You can start Partition Manager in any of the following ways:
This help page gives a brief description of each of these methods. Refer to the
assistance help topic for references to
manpages and other related documents.
Partition Manager Components
Partition Manager runs within the Tomcat-based Servlet Engine. On HP-UX, the Tomcat-based Servlet Engine is a component
of the HP-UX Web Server Suite. On Microsoft® Windows® this is provided by the JSP/Servlet
Container for HP System Management Homepage. The Servlet Engine will be started automatically by
HP System Management Homepage when Partition Manager starts.
Partition Manager uses HP WBEM Services to obtain
information about nPartitions from the nPartition Provider.
WBEM services are provided by the CIM Server on HP-UX and by WMI on Microsoft® Windows®.
Refer to the WBEM services section below for
information about configuring and running the WBEM services provider. Interaction with the
service processor on the local complex occurs over the
IPMI
BT interface. Interaction with remote complexes occurs over the IPMI over LAN
interfaces. See the User Authentication
section below for additional information.
Partition Manager interacts with the user through a Web browser running on a
client system. The client system may be the same as the server system, or it may
be a separate workstation or PC. Not all Web browsers are supported by Partition
Manager. On workstations and servers running HP-UX 11i v1 (B.11.11) or
HP-UX 11i v2 (B.11.23), Partition Manager supports the use of the default Web
browser that is installed by the Operating Environment
bundle. On PCs, Partition Manager supports the use of Microsoft® Internet Explorer version 6.0 and
Netscape version 7.0.
Partition Manager executes
partition(1)
commands to perform administration functions.
The parmgr Command
On HP-UX the /opt/parmgr/bin/parmgr command starts
HP System Management Homepage and a client Web browser running Partition Manager. HP System Management Homepage
automatically starts the Tomcat-based Servlet Engine when Partition Manager starts.
Figure 1 shows the command syntax.
Table 1 shows a quick summary of some of the command
options.
For a complete description of the parmgr command, refer to the
parmgr(1M) manpage.
The parmgr command will start the client Web browser if it is not already
running. If the Web browser has been installed somewhere other than the default
location, you must set the BROWSER environment variable to the path
to the browser. If you are using the X Window System to manage the Web browser
display, you must set the DISPLAY environment variable to the X
server display name.
If the Web browser is already running, parmgr will
attempt to use the existing browser window. The Web browser will display
the login screen. After logging in and authenticating your identity,
Partition Manager will start.
Table 1 parmgr Command Options (Summary)
| Option | Description |
|---|---|
| -h | Display help about the command line parameters, then exit. |
| -F | Force a client Web browser to be used, even though parmgr cannot determine if the communication between the X server and the client browser is secure. Without this option, Partition Manager will only start the Web browser if it can determine that the communication between the X server and the client Web browser is secure. |
| -b | Bypass HP System Management Homepage authentication if you are already logged in with Administrator (root) permissions. |
| -t action_name action_options | Start a specific Partition Manager tool. Normally, Partition Manager will start in the complex scope hardware view. Use this option to start Partition Manager in a different view or action. |
Start from HP System Management Homepage
Procedure 1 Start Partition Manager from HP System Management Homepage
1. Direct your Web browser to the HP System Management Homepage URL on a server with Partition
   Manager installed:
   http://server-hostname:2301/
   where server-hostname is the host name of the server.
2. Log in to HP System Management Homepage.
3. Select the Tools menu.
4. Choose one of the following items from the list of nPartition
   Management tools. Partition Manager will run as a workspace in the
   HP System Management Homepage portal.
   - View and Manage Complex.
     The complex scope hardware view will be displayed for the complex in which
     HP System Management Homepage is running. If the HP System Management Homepage
     server is not running on an nPartition, after selecting this menu item, you will
     be asked to log in to the complex or nPartition that you want to manage. See the
     User Authentication section below for details.
   - View and Manage Remote Complex.
     You will be asked to log in to the complex or nPartition that you want to manage.
     See the User Authentication section below for details.
Start from HP Systems Insight Manager
Procedure 2 Start Partition Manager from HP Systems Insight Manager
1. Direct your Web browser to the HP Systems Insight Manager URL on a server with Partition
   Manager installed:
   http://server-hostname:280/
   where server-hostname is the host name of the server.
2. Log in to HP Systems Insight Manager.
3. Choose one of the following selections from the Configure Partition Management
   menu. You will be asked to select a target system to manage. Only a single
   target system can be selected. Partition Manager will run as a workspace in
   the HP Systems Insight Manager portal.
   - Create New nPartition.
     The create nPartition wizard will be displayed for the target system.
   - Modify nPartition.
     The modify nPartition action will be displayed for the target system.
   - View and Manage Complex.
     The complex scope hardware view will be displayed for the target system.
   - View and Manage nPartition.
     The partition scope hardware view will be displayed for the target system.
   - View and Manage Remote Complex.
     You will be asked to log in to the complex or nPartition that you want to manage.
     See the User Authentication section below for details.
Start from HP Virtual Server Environment
To start Partition Manager from a component in HP Virtual Server Environment (VSE), click the following
links in the component System or General tabs.
nPar Complex.
This link in the HP Integrity Essentials Virtualization Manager System tab launches Partition Manager to
manage the complex through the complex scope hardware
view. The complex scope details are provided by an
nPartition Provider running on an nPartition in the complex (not via
IPMI).
nPar or nPartition.
These links in the Virtualization Manager System tab and HP Virtual Machines Manager General
tabs launch Partition Manager to manage the containing nPartition through the
partition scope hardware view.
When launching Partition Manager from VSE, you are prompted to enter
WBEM credentials for the nPartition that is being managed or is
providing complex details, if the WBEM credentials have not yet been configured for that
system in SIM (or if the WBEM credentials configured in SIM are invalid).
Credentials that are entered in this situation persist only for the current session.
To return to the VSE component from Partition Manager,
click the Go Back link above the
scope indicator. The Go Back
link exits Partition Manager and returns to the same tab from which Partition Manager was launched.
Start from SAM
Procedure 3 Start Partition Manager from SAM in HP-UX
1. Start SAM using the sam(1M) command.
2. From the main screen, select the Partition Manager functional area. SAM will execute
   the parmgr command, using the -F option. If the client Web browser is already
   running, parmgr will attempt to use the existing browser window.
The Web browser will first display the login screen. After logging in and, if
necessary, authenticating your identity,
Partition Manager will display the complex scope
hardware view. However, if Partition Manager detects any possible
configuration problems in the complex, the analyze complex health action will be
displayed first.
User Authentication
Your access to Partition Manager depends on whether you are a privileged
user or a non-privileged user. Non-privileged
users can only view information, and cannot perform any tasks that change the
remote nPartition or the complex that it belongs to. Privileged users can perform
all tasks in Partition Manager (refer to the configuration privilege help topic for information
about restrictions that may apply to privileged users).
When your Web browser connects to Partition Manager, your identity is
authenticated in two stages.
The login screen requests your user name and password. (When Partition Manager is
launched from HP System Management Homepage or HP Systems Insight Manager, this level of authentication has
already been performed.) If you are running on a local
nPartition, Partition Manager will then start immediately. If the
user name represents a privileged user on the local system you will have
privileged access.
If you are not running Partition Manager on a local nPartition, you must
provide additional credentials for access to a remote system. You will be
presented with two choices.
A Remote nPartition.
To manage a remote nPartition (and the complex that
it belongs to), you must provide the hostname or IP address of the
nPartition, a user name known to the remote nPartition, and the password
associated with that user name. The user name defaults to the user name
entered at the login screen. After filling in the
fields, click [Connect to remote nPartition].
Partition Manager will communicate with the remote nPartition via
WBEM, using the supplied user name and password. If
the user name represents a privileged user on the remote nPartition you will
have privileged access.
If the WBEM user name and password are not valid on all nPartitions in the
complex, then Partition Manager will be unable to obtain some information from
other nPartitions. To simplify management of a complex, use a consistent set
of WBEM user names and passwords on all nPartitions in the complex.
A Remote Partitionable Complex.
To manage a remote complex via IPMI over LAN, you must provide the
hostname or IP address of the service processor on the remote complex and
the IPMI password for that service processor. (The IPMI password can be set
or changed by logging on to the service processor and using the
SO command from the Command Menu.) After filling in the
fields, click [Connect to remote complex].
If an error is reported when you attempt to connect using this option, check
to see that IPMI over LAN access has not been disabled on the remote service
processor. Access to the complex via IPMI over LAN can be enabled or disabled
by logging on to the service processor and using the SA
command from the Command Menu.
Within Partition Manager, you can use the Tools > Switch Complexes
action to display these choices. You can then select a different complex to be
managed.
Session Timeout
If HP System Management Homepage sees no activity for approximately 30 minutes, the
session will expire. You will have to log in again in order to continue.
To end the session manually, log out of HP System Management Homepage, or click the Log
off link if it is displayed in the upper right of the Partition Manager
screen.
WBEM Services
The CIM server implements the Common Information Model for HP WBEM Services on
HP-UX. The CIM server obtains nPartition information from the
nPartition Provider.
Under Microsoft® Windows® these services are implemented by WMI (Windows
Management Instrumentation), using the Pegasus/WMI Mapper
service. The nPartition Provider is implemented by the
WMI nPar Provider service.
When Partition Manager is running on an nPartition to manage the local complex,
the WBEM services provider must be running on the local
nPartition.
When Partition Manager is connected to the service processor of a remote
partitionable system via IPMI over LAN, then the WBEM services provider must be running on the
system that Partition Manager is running on.
When Partition Manager is connected to a remote nPartition via WBEM, then the
WBEM services provider must be running on that remote nPartition. In order to connect in
this manner, you may need to perform additional configuration steps described
next.
In order to connect as a privileged user, the
enableRemotePrivilegedUserAccess parameter on the
WBEM services provider running on the remote nPartition must be set to
true. This is the default setting, but it may have been
changed by a system administrator. On HP-UX, use the
cimconfig(1M) command to check or change the setting of this parameter.
Restart the CIM server after making any configuration changes.
On Windows, edit the file
%PEGASUS_HOME%\cimserver_planned.conf and restart the
Pegasus/WMI Mapper service.
If you are not connected as a privileged user, you will only be able to view
information in Partition Manager. You will not be able to perform any tasks
that change the remote nPartition or the complex that it belongs to.
Partition Manager uses Secure Socket Layer (SSL) connections between the
client and the WBEM services provider. The WBEM services provider must have SSL connections enabled
(the enableHttpsConnection parameter must be set to
true). On HP-UX, use the
cimconfig(1M) command to check or change the setting of this parameter.
Restart the CIM server after making any configuration changes.
On Windows, edit the file
%PEGASUS_HOME%\cimserver_planned.conf and restart the
Pegasus/WMI Mapper service.
By default, Partition Manager validates the certificates used with SSL
connections. This means that the client Certificate Trust Store must include
the server certificates from the remote nPartition. Refer to the Managing SSL Certificates section below for
instructions on exporting and importing certificates.
If your environment does not require the additional security provided by
certificate validation, you can disable this feature. To do so, edit the CIM
properties file:
[Windows:]
C:\hp\hpsmh\tomcat\webapps\parmgr\WEB-INF\classes\cim.properties
[HP-UX:]
/opt/hpsmh/tomcat/webapps/parmgr/WEB-INF/classes/cim.properties
[Linux:]
/opt/hp/hpsmh/tomcat/webapps/parmgr/WEB-INF/classes/cim.properties
Remove the comment prefix (//) from the following line in
the file to disable certificate validation:
//TrustManager=org.snia.wbemcmd.xml.DontValidateCertificate
For more information about configuring the WBEM services provider, refer to the
cimconfig(1M) and
cimserver(1M) manpages.
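A read-only check of the settings this section depends on, as an added example (not part of the HP documentation or HP's code). The function names conf_value, audit_parmgr_tls and demo are hypothetical, the script assumes both files hold KEY=value lines with "#" or "//" comment prefixes, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not HP code): read-only audit of the settings described above.

# conf_value FILE KEY: print the value of the last active "KEY=value" line.
# Assumption: lines starting with "#" or "//" are comments; CRLF is tolerated.
conf_value() {
    awk -v key="$2" '
        { sub(/\r$/, "") }
        /^[ \t]*(#|\/\/)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_parmgr_tls CIMSERVER_CONF CIM_PROPERTIES
# Prints one finding per line; returns 1 if any finding is FAIL, else 0.
audit_parmgr_tls() {
    conf=$1; props=$2; rc=0
    v=$(conf_value "$conf" enableHttpsConnection)
    case "$v" in
        true) echo "OK   enableHttpsConnection=true" ;;
        "")   echo "WARN enableHttpsConnection not set in file; confirm with cimconfig(1M)" ;;
        *)    echo "FAIL enableHttpsConnection=$v; Partition Manager requires SSL"; rc=1 ;;
    esac

    # The page states that true is the default for this parameter.
    v=$(conf_value "$conf" enableRemotePrivilegedUserAccess)
    case "${v:-true}" in
        true) echo "INFO remote privileged access is enabled" ;;
        *)    echo "INFO remote WBEM users are limited to viewing" ;;
    esac

    v=$(conf_value "$conf" sslCertificateFilePath)
    echo "INFO certificate to export: ${v:-PEGASUS_HOME/server.pem, the default}"

    # An uncommented TrustManager line turns certificate validation off.
    v=$(conf_value "$props" TrustManager)
    case "$v" in
        *DontValidateCertificate*)
            echo "FAIL certificate validation disabled in cim.properties"; rc=1 ;;
        *)  echo "OK   certificate validation left enabled" ;;
    esac
    return $rc
}

# Demo on constructed sample files (illustrative contents, not from a real host).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'enableHttpsConnection=true' \
        'sslCertificateFilePath=/etc/opt/hp/sslshare/cert.pem' > "$d/cimserver_current.conf"
    printf '%s\n' '//TrustManager=org.snia.wbemcmd.xml.DontValidateCertificate' > "$d/cim.properties"
    audit_parmgr_tls "$d/cimserver_current.conf" "$d/cim.properties"; status=$?
    rm -rf "$d"
    return $status
}

# With two path arguments audit those files; with none, run the demo.
if [ "$#" -eq 2 ]; then audit_parmgr_tls "$1" "$2"; else demo; fi
```

On a real system, pass the cimserver_current.conf and cim.properties paths given on this page as the two arguments.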
Managing SSL Certificates
To enable SSL certificate validation in Partition Manager, you must export the
server certificates from the WBEM services provider on the remote nPartition that you want to
connect to, and import those certificates into the keystore on the nPartition where
Partition Manager is running. Follow the steps below.
Procedure 4 Get the Certificate File from the WBEM services provider
1. Locate the WBEM services provider certificate file (cert.pem) on the
   remote nPartition that you want to connect to. To find the correct file, open
   the WBEM services provider configuration file:
   [Windows:] %PEGASUS_HOME%\cimserver_current.conf
   [HP-UX:] $PEGASUS_HOME/cimserver_current.conf
   The location of the server certificate file is configured by the
   sslCertificateFilePath setting. Normally, this will be set to:
   [Windows:] C:\hp\sslshare\cert.pem
   [HP-UX:] /etc/opt/hp/sslshare/cert.pem
   If there is no sslCertificateFilePath setting, the
   default server certificate file is:
   [Windows:] %PEGASUS_HOME%\server.pem
   [HP-UX:] $PEGASUS_HOME/server.pem
2. Copy the certificate file located in step 1 (cert.pem or
   server.pem) to the client system.
Procedure 5 Import the Certificate File on the Client
1. Import the certificate into the Partition Manager keystore:
   [Windows:]
   %JAVA_HOME%\bin\keytool -import ^
     -alias server_hostname ^
     -file cert.pem ^
     -keystore %SystemDrive%\hp\sslshare\parmgr.keystore
   [HP-UX:]
   $JAVA_HOME/bin/keytool -import \
     -alias server_hostname \
     -file cert.pem \
     -keystore /etc/opt/hp/sslshare/parmgr.keystore
   When prompted, enter the password to the keystore. If the
   parmgr.keystore file does not yet exist (this is the
   first certificate that you have imported), then this command will create a new
   keystore file. In that case, any password that you enter will become the
   assigned password for this keystore.
2. To enable certificate validation for the
   partition(1) commands used by Partition Manager, append the contents of
   cert.pem to the end of the Shared Authentication Store file:
   [Windows:] %SystemDrive%\hp\sslshare\client.pem
   [HP-UX:] /var/opt/wbem/client.pem
   The name of the Shared Authentication Store file is either client.pem
   or known_hosts.pem. For more information, see the release notes for
   the nPartition commands running on the system.
3. On Microsoft® Windows®, restart the “HP System Management Homepage” service
   (SysMgmtHP), or reboot Windows.
nPartition Configuration Privilege
When running Partition Manager on a local nPartition, or when connecting via WBEM to a
remote nPartition, the ability to perform configuration operations on a complex is
affected by the setting of the
nPartition Configuration Privilege. For details, refer to
the configuration privilege topic.
IP Filtering and Firewalls
IP filtering and network firewalls block certain types of inbound and outbound IP
packets. If you use these products, you must ensure that the following
requirements are met.
Ports 2301 and 2381 must not be disabled. These ports are
used to start HP System Management Homepage from a Web browser.
The ports used by WBEM must not be disabled.
Partition Manager sends all WBEM requests to port 5989. The ports used to return
replies to parmgr are negotiated by the kernel when the reply is
received. Partition Manager cannot be used if WBEM is disabled.
For more information about IP filtering on HP-UX, refer to
ipf(8).
Bastille
Bastille is a system hardening program
which enhances the security of an HP-UX host. It configures daemons, system
settings and firewalls to be more secure. It can shut off unneeded services and
tools such as
rcp(1)
and
rlogin(1),
and can help to limit the vulnerability of common internet services such as Web
servers and DNS.
One of the facilities that Bastille uses to lock down a system is IP filtering.
Refer to the previous section for requirements when using IP filtering with
Partition Manager. If Bastille's interactive user interface is used, be aware of
these issues when answering the questions asked by Bastille.
Bastille also has three install-time security options that are represented by the
following files in /etc/opt/sec_mgmt/bastille.
- HOST.config
Host-based lockdown, without IPFilter configuration.
Using this configuration has no impact on
Partition Manager.
- MANDMZ.config
A fairly tight lockdown, but leaves open select network ports that are
used by common management protocols and tools. For example, WBEM still
functions when this configuration is used.
Launching Partition Manager under this configuration requires the use of SSH
or changes to enable ports 2301 and 2381.
To enable launching Partition Manager on a system where ports 2301 and 2381 have
been disabled, adjust the IP
filtering by adding entries such as:
pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags
pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags
to /etc/opt/sec_mgmt/bastille/ipf.customrules prior to running
Bastille.
Refer to
ipf(5)
for more information.
- DMZ.config
A tight lockdown. Launching Partition Manager under this configuration requires
the use of SSH.
Bastille also impacts using Partition Manager to remotely manage a system where Bastille is
enabled. After the normal transfer of certificates, Partition Manager will work as described
above if the HOST.config or MANDMZ.config configurations
are used. However, the DMZ.config configuration blocks WBEM traffic and thus
prevents Partition Manager from remotely managing the system.
For more information about Bastille, refer to
bastille(1M)
and the Bastille User Guide, installed at
/opt/sec_mgmt_bastille/docs/user_guide.txt.
Performance Issues
A noticeable delay may occur the first time that each Partition Manager view is
displayed after the Tomcat-based Servlet Engine is started or restarted.
This is due to the initial compilation of Java Server Pages. Once a given view
has been displayed, subsequent displays of that view will be significantly faster.
When managing a remote partitionable complex, the performance degrades when the
connection traverses long network distances, e.g. managing a partitionable complex
in California from a system in New York. Furthermore, when managing a remote
system, performance can be improved by connecting to a remote nPartition, rather
than connecting directly to the remote system's service processor.
When managing a remote system, possible performance improvements can be obtained
by running the Web browser on the local system, instead of running the browser
remotely to a local X Server.
The nPartition Provider maintains a cache of information
about systems being managed. This cache is cleared when the nPartition Provider
is unloaded by the WBEM services provider. Performance may be reduced when managing a system
for the first time, or immediately after the WBEM services provider has been restarted.
Subsequent management sessions of the same system will be faster.