. • Click App[...]

  • Page 186

    • When NRPE and NSCA are both enabled, NSCA is the preferred method for communicating with the upstream Nagios server; check Prefer NRPE to use NRPE whenever possible (that is, for all communication except for alerts). 10.3.2 Enable NRPE monitoring Enabling NRPE allows you to execute plug-ins (such as check_tcp and check_ping) on t[...]

  • Page 187

    • Select System: Nagios and check NSCA Enabled. • Select the Encryption to be used from the drop down menu, then enter a Secret password and specify a check Interval. • Refer to the sample Nagios configuration section below for some examples of configuring specific NSCA checks. 10.3.4 Configure Selected Serial Ports for Nagi[...]

  • Page 188

    10.3.6 Configure the upstream Nagios monitoring host Refer to the Nagios documentation (http://www.nagios.org/docs/) for configuring the upstream server: • The section entitled Distributed Monitoring steps through what you need to do to configure NSCA on the upstream server (under Central Server Configuration). • NRPE Documentation[...]

  • Page 189

    service_description NRPE Daemon host_name Black Box use generic-service check_command check_nrpe_daemon } ; Serial Status define command { command_name check_serial_status command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c check_serial_$HOSTNAME$ } define service { service_description Serial Status host_name server use generi[...]

  • Page 190

    } define service { service_description port-log-server host_name server use generic-service check_command check_port_log active_checks_enabled 0 passive_checks_enabled 1 } define servicedependency{ name Black Box_nrpe_daemon_dep host_name Black Box dependent_host_name server dependent_service_description Port Log service_descripti[...]

  • Page 191

    execution_failure_criteria w,u,c } ; SSH Port define command{ command_name check_conn_via_Black Box command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c host_$HOSTNAME$_$ARG1$_$ARG2$ } define service { service_description SSH Port host_name server use generic-service check_command check_conn_via_Black Box!tcp!22 } define serv[...]

  • Page 192

    check_serial_signals is used to monitor the handshaking lines on the serial ports check_port_log is used to monitor the data logged for a serial port. 10.4.3 Additional plug-ins Additional Nagios plug-ins (listed below) are available for Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2): check_apt chec[...]

  • Page 193

    Time | No encryption | 3DES | SSH tunnel
    NSCA for single check | ~ ½ second | ~ ½ second | ~ ½ second
    NSCA for 100 sequential checks | 100 seconds | 100 seconds | 100 seconds
    NSCA for 10 sequential checks, batched upload | 1 ½ seconds | 2 seconds | 1 second
    NSCA for 100 sequential checks, batched upload | 7 seconds | 11 seconds | 6 seconds
    No encryption SSL no encryp[...]

  • Page 194

    II. Remote site In this scenario, configure the console server NRPE server or NSCA client to actively check configured services and upload the checks to the Nagios server that’s waiting passively. You can also configure it to service NRPE commands to perform checks on demand. In this situation, the console server will perform checks bas[...]

  • Page 195

    Remote site with no network access In this scenario the console server allows dial-in access for the Nagios server. Periodically, the Nagios server will establish a connection to the console server and execute any NRPE commands, before dropping the connection. [...]

  • Page 196

    Chapter 11 System Management SYSTEM MANAGEMENT Introduction This chapter describes how the Administrator can perform a range of general console server system administration and configuration tasks such as: • Applying Soft and Hard Resets to the gateway. • Re-flashing the Firmware. • Configuring the Date, Time and NTP. • Setting up B[...]

  • Page 197

    • Pushing the Erase button on the rear panel twice. A ball-point pen or bent paper clip is a suitable tool for this procedure. Do not use a graphite pencil. Press the button gently twice (within a couple of seconds) while the unit is powered ON. This will reset the console server back to its factory default settings and clear the co[...]

  • Page 198

    • Select the System: Date & Time menu option. • Manually set the Year, Month, Day, Hour and Minute using the Date and Time selection boxes, then click Set Time. The gateway can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the console [...]

  • Page 199

    With all console servers, you can save the backup file remotely on your PC and you can restore configurations from remote locations: • Click Save Backup in the Remote Configuration Backup menu. • The config backup file (System Name_date_config.opg) will be downloaded to your PC and saved in the location you nominate. To restore[...]

  • Page 200

    • To backup to the USB, enter a brief Description of the backup in the Local Configuration Backups menu and select Save Backup. • The Local Configuration Backup menu will display all the configuration backup files you have stored on to the USB flash. • To restore a backup from the USB simply select Restore on the particular backup[...]

  • Page 201

    11.5 Delayed Configuration Commit With Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2), a Delayed Config Commit mode is available which allows the grouping or queuing of configuration changes and the simultaneous application of these changes to a specific device. For example, changes to authenticati[...]

  • Page 202

    • Click Apply to run the systemsettings configurator The Commit Config button will no longer be displayed in the top right-hand corner of the screen and configurations will no longer be queued. 11.6 FIPS Mode The Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2) all use an embedded cryptographic mod[...]

  • Page 203

    Chapter 12 Status Reports STATUS REPORTS Introduction This chapter describes the dashboard feature and the status reports that are available: • Port Access and Active Users • Statistics • Support Reports • Syslog • Dashboard Other status reports that are covered elsewhere include: • UPS Status (Chapter 8.2) • RPC Status (Chap[...]

  • Page 204

    • Select the Status: Statistics • You can find detailed statistics reports by selecting the various submenus. 12.3 Support Reports The Support Report provides useful status information that will assist the Black Box Technical Support team to solve any problems you may experience with your console server. If you do experience a pr[...]

  • Page 205

    • Enter the remote Syslog Server Address and Syslog Server Port details and click Apply. The console maintains a local Syslog. To view the local Syslog file: • Select Status: Syslog To make it easier to find information in the local Syslog file, use the provided pattern matching filter tool. • Specify the Match Pattern that you wan[...]

  • Page 206

    • Select System: Configure Dashboard and select the user (or group) you are configuring this custom dashboard layout for. • Click Next. Note: You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard. The Status:Dashboard screen is the first screen displayed when a[...]

  • Page 207

    Note: The Alerts widget is a new screen that shows the current alerts status. When an alert gets triggered, a corresponding .XML file is created in /var/run/alerts/. The dashboard scans all these files and displays a summary status in the alerts widget. When an alert is deleted, the corresponding .XML files that belong to that aler[...]

  • Page 208

    12.5.2 Creating custom widgets for the Dashboard To run a custom script inside a dashboard widget: Create a file called "widget-<name>.sh" in the folder /etc/config/scripts/ where <name> can be anything. You can have as many custom dashboard files as you want. Inside this file you can put any code you want[...]

  • Page 209

    Chapter 13 Management MANAGEMENT Introduction The console server has a small number of Manage reports and tools that are available to both Administrators and Users: • Access and control authorized devices. • View serial port logs and host logs for those devices. • Use SDT Connector or the Web terminal to access serially attached [...]

  • Page 210

    13.2 Port and Host Logs Administrators and Users can view logs of data transfers to connected devices. • Select Manage: Port Logs and the serial Port # to be displayed. • To display Host logs, select Manage: Host Logs and the Host to be displayed. 13.3 Serial Port Terminal Connection There are two methods available for accessing [...]

  • Page 211

    13.3.1.2 Web Terminal to Serial Device To enable the Web Terminal service for each serial port you want to access: • Select Serial & Network: Serial Port and click Edit. Ensure the serial port is in Console Server Mode • Check Web Terminal and click Apply Administrator and Users can communicate directly with serial port att[...]

  • Page 212

    13.4 Power Management Administrators and Users can access and manage the connected power devices. • Select Manage: Power 724-746-5500 | blackbox.com Page 212[...]

  • Page 213

    Chapter 14 Command Line Configuration CONFIGURATION FROM THE COMMAND LINE Introduction For those who prefer to configure their console server at the Linux command line level (rather than use a browser and the Management Console), this chapter describes how to use command line access and the config tool to manage the console server and confi[...]

  • Page 214

    o If you are connecting over the LAN, then you will need to interconnect the Ethernet ports and direct your terminal emulator program to the IP address of the console server (192.168.0.1 by default). • Log on to the console server by pressing “return” a few times. The console server will request a username and password. Enter t[...]

  • Page 215

    -v --verbose Log extra debug information. -d --del=id Remove the given configuration element specified by a '.' separated identifier. -g --get=id Display the value of a configuration element. -p --path=file Specify an alternate configuration file to use. The default file is located at /etc/config/config.xml. -r --[...]

  • Page 216

    Note: The config command does not verify whether the nodes edited/added by the user are valid. This means that any node may be added to the tree. If a user runs the following command: # /bin/config -s config.fruit.apple=sweet The configurator will not complain, but this command is useless. When the configurators are run (to turn the c[...]

  • Page 217

    Console server mode The command to set the port in portmanager mode: # config -s config.ports.port5.mode=portmanager To set the following optional config elements for this mode: Data accumulation period 100 ms Escape character % (default is ~) log level 2 (default is 0) Shell power command menu Enabled RFC2217 access Enabled Limit port to [...]

  • Page 218

    Terminal server mode Enable a TTY login for a local terminal attached to serial port 5: # config -s config.ports.port5.mode=terminal # config -s config.ports.port5.terminal=[vt220 | vt102 | vt100 | linux | ansi] The default terminal is vt220. Serial bridge mode Create a network connection to a remote serial port via RFC-2217 on port 5[...]

  • Page 219

    14.3 Adding and Removing Users First, determine the total number of existing Users (if you have no existing Users you can assume this is 0): # config -g config.users.total This command should display config.users.total 1. Note that if you see config.users.total this means you have 0 Users configured. Your new User will be the existi[...]

  • Page 220

    # config -s config.sdt.hosts.host5.users.user1=John # config -s config.sdt.hosts.host5.users.total=1 (total number of users having access to host) To give another user called “Peter” access to the same host: # config -s config.sdt.hosts.host5.users.user2=Peter # config -s config.sdt.hosts.host5.users.total=2 (total number of users[...]

  • Page 221

    Attention: The rmuser script is a generic script to remove any config element from config.xml correctly. However, any dependencies or references to this group will not be affected. Only the group details are deleted. The Administrator is responsible for going through config.xml and removing group dependencies and references manually, s[...]

  • Page 222

    14.6 Network Hosts To determine the total number of currently configured hosts: # config -g config.sdt.hosts.total Assume this value is equal to 3. If you add another host, make sure you increment the total number of hosts from 3 to 4: # config -s config.sdt.hosts.total=4 If the output is config.sdt.hosts.total then assume 0 hosts are[...]

  • Page 223

    If you want to add the new host as a managed device, make sure you use the current total number of managed devices + 1, for the new device number. To get the current number of managed devices: # config -g config.devices.total Assuming we already have one managed device, our new device will be device 2. Issue the following commands: [...]

  • Page 224

    # config -s config.cascade.slaves.slave1.address=192.168.0.153 # config -s "config.cascade.slaves.slave1.description=CM in office 42" # config -s config.cascade.slaves.slave1.label=les1116-5 # config -s config.cascade.slaves.slave1.ports=16 The total number of slaves must also be incremented. If this is the first sla[...]

  • Page 225

    Make sure to increment the total monitors: # config -s config.ups.monitors.total=1 The five commands below will add the UPS to Managed devices. Assuming there are already two managed devices configured: # config -s "config.devices.device3.connections.connection1.name=My UPS" # config -s "config.devices.device3.connec[...]

  • Page 226

    Logging Enabled Log interval 600 second Number of power outlets 4 (depends on the type/model of the RPC) # config -s config.ports.port2.power.type=APC 7900 # config -s config.ports.port2.power.name=MyRPC # config -s "config.ports.port2.power.description=RPC in room 5" # config -s config.ports.port2.power.username=rpclogin # con[...]

  • Page 227

    To get the total number of managed devices: # config -g config.devices.total Make sure you use the total + 1 for the new device below: # config -s config.devices.device5.connections.connection1.name=Envi4 # config -s "config.devices.device5.connections.connection1.type=EMD Unit" # config -s config.devices.device5.name=[...]

  • Page 228

    Error Notice Warning Assume the remote log server needs a user name 'name1' and password 'secret': # config -s config.eventlog.server.username=name1 # config -s config.eventlog.server.password=secret To set the remote path as '/Black Box/logs' to save logged data: # config -s config.eventlog.server.p[...]

  • Page 229

    # config -s config.alerts.alert2.signal=[ DSR | DCD | CTS ] # config -s config.alerts.alert2.type=signal Pattern Match Alert To trigger an alert if the regular expression '.*0.0% id' is found in serial port 10's character stream. # config -s "config.alerts.alert2.pattern=.*0.0% id" # config -s config.alerts.a[...]

  • Page 230

    # config -s config.alerts.alert2.enviro.high.critical=300
    # config -s config.alerts.alert2.enviro.high.warning=280
    # config -s config.alerts.alert2.enviro.hysteresis=20
    # config -s config.alerts.alert2.enviro.low.critical=50
    # config -s config.alerts.alert2.enviro.low.warning=70
    # config -s config.alerts.alert2.rpc1=RPCInRoom20
    # conf[...]

  • Page 231

    # config -s config.system.smtp.encryption2=SSL (can also be TLS or None) # config -s config.system.smtp.sender2=John@Black Box.com # config -s config.system.smtp.username2=john # config -s config.system.smtp.password2=secret # config -s config.system.smtp.subject2=SMTP alerts The following command will synchronize the live sys[...]

  • Page 232

    # config -s config.interfaces.wan.address=192.168.0.23
    # config -s config.interfaces.wan.netmask=255.255.255.0
    # config -s config.interfaces.wan.gateway=192.168.0.1
    # config -s config.interfaces.wan.dns1=192.168.0.1
    # config -s config.interfaces.wan.dns2=192.168.0.2
    # config -s config.interfaces.wan.mode=static
    # config -s config.[...]

  • Page 233

    To change the timezone: # config -s config.system.timezone=US/Eastern The following command will synchronize the live system with the new configuration: # config -r time 14.20 Dial-in settings To enable dial-in access on the DB9 serial port from the command line with the following attributes: Local IP Address 172.24.1.1 Remote[...]

  • Page 234

    DNS server1 192.168.2.3 DNS server2 192.168.2.4 Domain name company.com Default gateway 192.168.0.1 IP pool 1 start address 192.168.0.20 IP pool 1 end address 192.168.0.100 Reserved IP address 192.168.0.50 MAC to reserve IP for 00:1e:67:82:72:d9 Name to identify this host John-PC Issue the commands: # config -s config.interfaces.lan.dhcp[...]

  • Page 235

    # config -s config.services.rfc2217.portbase='port base number' Default: 5000 # config -s config.services.unauthtel.portbase='port base number' Default: 6000 The following command will synchronize the live system with the new configuration: # config -a 14.23 NAGIOS To configure NAGIOS with the following settings: NAGIOS ho[...]

  • Page 236

    Chapter 15 Advanced Configuration ADVANCED CONFIGURATION Introduction Black Box console servers run the embedded Linux operating system. So Administrator class users can configure the console server and monitor and manage attached serial console and host devices from the command line using Linux commands and the config utility as descr[...]

  • Page 237

    # dos2unix /etc/config/rc.local Another scenario would be to call another custom script from the /etc/config/rc.local file, making sure that your custom script will run whenever the system is booted. 15.1.2 Running custom scripts when alerts are triggered Whenever an alert gets triggered, specific scripts get called. These scripts all [...]

  • Page 238

    15.1.3 Example script - Power Cycling on Pattern Match For example, we have an RPC (PDU) connected to port 1 on a console server and also have some telecommunications device connected to port 2 (which is powered by the RPC outlet 3). Now assume the telecom device transmits a character stream "EMERGENCY" out on its serial con[...]

  • Page 239

    delete-node is a general script for deleting any node you desire (users, groups, hosts, UPSes, etc.) from the command line. The script deletes the specified node and shuffles the remainder of the node values. For example, if we have five users configured and we use the script to delete user 3, then user 4 will become user 3, and user 5 [...]

  • Page 240

    NUMBER=`echo $LASTFIELD | sed 's/^[a-zA-Z]*//g'`
    TOTALNODE=`echo ${1%.*} | sed 's/\(.*\)/\1.total/'`
    TOTAL=`config -g $TOTALNODE | sed 's/.* //'`
    NEWTOTAL=$[ $TOTAL - 1 ]
    # Make backup copy of config file
    cp /etc/config/config.xml /etc/config/config.bak
    echo "backup of /etc/config/config.xml save[...]

  • Page 241

    config -g $ROOTNODE.$LASTFIELDTEXT$((NUMBER+COUNTER)) | while read LINE
    do
    config -s "`echo "$LINE" | sed -e "s/$LASTFIELDTEXT$((NUMBER+COUNTER))/$LASTFIELDTEXT$((NUMBER+COUNTER-1))/" -e 's/ /=/'`"
    done
    let COUNTER++
    done
    # deleting last user
    config -d $ROOTNODE.$LASTFIELDTEXT$TO[...]

  • Page 242

    The above command will cause the ping-detect script to continuously ping the host at 192.168.22.2 which is the router. If the router crashes, it will no longer respond to ping requests. If this happens, the two commands pmpower and date will run. The output from these commands is sent to the file /tmp/output.log so that we have a [...]

  • Page 243

    15.1.7 Running custom scripts when a configurator is invoked A configurator is responsible for reading the values in /etc/config/config.xml and making the appropriate changes live. Some changes made by the configurators are part of the Linux configuration itself, such as user passwords or ipconfig. Currently there are nineteen config[...]

  • Page 244

    To save the configuration: # /etc/scripts/backup-usb save config-20May To check if the backup was saved correctly: # /etc/scripts/backup-usb list If this command does not display "* config-20May" then there was an error saving the configuration. The set-default command takes an input file as an argument and renames it [...]

  • Page 245

    This will extract the contents of the previously created backup to /tmp, and then synchronize the /etc/config directory with the copy in /tmp. One problem that can crop up here is that there is not enough room in /tmp to extract files to. The following command will temporarily increase the size of /tmp: mount -t tmpfs -o remount,size=2048k[...]

  • Page 246

    For more information on using chat (and pmchat) you should consult the UNIX man pages: http://techpubs.sgi.com/library/tpl/cgibin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man8/chat.8.html pmusers The pmusers command is used to query the portmanager for active user sessions. Example: To detect which users are cur[...]

  • Page 247

    - The portmanager will attempt to execute /etc/config/scripts/portXX.alert (where XX is the port number, e.g. 08) - The script is run with STDIN containing the data which triggered the alert, and STDOUT redirected to /dev/null, NOT to the serial port. If you want to communicate with the port, use pmshell or pmchat from within the scri[...]

  • Page 248

    With stty, the changes made to the port only “stick” until that port is closed and opened again. People probably will not want to use stty for more than initial debugging of the serial connection. If you want to use stty to configure the port, you can put stty commands in /etc/config/scripts/portXX.init which gets run whenever portma[...]

  • Page 249

    system. - Rules are added which explicitly allow network traffic to access enabled services, for example, HTTP, SNMP, etc. - Rules are added that explicitly allow network traffic access to serial ports over enabled protocols e.g. Telnet, SSH and raw TCP. If the standard system firewall configuration is not adequate for your needs yo[...]

  • Page 250

    sysname Not defined (edit /etc/default/snmpd.conf) syslocation Not defined (edit /etc/default/snmpd.conf) Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. The snmpd.conf is extremely powerful and too flexible to completely cover here. The configuration file itsel[...]

  • Page 251

    .. replacing yourusername with the username config.system.snmp.username2 (3 only) To set the Engine ID field (SNMP version 3 only) config --set config.system.snmp.password2=yourpassword .. replacing yourpassword with the password Once the fields are set, apply the configuration with the following command: config --run snmp You can add [...]

  • Page 252

    15.6.2 Generating Public Keys (Linux) To generate new SSH key pairs use the Linux ssh-keygen command. This will produce an RSA or DSA public/private key pair and you will be prompted for a path to store the two key files, for example, id_dsa.pub (the public key) and id_dsa (the private key). For example: $ ssh-keygen -t [rsa|dsa] Gener[...]

  • Page 253

    15.6.4 Installing SSH Public Key Authentication (Linux) Alternately, the public key can be installed on the unit remotely from the Linux host with the scp utility as follows. Assuming the user on the Management Console is called "fred"; the IP address of the console server is 192.168.0.1 (default); and the public key is on t[...]

  • Page 254

    If the Black Box device selected to be the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the[...]

  • Page 255

    More documentation on OpenSSH can be found at: http://openssh.org/portable.html http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 http://www.openbsd.org/cgi-bin/man.cgi?query=sshd. 15.6.5 Generating public/private keys for SSH (Windows) This section describes how to generate and configure SSH keys using Windows. First create[...]

  • Page 256

    - Execute the PUTTYGEN.EXE program. - Select the desired key type SSH2 DSA (you may use RSA or DSA) within the Parameters section. - It is important that you leave the passphrase field blank. - Click on the Generate button. - Follow the instruction to move the mouse over the blank area of the program in order to create random data used [...]

  • Page 257

    To automate connection of the SSH tunnel from the client on every power-up you need to make the client's /etc/config/rc.local look like the following: #!/bin/sh ssh -L9001:127.0.0.1:4001 -N -o StrictHostKeyChecking=no testuser@<server-ip> & This will run the tunnel redirecting local port 9001 to the server port 4001. 15.6.6 F[...]

  • Page 258

    If the host key has been legitimately changed, it can be removed from the ~/.ssh/known_hosts file and the new fingerprint added. If it has not changed, this indicates a serious problem that should be investigated immediately. 15.6.7 SSH tunneled serial bridging You have the option to apply SSH tunneling when two Black Box console serve[...]

  • Page 259

    For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa and public key to refer to either id_rsa.pub or id_dsa.pub. To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program: $ ssh-keygen -t [rsa|dsa] Generating public/private [rsa|dsa] key pair. Enter file in w[...]

  • Page 260

    then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file. For example, assume we already have one server, called bridge_server, and two sets of keys, for the control_room and the plant_entrance: $ ls /home/user/keys control_room control_room.pub plant_[...]

  • Page 261

    The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project i[...]

  • Page 262

    15.8.3 Installing the key and certificate We recommend that you use an SCP (Secure Copying Protocol) client to copy files securely to the console server unit. The scp utility is distributed with OpenSSH for most Unix distributions, while Windows users can use something like the PSCP command line utility available with PuTTY. You ca[...]

  • Page 263

    15.9.1 The PowerMan tool PowerMan provides power management in a data center or compute cluster environment. It performs operations such as power on, power off, and power cycle via remote power controller (RPC) devices. Synopsis powerman [-option] [targets] pm [-option] [targets] Options -1, --on Power ON targets. -0, --off Power[...]

  • Page 264

    should not be confused with regular expression character classes (also denoted by ''[]''). For example, foo[19] does not represent foo1 or foo9, but rather represents a degenerate range: foo19. This range syntax is meant only as a convenience on clusters with a prefix NN naming convention and specification of ranges sh[...]

  • Page 265

    The first is to have scripts to support the particular RPC included in either the open source PowerMan project (http://sourceforge.net/projects/powerman) or the open source NUT UPS Tools project. The PowerMan device specifications are rather weird and it is suggested that you leave the actual writing of these scripts to the PowerMan aut[...]

  • Page 266

    15.10 IPMItool The console server includes the ipmitool utility for managing and configuring devices that support the Intelligent Platform Management Interface (IPMI) version 1.5 and version 2.0 specifications. IPMI is an open standard for monitoring, logging, recovery, inventory, and control of hardware that is implemented in de[...]

  • Page 267

    -A <authtype> Specify an authentication type to use during IPMIv1.5 lan session activation. Supported types are NONE, PASSWORD, MD5, or OEM. -c Present output in CSV (comma separated variable) format. This is not available with all commands. -C <ciphersuite> The remote server authentication, integrity, and encryption a[...]

  • Page 268

    The ipmitool documentation highlights that there are several security issues to be considered before enabling the IPMI LAN interface. A remote station has the ability to control a system's power state as well as being able to gather certain platform information. To reduce vulnerability, we strongly advise that the IPMI LAN interfa[...]

  • Page 269

    channels session Print session information exec Run list of commands from file set Set runtime variable for shell and exec ipmitool chassis help Chassis Commands: status, power, identify, policy, restart_cause, poh, bootdev ipmitool chassis power help chassis power Commands: status, on, off, cycle, reset, diag, soft You will find more [...]

  • Page 270

    This script would, for example, parse each port log file line by line, each time it sees 'LOGIN: username', it adds username to the list of connected users for that port, each time it sees 'LOGOUT: username' it removes it from the list. The list can then be nicely formatted and displayed. You can run the script o [...]

  • Page 271

    Appendix A Linux Commands & Source Code The console server platform is a dedicated Linux computer, optimized to provide monitoring and secure access to serial and network consoles of critical server systems and their supporting power and networking infrastructure. Black Box console servers are built on the 2.4 uCLinux kernel as dev[...]

  • Page 272

    flashw Write data to individual flash devices flatfsd Daemon to save RAM file systems back to FLASH ftp Internet file transfer program gen-keys SSH key generation program getopt * Parses command options gettyd Getty daemon grep * Print lines matching a pattern gunzip * Compress or expand files gzip * Compress or expand files hd ASCII, dec[...]

  • Page 273

    pgrep Display process(es) selected by regex pattern pidof Find the process ID of a running program ping Send ICMP ECHO_REQUEST packets to network hosts ping6 IPv6 ping pkill Sends a signal to process(es) selected by regex pattern pmchat Black Box command similar to the standard chat command (via portmanager) pmdeny pminetd pmloggerd pmshel[...]

  • Page 274

    sync * Flush file system buffers sysctl Configure kernel parameters at runtime syslogd System logging utility tar * The tar archiving utility tc Show traffic control settings tcpdump Dump traffic on a network telnetd Telnet protocol server tftp Client to transfer a file from/to tftp server tftpd Trivial file Transfer Protocol (tftp) server tip [...]

  • Page 275

    There are also a number of other CLI commands related to other open source tools embedded in the console server including: • PowerMan provides power management for many preconfigured remote power controller (RPC) devices. For CLI details refer http://linux.die.net/man/1/powerman • Network UPS Tools (NUT) provides reliable monit[...]

  • Page 276

    false fc [-e ename] [-nlr] [first] [last] fg [job_spec] for NAME [in WORDS ... ;] do COMMA function NAME { COMMANDS ; } or NA getopts optstring name [arg] hash [-r] [-p pathname] [name ...] help [-s] [pattern ...] history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif jobs [-lnprs] [jobspec ...] or job kill [...]

  • Page 277

    Appendix B Hardware Specifications FEATURE VALUE Dimensions LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 17 x 12 x 1.75 in (43.2 x 31.3 x 4.5 cm) LES1116A/32A/48A: 17 x 8.5 x 1.75 in (43.2 x 21 x 4.5 cm) LES1108A: 8.2 x 4.9 x 1.2 in (20.8 x 12.6 x 4.5 cm) Weight LES1408A/16A/32A/48A, LES1[...]

  • Page 278

    Appendix C Safety & Certifications Please take care to follow the safety precautions below when installing and operating the console server: - Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. R[...]

  • Page 279

    Appendix F End User License Agreement READ BEFORE USING THE ACCOMPANYING SOFTWARE YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE, THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF Y[...]

  • Page 280

    Sale of Goods is hereby excluded in its entirety and does not apply to this EULA. If you acquired this Software in a country outside of the United States, that country’s laws may apply. In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA, the prevailing party will be entitle[...]

  • Page 281

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific pr[...]

  • Page 282

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause[...]

  • Page 283

    6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights gr[...]

  • Page 284

    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIO[...]

  • Page 285

    724-746-5500 | blackbox.com Page 285[...]

  • Page 286

    724-746-5500 | blackbox.com About Black Box Black Box Network Services is your source for an extensive range of networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by free, live 24/7 Te[...]