This section provides information about the DRAC 5 command line console (or serial/telnet/ssh console) features, and explains how to set up your system so you can perform systems management actions through the console.
Command Line Console Features
The DRAC 5 supports the following serial and telnet console features:
One serial client connection and up to four, simultaneous telnet client connections
Up to four simultaneous SSH client connections
Access to the managed system consoles through the system serial port and through the DRAC 5 NIC
Console commands that allow you to power-on, power-off, power-cycle, reset, view logs, or configure the DRAC 5
Supports the RACADM command, which is useful for scripting
Command-line editing and history
The connect com2 serial command to connect, view, and interact with the managed system text console that is being output through a serial port (including BIOS and the operating system)
NOTE: If you are running Linux on the managed system, the connect com2
serial command provides a true Linux console stream interface.
Session timeout control on all console interfaces
Enabling and Configuring the Managed System to Use a Serial or Telnet Console
The following subsections provide information about how to enable and configure a serial/telnet/ssh console on the managed system.
Using the connect com2 Serial Command
When using the connect com2 serial command, the following must be configured properly:
The Serial Communication→ Serial Port setting in the BIOS Setup program.
The DRAC configuration settings.
When a telnet session is established to the DRAC 5 and these settings are incorrect, connect com2 may display a blank screen.
Configuring the BIOS Setup Program for a Serial Connection on the Managed System
Perform the following steps to configure your BIOS Setup program to redirect output to a serial port.
NOTE: You must configure the System Setup program in conjunction with the
connect com2 command.
Turn on or restart your system.
Press <F2> immediately after you see the following message:
<F2> = System Setup
Scroll down and select Serial Communication by pressing <Enter>.
Set the Serial Communication screen to the following settings:
External Serial Connector: Remote Access Device
Redirection After Boot: Disabled
Press <Esc> to exit the System Setup program to complete the System
Setup program configuration.
Using the Remote Access Serial Interface
When establishing a serial connection to the RAC device, the following interfaces are available:
IPMI serial interface
RAC serial interface
IPMI Serial Interface
In the IPMI serial interface, the following modes are available:
IPMI terminal mode: Supports ASCII commands that are submitted from a serial terminal. The command set is limited (it includes power control) and supports raw IPMI commands that are entered as hexadecimal ASCII characters.
IPMI basic mode: Supports a binary interface for program access, such as the IPMI shell (IPMISH) that is included with the Baseboard Management Utility (BMU).
To configure the IPMI mode using RACADM, perform the following steps:
RAC also supports a serial console interface (or RAC Serial Console) that provides a RAC CLI, which is not defined by IPMI. If your system includes a RAC card with Serial Console enabled, the RAC card will override the IPMI serial settings and display the RAC CLI serial interface.
To enable the RAC serial terminal interface, set the cfgSerialConsoleEnable property to 1 (TRUE).
Configuring Linux for Serial Console Redirection During Boot
The following steps are specific to the Linux GRand Unified Bootloader (GRUB). Similar changes would be necessary for using a different boot loader.
NOTE: When you configure the client VT100 emulation window, set the window or
application that is displaying the redirected console to 25 rows x 80 columns to
ensure proper text display; otherwise, some text screens may be garbled.
Edit the /etc/grub.conf file as follows:
Locate the general setting sections in the file and add the following two
new lines:
serial --unit=1 --speed=57600
terminal --timeout=10 serial
Append two options to the kernel line:
kernel ............. console=ttyS1,57600
If the /etc/grub.conf contains a splashimage directive, comment it out.
Table 3-2 provides a sample /etc/grub.conf file that shows the changes described in this procedure.
Table 3-2. Sample File: /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes
# to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, e.g.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/sda1
# initrd /boot/initrd-version.img
#
#boot=/dev/sda
default=0
timeout=10
#splashimage=(hd0,2)/grub/splash.xpm.gz
serial --unit=1 --speed=57600
terminal --timeout=10 serial
title Red Hat Linux Advanced Server (2.4.9-e.3smp)
root (hd0,0)
kernel /boot/vmlinuz-2.4.9-e.3smp ro root=/dev/sda1 hda=ide-scsi console=ttyS0 console=ttyS1,57600
initrd /boot/initrd-2.4.9-e.3smp.img
title Red Hat Linux Advanced Server-up (2.4.9-e.3)
root (hd0,00)
kernel /boot/vmlinuz-2.4.9-e.3 ro root=/dev/sda1
s
initrd /boot/initrd-2.4.9-e.3.im
When you edit the /etc/grub.conf file, use the following guidelines:
Disable GRUB's graphical interface and use the text-based interface;
otherwise, the GRUB screen will not be displayed in RAC console
redirection. To disable the graphical interface, comment out the line
starting with splashimage.
To enable multiple GRUB options to start console sessions through the RAC
serial connection, add the following line to all options:
console=ttyS1,57600
Table 3-2 shows console=ttyS1,57600 added to only the first option.
Enabling Login to the Console After Boot
Edit the file /etc/inittab, as follows:
Add a new line to configure agetty on the COM2 serial port:
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have
# networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
# Things to run in every runlevel.
ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few
# minutes of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have power installed and your
# UPS is connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
co:2345:respawn:/sbin/agetty -h -L 57600 ttyS1 ansi
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# xdm is now a separate service
x:5:respawn:/etc/X11/prefdm -nodaemon
Edit the file /etc/securetty, as follows:
Add a new line, with the name of the serial tty for COM2:
Using the RACADM Command to Configure the Settings for the Serial and Telnet Console
This subsection provides steps to configure the default configuration settings for serial/telnet/ssh console redirection.
To configure the settings, type the RACADM config command with the appropriate group, property, and property value(s) for the setting that you want to configure.
You can type RACADM commands locally or remotely. When using RACADM commands remotely, you must include the user name, password, and managed system DRAC 5 IP address.
Ensure that your web server is configured with a DRAC 5 card before you use RACADM remotely. Otherwise, RACADM times out and the following message appears:
Unable to connect to RAC at specified IP address.
To enable your web server using Secure Shell (SSH), telnet or local RACADM, type the following command from a command prompt on a management station:
Table 3-5 provides the actions and related commands to display your configuration settings. To run the commands, open a command prompt on the managed system, type the command, and press <Enter>.
Table 3-5. Displaying Configuration Settings
Action | Command
List the available groups. | racadm getconfig -h
Display the current settings for a particular group. | racadm getconfig -g <group> (for example, to display a list of all cfgSerial group settings, type: racadm getconfig -g cfgSerial)
Display the current settings for a particular group remotely. |
Type the following command to change the telnet port number on the DRAC 5.
racadm config -g cfgRacTuning -o cfgRacTuneTelnetPort <new port number>
Using the Secure Shell (SSH)
It is critical that your system's devices and device management are secure. Embedded connected devices are the core of many business processes. If these devices are compromised, the customer's business may be at risk, which places new security demands on command line interface (CLI) device management software.
Secure Shell (SSH) is a command line session that includes the same capabilities as a telnet session, but with improved security. The DRAC 5 supports SSH version 2 with password authentication. SSH is enabled on the DRAC 5 when you install or update your DRAC 5 firmware.
You can use either PuTTY or OpenSSH on the management station to connect to the managed system's DRAC 5. When an error occurs during the login procedure, the secure shell client issues an error message. The message text is dependent on the client and is not controlled by the DRAC 5.
NOTE: OpenSSH should be run from a VT100 or ANSI terminal emulator on
Windows. Running OpenSSH at the Windows command prompt does not result in
full functionality (that is, some keys do not respond and no graphics are displayed).
Additionally, use these features in conjunction with the appropriate session idle time-out values and a defined security plan for your network.
The following subsections provide additional information about these features.
IP Filtering (IpRange)
IP address filtering (or IP Range Checking) allows DRAC 5 access only from clients or management workstations whose IP addresses are within a user-specific range. All other logins are denied.
IP filtering compares the IP address of an incoming login to the IP address range that is specified in the following cfgRacTuning properties:
cfgRacTuneIpRangeAddr
cfgRacTuneIpRangeMask
The cfgRacTuneIpRangeMask property is applied to both the incoming IP address and to the cfgRacTuneIpRangeAddr properties. If the results of both properties are identical, the incoming login request is allowed to access the DRAC 5. Logins from IP addresses outside this range receive an error.
The login proceeds if the following expression equals zero:
Table 3-7. IP Address Filtering (IpRange) Properties
Property | Description
cfgRacTuneIpRangeEnable | Enables the IP range checking feature.
cfgRacTuneIpRangeAddr | Determines the acceptable IP address bit pattern, depending on the 1's in the subnet mask. This property is bitwise AND'd with cfgRacTuneIpRangeMask to determine the upper portion of the allowed IP address. Any IP address that contains this bit pattern in its upper bits is allowed to establish a DRAC 5 session. Logins from IP addresses that are outside this range will fail. The default values in each property allow an address range from 192.168.1.0 to 192.168.1.255 to establish a DRAC 5 session.
cfgRacTuneIpRangeMask | Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1's with a single transition to all zeros in the lower-order bits.
Enabling IP Filtering
Below is an example command for IP filtering setup.
See "Using RACADM" for more information about RACADM and RACADM commands.
NOTE: The following RACADM commands block all IP addresses except
192.168.0.57.
To restrict the login to a single IP address (for example, 192.168.0.57), use the full mask, as shown below.
To restrict logins to a small set of four adjacent IP addresses (for example, 192.168.0.212 through 192.168.0.215), select all but the lowest two bits in the mask, as shown below:
Use the following guidelines when enabling IP filtering:
Ensure that cfgRacTuneIpRangeMask is configured in the form of a netmask, where all most significant bits are 1's (which defines the subnet in the mask) with a single transition to all 0's in the lower-order bits.
Use the desired range's base address as the value of cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should have zeros in all the low-order bits where there are zeros in the mask.
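The range check and the two guidelines above can be worked through in code. This is an added example, not taken from the Dell guide or the DRAC 5 firmware: the function names are hypothetical, the comparison is the one described in the text (mask applied to both the incoming address and cfgRacTuneIpRangeAddr), and the generated commands use the racadm config -g ... -o ... form shown earlier on this page.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_netmask(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    host_bits = to_int(mask) ^ ALL_ONES
    # A contiguous low-order run of 1s carries cleanly: 0b0111 + 1 = 0b1000.
    return (host_bits & (host_bits + 1)) == 0


def config_problems(range_addr, range_mask):
    """Check the two guidelines the page gives for the address and mask."""
    problems = []
    if not is_netmask(range_mask):
        problems.append("cfgRacTuneIpRangeMask is not in netmask form")
    if to_int(range_addr) & (to_int(range_mask) ^ ALL_ONES):
        problems.append("cfgRacTuneIpRangeAddr has 1 bits where the mask has 0 bits")
    return problems


def login_allowed(incoming, range_addr, range_mask):
    """Apply the mask to both addresses and compare the results."""
    mask = to_int(range_mask)
    return (to_int(incoming) & mask) == (to_int(range_addr) & mask)


def allowed_span(range_addr, range_mask):
    """First and last address admitted; call only when config_problems() is empty."""
    mask = to_int(range_mask)
    low = to_int(range_addr) & mask
    high = low | (mask ^ ALL_ONES)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def racadm_commands(range_addr, range_mask):
    """Build the config commands, refusing settings that break a guideline."""
    problems = config_problems(range_addr, range_mask)
    if problems:
        raise ValueError("; ".join(problems))
    settings = [
        ("cfgRacTuneIpRangeEnable", "1"),
        ("cfgRacTuneIpRangeAddr", range_addr),
        ("cfgRacTuneIpRangeMask", range_mask),
    ]
    return ["racadm config -g cfgRacTuning -o %s %s" % pair for pair in settings]


if __name__ == "__main__":
    # The two cases from the text: a single host, and four adjacent addresses.
    cases = [("192.168.0.57", "255.255.255.255"),
             ("192.168.0.212", "255.255.255.252")]
    for addr, mask in cases:
        print("allowed:", allowed_span(addr, mask))
        for line in racadm_commands(addr, mask):
            print("  " + line)
```

Running the check before applying a new range over the network confirms that the management station's own address stays inside it.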
IP Blocking
IP blocking dynamically determines when excessive login failures occur from a particular IP address and blocks (or prevents) the address from logging into the DRAC 5 for a preselected time span.
The IP blocking parameter uses cfgRacTuning group features that include:
The amount of time in seconds when the "guilty" IP address is prevented from establishing a session after the total allowable number of failures is exceeded ("cfgRacTuneIpBlkPenaltyTime")
As login failures accumulate from a specific IP address, they are "aged" by an internal counter. When the user logs in successfully, the failure history is cleared and the internal counter is reset.
NOTE: When login attempts are refused from the client IP address, some SSH
clients may display the following message: ssh exchange
identification: Connection closed by remote host.
When consecutive failures (cfgRacTuneIpBlkFailCount) from a single IP address are encountered within a specific amount of time (cfgRacTuneIpBlkFailWindow), all further attempts to establish a session from that address are rejected for a certain timespan (cfgRacTuneIpBlkPenaltyTime).
cfgRacTuneIpBlkFailCount | Sets the number of login failures from an IP address before the login attempts are rejected.
cfgRacTuneIpBlkFailWindow | The timeframe in seconds when the failure attempts are counted. When the failures exceed this limit, they are dropped from the counter.
cfgRacTuneIpBlkPenaltyTime | Defines the timespan in seconds when all login attempts from an IP address with excessive failures are rejected.
Enabling IP Blocking
The following example prevents a client IP address from establishing a session for five minutes if that client has failed its five login attempts in a one-minute period of time.
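The scenario just described (five failures, a one-minute window, a five-minute penalty) can be modelled to see how the three settings interact. This is an added example, not code from the Dell guide or the DRAC 5 firmware: the class and function names are hypothetical, the event lists are constructed, and it assumes the block starts when the number of failures inside the window reaches cfgRacTuneIpBlkFailCount.

```python
from collections import defaultdict, deque


class IpBlocker:
    """Model of per-address login blocking driven by three settings."""

    def __init__(self, fail_count=5, fail_window=60, penalty_time=300):
        self.fail_count = fail_count      # models cfgRacTuneIpBlkFailCount
        self.fail_window = fail_window    # models cfgRacTuneIpBlkFailWindow (s)
        self.penalty_time = penalty_time  # models cfgRacTuneIpBlkPenaltyTime (s)
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time the penalty ends

    def attempt(self, ip, now, success):
        """Process one login attempt; return 'blocked', 'ok' or 'failed'."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"  # rejected before credentials are considered
            del self._blocked_until[ip]

        history = self._failures[ip]
        # Age out failures that have left the counting window.
        while history and now - history[0] >= self.fail_window:
            history.popleft()

        if success:
            history.clear()  # a successful login clears the failure history
            return "ok"

        history.append(now)
        if len(history) >= self.fail_count:
            self._blocked_until[ip] = now + self.penalty_time
            history.clear()
        return "failed"


def replay(events, **settings):
    """Run (time_seconds, ip, success) events through a fresh blocker."""
    blocker = IpBlocker(**settings)
    return [blocker.attempt(ip, t, ok) for t, ip, ok in events]


if __name__ == "__main__":
    # Constructed events: five quick failures, then attempts with the right password.
    burst = [(t, "192.168.0.99", False) for t in (0, 10, 20, 30, 40)]
    burst += [(50, "192.168.0.99", True), (340, "192.168.0.99", True)]
    for event, result in zip(burst, replay(burst)):
        print(event, "->", result)
```

In this model a correct password is still refused until the penalty expires, and failures spaced wider than the window never accumulate to a block.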
DRAC 5 version 1.30 includes new security features that provide system administrators with flexible tools to augment the data center security without compromising on the manageability.
Disabling Local Configuration During System Reboot
This feature enables the DRAC administrator to disable the ability of a local user to configure the DRAC 5 from the BIOS power-on self test (POST) option-ROM.
NOTE: This command is available only through the remote racadm.
NOTE: This option is supported only on the Remote Access Configuration Utility
version 1.13 and later. To upgrade to this version, upgrade your BIOS using the BIOS
update package from the Dell Server Updates DVD or the Dell Support Website at
support.dell.com.
Disabling Local Configuration From Local racadm
This feature disables the ability of the managed system's user to configure the DRAC 5 using the local racadm or the Dell OpenManage Server Administrator utilities.
NOTICE: Use these features discreetly as they severely limit the ability of the local
user to configure the DRAC 5 from the local system, including performing a reset to
default of the configuration.
NOTE: This command is available only through the remote racadm.
NOTE: See the white paper on Effectively Using the New Security Options in the
DRAC 5 Firmware and Software Version 1.30 on the Dell Support site at
support.dell.com for more information.
Disabling Console Redirection
The disable console redirection option allows the administrator of the local DRAC 5 to disable the console redirection to the management station. The disable console redirection option provides a secure mechanism for the local DRAC 5 administrator to configure BIOS and DRAC settings without the risk of someone else being able to view the administrator's actions over a console redirection session.
To disable console redirection:
racadm localConRedirDisable 1
NOTE: To enable console redirection, use the argument 0.
NOTE: The disable console redirection option is only available to local racadm
users.
Connecting to the Managed System Through the Local Serial Port or Telnet Management Station (Client System)
The managed system provides access between the DRAC 5 and the serial port on your system to enable you to power on, power off, or reset the managed system, and access logs.
The serial console is available on the DRAC 5 through the managed system external serial connector. Only one serial client system (management station) may be active at any given time. The telnet and SSH consoles are available on the DRAC 5 through the DRAC modes (see "DRAC Modes"). Up to four telnet client systems and four SSH clients may connect at any given time. The management station connection to the managed system serial or telnet console requires management station terminal emulation software. See "Configuring the Management Station Terminal Emulation Software" for more information.
The following subsections explain how to connect your management station to the managed system using the following methods:
A managed system external serial port using terminal software and a null modem cable
A telnet connection using terminal software through the managed system DRAC 5 NIC or the shared, teamed NIC
Connecting the DB-9 Cable for the Serial Console
To access the managed system using a serial text console, connect a DB-9 null modem cable to the COM port on the managed system. Not all DB-9 cables carry the pinout/signals necessary for this connection. The DB-9 cable for this connection must conform to the specification shown in Table 3-9.
NOTE: The DB-9 cable can also be used for BIOS text console redirection.
Table 3-9. Required Pinout for DB-9 Null Modem Cable
Signal Name | DB-9 Pin (server pin) | DB-9 Pin (workstation pin)
FG (Frame Ground) | |
TD (Transmit data) | 3 | 2
RD (Receive Data) | 2 | 3
RTS (Request To Send) | 7 | 8
CTS (Clear To Send) | 8 | 7
SG (Signal Ground) | 5 | 5
DSR (Data Set Ready) | 6 | 4
CD (Carrier Detect) | 1 | 4
DTR (Data Terminal Ready) | 4 | 1 and 6
Configuring the Management Station Terminal Emulation Software
Your DRAC 5 supports a serial or telnet text console from a management station running one of the following types of terminal emulation software:
Perform the steps in the following subsections to configure your type of terminal software. If you are using Microsoft Telnet, configuration is not required.
Configuring Linux Minicom for Serial Console Emulation
Minicom is the serial port access utility for Linux. The following steps are valid for configuring Minicom version 2.0. Other Minicom versions may differ slightly but require the same basic settings. Use the information in "Required Minicom Settings for Serial Console Emulation" to configure other versions of Minicom.
Configuring Minicom Version 2.0 for Serial Console Emulation
NOTE: To ensure that the text displays properly, Dell recommends that you use an
Xterm window to display the telnet console instead of the default console provided
by the Linux installation.
To start a new Xterm session, type xterm & at the command prompt.
In the Xterm window, move your mouse arrow to the lower right-hand
corner of the window and resize the window to 80 x 25.
If you do not have a Minicom configuration file, go to the next step.
If you have a Minicom configuration file, type minicom <Minicomconfig file name> and skip to step 17.
At the Xterm command prompt, type minicom -s.
Select Serial Port Setup and press <Enter>.
Press <a> and select the appropriate serial device (for example,
/dev/ttyS0).
Press <e> and set the Bps/Par/Bits option to 57600 8N1.
Press <f> and set Hardware Flow Control to Yes and set Software Flow
Control to No.
To exit the Serial Port Setup menu, press <Enter>.
Select Modem and Dialing and press <Enter>.
In the Modem Dialing and Parameter Setup menu, press <Backspace>
to clear the init, reset, connect, and hangup settings so that they are blank.
Press <Enter> to save each blank value.
When all specified fields are clear, press <Enter> to exit the Modem
Dialing and Parameter Setup menu.
Select Save setup as config_name and press <Enter>.
Select Exit From Minicom and press <Enter>.
At the command shell prompt, type minicom <Minicomconfig
file name>.
To expand the Minicom window to 80 x 25, drag the corner of the window.
Press <Ctrl+a>, <z>, <x> to exit Minicom.
NOTE: If you are using Minicom for serial text console redirection to configure the
managed system BIOS, it is recommended to turn on color in Minicom. To turn on
color, type the following command in the command prompt: minicom -c on
Ensure that the Minicom window displays a command prompt such as [DRAC 5\root]#. When the command prompt appears, your connection is successful and you are ready to connect to the managed system console using the connect serial command.
Required Minicom Settings for Serial Console Emulation
Use Table 3-10 to configure any version of Minicom.
Table 3-10. Minicom Settings for Serial Console Emulation
Setting Description | Required Setting
Bps/Par/Bits | 57600 8N1
Hardware flow control | Yes
Software flow control | No
Terminal emulation | ANSI
Modem dialing and parameter settings | Clear the init, reset, connect, and hangup settings so that they are blank
Window size | 80 x 25 (to resize, drag the corner of the window)
Configuring HyperTerminal for Serial Console Redirection
HyperTerminal is the Microsoft Windows serial port access utility. To set the size of your console screen appropriately, use Hilgraeve's HyperTerminal Private Edition version 6.3.
To configure HyperTerminal for serial console redirection, perform the following steps:
Start the HyperTerminal program.
Type a name for the new connection and click OK.
Next to Connect using:, select the COM port on the management station
(for example, COM2) to which you have connected the DB-9 null modem
cable and click OK.
Configure the COM port settings as shown in Table 3-11.
Click OK.
Click File → Properties, and then click the Settings tab.
Set the Telnet terminal ID: to ANSI.
Click Terminal Setup and set Screen Rows to 26.
Set Columns to 80 and click OK.
Table 3-11. Management Station COM Port Settings
Setting Description | Required Setting
Bits per second | 57600
Data bits | 8
Parity | None
Stop bits | 1
Flow control | Hardware
The HyperTerminal window displays a command prompt such as [DRAC 5\root]#. When the command prompt appears, your connection is successful and you are ready to connect to the managed system console using the connect com2 serial command.
Configuring Linux XTerm for Telnet Console Redirection
Use the following guidelines when performing the steps in this section:
When you are using the connect com2 command through a telnet console to display the System Setup screens, set the terminal type to ANSI in System Setup and for the telnet session.
To ensure that the text is properly displayed, Dell recommends that you use an Xterm window to display the telnet console instead of the default console provided by the Linux installation.
To run telnet with Linux, perform the following steps:
Start a new Xterm session.
At the command prompt, type xterm &
Using the mouse arrow, click on the lower right-hand corner of the XTerm
window and resize the window to 80 x 25.
Connect to the DRAC 5 in the managed system.
At the Xterm prompt, type telnet <DRAC 5 IP address>
Enabling Microsoft Telnet for Telnet Console Redirection
NOTE: Some telnet clients on Microsoft operating systems may not display the
BIOS setup screen correctly when BIOS console redirection is set for VT100
emulation. If this issue occurs, update the display by changing BIOS console
redirection to ANSI mode. To perform this procedure in the BIOS setup menu, select
Console Redirection → Remote Terminal Type → ANSI.
Enable Telnet in Windows Component Services.
Connect to the DRAC 5 in the management station.
Open a command prompt, type the following, and press <Enter>:
telnet <IP address>:<port number>
where IP address is the IP address for the DRAC 5 and port number is the telnet port number (if you are using a new port).
Configuring the Backspace Key For Your Telnet Session
Depending on the telnet client, using the <Backspace> key may produce unexpected results. For example, the session may echo ^h. However, most Microsoft and Linux telnet clients can be configured to use the <Backspace> key.
To configure Microsoft telnet clients to use the <Backspace> key, perform the following steps:
Open a command prompt window (if required).
If you are not running a telnet session, type:
telnet
If you are running a telnet session, press <Ctrl><]>.
At the prompt, type:
set bsasdel
The following message appears:
Backspace will be sent as delete.
To configure a Linux telnet session to use the <Backspace> key, perform the following steps:
Open a command prompt and type:
stty erase ^h
At the prompt, type:
telnet
Using a Serial or Telnet Console
Serial and telnet commands, and RACADM CLI can be typed in a serial or telnet console and executed on the server locally or remotely. The local RACADM CLI is installed for use by a root user only.
If your management station is running Windows XP or Windows 2003, you may experience an issue with the characters in a DRAC 5 telnet session. This issue may occur as a frozen login where the return key does not respond and the password prompt does not appear.
To fix this issue, download hotfix 824810 from the Microsoft Support website at support.microsoft.com. See Microsoft Knowledge Base article 824810 for more information.
Running Telnet Using Windows 2000
If your management station is running Windows 2000, you cannot access BIOS setup by pressing the <F2> key. To fix this issue, use the telnet client supplied with the Windows Services for UNIX® 3.5a recommended free download from Microsoft. Browse to www.microsoft.com/downloads/ and search for "Windows Services for UNIX 3.5."