Go to Opengear
IPMI
 Serial over LAN
 IBM RSA
 Dell DRAC
 HP iLO
 SUN ALOM
  
SERVICE PROCESSOR MANAGEMENT

If you look under the cover of most next-generation servers and blade computers you’ll find a management or service processor - either embedded on the motherboard or on a plug-in card.

This BMC (Baseboard Management Controller) or Service Processor is quite separate from, and not at all dependant on, the main processor. It is not involved in day-to-day production tasks running applications or manipulating data. Its role is to provide a connection between the administrator of the server and the server's internal management processes. The management/ service processor can be used even in the event of operating system break down or the processor stopping to: 		  Sun Fire X2100 - click for larger image
  • Redirect serial console to Serial over LAN (SOL)
  • Monitor and control the power (for power off/on/cycle) and software reset
  • Provide sensor information (temperature, fans, current, etc) and alarms
  • Maintain a system and hardware event log
  • Configure BIOS and view POST and boot messages
  • Manage SNMP
  • Provide full graphic remote control using KVM over IP
  • Access virtual media

Types of service processors
Almost all servers today ship with embedded management/ service processor capabilities. And these processors come in many shapes and sizes; most commonly as an embedded processor chip, daughter card off the main board or a separate PCI card.

The service processors also have a variety of interfaces. The most common external interface is a dedicated Ethernet (TCP/IP) port which would generally be connected to the management LAN. Some management/service processors use side band Ethernet technology to provide a separate communications channel over the main production LAN. Others offer RS232 serial or daisy chained serial which could be managed through a console server.

Most server solutions now have a baseboard management controller (BMC) built-in as a default system component. These management processors offer basic monitoring and control. However it is the more advanced service processors which really enable system administrators to better monitor and troubleshoot servers by providing extended power control, KVM and serial console access in addition to hardware monitoring and alerts. Most servers shipped in the last few years have service processors embedded within them and these are based on the IPMI standard and proprietary extensions to this technology. Some of the more popular offerings in the market are:
  • IPMI (Intelligent Platform Management Interface – which is supported by HP, IBM, Dell, Sun, etc – more than 186 companies)
  • IBM RSA (Remote Supervisor Adapter - RSAI, II and RSA SlimLine)
  • HP iLO (integrated LightsOut – embedded version of HP RiLOe Remote Insight Lights Out Edition)
  • Sun ALOM (Advanced Lights Out Manager an updated version of Remote System Controller)
  • Dell DRAC (Dell Remote Access Controller I, II, III, IV, V)
  • and some client PCs now have embedded AMT out of band management technology from Intel

Service processor management
Service processors are becoming the standard out-of-band management interface for server administration. As a technology that is embedded in the server, they provide a level of intimacy and access unavailable with external KVM switches, console servers or intelligent power strip solutions. So the service processor is set to displace these older administration solutions to become the default access path used by system and network administrators for central or remote control of their server and storage devices.

However we are not quite there yet. Service processor offerings are still evolving and there are some challenges. The management/service processor concept is built on IPMI as the standard and this standard's base itself is evolving with the likes of SMASH and WS-Manangement taking form as future standards. Also, there are multiple non-standard extensions to the IPMI protocol and different ways of interfacing to the service processor environment (Ethernet LAN/Sideband/dual LAN /RS23 serial/modem connections/RS422); and there's a spectrum of security and authentication options offered by various vendors.

Service processors also necessitate additional LAN infrastructure costs. For security and to provide out-of-band management access, the service processors need to be on the management network (physically or VLAN isolated from production networks). Such a separate management network facility may not be present in a branch office or smaller remote sites. And in the data center with an existing managament LAN you still need an extra Ethernet connection per server plus extra IP addresses.

Lastly, server processor access security is still evolving. From some vendors SSL, SSH or HTTPS is mandated, but often it is only an option. There are few authentication options (e.g. some vendors offer LDAP). And generally there's no centralized logging of access with audit trails etc.

Software administration tools
There’s a rich selection of management client/server software evolving which manage down through the service processors. The server vendors all offer their own proprietary management software such as HP's Insight Manager, IBM's Director and Dell's OpenManage. These solutions generally incorporate a number of management layers (provisioning, monitoring and alerts, deployment, configuration management, update control) and they invariably integrate with higher level system management software tools (Tivoli, OpenView, Altiris, SMS). So it possible to create a central point of management for globally distributed networks of servers.

At a lower level there are also selections of open IPMI software tools like OpenIPMI, freeIPMI and ipmitool which provide control of BMC processors. The ipmitool program for example provides a simple command-line interface to the BMC. ipmitool can read the sensor data repository (SDR) and print sensor values, display the contents of the System Event Log (SEL), print Field Replaceable Unit (FRU) inventory information, read and set LAN configuration parameters, and perform remote chassis power control. For more details refer ipmitool.sf.net

However there are issues when using standard vendor software tools. Security is one important consideration as you do not want to have your service processors accessible at all over the product LAN. Some service processor communications are not secure e.g. a major IPMI1.5 -> IPMI2.0 change was to add encryption but it is an option, not mandatory. However some solutions are very secure e.g. the latest HP iLO is an excellent example as all data transmitted between iLO processors (basic and advanced) and client browsers or command line interfaces is secure using SSL and SSH encryption. Also a key feature of iLO Advanced is two-factor authentication, so iLO access is restricted using advanced security requiring the possession of a smartcard or USB flash key and a PIN. But other service processors (at this stage) are not this secure.

Remote access is another important consideration. In some circumstances there is a need for a separate management gateway for remote access to the service processors.

The management gateway solution
Opengear has an IM4200 gateway line that provides seamless secure native access to remote service processors. The IM4200:
  • authenticates prospective users
  • provides a secure remote connection to service processor
  • enables transparent access to the service processor using the native applications (IPMI, OpenManage, Director etc)
  • provides an audit trail log of all accesses
  • provides secure tunneled remote SOL connection
  • runs ipmitools to give remote administrators command line access to this tool
  • adds a web GUI for IPMI power switch control ... and Opengear has built push-n-click support for these secure access tunnels into the SDTConnector client supplied with their gateways.


    • © Opengear 2007| Privacy Policy