Tales of Hardware – IBM RSA-II slimline

In a recent post I mentioned that there are some nice things about using Supermicro hardware here at Anchor. There’s a bit of a dark lining to that silver cloud, however – we’ve had the worst luck trying to get their IPMI stuff to work in any sane way.

IPMI is short for Intelligent Platform Management Interface. Different companies have different names for the technology – Dell has this in their DRAC cards, HP calls this iLO, Sun calls it ALOM. IPMI basically gives you access to a bunch of diagnostic information and management controls for the server. The real killer feature is remote console. Because IPMI is largely independent of the rest of the system, you can get unimpeded access to everything on the server, regardless of what state it’s in. Just like The Matrix, you need to experience how great it is when you rescue a downed server from a BSOD, or a dopey prompt holding up the BIOS while booting.

You see that? IPMI just saved you from:

  1. Walking all the way to the datacentre
  2. Going through six proximity card doors and an airlock
  3. Getting to your suite
  4. Opening the racks
  5. Finding the server
  6. Hooking up a keyboard and monitor
  7. Hitting F1 to get past that pesky “keyboard not found” error
  8. Walking back to the office – congratulations, you just wasted your lunchtime

Supermicro has IPMI cards for their whole range of servers. They generally all do the same stuff, they just work in slightly different ways. But because they’re not entirely removed from the rest of the system, they can behave in strange ways…

After installing an IPMI card in one system, the video output to the monitor was noticeably poorer. Text was fuzzy and somewhat distorted. Removing the IPMI card fixed this problem immediately.

Some IPMI cards “piggyback” off an onboard network port. An IPMI card has its own IP address but needs a physical network connection. We’ve observed a piggyback-style IPMI card prevent the host from network-booting.

IPMI cards usually offer access to one or more serial ports on the host. Because this happens via the motherboard, we’ve had an instance of it interfering with use of the external serial port, even without wanting to use this feature on the IPMI card.

Of course, once you’ve got the IPMI card installed, it doesn’t count unless you can use it. Supermicro supplies software to configure the card, but it’s not exactly convenient. To actually use the card, there’s a Java application you install and run on your workstation. Putting aside any weird issues you might have getting it to run on your version of the JVM, it’s really not fun to use. The interface is clunky and a bit of an eyesore.

Let us turn now to something much nicer, the IBM RSA-II slimline. The RSA (Remote Supervisor Adapter) card provides all the functionality you expect from a remote management card, through a very nice interface. The remote console is still a Java client, but this time embedded in a normal webpage served from the card itself. I can SSH to the card, and everything in the interface is snappy (unlike APC’s managed power rails). It really is a nice unit, I love it. It’s also a very capable unit (with a price tag to match). The board is about the size of a cheap video card (cf. Supermicro’s cards which seem to be mini-PCI form factor), running a 200MHz PowerPC chip, with good management interfaces for multiple users.

It’s when I was setting up these users, the day I got it, that I managed to lock myself out. As is good practice, you set up a strong password for the admin account. This is especially important for such a device exposed to the world, as they don’t have as much protection available. I put the nice, strong password into both password fields, checked all the settings, then called it a day. So you can imagine my surprise when I next tried to log in and was rejected.

I was stumped; I’d taken extra care to ensure everything was correct, and now this. Well, not to worry, the card will just have to be hard reset. Somehow.

After searching online it became evident that this wouldn’t be easy. Not content to have something straightforward like an internal reset switch or some sort of magic handshake, IBM have made it necessary for you to run a firmware updater from within an OS. To add annoyance, you have to install the OS driver as well, so the app can talk to the RSA card. Some hours later I had Red Hat on a disk, installed the ibmasm driver, and got the card reverted to factory default settings.

I then promptly locked myself out again.

It seems the RSA has a maximum password length of 15 characters. They even include this hard limit as part of the HTML form that you enter the password into, but it doesn’t help much when all you see on screen are bullet-points; you can’t tell how many characters you’ve entered, and browsers quietly drop characters once you hit the limit. A little reminder to the textbox would have been a nice touch, just to let you know that you’ve got a limit. Or just let you put in a password of arbitrary length and have a popup warning if it’s too long. They do that if it’s too simple, so why not for this?
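The failure mode described above, modelled at the form layer as an added example (not IBM's page or firmware code; all function names are hypothetical). It assumes the login path receives exactly what the user types, which the post does not state, and it does not model how the card stores the password.

```javascript
// Added illustration; not IBM's page or firmware code. Function names are hypothetical.
const MAX_LEN = 15; // password limit the post reports for the RSA-II

// Models <input type="password" maxlength="15">: the browser drops
// everything typed past the limit without telling the user.
function silentField(typed, maxLength = MAX_LEN) {
  return typed.slice(0, maxLength);
}

// Set-password form as described in the post: both fields are truncated
// identically, so the "confirm" check passes and nothing looks wrong.
function submitSilent(typed, confirm) {
  const a = silentField(typed);
  const b = silentField(confirm);
  return a === b
    ? { ok: true, sent: a }
    : { ok: false, error: "Passwords do not match" };
}

// Alternative the post suggests: accept any length, then refuse loudly.
function submitChecked(typed, confirm, maxLength = MAX_LEN) {
  if (typed !== confirm) return { ok: false, error: "Passwords do not match" };
  if (typed.length > maxLength) {
    const over = typed.length - maxLength;
    return {
      ok: false,
      error: `Password is ${typed.length} characters; limit is ${maxLength} (${over} too many)`,
    };
  }
  return { ok: true, sent: typed };
}

// Assumption: the login path passes along exactly what the user types.
function loginWouldSucceed(sentAtSetup, typedAtLogin) {
  return sentAtSetup === typedAtLogin;
}

// Constructed sample input: a 28-character passphrase.
const passphrase = "correct-horse-battery-staple";
const silent = submitSilent(passphrase, passphrase);
console.log("silent form accepted:", silent.ok, "chars sent:", silent.sent.length);
console.log("later login works:", loginWouldSucceed(silent.sent, passphrase));
console.log("checked form says:", submitChecked(passphrase, passphrase).error);
```

The silent form reports success while sending only the first 15 characters, so the confirm field offers no protection: both copies are cut at the same point.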

At least it’s highly unlikely you’ll get bitten by this problem twice, but it’s a waste of time finding out the hard way.
