To manage Linux server, running on HP blades, you need to be able to access the ILO. Without it, you won't be able to remotely access the console or to reboot the server. If your ILO is on a separate network and your only access is through SSH, it can be difficult to access the ILO, since the web-based GUI is only supported in Microsoft Internet Explorer. By means of SSH tunneling however, it is possible to access the ILO.

First, you need to have a UNIX box which is capable of accessing the ILO directly through SSH (in our example called "jumpserver"). Also, you'll need to have the ILO's IP address.

On your Linux client in a system console (let's assume, this client is called "desktop"), create the SSH tunnel and forward the correct ports needed for ILO access, by running as user root:

# ssh -g -L 23:10.250.21.38:23 -L 443:10.250.21.38:443 -L 17988:10.250.21.38:17988 -L 3389:10.250.21.38:3389 jumpserver -N

This will create the SSH tunnel, open up ports 23, 443, 17988 and 3389 through host "jumpserver" to IP address 10.250.21.38. Of course, adjust the name of the jumpserver and the IP address of the ILO to your configuration.

Now open up an Internet Explorer on a Windows PC (which is capable of accessing the Linux client "desktop"), and point your browser to https://desktop. You should see the login screen of the ILO.

When you're done working on the ILO, simply type CTRL-C in the system console on "desktop".

Likewise, you can do something similar to this, if you don't have a Linux client (like "desktop" in the example above) to work with, by using PuTTY on a Windows PC. In this case, configure PuTTY to set up a SSH tunnel to the "jumpserver" and forward the same ports. Then open up Internet Explorer, and point your browser to https://localhost, which should then open up the ILO login screen.

HACMP 5.4 supports changing the default community name from "public" to something else. SNMP is used for clstatES communications. Using the "public" SNMP community name, can be a security vulnerability. So changing it is advisable.

First, find out what version of SNMP you are using:

# ls -l /usr/sbin/snmpd
lrwxrwxrwx 1 root system 9 Sep 08 2008 /usr/sbin/snmpd -> snmpdv3ne

(In this case, it is using version 3).

Make a copy of your configuration file. It is located on /etc.

/etc/snmpd.conf <- Version 1
/etc/snmpdv3.conf <- Version 3

Edit the file and replace wherever public is mentioned for your new community name. Make sure to use not more that 8 characters for the new community name.

Change subsystems and restart them:

# chssys -s snmpmibd -a "-c new"
# chssys -s hostmibd -a "-c new"
# chssys -s aixmibd -a "-c new"
# stopsrc -s snmpd
# stopsrc -s aixmibd
# stopsrc -s snmpmibd
# stopsrc -s hostmibd
# startsrc -s snmpd
# startsrc -s hostmibd
# startsrc -s snmpmibd
# startsrc -s aixmibd

Test using your locahost:

# snmpinfo -m dump -v -h localhost -c new -o /usr/es/sbin/cluster/hacmp.defs nodeTable

If the command hangs, something is wrong. Check the changes you made.

If everything works fine, perform the same change in the other node and test again. Now you can test from one server to the other using the snmpinfo command above.

If you need to backout, replace with the original configuration file and restart subsystems. Note in this case we use double-quotes. There is no space.

# chssys -s snmpmibd -a ""
# chssys -s hostmibd -a ""
# chssys -s aixmibd -a ""
# stopsrc -s snmpd
# stopsrc -s aixmibd
# stopsrc -s snmpmibd
# stopsrc -s hostmibd
# startsrc -s snmpd
# startsrc -s hostmibd
# startsrc -s snmpmibd
# startsrc -s aixmibd

Okay, now make the change to clinfoES and restart and both nodes:

# chssys -s clinfoES -a "-c new"
# stopsrc -s clinfoES
# startsrc -s clinfoES

Wait a few minutes and you should be able to use clstat again with the new community name.

Disclaimer: If you have any other application other than clinfoES that uses snmpd with the default community name, you should make changes to it as well. Check with your application team or software vendor.

Everybody is usually quite familiar with how to open an X11 windows GUI on a Windows PC. It involves running an X-server on the PC, for example Xming. Install this with all default settings. Make sure you have PuTTY installed on your PC before installing Xming. Then on your PC run Xlaunch, and make sure to set your DISPLAY to a higher value, for example "10" and to check "No Access Control".

Log in to the UNIX host through PuTTY, and before starting the session to your UNIX host, go to "Connection" -> "SSH" -> "X11" in PuTTY and select "Enable X11 forwarding", and then click "Open". Once logged in, set the DISPLAY variable to the IP address of your PC and set the correct display, for example:

# export DISPLAY="154.18.20.31:10"

And then, to test, run xclock or xeyes:

# xeyes

The program xeyes should open on your window.

Now, how do you get around opening an X window if you have to go through a jumpserver first to get to the correct UNIX server, where you would like to start an X-based program? That's not too difficult also. After logging in on the UNIX jumpserver, following the procedure described above, issue the following command:

# ssh -X -Y -C otherunixhost

Of course, replace "otherunixhost" with the hostname of the UNIX server you'd like to connect to through your jump server. Then, again, to test, run "xeyes" or "xclock" to test. It should open on your PC. Now you have X11 forwarding from a UNIX server, to a jumpserver, and back to your PC, in fact double X11 forwarding.

If your HMC is located behind a firewall and your only access is through SSH, then you have to use SSH tunneling to get browser-based access to your HMC. The ports you need to use for setting up the SSH tunnel are: 22, 23, 8443, 9960, 9735, 657, 443, 2300, 2301, 2302 and 12443. This applies to version 7 and up of the HMC. For example, if you're using a jump server to get access to the HMC, you need to run:

# ssh -l user -g -L 12443:10.48.32.99:12443 -L 8443:10.48.32.99:8443 -L 9960:10.48.32.99:9960 -L 9735:10.48.32.99:9735 -L 2300:10.48.32.99:2300 -L 2301:10.48.32.99:2301 -L 443:10.48.32.99:443 -L 2302:10.48.32.99:2302 -L 657:10.48.32.99:657 -L 22:10.48.32.99:22 -L 23:10.48.32.99:23 jumpserver.domain.com -N

When you've run the command above (and have logged in to your jumpserver), then point the browser to https://jumpserver.domain.com.

You can do something similar within PuTTY on your desktop system. Basically create a new PuTTY session to your HMC, and then in the SSH tunnel section, enter an entry for each port to the HMC, e.g. add port 12443 to 10.48.32.99:12443. Repeat this for all ports mentioned above and then save your PuTTY session. After that, login to your session, and open a browser to https://localhost, which should then redirect you to your HMC's web GUI.

If you wish to restrict the maximum number of login sessions for a specific user, you can do this by modifying the .profile of that user:

A=`w| grep $LOGNAME | wc -l`
if [ $A -ge 3 ] ; then
  exit
fi

This example restricts the number of logins to three. Make sure the user can't modify his/her own .profile by restricting access rights.