HP

Partition Manager Help


Starting & Stopping

» Partition Manager Components
» The parmgr Command
» Start from HP System Management Homepage
» Start from HP Systems Insight Manager
» Start from HP Virtual Server Environment
» Start from SAM
» User Authentication
» Session Timeout
» WBEM Services
» Managing SSL Certificates
» nPartition Configuration Privilege
» IP Filtering and Firewalls
» Bastille
» Performance Issues

You can start Partition Manager in any of the following ways:

This help page gives a brief description of each of these methods. Refer to the assistance help topic for references to manpages and other related documents.

Partition Manager Components

Partition Manager runs within the Tomcat-based Servlet Engine. On HP-UX, the Tomcat-based Servlet Engine is a component of the HP-UX Web Server Suite. On Microsoft® Windows® this is provided by the JSP/Servlet Container for HP System Management Homepage. The Servlet Engine will be started automatically by HP System Management Homepage when Partition Manager starts.

Partition Manager uses HP WBEM Services to obtain information about nPartitions from the nPartition Provider. WBEM services are provided by the CIM Server on HP-UX and by WMI on Microsoft® Windows®. Refer to the WBEM services section below for information about configuring and running the WBEM services provider. Interaction with the service processor on the local complex occurs over the IPMI BT interface. Interaction with remote complexes occurs over the IPMI over LAN interfaces. See the User Authentication section below for additional information.

Partition Manager interacts with the user through a Web browser running on a client system. The client system may be the same as the server system, or it may be a separate workstation or PC. Not all Web browsers are supported by Partition Manager. On workstations and servers running HP-UX 11i v1 (B.11.11) or HP-UX 11i v2 (B.11.23), Partition Manager supports the use of the default Web browser that is installed by the Operating Environment bundle. On PCs, Partition Manager supports the use of Microsoft® Internet Explorer version 6.0 and Netscape version 7.0.

Partition Manager executes partition(1) commands to perform administration functions.

The parmgr Command

On HP-UX the /opt/parmgr/bin/parmgr command starts HP System Management Homepage and a client Web browser running Partition Manager. HP System Management Homepage automatically starts the Tomcat-based Servlet Engine when Partition Manager starts. Figure 1 shows the command syntax. Table 1 shows a quick summary of some of the command options. For a complete description of the parmgr command, refer to the parmgr(1M) manpage.

On Microsoft® Windows® the parmgr command is not available. The Tomcat-based Servlet Engine is automatically started by HP System Management Homepage.

Figure 1 parmgr Command Syntax

parmgr [-h] [-F] [-b]

parmgr -t create [-F] [-b]

parmgr -t modify -p nPartition_id [-F] [-b]

parmgr -t par_details -p nPartition_id [-F] [-b]

parmgr -t cell_details -c { cab_num/slot_num | global_cell_num } [-F] [-b]

parmgr -t io_details -i cab_num/bay_num/chassis_num [-F] [-b]

parmgr -t complex_details [-F] [-b]

The parmgr command will start the client Web browser if it is not already running. If the Web browser has been installed somewhere other than the default location, you must set the BROWSER environment variable to the path to the browser. If you are using the X Window System to manage the Web browser display, you must set the DISPLAY environment variable to the X server display name.

If the Web browser is already running, parmgr will attempt to use the existing browser window. The Web browser will display the login screen. After logging in and authenticating your identity, Partition Manager will start.

Table 1 parmgr Command Options (Summary)

-h
    Display help about the command line parameters, then exit.

-F
    Force a client Web browser to be used, even though parmgr cannot determine if the communication between the X server and the client browser is secure. Without this option, Partition Manager will only start the Web browser if it can determine that the communication between the X server and the client Web browser is secure.

-b
    Bypass HP System Management Homepage authentication if you are already logged in with Administrator (root) permissions.

    To use this feature on HP-UX 11i v1, you must install KRNG11i (Strong Random Number Generator software for HP-UX 11i v1), available from HP Software Depot.

-t action_name action_options
    Start a specific Partition Manager tool. Normally, Partition Manager will start in the complex scope hardware view. Use this option to start Partition Manager in a different view or action.

Start from HP System Management Homepage

Procedure 1 Start Partition Manager from HP System Management Homepage

  1. Direct your Web browser to the HP System Management Homepage URL on a server with Partition Manager installed:

    http://server-hostname:2301/

    where server-hostname is the host name of the server.

    If the auto-start feature for HP System Management Homepage has been disabled on this server, you will need to start HP System Management Homepage first. Refer to smhstartconfig(1M) for details.

  2. Log in to HP System Management Homepage.

  3. Select the Tools menu.

  4. Choose one of the following items from the list of nPartition Management tools. Partition Manager will run as a workspace in the HP System Management Homepage portal.

    • View and Manage Complex.  The complex scope hardware view will be displayed for the complex in which HP System Management Homepage is running.

      If the HP System Management Homepage server is not running on an nPartition, after selecting this menu item, you will be asked to log in to the complex or nPartition that you want to manage. See the User Authentication section below for details.

    • View and Manage Remote Complex.  You will be asked to log in to the complex or nPartition that you want to manage. See the User Authentication section below for details.

Start from HP Systems Insight Manager

Procedure 2 Start Partition Manager from HP Systems Insight Manager

  1. Direct your Web browser to the HP Systems Insight Manager URL on a server with Partition Manager installed:

    http://server-hostname:280/

    where server-hostname is the host name of the server.

  2. Log in to HP Systems Insight Manager.

  3. Choose one of the following selections from the Configure > Partition Management menu. You will be asked to select a target system to manage. Only a single target system can be selected. Partition Manager will run as a workspace in the HP Systems Insight Manager portal.

    • Create New nPartition.  The create nPartition wizard will be displayed for the target system.

    • Modify nPartition.  The modify nPartition action will be displayed for the target system.

    • View and Manage Complex.  The complex scope hardware view will be displayed for the target system.

    • View and Manage nPartition.  The partition scope hardware view will be displayed for the target system.

    • View and Manage Remote Complex.  You will be asked to log in to the complex or nPartition that you want to manage. See the User Authentication section below for details.

Start from HP Virtual Server Environment

To start Partition Manager from a component in HP Virtual Server Environment (VSE), click the following links in the component System or General tabs.

  • nPar Complex. This link in the HP Integrity Essentials Virtualization Manager System tab launches Partition Manager to manage the complex through the complex scope hardware view. The complex scope details are provided by an nPartition Provider running on an nPartition in the complex (not via IPMI).

  • nPar or nPartition. These links in the Virtualization Manager System tab and HP Virtual Machines Manager General tabs launch Partition Manager to manage the containing nPartition through the partition scope hardware view.

When launching Partition Manager from VSE, you are prompted to enter WBEM credentials for the nPartition that is being managed or is providing complex details, if the WBEM credentials have not yet been configured for that system in SIM (or if the WBEM credentials configured in SIM are invalid). Credentials that are entered in this situation persist only for the current session.

To return to the VSE component from Partition Manager, click the Go Back link above the scope indicator. The Go Back link exits Partition Manager and returns to the same tab from which Partition Manager was launched.

Start from SAM

Procedure 3 Start Partition Manager from SAM in HP-UX

  1. Start SAM using the sam(1M) command.

  2. From the main screen, select the Partition Manager functional area. SAM will execute the parmgr command, using the -F option. If the client Web browser is already running, parmgr will attempt to use the existing browser window.

  3. The Web browser will first display the login screen. After logging in and, if necessary, authenticating your identity, Partition Manager will display the complex scope hardware view. However, if Partition Manager detects any possible configuration problems in the complex, the analyze complex health action will be displayed first.

User Authentication

Your access to Partition Manager depends on whether you are a privileged user or a non-privileged user. Non-privileged users can only view information, and cannot perform any tasks that change the remote nPartition or the complex that it belongs to. Privileged users can perform all tasks in Partition Manager (refer to the configuration privilege help topic for information about restrictions that may apply to privileged users).

When your Web browser connects to Partition Manager, your identity is authenticated in two stages.

  1. The login screen requests your user name and password. (When Partition Manager is launched from HP System Management Homepage or HP Systems Insight Manager, this level of authentication has already been performed.) If you are running on a local nPartition, Partition Manager will then start immediately. If the user name represents a privileged user on the local system you will have privileged access.

  2. If you are not running Partition Manager on a local nPartition, you must provide additional credentials for access to a remote system. You will be presented with two choices.

    A Remote nPartition.  To manage a remote nPartition (and the complex that it belongs to), you must provide the hostname or IP address of the nPartition, a user name known to the remote nPartition, and the password associated with that user name. The user name defaults to the user name entered at the login screen. After filling in the fields, click [Connect to remote nPartition].

    Partition Manager will communicate with the remote nPartition via WBEM, using the supplied user name and password. If the user name represents a privileged user on the remote nPartition you will have privileged access.

    If the WBEM user name and password are not valid on all nPartitions in the complex, then Partition Manager will be unable to obtain some information from other nPartitions. To simplify management of a complex, use a consistent set of WBEM user names and passwords on all nPartitions in the complex.

    A Remote Partitionable Complex.  To manage a remote complex via IPMI over LAN, you must provide the hostname or IP address of the service processor on the remote complex and the IPMI password for that service processor. (The IPMI password can be set or changed by logging on to the service processor and using the SO command from the Command Menu.) After filling in the fields, click [Connect to remote complex].

    If an error is reported when you attempt to connect using this option, check to see that IPMI over LAN access has not been disabled on the remote service processor. Access to the complex via IPMI over LAN can be enabled or disabled by logging on to the service processor and using the SA command from the Command Menu.

Within Partition Manager, you can use the Tools > Switch Complexes action to display these choices. You can then select a different complex to be managed.

Session Timeout

If HP System Management Homepage sees no activity for approximately 30 minutes, the session will expire. You will have to log in again in order to continue.

To end the session manually, log out of HP System Management Homepage, or click the Log off link if it is displayed in the upper right of the Partition Manager screen.

WBEM Services

The CIM server implements the Common Information Model for HP WBEM Services on HP-UX. The CIM server obtains nPartition information from the nPartition Provider.

Under Microsoft® Windows® these services are implemented by WMI (Windows Management Instrumentation), using the Pegasus/WMI Mapper service. The nPartition Provider is implemented by the WMI nPar Provider service.

When Partition Manager is running on an nPartition to manage the local complex, the WBEM services provider must be running on the local nPartition.

When Partition Manager is connected to the service processor of a remote partitionable system via IPMI over LAN, then the WBEM services provider must be running on the system that Partition Manager is running on.

When Partition Manager is connected to a remote nPartition via WBEM, then the WBEM services provider must be running on that remote nPartition. In order to connect in this manner, you may need to perform additional configuration steps described next.

  1. In order to connect as a privileged user, the enableRemotePrivilegedUserAccess parameter on the WBEM services provider running on the remote nPartition must be set to true. This is the default setting, but it may have been changed by a system administrator. On HP-UX, use the cimconfig(1M) command to check or change the setting of this parameter. Restart the CIM server after making any configuration changes. On Windows, edit the file %PEGASUS_HOME%\cimserver_planned.conf and restart the Pegasus/WMI Mapper service.

    If you are not connected as a privileged user, you will only be able to view information in Partition Manager. You will not be able to perform any tasks that change the remote nPartition or the complex that it belongs to.

  2. Partition Manager uses Secure Socket Layer (SSL) connections between the client and the WBEM services provider. The WBEM services provider must have SSL connections enabled (the enableHttpsConnection parameter must be set to true). On HP-UX, use the cimconfig(1M) command to check or change the setting of this parameter. Restart the CIM server after making any configuration changes. On Windows, edit the file %PEGASUS_HOME%\cimserver_planned.conf and restart the Pegasus/WMI Mapper service.

  3. By default, Partition Manager validates the certificates used with SSL connections. This means that the client Certificate Trust Store must include the server certificates from the remote nPartition. Refer to the Managing SSL Certificates section below for instructions on exporting and importing certificates.

    HP recommends leaving certificate validation enabled when not all systems in the deployment network are fully trusted. Disabling certificate validation is a security risk.

    If your environment does not require the additional security provided by certificate validation, you can disable this feature. To do so, edit the CIM properties file:

    [Windows:]
    C:\hp\hpsmh\tomcat\webapps\parmgr\WEB-INF\classes\cim.properties

    [HP-UX:]
    /opt/hpsmh/tomcat/webapps/parmgr/WEB-INF/classes/cim.properties

    [Linux:]
    /opt/hp/hpsmh/tomcat/webapps/parmgr/WEB-INF/classes/cim.properties
        

    Remove the comment prefix (//) from the following line in the file to disable certificate validation:

    //TrustManager=org.snia.wbemcmd.xml.DontValidateCertificate

For more information about configuring the WBEM services provider, refer to the cimconfig(1M) and cimserver(1M) manpages.
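
As an added example (not HP's code), the following shell functions check the three settings from the steps above: enableHttpsConnection and enableRemotePrivilegedUserAccess in the cimserver configuration file, and the TrustManager line in cim.properties. The name=value layout of the cimserver file and the function names are assumptions; file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not HP's code. Paths are arguments, so the same functions
# work on the HP-UX, Linux or Windows copies of the files.

# conf_value FILE NAME: print the value of the last active "NAME=value" line.
# The name=value layout of the cimserver file is an assumption.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# cert_validation_disabled FILE: succeed when cim.properties has the
# DontValidateCertificate line with its // comment prefix removed.
cert_validation_disabled() {
    grep -Eq '^[[:space:]]*TrustManager[[:space:]]*=[[:space:]]*org\.snia\.wbemcmd\.xml\.DontValidateCertificate' "$1"
}

# audit_wbem CIMSERVER_CONF CIM_PROPERTIES: print one line per setting and
# return the number of FAIL lines.
audit_wbem() {
    fails=0

    https=$(conf_value "$1" enableHttpsConnection)
    case "$https" in
        true) echo "OK   enableHttpsConnection=true" ;;
        "")   echo "INFO enableHttpsConnection not set in $1; check with cimconfig(1M)" ;;
        *)    echo "FAIL enableHttpsConnection=$https; SSL connections to the provider are off"
              fails=$((fails + 1)) ;;
    esac

    # Not a failure either way: this records who can change the complex remotely.
    priv=$(conf_value "$1" enableRemotePrivilegedUserAccess)
    [ -n "$priv" ] || priv="true (default)"
    case "$priv" in
        false) echo "INFO enableRemotePrivilegedUserAccess=false; remote users are view-only" ;;
        *)     echo "INFO enableRemotePrivilegedUserAccess=$priv; privileged remote users can make changes" ;;
    esac

    if cert_validation_disabled "$2"; then
        echo "FAIL certificate validation is disabled in $2"
        fails=$((fails + 1))
    else
        echo "OK   certificate validation is enabled in $2"
    fi
    return "$fails"
}

# Run the audit when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_wbem "$1" "$2"
fi
```

The exit status is the number of FAIL lines, so the script can be run from a scheduled configuration check.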

Managing SSL Certificates

To enable SSL certificate validation in Partition Manager, you must export the server certificates from the WBEM services provider on the remote nPartition that you want to connect to, and import those certificates into the keystore on the nPartition where Partition Manager is running. Follow the steps below.

Procedure 4 Get the Certificate File from the WBEM services provider

  1. Locate the WBEM services provider certificate file (cert.pem) on the remote nPartition that you want to connect to. To find the correct file, open the WBEM services provider configuration file:

    [Windows:] %PEGASUS_HOME%\cimserver_current.conf
    [HP-UX:]   $PEGASUS_HOME/cimserver_current.conf 

    The location of the server certificate file is configured by the sslCertificateFilePath setting. Normally, this will be set to:

    [Windows:] C:\hp\sslshare\cert.pem      
    [HP-UX:]   /etc/opt/hp/sslshare/cert.pem

    If there is no sslCertificateFilePath setting, the default server certificate file is:

    [Windows:] %PEGASUS_HOME%\server.pem
    [HP-UX:]   $PEGASUS_HOME/server.pem

  2. Copy the certificate file located in step 1 (cert.pem or server.pem) to the client system.

    Copy the certificate file to a temporary directory (not the sslshare directory) on the client system. Do not overwrite the existing cert.pem or server.pem file in the sslshare directory on the client system.

Procedure 5 Import the Certificate File on the Client

  1. Import the certificate into the Partition Manager keystore:

    [Windows:]
    %JAVA_HOME%\bin\keytool -import ^
      -alias server_hostname ^
      -file cert.pem ^
      -keystore %SystemDrive%\hp\sslshare\parmgr.keystore
    
    [HP-UX:]
    $JAVA_HOME/bin/keytool -import \
      -alias server_hostname \
      -file cert.pem \
      -keystore /etc/opt/hp/sslshare/parmgr.keystore

    When prompted, enter the password to the keystore. If the parmgr.keystore file does not yet exist (this is the first certificate that you have imported), then this command will create a new keystore file. In that case, any password that you enter will become the assigned password for this keystore.

    Use a password that you will remember. You will need it the next time that you import a certificate into the keystore.

  2. To enable certificate validation for the partition(1) commands used by Partition Manager, append the contents of cert.pem to the end of the Shared Authentication Store file:

    [Windows:] %SystemDrive%\hp\sslshare\client.pem
    [HP-UX:]   /var/opt/wbem/client.pem

    The name of the Shared Authentication Store file is either client.pem or known_hosts.pem. For more information, see the release notes for the nPartition commands running on the system.

  3. On Microsoft® Windows®, restart the “HP System Management Homepage” service (SysMgmtHP), or reboot Windows.
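
Step 2 of Procedure 5 as an added shell example (not HP's code): it appends only the CERTIFICATE blocks of the copied file to the Shared Authentication Store, keeps a backup, closes an unterminated last line first, and skips a certificate that is already present. The function names are hypothetical, and the possibility that the copied file holds other PEM blocks is an assumption.

```shell
#!/bin/sh
# Added example, not HP's code: append a copied server certificate to the
# Shared Authentication Store without damaging the existing entries.

# cert_blocks FILE: print only the CERTIFICATE blocks of a PEM file, so that
# anything else in the copied file (assumption: e.g. a key block) stays out.
cert_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        tr -d '\r'
}

# count_certs FILE: number of complete BEGIN/END CERTIFICATE pairs.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1 }
         /^-----END CERTIFICATE-----/   { if (inside) n++; inside = 0 }
         END { print n + 0 }' "$1"
}

# append_cert STORE CERT
# returns 0 = appended, 1 = already present, 2 = CERT has no certificate block
append_cert() {
    store=$1
    cert=$2
    new=$(cert_blocks "$cert")
    [ -n "$new" ] || { echo "no certificate block in $cert" >&2; return 2; }

    # Compare with line breaks removed so different wrapping still matches.
    flat=$(printf '%s' "$new" | tr -d '\n')
    if [ -f "$store" ] && tr -d '\r\n' < "$store" | grep -qF -e "$flat"; then
        echo "certificate already in $store" >&2
        return 1
    fi

    if [ -s "$store" ]; then
        cp -p "$store" "$store.bak"          # copy to roll back to
        # If the last line has no newline, the new BEGIN line would be glued
        # to the previous END line and neither entry would parse.
        [ -z "$(tail -c 1 "$store")" ] || echo >> "$store"
    fi
    printf '%s\n' "$new" >> "$store"
}

# Usage: sh script STORE CERT, e.g. STORE=/var/opt/wbem/client.pem on HP-UX.
if [ "$#" -eq 2 ]; then
    append_cert "$1" "$2"
fi
```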

nPartition Configuration Privilege

When running Partition Manager on a local nPartition, or when connecting via WBEM to a remote nPartition, the ability to perform configuration operations on a complex is affected by the setting of the nPartition Configuration Privilege. For details, refer to the configuration privilege topic.

IP Filtering and Firewalls

IP filtering and network firewalls block certain types of inbound and outbound IP packets. If you use these products, you must ensure that the following requirements are met.

  1. Ports 2301 and 2381 must not be disabled. These ports are used to start HP System Management Homepage from a Web browser.

  2. The ports used by WBEM must not be disabled. Partition Manager sends all WBEM requests to port 5989. The ports used to return replies to parmgr are negotiated by the kernel when the reply is received. Partition Manager cannot be used if WBEM is disabled.

For more information about IP filtering on HP-UX, refer to ipf(8).

Bastille

Bastille is a system hardening program which enhances the security of an HP-UX host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and tools such as rcp(1) and rlogin(1), and can help to limit the vulnerability of common internet services such as Web servers and DNS.

One of the facilities that Bastille uses to lock down a system is IP filtering. Refer to the previous section for requirements when using IP filtering with Partition Manager. If Bastille's interactive user interface is used, be aware of these issues when answering the questions asked by Bastille.

Bastille also has three install-time security options that are represented by the following files in /etc/opt/sec_mgmt/bastille.

HOST.config

Host-based lockdown, without IPFilter configuration. Using this configuration has no impact on Partition Manager.

MANDMZ.config

A fairly tight lockdown, but leaves open select network ports that are used by common management protocols and tools. For example, WBEM still functions when this configuration is used.

Launching Partition Manager under this configuration requires the use of SSH or changes to enable ports 2301 and 2381.

To enable launching Partition Manager on a system where ports 2301 and 2381 have been disabled, adjust the IP filtering by adding entries such as:

pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags

pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags


to /etc/opt/sec_mgmt/bastille/ipf.customrules prior to running Bastille.

Refer to ipf(5) for more information.

DMZ.config

A tight lockdown. Launching Partition Manager under this configuration requires the use of SSH.

Bastille also impacts using Partition Manager to remotely manage a system where Bastille is enabled. After the normal transfer of certificates, Partition Manager will work as described above if the HOST.config or MANDMZ.config configurations are used. However, the DMZ.config configuration blocks WBEM traffic and thus prevents Partition Manager from remotely managing the system.

For more information about Bastille, refer to bastille(1M) and the Bastille User Guide, installed at /opt/sec_mgmt_bastille/docs/user_guide.txt.

Performance Issues

A noticeable delay may occur the first time that each Partition Manager view is displayed after the Tomcat-based Servlet Engine is started or restarted. This is due to the initial compilation of Java Server Pages. Once a given view has been displayed, subsequent displays of that view will be significantly faster.

When managing a remote partitionable complex, the performance degrades when the connection traverses long network distances, e.g. managing a partitionable complex in California from a system in New York. Furthermore, when managing a remote system, performance can be improved by connecting to a remote nPartition, rather than connecting directly to the remote system's service processor.

When managing a remote system, you may obtain better performance by running the Web browser on the local system instead of running the browser remotely and displaying it on a local X server.

The nPartition Provider maintains a cache of information about systems being managed. This cache is cleared when the nPartition Provider is unloaded by the WBEM services provider. Performance may be reduced when managing a system for the first time, or immediately after the WBEM services provider has been restarted. Subsequent management sessions of the same system will be faster.