Read the installation requirements to ensure that your system meets or exceeds the minimum requirements.
Read the Dell OpenManage Server Administrator Compatibility Guide. This document contains compatibility information about Dell OpenManage software installation and operation on various hardware platforms (systems) running supported Microsoft® Windows®, Novell® NetWare®, and Red Hat® Enterprise Linux operating systems.
Read the applicable Dell OpenManage readme files on the Dell OpenManage Server Support kit CDs that are shipped with your system. These files contain the latest information about software, firmware, and driver versions, in addition to information about known issues. The installation readme file also contains a list of supported servers.
Read the installation instructions for your operating system.
Installation Requirements
The following sections describe the Dell OpenManage Systems Management software general requirements. Operating system-specific installation prerequisites are listed as part of the installation procedures.
Dell OpenManage Systems Management software runs, at a minimum, on each of the following operating systems:
Microsoft Windows 2000 Server family with SP4 (includes Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional, and Windows 2000 Small Business Server (SBS))
Microsoft Windows Server 2003 family (includes Web, Standard, and Enterprise editions) and Windows Server 2003 SBS
Microsoft Windows Server 2003 x64 (includes Standard and Enterprise editions)
Red Hat Enterprise Linux (AS and ES), version 3
NOTE: Support for updated kernels released by Red Hat and for later versions of Red Hat
Enterprise Linux may require the use of Dynamic Kernel Support (see "Dynamic Kernel Support
(DKS)" for a description of this feature).
Red Hat Enterprise Linux (version 3) for Intel® Extended Memory 64 Technology (Intel EM64T)
Red Hat Enterprise Linux (version 4) for Intel x86
Red Hat Enterprise Linux (version 4) for Intel EM64T
Novell NetWare, version 6.5
System Requirements
Dell OpenManage Server Administrator software must be installed on each system to be managed. You can then manage each system running Server Administrator locally or remotely through a supported Web browser.
A mouse, keyboard, and monitor to manage a system locally. The monitor requires a minimum screen resolution of 800 x 600. The recommended screen resolution setting is 1024 x 768.
The Server Administrator Remote Access Service requires that a remote access controller (RAC) be installed on the system to be managed. See the Dell Remote Access Controller 4 User's Guide and the Dell Remote Access Controller Installation and Setup Guide or the Dell Embedded Remote Access/MC Controller User's Guide for complete software and hardware requirements.
NOTE: The RAC software is installed as part of the Express Setup and Custom Setup installation
options when installing managed system software from the Dell PowerEdge Installation and Server
Management CD provided that the managed system meets all of the RAC installation prerequisites.
See "Remote Access Controller Service" and the Dell Remote Access Controller Installation and
Setup Guide or the Dell Embedded Remote Access/MC Controller User's Guide for complete
software and hardware requirements.
Remote Management System Requirements
One of the supported Web browsers to manage a system remotely from a graphical user interface (GUI).
A TCP/IP connection on the managed system and the remote system to facilitate remote system management.
A minimum screen resolution of 800 x 600. The recommended screen resolution setting is 1024 x 768.
Supported Web Browser Requirements
Microsoft Internet Explorer 6.0 (Windows only)
Mozilla 1.7.1 and 1.7.3 (Red Hat Enterprise Linux and Windows)
NOTE: IT Assistant supports the Mozilla 1.7.3 browser only on systems running Red Hat Enterprise Linux.
Supported Systems Management Protocol Standards
A supported systems management protocol standard must be installed on the managed system before installing your management station or managed system software. On supported Microsoft Windows operating systems, Dell OpenManage software supports these two systems management standards: Common Information Model/Windows Management Instrumentation (CIM/WMI) and Simple Network Management Protocol (SNMP). On supported Red Hat Enterprise Linux and Novell NetWare operating systems, Dell OpenManage software supports the SNMP systems management standard.
NOTE: For information about installing a supported system management protocol standard on your
managed system, see your operating system documentation.
Table 3-1 shows the availability of the systems management standards for each supported operating system.
Table 3-1. Availability of Systems Management Protocol by Operating Systems

| Operating System | SNMP | CIM/WMI |
|---|---|---|
| Supported Microsoft Windows operating systems. | Available from the operating system installation media. | Always installed. |
| Supported Red Hat Enterprise Linux operating systems. | You must install the SNMP package provided with the operating system. | Unavailable. |
| Supported Novell NetWare operating systems. | Always installed. | Unavailable. |

Dependencies and Prerequisites
Upgrading from Dell OpenManage Software Versions 1.x, 2.x, and 3.x4.2
Upgrades from Dell OpenManage software versions 1.x, 2.x, and 3.x 4.2 are not supported. You must manually uninstall Dell OpenManage software versions 1.x, 2.x, and 3.x 4.2 before launching the Dell OpenManage software installation. The installer will notify you if it detects Dell OpenManage software versions 1.x, 2.x, and 3.x 4.2 on the system.
Configuring a Supported Web Browser
The following sections provide instructions for configuring the supported Web browsers. For a list of supported Web browsers, see "Supported Web Browser Requirements."
Configuring Internet Explorer to Connect to the Web-Based Interface
If you are connecting to a Web-based interface from a management station that connects to the Internet through a proxy server, you need to configure the Web browser to connect properly. If you are using Microsoft's Internet Explorer browser, follow these steps:
From the Internet Explorer main window, click Tools, and then click Internet Options.
From the Internet Options window, click the Connections tab.
Under Local Area Network (LAN) settings, click LAN Settings.
If the Use a proxy server box is selected, select the Bypass proxy server for local addresses box.
Click OK twice.
Configure other browsers for the same functionality.
Viewing Localized Versions of the Web-Based Interface
When using Internet Explorer or Netscape Navigator on systems running Microsoft Windows, to view localized versions of the Web-based interface, do the following:
Open the Windows Control Panel and double-click the Regional Options icon.
Select the desired locale from the Your locale (location) drop-down menu.
Assigning User Privileges
To ensure critical system component security, you must properly assign user privileges to all Dell OpenManage software users before installing Dell OpenManage software.
The following sections provide step-by-step instructions for creating users and assigning user privileges for each supported operating system.
NOTICE: To protect access to your critical system components, you must assign a password to every
user account that can access Dell OpenManage software.
Creating Users for Supported Windows Operating Systems
NOTE: You must be logged in with Administrator privileges to perform these procedures.
The following procedures create user accounts, assign user privileges, and add users to domains.
Creating Users and Assigning User Privileges for Supported Windows Server 2003 Operating Systems
NOTE: For questions about creating users and assigning user group privileges, or for more detailed
instructions, see your operating system documentation.
Click the Start button, right-click My Computer, and point to Manage.
In the console tree, expand Local Users and Groups, and then click Users.
Click Action, and then click New User.
Type the appropriate information in the dialog box, select or clear the appropriate check
boxes, and then click Create.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components. Additionally, users who do not have
an assigned password cannot log into Dell OpenManage software on a system running
Windows Server 2003 due to operating system constraints.
In the console tree, under Local Users and Groups, click Groups.
Click the group to which you want to add the new user: Users, Power Users, or
Administrators.
Click Action, and then click Properties.
Click Add.
Type the user name that you are adding and click Check Names to validate.
Click OK.
New users can log into Dell OpenManage software with the user privileges for their assigned group.
Creating Users and Assigning User Privileges for Supported Windows 2000 Operating Systems
NOTE: For questions about creating users and assigning user group privileges, or for more detailed
instructions, see your operating system documentation.
Right-click My Computer and point to Manage.
In the console tree, expand Local Users and Groups, and then click Users.
Click Action, and then click New User.
Type the appropriate information in the dialog box, select or clear the appropriate check
boxes, and then click Create.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components. Additionally, users who do not have an
assigned password cannot log into Dell OpenManage software on a system running Windows
Server 2003 because of operating system constraints.
In the console tree, under Local Users and Groups, click Groups.
Click the group to which you want to add the new user: Users, Power Users,
or Administrators.
Click Action, and then click Properties.
Click Add.
Click the name of the user you want to add, and then click Add.
Click Check Names to validate the user name that you are adding.
Click OK.
New users can log into Dell OpenManage software with the user privileges for their assigned group.
Adding Users to a Domain
NOTE: For questions about creating users and assigning user group privileges or for more detailed
instructions, see your operating system documentation.
NOTE: You must have Active Directory installed on your system to perform the following procedures.
See "Microsoft Active Directory" for more information about using Active Directory.
Click the Start button, and then point to Control Panel→ Administrative Tools→ Active
Directory Users and Computers.
In the console tree, right-click Users or right-click the container in which you want to add the
new user, and then point to New→ User.
Type the appropriate user name information in the dialog box, and then click Next.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components. Additionally, users who do not have
an assigned password cannot log into Dell OpenManage software on a system running
Windows Server 2003 due to operating system constraints.
Click Next, and then click Finish.
Double-click the icon representing the user that you just created.
Click the Member of tab.
Click Add.
Select the appropriate group and click Add.
Click OK, and then click OK again.
New users can log into Dell OpenManage software with the user privileges for their assigned group and domain.
Disabling Guest and Anonymous Accounts in Supported Windows Operating Systems
NOTE: You must be logged in with Administrator privileges to perform this procedure.
If your system is running Windows Server 2003, click the Start button, right-click
My Computer, and point to Manage.
If your system is running Windows 2000, right-click My Computer and point to Manage.
In the console tree, expand Local Users and Groups and click Users.
Click the Guest or IUSR_system name user account.
Click Action and point to Properties.
Select Account is disabled and click OK.
A red circle with an X appears over the user name. The account is disabled.
NOTE: Consider renaming the accounts so that remote scripts cannot enable the accounts using
the name.
Creating Users for Supported Red Hat Enterprise Linux Operating Systems
Administrator access privileges are assigned to the user logged in as root. To create users with User and Power User privileges, perform the following steps.
NOTE: You must be logged in as root to perform these procedures.
NOTE: You must have the useradd utility installed on your system to perform these procedures.
Creating Users
NOTE: For questions about creating users and assigning user group privileges, or for more detailed
instructions, see your operating system documentation.
Creating Users With User Privileges
Run the following command from the command line:
useradd -d <home-directory> -g <group> <username>
where <group> is not root.
NOTE: If <group> does not exist, you must create it by using the groupadd command.
Type passwd <username> and press <Enter>.
When prompted, enter a password for the new user.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components.
The new user can now log in to Dell OpenManage software with User group privileges.
Creating Users With Power User Privileges
Run the following command from the command line:
useradd -d <home-directory> -g root <username>
NOTE: You must set root as the primary group.
Type passwd <username> and press <Enter>.
When prompted, enter a password for the new user.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components.
The new user can now log in to Dell OpenManage software with Power User group privileges.
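As an added example (not part of the Dell documentation), the following Python script audits passwd- and shadow-format data against the mapping described above: root is Administrator, a primary group of root is Power User, any other group is User, and every account without an assigned password is flagged. The sample data is constructed, and treating UID 0 as root and GID 0 as the root group is an assumption.

```python
# Added example, not Dell code: classify accounts by OpenManage privilege
# level and flag those that have no usable password assigned.

# Constructed sample data in /etc/passwd and /etc/shadow format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
omadmin:x:500:0:OpenManage power user:/home/omadmin:/bin/bash
omuser:x:501:501:OpenManage user:/home/omuser:/bin/bash
nopass:x:502:501:empty password field:/home/nopass:/bin/bash
svc:x:503:0:useradd without passwd:/home/svc:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hash:13000:0:99999:7:::
omadmin:$1$constructed$hash:13000:0:99999:7:::
omuser:$1$constructed$hash:13000:0:99999:7:::
nopass::13000:0:99999:7:::
svc:!!:13000:0:99999:7:::
"""


def password_state(shadow_field):
    """Classify the second field of a shadow entry."""
    if shadow_field == "":
        return "empty"      # login is possible without any password
    if shadow_field.startswith(("!", "*")):
        return "locked"     # no password was ever set, or it is locked
    return "set"


def parse_shadow(text):
    """Map account name -> raw password field from shadow-format text."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            fields[parts[0]] = parts[1]
    return fields


def privilege_level(uid, gid):
    """Privilege mapping from the page (UID/GID 0 == root is an assumption)."""
    if uid == 0:
        return "Administrator"
    if gid == 0:
        return "Power User"
    return "User"


def audit(passwd_text, shadow_text):
    """Return (name, privilege level, password state) for every account."""
    shadow = parse_shadow(shadow_text)
    report = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        name, uid, gid = parts[0], int(parts[2]), int(parts[3])
        field = shadow.get(name)
        state = "missing" if field is None else password_state(field)
        report.append((name, privilege_level(uid, gid), state))
    return report


def findings(report):
    """Accounts that violate the 'assign a password to every user' notice."""
    return [entry for entry in report if entry[2] != "set"]


if __name__ == "__main__":
    for name, level, state in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        flag = "" if state == "set" else "  <-- no usable password assigned"
        print(f"{name:8} {level:13} {state}{flag}")
```

On a live system, pass the contents of /etc/passwd and /etc/shadow (read as root) to `audit()` in place of the constructed samples.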
Creating Users for Supported NetWare Operating Systems
NOTE: For questions about creating users and assigning user group privileges or for more detailed
instructions, see your operating system documentation.
Creating Users With User Privileges
Log in with Administrator privileges.
Right-click the container in which you want to create a user account.
Click NEW and select USER.
Complete the required fields and click OK.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components.
An icon labeled with the new user name appears in the current container.
Right-click the icon labeled with the new user name and click Trustees of this Object.
Select username.contextName and click Assigned Rights.
By default, three entries in the Assigned Rights category are available: Login Script, Print Job Configuration, and [All Attribute Rights].
Select Login Script, and enable the Read and Add Self fields.
Select Print Job Configuration, and enable the Read and Add Self fields.
Select All Attribute Rights, and enable the Read and Add Self fields.
New users can now log into Dell OpenManage software with User privileges.
Creating Users With Power User Privileges
Log in with Administrator privileges.
Right-click the container in which you want to create a user account.
Click NEW and select USER.
Complete the required fields and click OK.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components.
An icon labeled with the new user name appears in the current container.
Right-click the icon labeled with the new user name and click Properties.
Click NDS Rights.
Select username.contextName and click Assigned Rights.
Click Add Property.
Select ACL and click OK.
Enable the Read and Write fields by putting a check mark in the check box.
Click OK.
New users can now log into Dell OpenManage software with Power User privileges.
Creating Users With Administrator Privileges
Log in with Administrator privileges.
Right-click the container in which you want to create a user account.
Click NEW and point to USER.
Complete the required fields and click OK.
NOTICE: You must assign a password to every user account that can access Dell OpenManage
software to protect access to your critical system components.
An icon labeled with the new user name appears in the current container.
Right-click the icon labeled with the new user name and click Trustees of this Object.
Select username.contextName and click Assigned Rights.
By default, three entries in the Assigned Rights category are available: Login Script, Print Job Configuration, and All Attribute Rights.
Select Login Script, and enable the Read, Write, Add Self, and Supervisor fields.
Select Print Job Configuration, and enable the Read, Write, Add Self, and Supervisor fields.
Select All Attribute Rights, and enable the Read, Write, Add Self, and Supervisor fields.
New users can now log into Dell OpenManage software with Administrator privileges.
Microsoft Active Directory
If you use Microsoft Active Directory service software, you can configure it to control access to your network. Dell has modified the Active Directory database to support remote management authentication and authorization. IT Assistant and Server Administrator, as well as Dell remote access controllers, can now interface with Active Directory. With this tool, you can add and control users and privileges from one central database.
NOTE: Using Active Directory to recognize RAC, IT Assistant, or Server Administrator users is supported
on the Microsoft Windows 2000 and Windows Server 2003 operating systems.
Active Directory Schema Extensions
The Active Directory data exists in a distributed database of Attributes and Classes. An example of an Active Directory Class is the User class. Some example Attributes of the user class might be the user's first name, last name, phone number, and so on. Every Attribute or Class that is added to an existing Active Directory schema must be defined with a unique ID. To maintain unique IDs throughout the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs).
The Active Directory schema defines the rules for what data can be included in the database. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and unique linked attribute IDs for the new attributes and classes in the directory service.
Dell extension is: dell
Dell base OID is: 1.2.840.113556.1.8000.1280
Dell LinkID range is: 12070 to 12079
The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension, Dell.
Overview of the Active Directory Schema Extensions
Dell created Classes, or groups of objects, that can be configured by the user to meet their unique needs. New Classes in the schema include an Association, a Product, and a Privilege class. An Association object links the users or groups to a given set of privileges and to systems (Product Objects) in your network. This model gives an administrator control over the different combinations of users, privileges, and systems or RAC devices on the network, without adding complexity.
Active Directory Object Overview
For each of the systems that you want to integrate with Active Directory for Authentication and Authorization, there must be at least one Association Object and one Product Object. The Product Object represents the system. The Association Object links it with users and privileges. You can create as many Association Objects as you need.
Each Association Object can be linked to as many users, groups of users, and Product Objects as desired. The users and Product Objects can be from any domain. However, each Association Object may only link to one Privilege Object. This behavior allows an Administrator to control which users have which rights on specific systems.
The Product Object links the system to Active Directory for authentication and authorization queries. When a system is added to the network, the Administrator must configure the system and its product object with its Active Directory name so that users can perform authentication and authorization with Active Directory. The Administrator must also add the system to at least one Association Object in order for users to authenticate.
Figure 3-1 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.
Figure 3-1. Typical Setup for Active Directory Objects
In addition, you can set up Active Directory objects in a single domain or in multiple domains. Setting up objects in a single domain does not vary, whether you are setting up RAC, Server Administrator, or IT Assistant objects. When multiple domains are involved, however, there are some differences.
For example, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an Administrator privilege on both DRAC 4 cards and give user3 a Login privilege on the RAC2 card. Figure 3-2 shows how you set up the Active Directory objects in this scenario.
Figure 3-2. Setting Up Active Directory Objects in a Single Domain
To set up the objects for the single domain scenario, perform the following tasks:
Create two Association Objects.
Create two RAC Product Objects, RAC1 and RAC2, to represent the two DRAC 4 cards.
Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator)
and Priv2 has Login privileges.
Group user1 and user2 into Group1.
Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1,
and RAC1, RAC2 as RAC Products in AO1.
Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and
RAC2 as RAC Products in AO2.
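The single-domain scenario above, modelled in Python as an added example (not Dell code, and not how Active Directory stores these objects): it resolves which dellRAC4Privileges rights each user ends up with on each RAC. The class and function names are hypothetical, only one level of group membership is expanded, and merging rights when a user matches several Association Objects is an assumption the page does not state.

```python
# Added example, not Dell code: Association / Product / Privilege objects
# from the single-domain scenario, with a resolver for effective rights.
from dataclasses import dataclass

# Attribute names of the dellRAC4Privileges class as listed on the page.
RAC4_RIGHTS = frozenset({
    "dellIsLoginUser", "dellIsCardConfigAdmin", "dellIsUserConfigAdmin",
    "dellIsLogClearAdmin", "dellIsServerResetUser",
    "dellIsConsoleRedirectUser", "dellIsVirtualMediaUser",
    "dellIsTestAlertUser", "dellIsDebugCommandAdmin",
})


@dataclass(frozen=True)
class PrivilegeObject:
    name: str
    rights: frozenset


@dataclass(frozen=True)
class AssociationObject:
    name: str
    members: frozenset          # user names or group names
    products: frozenset         # Product Object names
    privilege: PrivilegeObject  # exactly one per Association Object


class Directory:
    def __init__(self):
        self.groups = {}        # group name -> set of user names
        self.products = set()   # known Product Objects
        self.associations = []

    def add_association(self, name, members, products, privilege):
        # The page allows only one Privilege Object per Association Object.
        if not isinstance(privilege, PrivilegeObject):
            raise TypeError(f"{name}: needs exactly one Privilege Object")
        missing = set(products) - self.products
        if missing:
            raise ValueError(f"{name}: unknown products {sorted(missing)}")
        self.associations.append(AssociationObject(
            name, frozenset(members), frozenset(products), privilege))

    def _is_member(self, user, ao):
        # Direct membership, or membership through one group (assumption).
        return user in ao.members or any(
            user in self.groups.get(m, ()) for m in ao.members)

    def effective_rights(self, user, product):
        """Union of rights over every matching Association Object."""
        rights = set()
        for ao in self.associations:
            if product in ao.products and self._is_member(user, ao):
                rights |= ao.privilege.rights
        return frozenset(rights)

    def unlinked_products(self):
        """Products in no Association Object: nobody can authenticate."""
        linked = set().union(*(ao.products for ao in self.associations))
        return self.products - linked


def build_single_domain():
    """Objects exactly as listed in the single-domain task list."""
    d = Directory()
    d.products |= {"RAC1", "RAC2"}
    d.groups["Group1"] = {"user1", "user2"}
    priv1 = PrivilegeObject("Priv1", RAC4_RIGHTS)                     # Administrator
    priv2 = PrivilegeObject("Priv2", frozenset({"dellIsLoginUser"}))  # Login only
    d.add_association("AO1", {"Group1"}, {"RAC1", "RAC2"}, priv1)
    d.add_association("AO2", {"user3"}, {"RAC2"}, priv2)
    return d


if __name__ == "__main__":
    directory = build_single_domain()
    for user in ("user1", "user2", "user3"):
        for rac in ("RAC1", "RAC2"):
            rights = sorted(directory.effective_rights(user, rac))
            print(f"{user} on {rac}: {rights or 'no access'}")
```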
Figure 3-3 shows how to set up the Active Directory objects in multiple domains for RAC. In this scenario, you have two DRAC 4 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, but user2 and user3 are in Domain2. You want to give user1 and user2 Administrator privileges on both the RAC1 and the RAC2 card and give user3 a Login privilege on the RAC2 card.
Figure 3-3. Setting Up RAC Active Directory Objects in Multiple Domains
To set up the objects for this multiple domain scenario, perform the following tasks:
Ensure that the domain forest function is in Native or Windows 2003 mode.
Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain. The
figure shows the objects in Domain2.
Create two RAC Device Objects, RAC1 and RAC2, to represent the two remote systems.
Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator)
and Priv2 has Login privileges.
Group user1 and user2 into Group1. The group scope of Group1 must be Universal.
Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1,
and both RAC1 and RAC2 as Products in AO1.
Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and
RAC2 as a Product in AO2.
For Server Administrator or IT Assistant, on the other hand, the users in a single Association can be in separate domains without needing to be added to a universal group. The following is a very similar example to show how Server Administrator or IT Assistant systems in separate domains affect the setup of directory objects. Instead of RAC devices, you'll have two systems running Server Administrator (Server Administrator Products sys1 and sys2). Sys1 and sys2 are in different domains. You can use any existing Users or Groups that you have in Active Directory. Figure 3-3 shows how to set up the Server Administrator Active Directory objects for this example.
Figure 3-4. Setting Up Server Administrator Active Directory Objects in Multiple Domains
To set up the objects for this multiple domain scenario, perform the following tasks:
Ensure that the domain forest function is in Native or Windows 2003 mode.
Create two Association Objects, AO1 and AO2, in any domain. The figure shows the objects
in Domain1.
Create two Server Administrator Products, sys1 and sys2, to represent the two systems. Sys1 is
in Domain1 and sys2 is in Domain2.
Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (Administrator)
and Priv2 has Login privileges.
Group sys2 into Group1. The group scope of Group1 must be universal.
Add user1 and user2 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in
AO1, and both sys1 and Group1 as Products in AO1.
Add User3 as a Member in Association Object 2 (AO2), Priv2 as a Privilege object in AO2,
and Group1 as a Product in AO2.
Note that neither of the Association objects needs to be of Universal scope in this case.
Configuring Active Directory to Access Your Systems
Before you can use Active Directory to access your systems, you must configure both the Active Directory software and the systems.
Configure the system's Active Directory properties using either the Web-based interface or
the CLI (see "Configuring Your Systems or Devices").
Extending the Active Directory Schema
RAC, Server Administrator, and IT Assistant schema extensions are available. You only need to extend the schema for software or hardware that you are using. Each extension must be applied individually to receive the benefit of its software-specific settings. Extending your Active Directory schema will add schema classes and attributes, example privileges and association objects, and a Dell organizational unit to the schema.
NOTE: Before you extend the schema, you must have Schema Admin privileges on the Schema Master
Flexible Single Master Operation (FSMO) Role Owner of the domain forest.
You can extend your schema using two different methods. You can use the Dell Schema Extender utility, or you can use the Lightweight Directory Interchange Format (LDIF) script file.
NOTE: The Dell organizational unit will not be added if you use the LDIF script file.
The LDIF script files and Dell Schema Extender are located on your Dell PowerEdge Installation and Server Management CD in the following respective directories:
CD drive:\support\OMActiveDirectory Tools\installation type\LDIF Files
CD drive:\support\OMActiveDirectory Tools\installation type\Schema Extender
where installation type will be either RAC4, RAC3, Dell OpenManage Server Administrator, or IT Assistant version 7.0, depending on your choice of schema extension.
To use the LDIF files, see the instructions in the readme that is in the LDIF files directory. To use the Dell Schema Extender to extend the Active Directory Schema, perform the steps in "Using the Dell Schema Extender."
You can copy and run the Schema Extender or LDIF files from any location.
Using the Dell Schema Extender
NOTICE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the
Dell Schema Extender utility functions properly, do not modify the name or the contents of this file.
Click Next on the Welcome screen.
Read the warning and click Next again.
Either select Use Current Log In Credentials or enter a user name and password with schema
administrator rights.
Table 3-2. Class Definitions for Classes Added to the Active Directory Schema

| Class Name | Assigned Object Identification Number (OID) | Class Type |
|---|---|---|
| dellRacDevice | 1.2.840.113556.1.8000.1280.1.1.1.1 | Structural Class |
| dellAssociationObject | 1.2.840.113556.1.8000.1280.1.1.1.2 | Structural Class |
| dellRAC4Privileges | 1.2.840.113556.1.8000.1280.1.1.1.3 | Auxiliary Class |
| dellPrivileges | 1.2.840.113556.1.8000.1280.1.1.1.4 | Structural Class |
| dellProduct | 1.2.840.113556.1.8000.1280.1.1.1.5 | Structural Class |
| dellRAC3Privileges | 1.2.840.113556.1.8000.1280.1.1.1.6 | Auxiliary Class |
| dellOmsa2AuxClass | 1.2.840.113556.1.8000.1280.1.2.1.1 | Auxiliary Class |
| dellOmsaApplication | 1.2.840.113556.1.8000.1280.1.2.1.2 | Structural Class |
| dellIta7AuxClass | 1.2.840.113556.1.8000.1280.1.3.1.1 | Auxiliary Class |
| dellItaApplication | 1.2.840.113556.1.8000.1280.1.3.1.2 | Structural Class |

Table 3-3. dellRacDevice Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.1.1.1 |
| Description | This class represents the Dell RAC device. The RAC Device must be configured as dellRacDevice in Active Directory. This configuration enables the DRAC 4 to send LDAP queries to Active Directory. |
| Class Type | Structural Class |
| SuperClasses | dellProduct |
| Attributes | dellSchemaVersion, dellRacType |

Table 3-4. dellAssociationObject Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.1.1.2 |
| Description | This class represents the Dell Association Object. The Association Object provides the connection between the users and the devices or products. |
| Class Type | Structural Class |
| SuperClasses | Group |
| Attributes | dellProductMembers, dellPrivilegeMember |

Table 3-5. dellRAC4Privileges Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.1.1.3 |
| Description | This class is used to define the privileges (Authorization Rights) for the DRAC 4 device. |
| Class Type | Auxiliary Class |
| SuperClasses | None |
| Attributes | dellIsLoginUser, dellIsCardConfigAdmin, dellIsUserConfigAdmin, dellIsLogClearAdmin, dellIsServerResetUser, dellIsConsoleRedirectUser, dellIsVirtualMediaUser, dellIsTestAlertUser, dellIsDebugCommandAdmin |

Table 3-6. dellPrivileges Class
OID
1.2.840.113556.1.8000.1280.1.1.1.4
Description
This class is used as a container Class for the Dell Privileges (Authorization Rights).
This is the main class from which all Dell products are derived.
Class Type
Structural Class
SuperClasses
Computer
Attributes
dellAssociationMembers
Table 3-8. dellRAC3Privileges Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.1.1.6 |
| Description | This class is used to define the privileges (Authorization Rights) for the DRAC III, DRAC III/XT, ERA, ERA/O, and ERA/MC devices. |
| Class Type | Auxiliary Class |
| SuperClasses | None |
| Attributes | dellIsLoginUser |

Table 3-9. dellOmsa2AuxClass Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.2.1.1 |
| Description | This class is used to define the privileges (Authorization Rights) for Server Administrator. |
| Class Type | Auxiliary Class |
| SuperClasses | None |
| Attributes | dellOmsaIsReadOnlyUser, dellOmsaIsReadWriteUser, dellOmsaIsAdminUser |

Table 3-10. dellOmsaApplication Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.2.1.2 |
| Description | This class represents the Server Administrator application. Server Administrator must be configured as dellOmsaApplication in Active Directory. This configuration enables the Server Administrator application to send LDAP queries to Active Directory. |
| Class Type | Structural Class |
| SuperClasses | dellProduct |
| Attributes | dellAssociationMembers |

Table 3-11. dellIta7AuxClass Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.3.1.1 |
| Description | This class is used to define the privileges (Authorization Rights) for IT Assistant. |
| Class Type | Auxiliary Class |
| SuperClasses | None |
| Attributes | dellItaIsReadOnlyUser, dellItaIsReadWriteUser, dellItaIsAdminUser |

Table 3-12. DellItaApplication Class

| Property | Value |
|---|---|
| OID | 1.2.840.113556.1.8000.1280.1.3.1.2 |
| Description | This class represents the IT Assistant application. IT Assistant must be configured as dellItaApplication in Active Directory. This configuration enables IT Assistant to send LDAP queries to Active Directory. |
| Class Type | Structural Class |
| SuperClasses | dellProduct |
| Attributes | dellAssociationMembers |

Table 3-13. General Attributes Added to the Active Directory Schema

| Attribute Name/Description | Assigned OID/Syntax Object Identifier | Single Valued |
|---|---|---|
| dellPrivilegeMember: List of dellPrivilege Objects that belong to this Attribute. | 1.2.840.113556.1.8000.1280.1.1.2.1; Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE |
| dellProductMembers: List of dellRacDevices Objects that belong to this role. This attribute is the forward link to the dellAssociationMembers backward link. Link ID: 12070 | 1.2.840.113556.1.8000.1280.1.1.2.2; Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE |
| dellAssociationMembers: List of dellAssociationObjectMembers that belong to this Product. This attribute is the backward link to the dellProductMembers Linked attribute. Link ID: 12071 | 1.2.840.113556.1.8000.1280.1.1.2.14; Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE |

Table 3-14. RAC-specific Attributes Added to the Active Directory Schema
Installing the Dell Extension to the Active Directory Users and Computers Snap-In
When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so that the administrator can manage Products, Users and User Groups, Associations, and Privileges. You only need to extend the snap-in once, even if you have added more than one schema extension. You must install the snap-in on each system that you intend to use for managing these objects. The Dell Extension to the Active Directory Users and Computers Snap-In is an option that can be installed when you install your systems management software using the Dell PowerEdge Installation and Server Management CD.
NOTE: You must install the Administrator Pack on each management station that is managing the new
Active Directory objects. The installation is described in the following section, "Opening the Active
Directory Users and Computers Snap-In." If you do not install the Administrator Pack, then you cannot
view the new object in the container.
NOTE: For more information about the Active Directory Users and Computers snap-in, see your
Microsoft documentation.
Opening the Active Directory Users and Computers Snap-In
To open the Active Directory Users and Computers snap-in, perform the following steps:
If you are on the domain controller, click Start→ Admin Tools→ Active Directory Users and
Computers. If you are not on the domain controller, you must have the appropriate Microsoft
administrator pack installed on your local system. To install this administrator pack, click
Start→ Run, type MMC and press Enter.
The Microsoft Management Console (MMC) window opens.
Click File (or Console on systems running Windows 2000) in the Console 1 window.
Click Add/Remove Snap-in.
Select the Active Directory Users and Computers snap-in and click Add.
Click Close and click OK.
Adding Users and Privileges to Active Directory
The Dell-extended Active Directory Users and Computers snap-in allows you to add DRAC, Server Administrator, and IT Assistant users and privileges by creating RAC, Association, and Privilege objects. To add an object, perform the steps in the applicable subsection.
Creating a Product Object
NOTE: Server Administrator and IT Assistant users must use Universal-type Product Groups to span
domains with their product objects.
In the Console Root (MMC) window, right-click a container.
Select New.
Select a RAC, Server Administrator, or IT Assistant object, depending on which you have
installed.
Privilege Objects must be created in the same domain as the Association Object to which they are associated.
In the Console Root (MMC) window, right-click a container.
Select New.
Select a RAC, Server Administrator, or IT Assistant object, depending on which you have
installed.
The New Object window opens.
Type in a name for the new object.
Select the appropriate Privilege Object.
Click OK.
Right-click the privilege object that you created and select Properties.
Click the appropriate Privileges tab and select the privileges that you want the user to have
(for more information, see Table 3-5, Table 3-9, and Table 3-11).
Creating an Association Object
The Association Object is derived from a Group and must contain a group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, you must choose the Association Scope that applies to the type of objects you intend to add. Selecting Universal, for example, means that Association Objects are only available when the Active Directory Domain is functioning in Native Mode or above.
In the Console Root (MMC) window, right-click a container.
Select New.
Select a RAC, Server Administrator, or IT Assistant object, depending on which you have
installed.
The New Object window opens.
Type in a name for the new object.
Select Association Object.
Select the scope for the Association Object.
Click OK.
Adding Objects to an Association Object
By using the Association Object Properties window, you can associate users or user groups, privilege objects, systems, RAC devices, and system or device groups.
NOTE: RAC users must use Universal Groups to span domains with their users or RAC objects.
You can add groups of Users and Products. You can create Dell-related groups in the same way that you created other groups.
To add Users or User Groups:
Right-click the Association Object and select Properties.
Select the Users tab and click Add.
Type the User or User Group name or browse to select one and click OK.
Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a system.
NOTE: You can add only one Privilege Object to an association object.
To add a privilege:
Select the Privileges Object tab and click Add.
Type the Privilege Object name or browse for one and click OK.
Click the Products tab to add one or more systems or devices to the association. The associated objects specify the products connected to the network that are available for the defined users or user groups.
NOTE: You can add multiple systems or RAC devices to an Association Object.
To add Products:
Select the Products tab and click Add.
Type the system, device, or group name and click OK.
In the Properties window, click Apply and then OK.
Enabling SSL on a Domain Controller (RAC Only)
If you plan to use Microsoft Enterprise Root CA to automatically assign all your domain controllers SSL certificates, you must perform the following steps to enable SSL on each domain controller.
Install a Microsoft Enterprise Root CA on a Domain Controller.
Select Start→ Control Panel→ Add or Remove Programs.
Select Add/Remove Windows Components.
In the Windows Components Wizard, select the Certificate Services check box.
Select Enterprise root CA as CA Type and click Next.
Enter Common name for this CA, click Next, and click Finish.
Enable SSL on each of your domain controllers by installing the SSL certificate for
each controller.
Expand the Public Key Policies folder, right-click Automatic Certificate Request
Settings and click Automatic Certificate Request.
In the Automatic Certificate Request Setup Wizard, click Next and select
Domain Controller.
Click Next and click Finish.
Exporting the Domain Controller Root CA Certificate (RAC Only)
NOTE: The following steps may vary slightly if you are using Windows 2000.
Go to the domain controller on which you installed the Microsoft Enterprise CA service.
Click Start→ Run.
Type mmc and click OK.
In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and
select Add/Remove Snap-in.
In the Add/Remove Snap-in window, click Add.
In the Standalone Snap-in window, select Certificates and click Add.
Select Computer account and click Next.
Select Local Computer and click Finish.
Click OK.
In the Console 1 window, expand the Certificates folder, expand the Personal folder, and
click the Certificates folder.
Locate and right-click the root CA certificate, select All Tasks, and click Export.
In the Certificate Export Wizard, click Next and select No, do not export the private key.
Click Next and select Base-64 encoded X.509 (.cer) as the format.
Click Next and save the certificate to a location of your choice. You will need to upload this
certificate to the DRAC 4. To do this, go to the DRAC 4 Web-based interface→
Configuration tab→ Active Directory page. Alternatively, you can use the racadm CLI commands (see
"Configuring the DRAC 4 Active Directory Settings Using the racadm CLI").
Click Finish and click OK.
Importing the DRAC 4 Firmware SSL Certificate to All Domain Controllers Trusted Certificate Lists
NOTE: If the DRAC 4 firmware SSL certificate is signed by a well-known CA, you do not need to perform
the steps described in this section.
NOTE: The following steps may vary slightly if you are using Windows 2000.
The DRAC 4 SSL certificate is the same certificate that is used for the DRAC 4 Web server.
All DRAC 4 controllers are shipped with a default self-signed certificate. You can get this
certificate from the DRAC 4 by selecting Download DRAC 4 Server Certificate (see the
DRAC 4 Web-based interface Configuration tab and the Active Directory subtab).
On the domain controller, open an MMC Console window and select Certificates →
Trusted Root Certification Authorities.
Right-click Certificates, select All Tasks and click Import.
Click Next and browse to the SSL certificate file.
Install the RAC SSL Certificate in each domain controller's Trusted Root
Certification Authority.
If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the CA is not in the list, you must install it on all your Domain Controllers.
Click Next and select whether you would like Windows to automatically select the certificate
store based on the type of certificate, or browse to a store of your choice.
NOTE: The systems on which Server Administrator and/or IT Assistant are installed must be a part of the
Active Directory domain and should also have computer accounts on the domain.
Configuring Active Directory Using CLI on Systems Running Server Administrator
You can use the omconfig preferences dirservice command to configure the Active Directory service. The <product>oem.ini file is modified to reflect these changes. If the adproductname is not present in the <product>oem.ini file, a default name is assigned. The default value is <system name>-<software-product name>, where <system name> is the name of the system running Server Administrator, and <software-product name> refers to the name of the software product defined in omprv32.ini (that is, computerName-omsa).
NOTE: This command is applicable only on systems running the Windows operating system.
NOTE: Restart the Server Administrator service after you have configured Active Directory.
Table 3-17 shows the valid parameters for the command.
Table 3-17. Active Directory Service Configuration Parameters
name=value pair
    Description
prodname=<text>
    Specifies the software product to which you want to apply the Active Directory configuration changes. Prodname refers to the name of the product defined in omprv32.ini. For Server Administrator, it is omsa.
enable=<true | false>
    true: Enables Active Directory service authentication support.
    false: Disables Active Directory service authentication support.
adprodname=<text>
    Specifies the name of the product as defined in the Active Directory service. This name links the product with the Active Directory privilege data for user authentication.
Configuring Active Directory on Systems Running IT Assistant
By default, the Active Directory product name corresponds to the <machinename>-ita, where <machinename> is the name of the system on which IT Assistant is installed. To configure a different name, locate the itaoem.ini file in your installation directory. Edit the file to add the line "adproductname=<text>" where <text> is the name of the product object that you created in Active Directory. For example, the itaoem.ini file will contain the following syntax if the Active Directory product name is configured to mgmtStationITA.
productname=IT Assistant
startmenu=Dell OpenManage Applications
autdbid=ita
accessmask=3
startlink=ITAUIServlet
adsupport=true
adproductname=mgmtStationITA
NOTE: Restart the IT Assistant services after saving the itaoem.ini file to the disk.
Configuring the DRAC 4 Using the Web-Based Interface
Log in to the Web-based interface using the default user, root, and its password.
Click the Configuration tab and select Active Directory.
Type the Root Domain Name. The Root Domain Name is the fully qualified root domain
name for the forest.
Type the DRAC 4 Domain Name (for example, drac4.com). Do not use the
NetBIOS name. The DRAC 4 Domain Name is the fully qualified domain name of the
subdomain where the RAC Device Object is located.
Click Apply to save the Active Directory settings.
Click Upload Active Directory CA Certificate to upload your domain forest Root CA
certificate into the DRAC 4. The SSL certificates of the domain controllers in your domain
forest must have been signed by this root CA. Have the root CA certificate available on your local
system (see "Exporting the Domain Controller Root CA Certificate (RAC Only)"). Specify
the full path and filename of the root CA certificate and click Upload to upload the root
CA certificate to the DRAC 4 firmware. The DRAC 4 Web server automatically restarts after
you click Upload. You must log in again to complete the DRAC 4 Active Directory
feature configuration.
Click the Configuration tab and select Network.
If DRAC 4 NIC DHCP is enabled, place a check next to Use DHCP to obtain DNS server
address. If you want to input a DNS server IP address manually, remove the check next to Use
DHCP to obtain DNS server address and input your primary and alternate DNS Server
IP addresses.
Click Apply to complete the DRAC 4 Active Directory feature configuration.
Configuring the DRAC 4 Active Directory Settings Using the racadm CLI
Use the following commands to configure the DRAC 4 Active Directory feature using the racadm CLI instead of the Web-based interface.
Open a command prompt and type the following racadm commands:
racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
Press Enter to complete the DRAC 4 Active Directory feature configuration.
See the Dell Remote Access Controller 4 User's Guide for more information.
Configuring the SNMP Agent
Dell OpenManage software supports the Simple Network Management Protocol (SNMP) systems management standard on all supported operating systems. In most cases, SNMP is installed as part of your operating system installation. An installed supported systems management protocol standard, such as SNMP, is required before installing Dell OpenManage software. See "Installation Requirements" for more information.
You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as the IT Assistant and Array Manager, perform the procedures described in the following sections.
NOTE: For IT Assistant to retrieve management information from a system running Server Administrator,
the community name used by IT Assistant must match a community name on the system running Server
Administrator. For IT Assistant to modify information or perform actions on a system running Server
Administrator, the community name used by IT Assistant must match a community name that allows Set
operations on the system running Server Administrator. For IT Assistant to receive traps (asynchronous
event notifications) from a system running Server Administrator, the system running Server
Administrator must be configured to send traps to the system running IT Assistant. For more information,
see the IT Assistant User's Guide.
The following sections provide step-by-step instructions for configuring the SNMP agent for each supported operating system:
Configuring the SNMP Agent for Systems Running Supported Windows Operating Systems
Dell OpenManage software uses the SNMP services provided by the Windows SNMP agent. (SNMP is one of the two supported ways of connecting to a System Administrator session; the other is CIM/WMI.) You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant and Array Manager, perform the procedures described in the following sections.
NOTE: See your operating system documentation for additional details on SNMP configuration.
Enabling SNMP Access By Remote Hosts
Windows Server 2003, by default, does not accept SNMP packets from remote hosts. For systems running Windows Server 2003, you must configure the SNMP service to accept SNMP packets from remote hosts if you plan to manage the system by using SNMP management applications from remote hosts.
To enable a system running the Windows Server 2003 operating system to receive SNMP packets from a remote host, perform the following steps:
Click the Start button, right-click My Computer, and point to Manage.
The Computer Management window appears.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon and click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and
then click Properties.
The SNMP Service Properties window appears.
Click the Security tab.
Select Accept SNMP packets from any host, or add the remote host to the Accept SNMP
packets from these hosts list.
Changing the SNMP Community Name
Configuring the SNMP community names determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Dell OpenManage software system so that the management applications can retrieve management information from Dell OpenManage software.
If your system is running Windows Server 2003, click the Start button, right-click
My Computer, and point to Manage. If your system is running Windows 2000, right-click
My Computer and point to Manage.
The Computer Management window appears.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon and click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and
then click Properties.
The SNMP Service Properties window appears.
Click the Security tab to add or edit a community name.
To add a community name, click Add under the Accepted Community Names list.
The SNMP Service Configuration window appears.
Type the community name of a system that is able to manage your system (the default is
public) in the Community Name text box and click Add.
The SNMP Service Properties window appears.
To change a community name, select a community name in the Accepted Community
Names list and click Edit.
The SNMP Service Configuration window appears.
Make all necessary edits to the community name of the system that is able to manage
your system in the Community Name text box, and then click OK.
The SNMP Service Properties window appears.
Click OK to save the changes.
Enabling SNMP Set Operations
SNMP Set operations must be enabled on the Dell OpenManage software system to change Dell OpenManage software attributes using IT Assistant.
If your system is running Windows Server 2003, click the Start button, right-click
My Computer, and point to Manage. If your system is running Windows 2000, right-click
My Computer and point to Manage.
The Computer Management window opens.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon, and then click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and
click Properties.
The SNMP Service Properties window appears.
Click the Security tab to change the access rights for a community.
Select a community name in the Accepted Community Names list, and then click Edit.
The SNMP Service Configuration window opens.
Set the Community Rights to READ WRITE or READ CREATE, and click OK.
The SNMP Service Properties window opens.
Click OK to save the changes.
Configuring Your System to Send SNMP Traps to a Management Station
Dell OpenManage software generates SNMP traps in response to changes in the status of sensors and other monitored parameters. You must configure one or more trap destinations on the Dell OpenManage software system for SNMP traps to be sent to a management station.
If your system is running Windows Server 2003, click the Start button, right-click
My Computer, and point to Manage. If your system is running Windows 2000, right-click
My Computer and point to Manage.
The Computer Management window opens.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon and click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and
click Properties.
The SNMP Service Properties window opens.
Click the Traps tab to add a community for traps or to add a trap destination for a
trap community.
To add a community for traps, type the community name in the Community Name box
and click Add to list, which is located next to the Community Name box.
To add a trap destination for a trap community, select the community name from the
Community Name drop-down box and click Add under the Trap Destinations box.
The SNMP Service Configuration window opens.
Type in the trap destination and click Add.
The SNMP Service Properties window opens.
Click OK to save the changes.
Configuring the SNMP Agent on Systems Running Supported Red Hat Enterprise Linux Operating Systems
Server Administrator uses the SNMP services provided by the ucd-snmp or net-snmp agent. You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant and Array Manager, perform the procedures described in the following sections.
NOTE: See your operating system documentation for additional details about SNMP configuration.
SNMP Agent Access Control Configuration
The management information base (MIB) branch implemented by the Server Administrator Instrumentation Service is identified by the 1.3.6.1.4.1.674.10892.1 OID. Management applications must have access to this branch of the MIB tree to manage systems running the Instrumentation Service.
For Red Hat Enterprise Linux operating systems, the default SNMP agent configuration gives read-only access for the "public" community only to the MIB-II "system" branch (identified by the 1.3.6.1.2.1.1 OID) of the MIB tree. This configuration does not allow management applications to retrieve or change Instrumentation Service or other systems management information outside of the MIB-II "system" branch.
If Server Administrator detects this configuration during installation, it attempts to modify the SNMP agent configuration to give read-only access to the entire MIB tree for the "public" community. Server Administrator modifies the /etc/snmp/snmpd.conf SNMP agent configuration file in two ways.
The first change is to create a view to the entire MIB tree by adding the following line if it does not exist:
view all included .1
The second change is to modify the default "access" line to give read-only access to the entire MIB tree for the "public" community. Server Administrator looks for the following line:
access notConfigGroup "" any noauth exact systemview none none
If Server Administrator finds the line above, it modifies the line so that it reads:
access notConfigGroup "" any noauth exact all none none
These changes to the default SNMP agent configuration give read-only access to the entire MIB tree for the "public" community.
NOTE: To ensure that Server Administrator is able to modify the SNMP agent configuration to provide
proper access to systems management data, it is recommended that any other SNMP agent
configuration changes be made after installing Server Administrator.
Changing the SNMP Community Name
Configuring the SNMP community names determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Dell OpenManage software system, so the management applications can retrieve management information from Dell OpenManage software.
To change the SNMP community name used for retrieving management information from a system running Dell OpenManage software, edit the SNMP agent configuration file, /etc/snmp/snmpd.conf, and perform the following steps:
Find the line that reads:
com2sec publicsec default public
or
com2sec notConfigUser default public
Edit this line, replacing public with the new SNMP community name. When edited, the
new line should read:
com2sec publicsec default community_name
or
com2sec notConfigUser default community_name
To enable SNMP configuration changes, restart the SNMP agent by typing:
service snmpd restart
Enabling SNMP Set Operations
SNMP Set operations must be enabled on the system running Dell OpenManage software in order to change Dell OpenManage software attributes using IT Assistant.
To enable SNMP Set operations on the system running Dell OpenManage software, edit the /etc/snmp/snmpd.conf SNMP agent configuration file and perform the following steps:
Find the line that reads:
access publicgroup "" any noauth exact all none none
or
access notConfigGroup "" any noauth exact all none none
Edit this line, replacing the first none with all. When edited, the new line should read:
access publicgroup "" any noauth exact all all none
or
access notConfigGroup "" any noauth exact all all none
To enable SNMP configuration changes, restart the SNMP agent by typing:
service snmpd restart
Configuring Your System to Send Traps to a Management Station
Dell OpenManage software generates SNMP traps in response to changes in the status of sensors and other monitored parameters. One or more trap destinations must be configured on the system running Dell OpenManage software for SNMP traps to be sent to a management station.
To configure your system running Dell OpenManage software to send traps to a management station, edit the /etc/snmp/snmpd.conf SNMP agent configuration file and perform the following steps:
Add the following line to the file:
trapsink IP_address community_name
where IP_address is the IP address of the management station and community_name is the SNMP community name.
To enable SNMP configuration changes, restart the SNMP agent by typing:
service snmpd restart
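The following audit script is an added example, not part of the Dell documentation or software. It parses the com2sec, group, view, access, and trapsink lines discussed in the preceding Red Hat Enterprise Linux sections and reports, for each community, whether it is accepted from any source and whether it can read or set the Instrumentation Service branch (1.3.6.1.4.1.674.10892.1). The sample configuration and the 192.0.2.10 address are constructed; the script assumes numeric OIDs and ignores view masks.

```python
import shlex

DELL_BRANCH = "1.3.6.1.4.1.674.10892.1"  # Instrumentation Service branch (from the page)

# Constructed sample in the Red Hat default layout; {access} is filled in per case.
BASE_CONF = """
com2sec notConfigUser  default  public
group   notConfigGroup v1   notConfigUser
group   notConfigGroup v2c  notConfigUser
view    systemview included .1.3.6.1.2.1.1
view    all        included .1
{access}
trapsink 192.0.2.10 public   # constructed management station address
"""
# The three "access" lines quoted on the page.
DEFAULT_ACCESS = 'access notConfigGroup "" any noauth exact systemview none none'
READ_ALL_ACCESS = 'access notConfigGroup "" any noauth exact all none none'
SET_ACCESS = 'access notConfigGroup "" any noauth exact all all none'


def oid_tuple(text):
    """Turn '.1.3.6' or '1.3.6' into (1, 3, 6). Numeric OIDs only (assumption)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_conf(text):
    """Collect the com2sec, group, view, access and trapsink directives."""
    conf = {"com2sec": [], "group": [], "view": {}, "access": [], "trapsink": []}
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)  # "" becomes an empty context token
            if not tok:
                continue
            name, args = tok[0], tok[1:]
            if name == "com2sec" and len(args) == 3:
                conf["com2sec"].append(tuple(args))      # secname, source, community
            elif name == "group" and len(args) == 3:
                conf["group"].append(tuple(args))        # group, model, secname
            elif name == "view" and len(args) >= 3:      # an optional mask is ignored
                conf["view"].setdefault(args[0], []).append((args[1], oid_tuple(args[2])))
            elif name == "access" and len(args) == 8:
                conf["access"].append({"group": args[0], "model": args[2],
                                       "read": args[5], "write": args[6]})
            elif name == "trapsink" and args:
                conf["trapsink"].append((args[0], args[1] if len(args) > 1 else None))
        except ValueError:
            continue  # unbalanced quote or named OID: outside this example's scope
    return conf


def view_covers(conf, view_name, oid_text):
    """True if the longest matching subtree of the view is an 'included' one."""
    target, best = oid_tuple(oid_text), None
    for kind, subtree in conf["view"].get(view_name, []):
        matches = target[:len(subtree)] == subtree
        if matches and (best is None or len(subtree) >= len(best[1])):
            best = (kind, subtree)
    return best is not None and best[0] == "included"


def audit(text):
    """Per community: who may use it and whether it reaches the Dell branch."""
    conf = parse_conf(text)
    report = {}
    for secname, source, community in conf["com2sec"]:
        entry = report.setdefault(community, {
            "default_name": community == "public", "any_source": False,
            "dell_read": False, "dell_write": False})
        entry["any_source"] |= source == "default"
        groups = {(g, m) for g, m, s in conf["group"]
                  if s == secname and m in ("v1", "v2c")}
        for acc in conf["access"]:
            if any(acc["group"] == g and acc["model"] in ("any", m) for g, m in groups):
                entry["dell_read"] |= view_covers(conf, acc["read"], DELL_BRANCH)
                entry["dell_write"] |= view_covers(conf, acc["write"], DELL_BRANCH)
    return {"communities": report, "trapsinks": conf["trapsink"]}


if __name__ == "__main__":
    cases = (("Red Hat default", DEFAULT_ACCESS),
             ("after Server Administrator install", READ_ALL_ACCESS),
             ("after enabling Set operations", SET_ACCESS))
    for label, line in cases:
        print(label, audit(BASE_CONF.format(access=line)))
```

To audit a live system, pass the contents of /etc/snmp/snmpd.conf to audit() in place of the constructed sample.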
Configuring the SNMP Agent on Systems Running Supported NetWare Operating Systems
Dell OpenManage software uses the SNMP services provided by the NetWare SNMP agent. You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management station applications such as IT Assistant and Array Manager, perform the following tasks.
NOTE: See your operating system documentation for additional details on SNMP configuration.
Changing the SNMP Community Name
The SNMP community name used by management applications must match an SNMP community name configured on the system running Dell OpenManage software, so the management station applications can retrieve management information from Dell OpenManage software.
To change the SNMP community name used for retrieving management information from a Dell OpenManage software system, perform the following steps:
At the NetWare command line console, type load inetcfg and press <Enter>.
The Internetworking Configuration menu opens.
Select the Manage Configuration menu item.
The Manage Configuration menu opens.
Select the Configure SNMP Parameters menu item.
The SNMP Parameters menu opens.
Select the Monitor State menu item to configure monitor community handling.
The Monitor Community Handling menu choices are Any Community May Read, Leave as Default Setting, No Community May Read, and Specified Community May Read.
NOTE: Press <F1> for more information about the Monitor State menu item. Press <Esc> to clear
the help window.
Press <Esc> to exit the SNMP Parameters menu.
A message box opens, prompting you to save changes.
Select Yes.
The Manage Configuration menu opens.
Press <Esc> to exit the Manage Configuration menu.
The Internetworking Configuration menu opens.
Select the Reinitialize System menu item to make the configuration changes active.
Enabling SNMP Set Operations
SNMP Set operations must be enabled on the system running Dell OpenManage software in order to change Dell OpenManage software attributes using IT Assistant.
To enable SNMP Set operations on the system running Dell OpenManage software, perform the following steps:
At the NetWare command line console, type load inetcfg and press <Enter>.
The Internetworking Configuration menu opens.
Select the Manage Configuration menu item.
The Manage Configuration menu opens.
Select the Configure SNMP Parameters menu item.
The SNMP Parameters menu opens.
Select the Control State menu item to configure control community handling.
The Control Community Handling menu choices are Any Community May Write, Leave as Default Setting, No Community May Write, and Specified Community May Write.
NOTE: Press <F1> for more information about the Control State menu item. Press <Esc> to clear
the help window.
Press <Esc> to exit the SNMP Parameters menu.
A message box opens, prompting you to save changes.
Select Yes.
The Manage Configuration menu opens.
Press <Esc> to exit the Manage Configuration menu.
The Internetworking Configuration menu opens.
Select the Reinitialize System menu item to make the configuration changes active.
Configuring Your System to Send SNMP Traps to a Management Station
Dell OpenManage software generates SNMP traps in response to changes in the status of sensors and other monitored parameters. One or more trap destinations must be configured on the system running Dell OpenManage software for SNMP traps to be sent to a management station.
To configure a system running Dell OpenManage software to send SNMP traps to a management station, perform the following steps:
At the NetWare command-line console, type load inetcfg and press <Enter>.
The Internetworking Configuration menu opens.
Select the Manage Configuration menu item.
The Manage Configuration menu opens.
Select the Configure SNMP Parameters menu item.
The SNMP Parameters menu opens.
Select the Trap State menu item to configure trap community handling.
The Trap Handling menu choices are Do Not Send Traps, Leave as Default Setting, and Send Traps With Specified Community.
NOTE: Press <F1> for more information about the Trap State menu item. Press <Esc> to clear the
help window.
Press <Esc> to exit the SNMP Parameters menu.
A message box opens, prompting you to save changes.
Select Yes.
The Manage Configuration menu opens.
Press <Esc> to exit the Manage Configuration menu.
The Internetworking Configuration menu opens.
Select the Protocols menu item.
The Protocol Configuration menu opens.
Select the TCP/IP menu item.
The TCP/IP Protocol Configuration menu opens.
Select the SNMP Manager Table menu item.
The SNMP Manager Table menu opens.
Select one of the following SNMP Manager Table menu items:
Press <Ins> to add SNMP trap destinations.
Press <Enter> to modify SNMP trap destinations.
Press <Del> to delete SNMP trap destinations.
NOTE: Press <F1> for more information about the SNMP Manager Table menu item. Press <Esc>
to clear the help window.
Press <Esc> to exit the SNMP Manager Table menu.
A message box opens, prompting you to update the database.
Select Yes.
The TCP/IP Protocol Configuration menu opens.
Press <Esc> twice to exit the TCP/IP Protocol Configuration menu.
The Internetworking Configuration menu opens.
Restart your system to make the configuration changes active.
You can set user and secure port server preferences from the Preferences home page (the Web server settings page available for Server Administrator and IT Assistant).
NOTE: You must be logged in with Admin privileges to set or reset user or server preferences.
Perform the following steps to set up your user preferences:
Click Preferences on the global navigation bar.
The Preferences home page appears.
Click General Settings.
To add a preselected e-mail recipient, type the e-mail address of your designated service contact in the Mail To: field, and click Apply Changes.
NOTE: Clicking Email in any window sends an e-mail message with an attached HTML file of the window to the designated e-mail address.
To change the home page appearance, select an alternative value in the skin or scheme fields and click Apply Changes.
Perform the following steps to set up your secure port server preferences:
Click Preferences on the global navigation bar.
The Preferences home page appears.
Click General Settings, and then click the Web Server tab.
In the Server Preferences window, set options as necessary.
The Session Timeout feature limits the amount of time that a session can remain active. Select the Enable radio button to allow a time-out if there is no user interaction for a specified number of minutes. Users whose session times out must log in again to continue. Select the Disable radio button to disable the Server Administrator session time-out feature.
The HTTPS Port field specifies the secure port for Server Administrator. The default secure port for Server Administrator is 1311.
NOTE: Changing the port number to an invalid or in-use port number might prevent other applications or browsers from accessing Server Administrator on the managed system.
The IP Address to Bind to field specifies the IP address(es) for the managed system that Server Administrator binds to when starting a session. Select the All radio button to bind to all IP addresses applicable for your system. Select the Specific radio button to bind to a specific IP address.
NOTE: Changing the IP Address to Bind to value to a value other than All may prevent other applications or browsers from accessing Server Administrator on the managed system.
The SMTP Server name and DNS Suffix for SMTP Server fields specify the Simple Mail Transfer Protocol (SMTP) server and domain name server (DNS) suffix for your company or organization. To enable Server Administrator to send e-mails, you must type the IP address and DNS suffix for the SMTP server for your company or organization in the appropriate fields.
NOTE: For security reasons, your company or organization might not allow e-mails to be sent through the SMTP server to outside accounts.
The Command Log Size field specifies the largest file size in MB for the command log file.
The Support Link field specifies the Web address for the business entity that provides support for your managed system.
The Custom Delimiter field specifies the character used to separate the data fields in the files created using the Export button. The ; character is the default delimiter. Other options are !, @, #, $, %, ^, *, ~, ?, :, |, and ,.
When you finish setting options in the Server Preferences window, click Apply Changes.
X.509 Certificate Management
Web certificates are necessary to ensure the identity of a remote system and ensure that information exchanged with the remote system cannot be viewed or changed by others. To ensure system security, it is strongly recommended that you either generate a new X.509 certificate, reuse an existing X.509 certificate, or import a root certificate or certificate chain from a Certification Authority (CA).
NOTE: You must be logged in with Admin privileges to perform certificate management.
To manage X.509 certificates through the Preferences home page, click General Settings, click the Web Server tab, and click X.509 Certificate.
Use the X.509 certificate tool to either generate a new X.509 certificate, reuse an existing X.509 certificate, or import a root certificate or certificate chain from a CA. Authorized CAs include Verisign, Entrust, and Thawte.
Creating a New Server Certificate
Using ConsoleOne, you can create or recreate a server certificate if yours becomes corrupted.
NOTE: Back up your critical server certificate information before beginning the following procedures.
To create a new server certificate signed by the NDS Organizational CA, perform the following steps:
Log in with Administrator privileges to a NetWare client system and map a drive to the sys:\public directory on the managed system.
Double-click ConsoleOne.
Right-click the container object that contains the system to be managed, select New, and click Object.
The New Object window appears.
Select NDSPKI: Key Material and click OK.
The Create Server Certificate (KeyMaterial) window appears. The Standard creation method is selected by default.
Type the Certificate name, and click Next.
Click Finish.
Edit the sys:\system\dell\omanage\IWS\config\server_properties.ini and sys:\system\dell\omanage\IWS\config\client_properties.ini files by editing the following line:
nssl.keystore =certificate name - hostname
where certificate name is the name of the certificate you just created and hostname is the name of the managed system running NetWare.
Log into Server Administrator on the managed system.
The Security Alert window appears.
Click View Certificate.
The Certificate window appears. A white cross in a red circle appears over the certificate icon at the top of the window. This icon indicates that the certificate cannot be verified to a trusted certificate authority.
Click the Certification Path tab.
Select Organizational CA and click View Certificate.
Information about the organizational CA is displayed.
Click Install Certificate.
The Certificate Manager Import Wizard appears.
Click Next.
The Automatically select the certificate store based on the type of certificate option is selected by default.
Click Next.
Click Finish to complete the Certificate Manager Import Wizard.
The Root Certificate Store window appears.
Click Yes.
A window informs you that the import was successful.
Click OK.
The Java plug-in will now recognize the certificate as valid.
The Systems Management Log in window opens with a yellow lock (in the locked position) at the bottom corner of the window.
To create a new server certificate signed by an external Organizational Authority, perform the following steps:
Log in with Administrator privileges to a client system and map a drive to the sys:\public directory on the managed system.
Double-click ConsoleOne.
Right-click the container object that contains the system to be managed with Server Administrator, select New, and click Object.
The New Object window appears.
Select NDSPKI: Key Material and click OK.
The Create Server Certificate window appears. The Standard creation method is selected by default.
Select the Custom creation method, type the Certificate name, and click Next.
Click External Certificate Authority, and click Next.
Select the RSA key size, and click Next.
Type the Subject Name, choose the signature algorithm, and click Next (by default, the signature algorithm is set to RSA Encryption with SHA-1 hash).
ConsoleOne generates a Certificate Signing Request (CSR).
Click Finish.
The Save Certificate Signing Request window appears.
Save the CSR.
Send the CSR to a trusted CA such as Verisign, Thawte, or Entrust.
The CA returns two files: one is the root certificate and the other is a response in a Public Key Cryptography Standard #7 (PKCS#7) format.
Right-click the certificate you named in step 5 and click Properties.
Click Import.
Paste the trusted root certificate in the edit box and click Next.
Paste the response in the edit box and click Next.
Edit the sys:\system\dell\omanage\IWS\config\server_properties.ini and the sys:\system\dell\omanage\IWS\config\client_properties.ini files by editing the following line:
nssl.keystore =certificate name - hostname
where certificate name is the name of the certificate you just created and hostname is the name of the managed system running Novell NetWare.
The next time you log into Server Administrator, the Java plug-in recognizes the certificate as signed by an external trusted certificate authority.
Firewall Configuration on Systems Running Supported Red Hat Enterprise Linux Operating Systems
If you enable firewall security when installing Red Hat Enterprise Linux, the SNMP port on all external network interfaces is closed by default. To enable SNMP management applications such as IT Assistant to discover and retrieve information from Server Administrator, the SNMP port on at least one external network interface must be open. If Server Administrator detects that the SNMP port is not open in the firewall for any external network interface, Server Administrator displays a warning message and logs a message to the system log. See "Ports" for additional information.
You can open the SNMP port by disabling the firewall, opening an entire external network interface in the firewall, or opening the SNMP port for at least one external network interface in the firewall. You can perform this action before or after Server Administrator is started.
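The three methods above differ in how much of the system they expose, so it is useful to check which one is actually in effect. The following is an added example, not part of the Dell documentation: it classifies a ruleset in iptables-save format by how it exposes UDP port 161 and reports the broadest exposure found. The sample ruleset is constructed, and the function names and the RH-Firewall-1-INPUT chain layout are assumptions.

```shell
# Added example: report how an iptables ruleset (iptables-save format on
# stdin) exposes the SNMP port, udp/161. Prints the broadest exposure found:
#   no-firewall | interface-open:<if> | snmp-port-only | closed
snmp_exposure() {
    awk '
    /^:INPUT / { policy = $2 }
    /^-A / {
        rules++
        if ($2 in shadowed) next      # rule sits after an unconditional REJECT/DROP
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { shadowed[$2] = 1; next }
        if ($(NF - 1) != "-j" || $NF != "ACCEPT") next
        # "-A <chain> -i <if> -j ACCEPT" trusts every port on that interface.
        if (NF == 6 && $3 == "-i" && $4 != "lo") { if (wide == "") wide = $4; next }
        proto = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        n = split(dport, r, ":")      # single port or first:last range
        first = r[1] + 0; last = (n > 1 ? r[2] : r[1]) + 0
        if (proto == "udp" && n > 0 && first <= 161 && 161 <= last) port = 1
    }
    END {
        # Assumption: no rules and no DROP policy means the firewall is disabled.
        if (rules == 0 && policy != "DROP") print "no-firewall"
        else if (wide != "") print "interface-open:" wide
        else if (port) print "snmp-port-only"
        else print "closed"
    }'
}

# Constructed sample ruleset (not from a real host). $1 is an optional extra
# rule inserted ahead of the final REJECT; the chain name is an assumption.
sample_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$1
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
sample_rules "" | snmp_exposure
sample_rules "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT" | snmp_exposure
sample_rules "-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT" | snmp_exposure
```

On a managed system, run iptables-save as root and pipe its output into snmp_exposure. The classifier evaluates each chain on its own and does not follow jumps between chains.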
To open the SNMP port using one of the previously described methods, perform the following steps:
At the Red Hat Enterprise Linux command prompt, type setup and press <Enter> to start the Text Mode Setup Utility.
NOTE: This command is available only if you have performed a default installation of the operating system.
The Choose a Tool menu opens.
Select Firewall Configuration using the down arrow and press <Enter>.
The Firewall Configuration screen opens.
Select the Security Level by tabbing to it and pressing the spacebar. The selected Security Level is indicated by an asterisk.
NOTE: Press <F1> for more information about the firewall security levels. The default SNMP port number is 161. If you are using the X Windows GUI, pressing <F1> might not provide information about firewall security levels on newer versions of the Red Hat Enterprise Linux operating system.
To disable the firewall, select No firewall or Disabled and go to step 7.
To open an entire network interface or the SNMP port, select High, Medium, or Enabled and continue with step 4.
Tab to Customize and press <Enter>.
The Firewall Configuration - Customize screen opens.
Select whether to open an entire network interface or just the SNMP port on all network interfaces.
To open an entire network interface, tab to one of the Trusted Devices and press the spacebar. An asterisk in the box to the left of the device name indicates that the entire interface will be opened.
To open the SNMP port on all network interfaces, tab to Other ports and type snmp:udp.