HPE OneView 3.0 User Guide


Abstract

This guide describes HPE OneView features, interfaces, resource model design, and secure working environment. It describes up-front planning considerations and how to use the HPE OneView appliance UI or REST APIs to configure, manage, monitor, and troubleshoot your data center infrastructure. It also includes information about the SCMB (State-Change Message Bus). It is intended for infrastructure administrators, network administrators, and server administrators that plan, configure, and manage data center hardware and software throughout its lifecycle, and for backup administrators and operations personnel that monitor and troubleshoot data center hardware and software.

Part Number: 5200-1735
Published: October 2016
Edition: 1

© Copyright 2013-2016 Hewlett Packard Enterprise Development LP

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgements

Google® is a registered trademark of Google Inc. Java® is a trademark of Oracle or its affiliates. Microsoft®, Windows®, and Windows Server® are trademarks of the Microsoft Group of companies. Linux® is a registered trademark of Linus Torvalds in the United States and other countries. VMware® is a registered trademark of VMware Inc.
Warranty

Hewlett Packard Enterprise will replace defective delivery media for a period of 90 days from the date of purchase.

Contents

I Learning about HPE OneView
  1 Learning about HPE OneView
    1.1 HPE OneView for converged infrastructure management
    1.2 HPE OneView licensing
    1.3 Managing, monitoring, or migrating server hardware on c7000 enclosures
    1.4 Provisioning features
      1.4.1 Resource templates, groups, and sets
      1.4.2 Server profiles and server profile templates
      1.4.3 Streamlined process for bringing hardware under management
      1.4.4 Operating system deployment
      1.4.5 Storage provisioning and management
    1.5 Firmware and configuration change management features
      1.5.1 Simplified firmware management
      1.5.2 Simplified configuration change management
    1.6 Monitoring the environment and responding to issues
      1.6.1 Data center environmental management
      1.6.2 Resource utilization monitoring
      1.6.3 Activity and health management
      1.6.4 Hardware and firmware inventory information
      1.6.5 Remote Support
    1.7 Backup and restore features
    1.8 Security features
    1.9 High availability features
    1.10 Graphical and programmatic interfaces
    1.11 Integration with other management software
      1.11.1 Other management software warnings
    1.12 Open integration
    1.13 Networking features
    1.14 HPE Smart Update Tools features
  2 Understanding the resource model
    2.1 Resource model summary diagram
    2.2 Appliance
    2.3 Connections
    2.4 Connection templates
    2.5 Data centers
    2.6 Domains
    2.7 Enclosures
    2.8 Enclosure groups
    2.9 Enclosure types
    2.10 Interconnects
    2.11 Interconnect types
    2.12 Logical enclosures
    2.13 Logical interconnects
    2.14 Logical interconnect groups
    2.15 Logical switches
    2.16 Logical switch groups
    2.17 Networks
    2.18 Network sets
    2.19 Power delivery devices
    2.20 Racks
    2.21 SAN Managers
    2.22 SANs
    2.23 Server hardware
    2.24 Server hardware types
    2.25 Server profiles
    2.26 Server profile templates
    2.27 Storage Pools
    2.28 Storage Systems
    2.29 Switches
    2.30 Unmanaged devices
    2.31 Uplink sets
    2.32 Volumes
    2.33 Volume Templates
  3 Understanding the security features of the appliance
    3.1 Securing the appliance
    3.2 Best practices for maintaining a secure appliance
    3.3 Creating a login session
    3.4 Authentication for appliance access
    3.5 Controlling access for authorized users
      3.5.1 Specifying user accounts and roles
      3.5.2 Mapping of SSO roles for iLO and OA
      3.5.3 Mapping appliance interactions with iLO, OA, and iPDU
    3.6 Protecting credentials
    3.7 Understanding the audit log
    3.8 Choosing a policy for the audit log
    3.9 Appliance access over SSL
    3.10 Managing certificates from a browser
      3.10.1 Self-signed certificate
      3.10.2 Using a certificate authority
      3.10.3 Create a certificate signing request
      3.10.4 Create a self-signed certificate
      3.10.5 Import a certificate
      3.10.6 View the Certificate settings
      3.10.7 Downloading and importing a self-signed certificate into a browser
      3.10.8 Verifying a certificate
    3.11 Nonbrowser clients
      3.11.1 Passwords
      3.11.2 SSL connection
    3.12 Ports required for HPE OneView
    3.13 Controlling access to the appliance console
      3.13.1 Enable or disable authorized services access
      3.13.2 Restricting console access
    3.14 Files you can download from the appliance
  4 Navigating the graphical user interface
    4.1 About the graphical user interface
    4.2 Activity sidebar
      4.2.1 About the Activity sidebar
      4.2.2 Activity sidebar details
      4.2.3 Expand or collapse the Activity sidebar
    4.3 Audit tracking
    4.4 Banner and main menu
    4.5 Browsers
      4.5.1 Browser best practices for a secure environment
      4.5.2 Commonly used browser features and settings
      4.5.3 Browser requirements
      4.5.4 Set the browser for US or metric units of measurement
    4.6 Button functions
    4.7 Filters sidebar
    4.8 Help sidebar
      4.8.1 View the End-User License agreement
      4.8.2 View the Written Offer
    4.9 Appliance status screens
      4.9.1 Starting
      4.9.2 Oops
      4.9.3 Updating the appliance
      4.9.4 Temporarily unavailable
      4.9.5 Resetting
      4.9.6 Waiting
    4.10 Icon descriptions
      4.10.1 Status and severity icons
      4.10.2 User control icons
      4.10.3 Informational icons
    4.11 Labels screen details
    4.12 Map view screen details
    4.13 Notifications area
    4.14 Log out of the appliance
    4.15 Organizing resources into groups by assigning labels
      4.15.1 View resources by label
    4.16 Performing an action on multiple resources
    4.17 Search help topics
      4.17.1 Help search features and limitations
    4.18 Search resources
      4.18.1 Clear the Smart Search box
    4.19 View resources according to their health status
      4.19.1 Reset the health status view
  5 Using the REST APIs and other programmatic interfaces
    5.1 Resource operations
    5.2 Return codes
    5.3 URI format
    5.4 Resource model format
    5.5 Log in to the appliance using REST APIs
    5.6 REST API version and backward compatibility
    5.7 Asynchronous versus synchronous operations
    5.8 Task resource
    5.9 Error handling
    5.10 Concurrency control using etags
    5.11 Querying resources and pagination using common REST API parameters
    5.12 State-Change Message Bus
    5.13 Metric Streaming Message Bus
    5.14 Analysis and troubleshooting
      5.14.1 HPE Operations Analytics integration with HPE OneView
    5.15 Developer tools in a web browser
    5.16 PowerShell and Python code sample libraries
  6 Accessing documentation and help
    6.1 Online help—conceptual and task information as you need it
    6.2 This user guide supplements the online help
    6.3 Where to find HPE OneView documentation
    6.4 Enable off-appliance browsing of UI help and REST API help

II Planning tasks
  7 Planning your data center resources
    7.1 How many data centers?
      7.1.1 Managing, monitoring, or migrating server hardware?
    7.2 Security planning
    7.3 Preparing your data center network switches
    7.4 Planning for a dual-stack implementation
    7.5 Planning your resource names
    7.6 Planning the appliance configuration
      7.6.1 Appliance VM and host requirements
      7.6.2 Planning for high availability
      7.6.3 Separate networks for data and management
      7.6.4 Time clocks and NTP
      7.6.5 IP addresses
  8 Planning for configuration changes
    8.1 Configuration changes that require or result in resource outages
    8.2 Configuration changes that might require changes to multiple resources
      8.2.1 Adding a network
      8.2.2 Adding an enclosure
  9 Planning for enclosure migration from VCM into HPE OneView
    9.1 Timing and type of migration
    9.2 Understanding the migration process
      9.2.1 Warning issues

III Configuration quick starts
  10 Quick Start: Initial configuration of HPE OneView
    10.1 Initial configuration of resources in HPE OneView
      10.1.1 Prerequisites
      10.1.2 Configure resources in HPE OneView
    10.2 Define physical dimensions and power systems in HPE OneView
  11 Quick Starts for networks, enclosures, and storage
    11.1 Quick Start: Add a network and associate it with an existing server
      11.1.1 Adding a network and associating it with an existing server
    11.2 Quick Start: Add an active/active network configuration for single or multiple logical interconnect groups
      11.2.1 Adding an active/active network configuration for single or multiple logical interconnect groups
    11.3 Quick Start: Migrate from an active/standby to an active/active configuration
      11.3.1 Migrating from an active/standby to an active/active configuration
    11.4 Quick Start: Add a c7000 enclosure with a single logical interconnect group and connect its server blades to networks
      11.4.1 Scenario 1: Adding a c7000 enclosure to manage to an existing enclosure group
      11.4.2 Scenario 2: Defining network connectivity before adding a c7000 enclosure to manage
      11.4.3 Scenario 3: Defining network connectivity as you add the enclosure to manage
    11.5 Quick Start: Add a c7000 enclosure with multiple logical interconnect groups and connect its server hardware to networks
    11.6 Quick Start: Add an HPE ProLiant DL rack mount server to manage
      11.6.1 Adding an HPE ProLiant DL rack mount server to manage
    11.7 Quick Start: Configure a c7000 enclosure and server blade for direct attach to an HPE 3PAR Storage System
      11.7.1 Configuring a c7000 enclosure and server blade for direct attach to an HPE 3PAR Storage System
    11.8 Quick Start: Configuring an HPE 5900 for management by HPE OneView
    11.9 Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView
    11.10 Quick Start: Configure server hardware MAC address binding for FCoE server profiles
      11.10.1 Prerequisites
      11.10.2 Configuring server hardware MAC address binding for FCoE server profiles

IV Configuration and management
  12 Best practices
  13 Managing server hardware, server profiles, and server profile templates
    13.1 Managing server hardware
      13.1.1 Roles
      13.1.2 Tasks for server hardware
      13.1.3 Server hardware management features
      13.1.4 Server hardware monitoring features
      13.1.5 Prerequisites for bringing server hardware into an appliance
      13.1.6 About server hardware
        13.1.6.1 How the appliance handles unsupported hardware
        13.1.6.2 About monitored server hardware
        13.1.6.3 About unsupported server hardware
        13.1.6.4 About unmanaged devices
      13.1.7 Tasks for server hardware types
      13.1.8 About server hardware types
      13.1.9 How the iLO is changed as a result of HPE OneView management
      13.1.10 Launch the iLO console to manage servers remotely
      13.1.11 Enabling health monitoring for legacy servers
    13.2 Managing server profiles
      13.2.1 Roles
      13.2.2 Tasks for server profiles
      13.2.3 About server profiles
        13.2.3.1 Capturing best-practice configurations
        13.2.3.2 About editing a server profile
        13.2.3.3 About moving a server profile
        13.2.3.4 About migrating server profiles
        13.2.3.5 Working with server profiles to control remove-and-replace behavior
        13.2.3.6 About assigning a server profile to an empty device bay
        13.2.3.7 About server profile connections
        13.2.3.8 About server profile connections and changing server hardware types
        13.2.3.9 About server profiles and local storage
        13.2.3.10 About attaching SAN volumes to a server profile
        13.2.3.11 About server profile consistency validation
      13.2.4 When to use a server profile
    13.3 Managing server profile templates
      13.3.1 Roles
      13.3.2 Tasks for server profile templates
      13.3.3 About server profile templates
        13.3.3.1 About creating a server profile template
        13.3.3.2 About editing a server profile template
      13.3.4 When to use a server profile template
    13.4 Learning more
  14 Managing licenses
    14.1 UI screens and REST API resources
    14.2 Roles
    14.3 Tasks for licenses
    14.4 About licensing
      14.4.1 License types
        14.4.1.1 Server hardware licenses
        14.4.1.2 Other licenses
      14.4.2 About HPE OneView Advanced licensing for managing server hardware
        14.4.2.1 Server blade licensing at the enclosure level
        14.4.2.2 About rack mount server licensing
      14.4.3 About HPE OneView Standard licensing for monitoring server hardware
      14.4.4 Purchasing or obtaining licenses
      14.4.5 License delivery
      14.4.6 License key format
      14.4.7 Licensing and utilization statistics
      14.4.8 Licensing scenarios
      14.4.9 License reporting
    14.5 Learning more
  15 Managing networks and network resources
    15.1 Roles
    15.2 Tasks for networks
      15.2.1 Tasks for Fibre Channel networks
      15.2.2 Tasks for Ethernet
networks........................................................................................187 15.2.3 Tasks for FCoE networks............................................................................................188 15.3 About networks....................................................................................................................188 15.4 About network sets..............................................................................................................188 15.5 About Fibre Channel networks............................................................................................190 15.5.1 Fibre Channel network types......................................................................................190 15.5.2 Fabric-attach Fibre Channel networks........................................................................190 15.5.3 Direct-attach Fibre Channel networks.........................................................................191 15.6 About Ethernet networks.....................................................................................................191 15.6.1 About tagged Ethernet networks.................................................................................191 15.6.2 About untagged Ethernet networks.............................................................................192 8 Contents 15.6.3 About tunnel Ethernet networks..................................................................................192 15.6.4 About Smart Link.........................................................................................................192 15.7 About Fibre Channel over Ethernet (FCoE) networks.........................................................192 15.8 Data center switch port requirements..................................................................................193 15.9 Learning 
more.....................................................................................................................194 16 Managing interconnects, logical interconnects, and logical interconnect groups............................................................................................................195 16.1 Managing enclosure interconnect hardware.......................................................................195 16.1.1 Roles...........................................................................................................................195 16.1.2 Tasks for interconnects...............................................................................................195 16.1.3 About interconnects....................................................................................................195 16.1.3.1 About managed and monitored interconnects....................................................195 16.1.3.2 About unmanaged and unsupported interconnects............................................196 16.1.3.3 FIP snooping.......................................................................................................196 16.1.3.4 Connectivity and synchronization with the appliance.........................................196 16.1.4 Learning more.............................................................................................................197 16.2 Managing logical interconnects and logical interconnect groups........................................197 16.2.1 Roles...........................................................................................................................197 16.2.2 Tasks for logical interconnects....................................................................................197 16.2.3 Tasks for logical interconnect groups..........................................................................198 16.2.4 About logical 
interconnects.........................................................................................198 16.2.4.1 About uplink sets.................................................................................................198 16.2.4.2 About internal networks......................................................................................200 16.2.4.3 About stacking links and stacking health............................................................200 16.2.4.4 Creating or deleting a logical interconnect..........................................................201 16.2.5 About logical interconnect groups...............................................................................202 16.2.5.1 About the logical interconnect group graphical interface....................................202 16.2.5.2 About multiple logical interconnect groups in an enclosure group......................203 16.2.5.3 About copying a logical interconnect group........................................................203 16.2.5.4 About uplink sets in a logical interconnect group................................................203 16.2.5.5 About Link Layer Discovery Protocol (LLDP) tagging.........................................204 16.2.5.6 About enhanced type-length-value (TLV) structure............................................204 16.2.6 About firmware associated with a logical interconnect................................................205 16.2.6.1 About updating firmware for logical interconnects..............................................205 16.2.7 About active/active and active/standby configurations................................................206 16.2.7.1 About active/standby configurations...................................................................206 16.2.7.2 About active/active configurations......................................................................206 16.2.8 About loop 
protection..................................................................................................209 16.2.9 About pause flood protection......................................................................................209 16.2.10 About SNMP settings................................................................................................210 16.2.11 About the Virtual Connect FlexFabric–20/40 F8 interconnect module......................210 16.2.12 About Quality of Service for network traffic...............................................................210 16.2.13 Add an uplink set.......................................................................................................211 16.2.14 Update firmware for logical interconnects within enclosures....................................212 16.2.14.1 Stage and activate firmware for update from logical interconnect....................212 16.2.14.2 Stage firmware for later activation for update from logical interconnect...........212 16.2.14.3 Activate the firmware for update from logical interconnect...............................213 16.2.15 Update the logical interconnect configuration from the logical interconnect group....214 16.2.16 Create a logical interconnect group..........................................................................215 16.2.17 Learning more...........................................................................................................216 Contents 9 17 Managing enclosures, enclosure groups, and logical enclosures.............217 17.1 Roles...................................................................................................................................217 17.2 Managing enclosures..........................................................................................................217 17.2.1 Tasks for enclosures...................................................................................................217 17.2.2 About enclosures 
.......................................................................................................218 17.2.2.1 About c7000 enclosures.....................................................................................218 17.2.2.2 About managed c7000 enclosures.....................................................................218 17.2.2.3 About monitored c7000 enclosures....................................................................219 17.2.2.4 About migrating c7000 enclosures managed by other management systems ..........................................................................................................................................220 17.2.2.5 About unmanaged and unsupported c7000 enclosures.....................................230 17.2.2.6 Connectivity and synchronization with HPE OneView........................................231 17.2.3 Prerequisites for bringing a c7000 enclosure into HPE OneView...............................231 17.2.4 Checklist: connecting a server to a data center network.............................................232 17.2.5 Add a c7000 enclosure...............................................................................................232 17.2.6 Add a c7000 enclosure to monitor the hardware........................................................232 17.2.7 Migrate a c7000 enclosure currently managed by VCM.............................................233 17.2.7.1 Prerequisites.......................................................................................................233 17.2.7.2 Migrating an enclosure managed by VCM..........................................................233 17.2.7.3 Migrating a VCM enclosure using REST APIs....................................................234 17.2.7.4 Perform post-migration tasks..............................................................................235 17.2.7.5 Resolve compatibility 
issues...............................................................................236 17.2.8 Prepare a VCEM enclosure for migration into HPE OneView.....................................236 17.2.9 Effects of managing a c7000 enclosure......................................................................237 17.3 Managing enclosure groups................................................................................................237 17.3.1 Tasks for enclosure groups.........................................................................................237 17.3.2 About enclosure groups..............................................................................................237 17.3.2.1 Enclosure groups and logical interconnect groups.............................................237 17.3.3 Create an enclosure group..........................................................................................237 17.3.3.1 Prerequisites.......................................................................................................238 17.3.3.2 Creating an enclosure group...............................................................................238 17.4 Managing logical enclosures...............................................................................................238 17.4.1 Tasks for logical enclosures........................................................................................238 17.4.2 About logical enclosures.............................................................................................238 17.4.2.1 About inconsistent logical enclosures.................................................................239 17.4.2.2 About updating firmware from a logical enclosure..............................................239 17.4.3 Create a logical enclosure...........................................................................................239 17.4.4 Update firmware from a logical 
enclosure...................................................................239 17.4.5 Create a logical enclosure support dump file..............................................................240 17.5 Learning more.....................................................................................................................241 18 Managing firmware for managed devices.................................................243 18.1 Tasks for firmware...............................................................................................................243 18.2 About firmware bundles.......................................................................................................243 18.2.1 About updating firmware.............................................................................................245 18.2.1.1 About managing firmware manually....................................................................246 18.3 About unsupported firmware...............................................................................................246 18.4 Maintain availability during Virtual Connect interconnect firmware upgrades.....................247 18.5 Best practices for managing firmware.................................................................................248 18.6 Create a custom SPP..........................................................................................................249 18.7 Update firmware on managed devices................................................................................251 18.7.1 Update firmware on the logical enclosure...................................................................251 18.7.2 Update firmware with a server profile..........................................................................252 18.7.3 Update firmware with a server profile template...........................................................253 10 Contents 18.8 Learning 
more.....................................................................................................................253 19 Managing power, temperature, and the data center.................................255 19.1 Managing power..................................................................................................................255 19.1.1 Roles...........................................................................................................................255 19.1.2 Tasks for managing power..........................................................................................255 19.1.3 About power delivery devices.....................................................................................255 19.2 Managing your data center..................................................................................................256 19.2.1 Roles...........................................................................................................................256 19.2.2 Tasks for data centers.................................................................................................256 19.2.3 About data centers......................................................................................................257 19.3 Managing racks...................................................................................................................257 19.3.1 Roles...........................................................................................................................257 19.3.2 Tasks for racks............................................................................................................257 19.3.3 About racks.................................................................................................................257 19.4 Learning more.....................................................................................................................258 20 Managing 
storage......................................................................................259 20.1 Storage systems..................................................................................................................259 20.1.1 Roles...........................................................................................................................260 20.1.2 Tasks...........................................................................................................................260 20.1.3 About storage systems................................................................................................260 20.1.3.1 About HPE 3PAR StoreServ Storage systems...................................................260 20.2 Storage pools......................................................................................................................260 20.2.1 Roles...........................................................................................................................261 20.2.2 Tasks...........................................................................................................................261 20.2.3 About storage pools....................................................................................................261 20.3 Volumes...............................................................................................................................261 20.3.1 Roles...........................................................................................................................261 20.3.2 Tasks...........................................................................................................................261 20.3.3 About volumes............................................................................................................261 20.3.3.1 About snapshots.................................................................................................261 20.4 Volume 
templates................................................................................................................262 20.4.1 Roles...........................................................................................................................262 20.4.2 Tasks...........................................................................................................................262 20.4.3 About volume templates..............................................................................................262 20.5 SAN Managers....................................................................................................................262 20.5.1 Roles...........................................................................................................................262 20.5.2 Tasks...........................................................................................................................262 20.5.3 About SAN managers.................................................................................................262 20.5.3.1 About zone sets..................................................................................................263 20.5.3.2 Configuring SAN managers to be managed by HPE OneView..........................263 20.6 SANs...................................................................................................................................264 20.6.1 Tasks...........................................................................................................................264 20.6.2 About SANs.................................................................................................................264 20.6.2.1 About SAN zoning...............................................................................................264 20.7 Learning more.....................................................................................................................265 21 Managing switches, logical 
switches, and logical switch groups..............267 21.1 Managing switches..............................................................................................................267 21.1.1 Roles...........................................................................................................................267 21.1.2 Tasks for switches.......................................................................................................267 21.1.3 About top-of-rack switches..........................................................................................267 Contents 11 21.2 Managing logical switches...................................................................................................268 21.2.1 Roles...........................................................................................................................268 21.2.2 Tasks for logical switches............................................................................................268 21.2.3 About logical switches.................................................................................................268 21.2.3.1 Managed logical switches...................................................................................269 21.2.3.2 Monitored logical switches..................................................................................269 21.2.3.3 Logical switch configuration guidelines...............................................................270 21.3 Managing logical switch groups..........................................................................................271 21.3.1 Roles...........................................................................................................................271 21.3.2 Tasks for logical switch groups....................................................................................271 21.3.3 About logical switch 
groups.........................................................................................271 21.4 Learning more.....................................................................................................................271 22 Managing users and authentication..........................................................273 22.1 Roles...................................................................................................................................273 22.2 Tasks for managing users and groups................................................................................273 22.3 About user accounts............................................................................................................273 22.4 About user roles..................................................................................................................274 22.5 Action privileges for user roles............................................................................................275 22.6 About authentication settings..............................................................................................278 22.7 About directory service authentication................................................................................279 22.8 Managing user passwords..................................................................................................280 22.9 Reset the administrator password.......................................................................................281 22.10 Learning more...................................................................................................................282 23 Backing up an appliance...........................................................................283 23.1 Roles...................................................................................................................................283 23.2 About backing up the 
appliance..........................................................................................283 23.3 Best practices for backing up an appliance.........................................................................285 23.4 Determining your backup policy..........................................................................................285 23.5 Back up an appliance manually...........................................................................................285 23.6 Using REST APIs to create and download an appliance backup file..................................286 23.7 Creating a custom script to create and download an appliance backup file.......................287 23.8 Configure automatic remote backups..................................................................................287 23.9 Disable automatic remote backups.....................................................................................287 23.10 Learning more...................................................................................................................288 24 Restoring an appliance from a backup file................................................289 24.1 Roles...................................................................................................................................289 24.2 About restoring the appliance..............................................................................................289 24.3 Best practices for restoring an appliance............................................................................291 24.4 Restore an appliance from a backup file.............................................................................291 24.5 Using REST APIs to restore an appliance from a backup file.............................................294 24.6 Creating a custom script to restore an appliance................................................................294 24.7 Post-restoration 
tasks
25 Managing the appliance
25.1 Updating the appliance
25.1.1 Roles
25.1.2 Tasks
25.1.3 About appliance updates
25.1.4 Learning more
25.2 Managing appliance availability
25.2.1 Roles
25.2.2 Tasks
25.2.3 Best practices for managing a VM appliance
25.2.4 Shut down the appliance from the UI
25.2.5 Restart the appliance from the UI
25.2.6 How the appliance handles an unexpected shutdown
25.3 Managing settings
25.3.1 Roles
25.3.2 Tasks
25.3.3 Reset the appliance to the original factory settings
25.3.4 About appliance proxy settings
25.3.5 About scopes
25.3.5.1 Scope-enabled resource categories
25.4 Managing addresses and ID pools
25.4.1 Roles
25.4.2 Tasks for addresses and identifiers
25.4.3 About ID pools
25.4.4 Add an IPv4 subnet and address range
25.5 Managing the security features of the appliance
25.6 Enabling or disabling Hewlett Packard Enterprise support access to the appliance
25.6.1 Roles
25.6.2 Tasks
25.7 Managing TLS certificates
25.7.1 Roles
25.7.2 Tasks
25.7.3 Learning more
25.8 Managing the Hewlett Packard Enterprise public key
25.8.1 Roles
25.8.2 Tasks
25.9 Downloading audit logs
25.9.1 Roles
25.9.2 Tasks
25.9.3 Download audit logs
25.9.4 Learning more
V Monitoring
26 Monitoring data center status, health, and performance
26.1 Daily monitoring
26.1.1 Initial check: the Dashboard
26.1.2 Activities
26.1.3 Utilization graphs
26.1.4 Monitor data center temperature
26.2 Best practices for monitoring data centers
26.2.1 Best practices for monitoring health with the appliance UI
26.2.2 Best practices for monitoring health using SCMB or REST APIs
26.3 Managing activities
26.3.1 About Activity
26.3.2 Activity types: alerts and tasks
26.3.2.1 About alerts
26.3.2.2 About tasks
26.3.3 Activity states
26.3.4 Activity statuses
26.3.5 Service alerts
26.4 Managing email notifications
26.5 About email notification of alert messages
26.6 Configure the appliance for email notification of alerts
26.7 Using the Dashboard screen
26.7.1 Learning about the Dashboard
26.7.2 Dashboard screen details
26.7.3 How to interpret the Dashboard charts
26.7.4 Customizing the dashboard
26.8 Managing remote support
26.8.1 About remote support
26.8.2 About channel partners
26.8.3 About data collection
27 Monitoring power and temperature
27.1 Monitoring power and temperature with the UI
27.1.1 Monitoring data center temperature
27.1.1.1 Manipulating the view of the data center visualization
27.1.2 Monitoring power and temperature utilization
27.1.2.1 About the Utilization panel
27.1.2.2 About utilization graphs and meters
27.2 REST API power and temperature monitoring
27.2.1 Update enclosure power capacity settings
27.2.2 Update server hardware power capacity settings
28 Using a message bus to send data to subscribers
28.1 About accessing HPE OneView message buses
28.2 Using the State-Change Message Bus (SCMB)
28.2.1 Connect to the SCMB
28.2.2 Set up a queue to connect to the HPE OneView SCMB exchange
28.2.3 JSON structure of message received from the SCMB
28.2.4 Example to connect and subscribe to SCMB using .NET C#
28.2.5 Example to connect and subscribe to SCMB using Java
28.2.6 Examples to connect and subscribe to SCMB using Python
28.2.6.1 Installation
28.2.6.2 Pika
28.2.6.3 AMQP
28.2.7 Re-create the AMQP client certificate
28.3 Using the Metric Streaming Message Bus (MSMB)
28.3.1 Connect to the MSMB
28.3.2 Set up a queue to connect to the HPE OneView MSMB exchange
28.3.3 JSON structure of message received from the MSMB
28.3.4 Example to connect and subscribe to MSMB using .NET C#
28.3.5 Example to connect and subscribe to MSMB using Java
28.3.6 Examples to connect and subscribe to MSMB using Python
28.3.6.1 Installation
28.3.6.2 Pika
28.3.6.3 AMQP
28.3.7 Re-create the AMQP client certificate
29 Generating reports
29.1 Roles
29.2 Tasks for reports
30 Using data services
30.1 About data services
30.1.1 About metric streaming
30.1.2 About log forwarding to a remote syslog server
30.2 REST API to enable metric streaming
30.2.1 Roles
30.2.2 Tasks for metrics REST API
30.3 REST API to leverage remote system logs
30.3.1 Roles
30.3.2 Tasks for remoteSyslog REST API
VI Troubleshooting
31 Troubleshooting
31.1 Basic troubleshooting techniques
31.2 About the support dump file
31.3 Create a support dump file
31.4 Create a support dump for authorized technical support using REST API scripting
31.5 Troubleshooting activity
31.5.1 Alerts are not generated
31.5.2 Alert is locked
31.5.3 Alerts are not visible in the user interface
31.5.4 Alert status is reported as blank or unexpected
31.5.5 Alert state is unexpected
31.6 Troubleshooting the appliance
31.6.1 Appliance performance is slow
31.6.2 Unexpected appliance shutdown
31.6.3 Cannot update appliance
31.6.4 Appliance update file downloads, but update fails
31.6.5 Appliance update is unsuccessful
31.6.6 Browser does not display the HPE OneView user interface
31.6.7 Icons are not visible on the appliance dashboard
31.6.8 Could not retrieve the browser session
31.6.9 Cannot create or download a backup file
31.6.10 Support dump was not created
31.6.11 Support dump file not saved
31.6.12 Cannot create unencrypted support dump
31.6.13 Unable to import a certificate
31.6.14 Certificate was revoked
31.6.15 Invalid certificate chain prevents operations
31.6.16 Invalid certificate content prevents operations
31.6.17 Audit log could not be downloaded
31.6.18 Audit entries are not logged
31.6.19 Audit log is absent
31.6.20 Restore action was unsuccessful
31.6.21 Appliance did not shut down
31.6.22 Cannot restart the appliance after a shutdown
31.6.23 You cannot log in
31.6.24 Cannot log in after a factory reset action
31.6.25 Reinstall the remote console
31.6.26 Appliance is offline, manual action is required
31.6.27 Appliance is offline and unusable
31.7 Troubleshooting the appliance network setup
31.7.1 Appliance cannot access the network
31.7.2 Appliance cannot retrieve DNS information from DHCP server
31.7.3 DNS server is unreachable
31.7.4 Gateway server is unreachable
31.7.5 Cannot change network settings
31.7.6 NTP synchronization fails
31.8 Troubleshooting email notifications
31.8.1 Cannot configure email notification of alerts
31.8.2 Unable to connect through
31.8.3 Host does not respond as an SMTP server
31.8.4 Unable to deliver email messages to some email IDs
31.8.5 Designated recipients are not receiving email notifications of events
31.8.6 Frequent, irrelevant email messages
31.8.7 Test message could not be sent
31.8.8 Some test messages were not received
31.9 Troubleshooting enclosures and enclosure groups
31.9.1 Add or remove enclosure is unsuccessful
31.9.2 Unassigned server profile connections cannot be migrated
31.9.3 Migration is unsuccessful
31.9.4 Invalid OA certificate
31.10 Troubleshooting firmware bundles
31.10.1 Incorrect credentials
31.10.2 Lost iLO connectivity
31.10.3 SUM errors
31.10.4 Failed firmware update on enclosure add
31.10.5 Failed firmware update on all devices in an enclosure
31.11 Troubleshooting interconnects
31.11.1 Interconnect edit is unsuccessful
31.11.2 Interconnect modules are in an incorrect state
31.11.3 Replace an Virtual Connect interconnect in a managed enclosure
31.12 Troubleshooting licenses
31.12.1 Restore a license key that has been erased from an enclosure Onboard Administrator
31.12.2 The license assigned does not match the type specified
31.12.3 Licensing numbers appear to be inaccurate
31.12.4 Could not view license details
31.12.5 Could not add license
31.12.6 Could not add license key
31.12.7 Could not apply license
31.13 Troubleshooting locale issues
31.14 Troubleshooting logical interconnects
31.14.1 I/O bay occupancy errors
31.14.2 Uplink set warnings or errors
31.14.3 Physical interconnect warnings or errors
31.14.4 Firmware update errors
31.14.5 Pause flood condition detected on a Flex-10 physical port
31.15 Troubleshooting logical switches
31.15.1 Switch communications
31.16 Troubleshooting networks
31.16.1 Network create operation is unsuccessful
31.17 Troubleshooting reports
31.17.1 Cannot view reports
31.18 Troubleshooting scopes
31.18.1 Cannot add scope
31.18.2 Cannot edit or delete scope
31.19 Troubleshooting server hardware
31.19.1 Server add or remove is unsuccessful
31.19.2 Cannot control power on server
31.19.3 Lost connectivity to server hardware after appliance restarts
31.19.4 Replace a server with an assigned server profile
31.19.5 Replace a server adapter on server hardware with an assigned server profile
31.20 Troubleshooting server profiles
31.20.1 Server profile is not created or updated correctly
31.20.2 Cannot apply the server profile
31.20.3 Profile operations are not successful
31.20.4 Cannot update or delete profile
31.20.5 Inconsistent firmware versions
31.21 Troubleshooting storage
31.21.1 Brocade Network Advisor (BNA) SAN manager fails to add
31.21.2 Unable to establish connection with Brocade Network Advisor (BNA) SAN manager
31.21.3 Volume not available to server hardware
31.21.4 Volume is visible from the storage system but not visible on the appliance
31.21.5 Target port failure
31.21.6 Zone operations fail on Cisco SAN manager
31.21.7 Storage system port is in an undesired state
31.22 Troubleshooting user accounts
31.22.1 Incorrect privileges
31.22.2 Cannot modify local user account
31.22.3 Cannot delete local user account
31.22.4 Unauthenticated user or group
31.22.5 User public key is not accepted
31.22.6 Directory service not available
31.22.7 Cannot add directory service
31.22.8 Cannot add server for a directory service
31.22.9 Cannot add directory group
31.22.10 Cannot find directory group
32 Support and other resources
32.1 Accessing Hewlett Packard Enterprise Support
32.2 Accessing updates
32.3 Websites
32.4 Remote support
32.5 Customer self repair
32.6 Documentation feedback
A Using the virtual appliance console
A.1 Using the virtual appliance console
B Backup and restore script examples
B.1 Sample backup script
B.2 Sample restore script
C Authentication directory service
C.1 Microsoft Active Directory configurations
C.1.1 Users and groups in same OU
C.1.2 Users and groups in different OUs, under same parent
C.1.3 Users and groups in different OUs, under different parents
C.1.4 Built-in groups
C.2 OpenLDAP directory configuration
C.3 Validate the directory server configuration
C.4 LDAP schema object classes
D HPE Smart Update Tools installation with HPE Insight Control server provisioning
E Maintenance console
E.1 About the Maintenance console
E.2 About the Maintenance console password
E.3 About the factory reset operation
E.4 Access the Maintenance console
E.5 Log in to the Maintenance console
E.6 Maintenance console main menu screen details
E.7 Maintenance console Details screen details
E.8 Maintenance console appliance states
E.9 Perform a factory reset using the Maintenance console
E.10 Reset the administrator password with the Maintenance console
E.11 Reset the Maintenance console password
E.12 Restart the appliance using the Maintenance console
E.13 Shut down the appliance using the Maintenance console
E.14 View the appliance details
Index

Part I Learning about HPE OneView

This part describes HPE OneView and its model for data center resources and introduces you to the terms and concepts used in this document and the appliance online help.

1 Learning about HPE OneView

Designed for converged infrastructure environments, HPE OneView is a single integrated platform, packaged as an appliance, that implements a software-defined approach to managing your physical infrastructure through its entire life cycle. To learn more about HPE OneView, start with the introduction or select a topic from the following list.

• “HPE OneView licensing” (page 23)
• “Managing, monitoring, or migrating server hardware on c7000 enclosures” (page 24)
• “Provisioning features” (page 24)
• “Firmware and configuration change management features” (page 29)
• “Monitoring the environment and responding to issues” (page 30)
• “Backup and restore features” (page 33)
• “Security features” (page 34)
• “High availability features” (page 35)
• “Graphical and programmatic interfaces” (page 35)
• “Integration with other management software” (page 36)
• “Open integration” (page 38)
• “Networking features” (page 38)
• “HPE Smart Update Tools features” (page 39)

1.1 HPE OneView for converged infrastructure management

Optimized for collaboration, productivity, and reliability, HPE OneView is designed to provide simple, single-pane-of-glass lifecycle management for the complex aspects of enterprise IT—servers, networking, software, power and cooling, and storage. HPE OneView makes it possible to easily monitor, configure, and manage physical and logical server, network, and storage resources through either a graphical user interface or by using REST (REpresentational State Transfer) APIs.
HPE OneView is designed to manage your converged infrastructure and support key scenarios such as deploying bare-metal servers, deploying hypervisor clusters from bare metal, performing ongoing hardware maintenance, and responding to alerts and outages. It is designed for the physical infrastructure needed to support virtualization, cloud computing, big data, and mixed computing environments.

HPE OneView is delivered as a virtual appliance, a pre-configured virtual machine ready to be deployed on a hypervisor host.

HPE OneView is a scalable, resource-oriented solution focused on the entire life cycle—from initial configuration to on-going monitoring and maintenance—of both physical and logical resources:

• Physical resources are objects you can touch, such as server hardware, interconnects, top-of-rack switches, enclosures, storage systems and racks.
• Logical resources are virtual objects such as templates or groups that, when applied to physical resources, provide a common structure across your data center. For example, server profile templates, logical interconnect groups, enclosure groups, server profiles, and volume templates are logical resources.

Software-defined flexibility—your experts design configurations for efficient and consistent deployment

HPE OneView provides several software-defined resources, such as groups and server profiles, to enable you to capture the best practices of your experts across a variety of disciplines, including networking, storage, hardware configuration, and operating system build and configuration. By having your experts define the server profiles and the networking groups and resources, you can eliminate cross-silo disconnects.
By using RBAC (role-based access control) and the groups, sets, and server profiles established by your experts, you can enable system administrators to provision and manage hundreds of servers without requiring that your experts be involved with every server deployment.

HPE OneView combines complex and interdependent data center provisioning and management into one simplified and unified interface. You can:

• Provision the data center (page 24)
• Manage and maintain firmware and configuration changes (page 29)
• Monitor the data center and respond to issues (page 30)

The solution also provides core enterprise management capabilities, including:

• High availability features (page 35)
• Security features (page 34)
• Graphical and programmatic interfaces (page 35)
• Remote Support (page 33)

HPE OneView manages servers and enclosure networking resources, supports connections from enclosures to storage, and provides information to help you manage data center power and cooling:

• Servers are represented and managed through server profiles and server profile templates.
• Networking is an essential component to provisioning and managing data center servers.
• Management software is integrated with HPE OneView for seamless operation.
• Environmental management—such as power, cooling, and space planning—requires that you consider all the equipment in the entire data center, including equipment not managed by HPE OneView. HPE OneView consolidates data center power and cooling information into one interface view.
• Storage provisioning with automated zoning is available. Storage devices connect to the enclosures using either Fibre Channel fabric attach (SAN switch) connections, Fibre Channel over Ethernet (FCoE) fabric attach (SAN switch) connections, or Fibre Channel direct attach (flat SAN) connections.
1.2 HPE OneView licensing

HPE OneView supports the following license types:

• HPE OneView Advanced licensing for managing server hardware
• HPE OneView Standard licensing for monitoring server hardware

HPE OneView Standard licensing delivers monitoring, inventory management and reporting for HPE BladeSystem and HPE ProLiant BL and DL servers. HPE OneView Advanced licensing delivers all supported HPE OneView features.

The following table provides an overview of the features available for each license type.

| Features | HPE OneView Standard | HPE OneView Advanced |
|---|---|---|
| Partner integrations | | √ |
| Software-defined infrastructure (profiles, groups, sets, and others) | | √ |
| Storage provisioning and SAN zoning | | √ |
| Virtual Connect advanced management | | √ |
| Firmware management | | √ |
| Power management (3D visualization) | | √ |
| OS provisioning | | √ |
| Remote management (HPE iLO Advanced) | | √ |
| Map view | √ | √ |
| Smart search, Activity view, and Dashboard | √ | √ |
| Health monitoring | √ | √ |
| Inventory | √ | √ |
| Reporting | √ | √ |
| REST API access | √ | √ |
| Remote Support | √ | √ |
| Technical support and software updates | 1–year 9x5 support (optional) | 3–years 24x7 support (included) |

More information
“Managing, monitoring, or migrating server hardware on c7000 enclosures” (page 24)
“About licensing” (page 179)

1.3 Managing, monitoring, or migrating server hardware on c7000 enclosures

Server hardware, such as enclosures and rack mount servers, can be added to HPE OneView in one of the following ways:

Managed
If you add a managed server to HPE OneView, either in an enclosure or rack server, you can apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. For more information, see “About managed c7000 enclosures” (page 218) and “Managing server hardware” (page 157). Managing server hardware requires HPE OneView Advanced licensing.
Monitored
If you add a monitored server to HPE OneView, either in an enclosure or rack server, you can monitor it for inventory and hardware status only. For more information, see “About monitored c7000 enclosures” (page 219). Monitoring server hardware uses a free license called HPE OneView Standard.

Migrated
Enclosures from Virtual Connect Manager (VCM) and Virtual Connect Enterprise Manager (VCEM) can be migrated to HPE OneView with the configuration information, so that the enclosure can be managed by HPE OneView. The managed enclosure requires HPE OneView Advanced licensing. For more information about migrating, see “About migrating c7000 enclosures managed by other management systems” (page 220).

More information
“HPE OneView licensing” (page 23)

1.4 Provisioning features

After you install the HPE OneView appliance and perform the initial configuration tasks, you can quickly bring existing hardware under management, and prepare for and deploy hardware to your data center.

Features for provisioning hardware and bringing resources under management include:

• Resource templates, groups, and sets (page 25)
• Server profiles and server profile templates (page 27)
• Streamlined process for bringing hardware under management (page 27)
• Operating system deployment (page 28)
• Storage provisioning and management (page 28)

1.4.1 Resource templates, groups, and sets

With the HPE OneView template-driven approach, you can:

• Use your experts to define server and networking configurations for specific environments.
• Provision hundreds of servers quickly and consistently without requiring that your experts take action for every server you deploy.
• Simplify the distribution of configuration changes across your data center.

Resource templates and groups

The following resources are templates your experts define to meet various workload demands.
These templates can then be applied over and over again to the physical resources ensuring quick and consistent configurations.

| Template or group | Description |
|---|---|
| Enclosure group | A template that defines a consistent configuration for an enclosure. An enclosure group specifies the placement of the various interconnects and the logical interconnect groups that apply to those interconnects. When an enclosure group is applied to a physical enclosure, HPE OneView creates a logical enclosure which is then ready to perform work. The same enclosure group can be applied to many physical enclosures to create many identically configured logical enclosures. |
| Logical interconnect group | A template that defines the desired networking configuration of a physical interconnect or set of interconnects. Logical interconnect groups are used when defining enclosure groups and represent the networking template of that enclosure group. When an enclosure group is applied to a physical enclosure, HPE OneView: • Creates a logical enclosure • Uses the logical interconnect groups in that enclosure group to configure the physical interconnects in that enclosure into logical interconnects. |
| Logical switch group | A template that defines how physical switches are combined to form logical switches. Logical switches are an aggregation of up to two physical top-of-rack switches. Once constructed from a logical switch group, a logical switch continues to be associated with its logical switch group. Any change in consistency between the logical switch group and its associated logical switches is monitored and made visible on the associated logical switch screen in HPE OneView. |
| Server profile templates | A template that defines the characteristics of a server profile. A server profile template can be applied to multiple servers creating identically configured servers. A server profile can be updated to match any server profile template. |
| Volume templates | A template that defines a standard configuration for storage volumes. |

Logical resources

The following logical resources represent the physical, software-defined resources configured to work as needed in your environment. These resources actually run the workloads.

| Resource | Description |
|---|---|
| Logical enclosure | A logical enclosure represents a logical view of a single enclosure with an enclosure group serving as a template. By default, you can add a c7000 enclosure and an enclosure group and logical interconnect group are created. Or, you can create multiple logical interconnect groups and an enclosure group before you add the enclosure. A logical enclosure is automatically created when a c7000 enclosure is added. |
| Logical interconnects | A logical interconnect is a single administrative entity that consists of the configuration for a set of physical interconnects in a single enclosure. A logical interconnect represents the available networks, uplink sets, internal networks, and stacking links for the physical interconnects. |
| Logical switch | A logical switch can consist of a maximum of two physical top-of-rack switches (external to the c7000 enclosure) configured in a single stacking domain. |
| Server profile | A server profile represents a physical server that has been fully configured to perform its desired function. The server profile specifies all of the storage, networking, firmware, and server settings required by the server workload. A server profile is built on all of the other logical resources in HPE OneView. |
| Volumes | A volume is a logical storage space provisioned from a storage pool on a storage system. |

Define configurations for specific environments

Groups and templates enable you to define configurations that are specific to the environment you want to build, such as virtual hosts, Microsoft Exchange environments, external or internal web servers, or corporate database servers.
For example, to build multiple external web servers:

1. Your networking expert can create logical interconnect groups, uplink sets, networks, and network sets to establish all of the connection policies between data center networks and the interconnects managed by the appliance.
2. Your server expert can create enclosure groups, add enclosures, and create server profile templates to establish all of the settings required by an external web server.
3. Your server administrators can use the server profile templates whenever they need to deploy this type of server.

Flexibility in design and deployment

HPE OneView provides flexibility in the creation of groups, templates, and sets. For example, you can create a logical interconnect group in these ways:

• Before you add an enclosure to the appliance to be managed, you can create a logical interconnect group or groups specifying how you want the interconnects to be configured, and an enclosure group that specifies how you want the enclosure to be configured. Then, when you add the enclosure, you can specify the enclosure group you already created.
• You can add an enclosure to the appliance to be managed and, after the appliance discovers and adds the interconnect hardware in the enclosure, you can use or modify the default logical interconnect group that the appliance creates.
• You can migrate a Virtual Connect domain into HPE OneView, which creates logical interconnect groups.
• Copy an existing logical interconnect group to create a new logical interconnect group.

Groups, templates, and sets also simplify the distribution of configuration changes within the appliance.

More information
“Learning about HPE OneView” (page 21)
“Understanding the resource model” (page 41)

1.4.2 Server profiles and server profile templates

Server profiles and server profile templates enable you to provision hardware quickly and consistently according to your best practices.
Store your best practice configuration in a server profile template and then use the server profile template to create and deploy server profiles.

A server profile captures key aspects of a server configuration in one place, including:

• Firmware update selection and scheduling
• BIOS settings
• Local RAID configuration
• Network connectivity
• Boot order configuration
• Local storage and SAN storage
• Unique IDs

Server profiles enable your experts to specify a server configuration before the server arrives. When the server hardware is installed, your administrators can quickly bring the new server under management.

For example, you can deploy a server profile from a template that is not assigned to a particular server, but specifies all the configuration aspects—such as BIOS settings, network connections, and boot order—to use for a type of server hardware. Before the server is installed in an enclosure bay, you can do one of the following:

• Assign the server profile at the time of creation to an empty bay in an enclosure where the server will eventually reside.
• Create an unassigned profile and assign it once the hardware arrives.

You can move a server profile that has been assigned to hardware in an enclosure bay. You can copy server profiles to multiple servers by using server profile templates.

You can control the server profile behavior. For example, you can assign a server profile to an empty bay and when an appropriate server is inserted into that bay, the server profile is automatically applied to the server hardware. The server profile can also be associated with a specific server to ensure that the profile is not applied if the wrong server is accidentally inserted into the bay.
More information
“About server profiles” (page 166)
“About server profile templates” (page 177)
“Learning about HPE OneView” (page 21)

1.4.3 Streamlined process for bringing hardware under management

HPE OneView simplifies the process of bringing the enclosures, interconnects, and server hardware under management.

For example:

• When you add an enclosure, the appliance automatically detects all of the hardware seated in the enclosure and brings it under management. For example, the appliance:
  ◦ Updates the enclosure Onboard Administrator, Virtual Connect interconnect modules, and server iLO firmware to the minimum version required
  ◦ Configures each Virtual Connect interconnect module, removing the existing VC configuration. To keep the existing VC configuration, migrate the enclosure.
  ◦ Configures the Onboard Administrator, which includes configuring NTP (Network Time Protocol) and configuring an SSO (single sign-on) certificate for UI access
  ◦ Configures each server iLO, which includes configuring an SSO certificate for UI access
  ◦ Configures the hardware for monitoring, which includes configuring SNMP (Simple Network Management Protocol) traps
• When you migrate a VCM-managed enclosure, the appliance automatically validates the configuration information (including hardware, Virtual Connect domain, networks, and server profiles) before importing the enclosure. During the migration, the configuration information is moved into HPE OneView.
• When you add an HPE Intelligent Power Distribution Unit (iPDU) power device, the appliance automatically detects and presents the connected devices so that you can bring the devices under management.

More information
“About managed c7000 enclosures” (page 218)
“Learning about HPE OneView” (page 21)

1.4.4 Operating system deployment

Server profiles and enclosure groups make it easier to prepare a bare-metal server for operating system deployment.
For example, you can use server profiles in conjunction with deployment tools such as:

• HPE Insight Control server provisioning to install an operating system on the server
• HPE OneView for VMware vCenter Auto Deploy to deploy hypervisors from bare metal and add them to existing clusters automatically

More information
Learning about HPE OneView (page 21)

1.4.5 Storage provisioning and management

HPE OneView provides automated, policy-driven provisioning of supported storage resources. It is fully integrated with server profiles so that you can manage your new or existing storage infrastructure. With HPE OneView you can view and manage your storage system and storage pools. You add existing volumes and create new volumes, and you can create volume templates to provision multiple volumes with the same configuration.

Switched fabric, direct attach, and vSAN SAN topologies are supported.

Storage system and storage pools are added to the appliance followed by volumes, which are associated with networks. The volumes can then be attached to server profiles.

You can also add SAN managers to make their managed SANs available to the appliance. Managed SANs can be associated with Fibre Channel or Fibre Channel over Ethernet networks on the appliance to enable automated zoning and automatic detection of connectivity.

Supported storage automation features

Automated storage provisioning
When you import supported storage systems and existing storage pools, HPE OneView can quickly create volumes.

Automatic SAN zoning
HPE OneView automatically manages SAN zoning through server profile volume attachments.

Storage integration through server profiles
Create and make new private volumes accessible to the server hardware by adding volume attachments to the server profile. Make existing private or shared volumes accessible to server hardware by adding volume attachments to the server profile.
HPE OneView tracks the connection status between server profiles and SANs.

Volume management
You can use HPE OneView to manage the full life cycle of your volumes. You can add existing volumes, create new volumes, grow volumes, and remove or delete volumes using HPE OneView. You can also create volume snapshots, create a volume from a snapshot, and revert a volume to a snapshot using HPE OneView.

Zoning policies
HPE OneView enables you to set a zoning policy for your managed SANs. You can choose single initiator/all targets, single initiator/single storage system, or single initiator/single target.

Zone naming and aliases
HPE OneView uses rules-based zone naming to give you full control of your zone names. You can use zone naming to incorporate your current naming structure, which HPE OneView will use during the automated zoning process. HPE OneView enables you to create aliases for initiators, targets, and target groups, which HPE OneView displays in place of their WWPNs.

More information
“About storage systems” (page 260)
“About SAN managers” (page 262)
HPE OneView Support Matrix

1.5 Firmware and configuration change management features

1.5.1 Simplified firmware management

HPE OneView provides fast, reliable, and simple firmware management across the appliance. To ensure compatibility and seamless operation, when you add a resource to the appliance to be managed, the appliance automatically updates the resource firmware to the minimum version required to be managed by the appliance.

NOTE: Firmware for monitored resources is not managed by HPE OneView.

A firmware bundle, also known as an SPP (Service Pack for ProLiant), is a tested update package of firmware, drivers, and utilities. Firmware bundles enable you to update firmware on managed server blades and infrastructure (enclosures and interconnects).
An on-appliance firmware repository enables you to upload SPP firmware bundles and deploy them across your environment according to your best practices. For example, you can:

• View the versions and contents of firmware bundles stored in the firmware repository.
• View the version of firmware installed on supported hardware from the Server Hardware.
• Set a firmware baseline—a desired state for firmware versions—on a managed resource, such as a server profile, or on a group of resources, such as all of the interconnects in a logical interconnect.
• Detect when a managed resource does not comply with the firmware baseline.
• Identify firmware compatibility issues.
• Update firmware for an entire enclosure.
• Update firmware for individual resources or for groups of resources, such as logical interconnects.¹
• Update OS drivers and firmware
• Remove a firmware bundle from the repository

Hewlett Packard Enterprise occasionally releases component hotfixes between main SPP releases. Hewlett Packard Enterprise notifies you that a hotfix is available to upload and provides details about the SPP to which the hotfix applies. Different mechanisms are available for applying a hotfix in HPE OneView.

1.5.2 Simplified configuration change management

Templates and groups simplify the distribution of configuration changes across the appliance. For example:

• You can reduce errors by making multiple and complex changes to a group. Then, for each member of the group, you can use a single action to update the configuration to match the configuration of the group.
• The appliance notifies you when it detects that a device does not comply with the current template or group. You control when and if a device configuration is updated.
• The logical interconnect settings manage the firmware for physical interconnects to ensure that all interconnects within the logical enclosure have compatible firmware.
¹ Enclosure groups do not include a firmware baseline; therefore, updates to enclosure firmware are managed through a logical enclosure configuration.

1.6 Monitoring the environment and responding to issues

One user interface

You use the same interface for monitoring that you use to provision resources. There are no additional tools or interfaces to learn.

Isolated management network

The appliance architecture is designed to separate the management traffic from the production network, which increases reliability and security of the overall solution. For example, your data center resources remain operational even in the unlikely event of an appliance outage.

Automatic configuration for monitoring health and utilization

When you add resources to the appliance, they are automatically configured for monitoring health, activity, alerts, and utilization. You can monitor resources immediately without performing additional configuration or discovery steps.

Agentless and out-of-band management

All health and utilization monitoring and management of HPE ProLiant Gen8 (or later) servers is agentless and out-of-band for increased security and reliability. For these servers:

• There are no agents to monitor or update.
• The appliance does not require open SNMP ports on the host operating system.
• The appliance does not interact with the operating system on the host, which frees memory and processor resources on the host for use by server applications, and enables you to monitor servers that have no host operating system installed.

Management from other platforms using the REST APIs and message buses

The REST APIs and the SCMB (State-Change Message Bus) or MSMB (Metric Streaming Message Bus) also enable you to monitor the HPE OneView environment from other management platforms.
For more information about message buses, see “Using a message bus to send data to subscribers” (page 327).

Monitoring the environment and responding to issues

Features for monitoring the environment and responding to issues include the following:

• The Dashboard screen (page 317), which displays a summary view of data center capacity and health information
• The Activity screen (page 311), which displays and enables you to filter all system tasks and alerts
• Data center environmental management (page 32)
• Resource utilization monitoring (page 32)
• Activity and health management (page 32)
• Hardware and firmware inventory information (page 33)

More information
HPE iLO 4 with AMS traps supported for alerting in HPE OneView at http://www.hpe.com/info/oneview/docs

1.6.1 Data center environmental management

HPE OneView integrates these critical areas for environmental management of the data center:

• Thermal data visualization in 3D
• Power delivery infrastructure representation
• Physical asset location in 3D

| Feature | Description |
|---|---|
| Thermal data visualization | 3D data center thermal mapping provides a view of the thermal status of your entire data center. The appliance collects thermal data from the managed resources in each data center rack and presents the data graphically, enabling easy identification of hot spots in a rack. |
| Power delivery infrastructure representation | HPE OneView collects and reports processor utilization and power and temperature history for your data center hardware. The appliance monitors power, automatically detects and reports power delivery errors, and provides precise power requirement information for HPE ProLiant Gen8 (or later) servers and HPE BladeSystem enclosures that you can use for planning rack and power usage. Power Discovery Services enable automatic discovery and visualization of the power delivery topology for your data center. HPE iPDUs enable the appliance to map the rack power topology automatically. The appliance detects wiring errors—such as lack of redundancy—and updates electrical inventory automatically when new servers are installed. The appliance also supports per-outlet power control for remote power cycling of each iPDU outlet. You can manually define the power requirements and power topology for devices that do not support Power Discovery Services. |
| Physical asset location | Location Discovery Services enable the appliance to automatically display the exact 3D location of HPE ProLiant Gen8 (or later) servers in HPE Intelligent Series Racks, reducing labor time, lowering operational costs, and eliminating human errors associated with inventory and asset management. You can manually define the positions of racks and devices that do not support Location Discovery Services. |

More information
“Managing power, temperature, and the data center” (page 255)
“Monitoring power and temperature” (page 321)

1.6.2 Resource utilization monitoring

HPE OneView periodically collects and maintains CPU utilization information for all of the servers it manages. HPE OneView also collects port-level statistics for networking, including transmit, receive, and error counters. HPE OneView displays all of this data in the UI and makes the data available through the REST APIs.

More information
“Monitoring power and temperature utilization” (page 323)
“Utilization graphs” (page 307)

1.6.3 Activity and health management

HPE OneView provides streamlined activity monitoring and management. The appliance automatically registers alerts and notifications from all managed resources, and resources added to the appliance are immediately available for monitoring and management. When the appliance notifies you of a problem, when possible, it suggests a way to correct the problem.
Using the UI and REST APIs, you can:

• View all activities (alerts and tasks) by description or source, and filter activities using multiple filter criteria.
• Assign alerts to specific users.
• Annotate activities with notes from administrators, enabling the administrators of the data center to collaborate through the appliance instead of through outside tools such as email.
• View alerts for a specific resource from the UI screen for that resource or using the REST API for that resource.
• Automatically forward SNMP traps from managed resources to enterprise monitoring consoles or centralized SNMP trap collectors.

More information
HPE iLO 4 with AMS traps supported for alerting in HPE OneView at http://www.hpe.com/info/oneview/docs

1.6.4 Hardware and firmware inventory information

HPE OneView provides detailed hardware and firmware inventory information about the resources it manages. You can access the following data through the UI and the REST APIs:

• Summary and detailed views of managed hardware, such as servers, enclosures, and interconnects.
• Summary of monitored hardware, such as servers and enclosures.
• Summary and detailed views of firmware bundle contents.
• Firmware inventory for server and enclosure components.

You can use the Smart Search feature of the UI to find specific items in the inventory.

Reports are available to help you monitor your inventory as well as help you monitor your environment. The inventory reports provide information about your servers or enclosures such as model, serial number, part number, and so on. Other reports provide a picture of the overall status of your environment.

1.6.5 Remote Support

By registering for Remote Support in HPE OneView, you enable Proactive Care and automatic case creation for hardware failures on Gen8 and newer servers and enclosures. Once enabled, all eligible devices added in the future will be automatically enabled for remote support.
Hewlett Packard Enterprise will contact you to ship a replacement part or send an engineer for devices that are under warranty or support contract.

Remote support enables Proactive Care services including Proactive Scan reports and Firmware/Software Analysis reports with recommendations that are based on collected configuration data.

More information
“About remote support” (page 319)

1.7 Backup and restore features

HPE OneView provides services to back up an appliance to a file, and to restore an appliance from a backup file. Backups can be scheduled to occur automatically and stored remotely.

One proprietary backup file for both the appliance and its database

Backup files are proprietary and contain configuration settings and management data—there is no need to create separate backup files for the appliance and its database.

Hewlett Packard Enterprise does not recommend using VM snapshots to protect the appliance. Synchronization errors can occur and result in unpredictable and unwanted behavior.

Flexible scheduling and an open interface for backup operations

You can create backup files while the appliance is online. Also, you can use REST APIs to:

• Schedule a backup process from outside the appliance.
• Collect backup files according to your site policies.
• Integrate with enterprise backup and restore products.
• Utilize the backup and restore scripts.

A backup file is a snapshot of the appliance configuration and management data at the time the backup file was created. Hewlett Packard Enterprise recommends that you create regular backups, preferably once a day and after you make hardware or software configuration changes in the managed environment.

Specialized user role for creating backup files

HPE OneView provides a user role (Backup administrator) specifically for backing up the appliance by permitting access to other resource views without permitting actions on those resources, or other tasks.

Recovery from catastrophic failures
You can recover from a catastrophic failure by restoring your appliance from the backup file. When you restore an appliance from a backup file, all management data and most configuration settings on the appliance are replaced with the data and settings in the backup file, including things like user names and passwords, audit logs, and available networks.

The state of the managed environment is likely to be different from the state of that environment at the time the backup file was created. During a restore operation, the appliance reconciles the data in the backup file with the current state of the managed environment. After the restore operation, the appliance uses alerts to report any discrepancies that it cannot resolve automatically.

More information
“Backing up an appliance” (page 283)

1.8 Security features
To ensure a secure platform for data center management, the appliance includes features such as the following:
• Separation of the data and management environments, which is critical to protect against Denial of Service attacks.
• RBAC (role-based access control), which enables an administrator to establish access control and authorization for users based on their responsibilities for specific resources.
• Single sign-on to iLO and Onboard Administrator without storing user-created iLO or Onboard Administrator credentials.
• Audit logging for all user actions.
• Support for authentication and authorization using an optional directory service such as Microsoft Active Directory.
• Use of certificates for authentication over Transport Layer Security (TLS).
• An automated remote backup feature that allows you to set the day and time a backup will be performed and the ability to specify a remote SSH or SFTP server to store the backup files automatically.

More information
“Understanding the security features of the appliance” (page 65)

1.9 High availability features
HPE OneView is delivered as a preconfigured virtual appliance ready to be deployed on a hypervisor host. The hypervisor software provides the virtual machine with high-availability and recovery capabilities that allow the virtual machine to be restarted on another host in a cluster and to resume management without disruption to the managed resources.

1.10 Graphical and programmatic interfaces
HPE OneView was developed to use a single, consistent resource model embodied in a fast, modern, and scalable HTML5 user interface and industry-standard REST APIs for mobile, secure access, and open integration with other management software.

User interface—efficiency and simplicity by design
The UI is designed for the way you work, providing powerful, easy-to-use tools, including the following:

Feature | Description
Dashboard screen | Provides a graphical representation of the general health and capacity of the resources in your data center. From the Dashboard you can immediately see the areas that need your attention.
Map view | Available from each resource, the Map view enables you to examine the configuration and understand the relationships between logical and physical resources in your data center.
Smart Search box | The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as specific instances of resource names, serial numbers, WWNs, and IP and MAC addresses.
Labels view | Available from each resource, the Labels view enables you to organize resources into groups. For example, you might want to identify the servers that are used primarily by the Finance team, or identify the storage systems assigned to the Asia/Pacific division.
Scopes view | A grouping of resources that can be used to restrict the range of an operation or action. The resources are arranged by categories.
All the resources in these categories can be added to or removed from a scope, including enclosures, server hardware, networks, network sets, interconnects, switches, logical switches, logical switch groups, logical interconnects, and logical interconnect groups.
Activity feed | The Activity feed gives you a unique perspective into the health of your environment by interleaving the tasks, alerts, and administrator notes into a single view. The Activity feed simplifies the correlation of user activity with system health, allowing for timely resolution of issues.
Resource-specific management screens | These screens enable you to focus on the resources you are authorized to view and manage. Resource group screens enhance scalability by enabling you to manage multiple resources as one.

The UI provides on-screen hints and tips to help you avoid and correct errors, and provides links to learn more about the tasks. At the top of each screen, the help icon gives you access to the entire help system.

REST APIs—automation and integration
HPE OneView has a resource-oriented architecture that provides a uniform REST interface. The REST APIs:
• Provide an industry-standard interface for open integration with other management platforms.
• Are designed to be ubiquitous—every resource has one URI (Uniform Resource Identifier) and represents a physical device or logical construct.
• Enable you to automate anything you can do from the UI using your favorite scripting or programming language.
• Are designed to be highly scalable.

More information
“Navigating the graphical user interface” (page 79)
“Accessing documentation and help” (page 107)
HPE OneView REST API Scripting Help

1.11 Integration with other management software
To use the integrated management software listed in this section, you must purchase HPE OneView Advanced licenses. For more information, see “About licensing” (page 179).

Onboard Administrator for HPE BladeSystem c7000 enclosures
HPE OneView interacts seamlessly with the Onboard Administrator to provide complete management of BladeSystem c7000 enclosures. Onboard Administrator privileges are determined by the role assigned to your HPE OneView user account.

HPE Integrated Lights-Out
HPE OneView interacts seamlessly with the iLO management processor to provide complete management of server hardware. HPE OneView automatically configures the iLO according to the settings specified by the HPE OneView server profile. HPE OneView configures seamless access to the iLO graphical remote console, enabling you to launch the iLO remote console from the HPE OneView UI in a single click. Your iLO privileges are determined by the role assigned to your HPE OneView appliance account.

HPE Insight Control
Full licenses of HPE OneView Advanced include the right to use HPE Insight Control, which delivers essential infrastructure management. Insight Control can save you time and money by making it easy to deploy, migrate, monitor, and optimize your IT infrastructure through a single, simple management console for your ProLiant ML/DL/SL and BladeSystem servers.

You can elect to use either HPE OneView or the corresponding license for HPE Insight Control to manage devices. You do not need to purchase two licenses for the same server. However, you cannot operate HPE OneView and Insight Control licenses to manage the same server at the same time. The exception is Insight Control server provisioning. This can be used simultaneously with HPE OneView to manage the same server.

HPE Insight Control is not included in the HPE OneView download or media, but can be downloaded from http://www.hpe.com/servers/software/insightupdates by using the HPE Insight Control license key provided during the entitlement or fulfillment process.

HPE Insight Control server provisioning
HPE OneView Advanced includes the right to use Insight Control server provisioning, a capability for multi-server, physical OS provisioning and server configuration. Insight Control server provisioning software is not included in the HPE OneView media, but can be downloaded from http://www.hpe.com/servers/software/insightupdates.

HPE OneView for Microsoft System Center
HPE OneView Advanced includes the right to use HPE OneView for Microsoft System Center. HPE OneView for Microsoft System Center fully integrates the HPE management ecosystem into Microsoft System Center, delivering capabilities such as proactive monitoring, remote management and provisioning of HPE servers, networking and storage. HPE OneView for Microsoft System Center can be downloaded from http://www.hpe.com/products/ovsc.

HPE OneView for VMware vCenter
HPE OneView Advanced includes the right to use HPE OneView for VMware vCenter, HPE OneView for VMware vCenter/vRealize Operations, and HPE OneView for VMware vCenter Log Insight. HPE OneView for VMware fully integrates the HPE management ecosystem to deliver capabilities such as proactive monitoring, deep troubleshooting, remote management, and provisioning of HPE servers, networking, and storage. HPE OneView integrations with VMware can be downloaded from http://www.hpe.com/products/ovvcenter.

1.11.1 Other management software warnings
Do not use external managers, such as HPE Systems Insight Manager (SIM) or third-party management software, to manage hardware that is under management using HPE OneView. Using another external manager can cause errors and unexpected behavior. For example: iLO has a maximum of three trap destinations, one of which is HPE OneView. If external managers define additional trap destinations, iLO removes one of the existing trap destinations.
If HPE OneView is the trap destination iLO removes, HPE OneView will no longer receive SNMP traps and will not display server health or lifecycle alerts.

NOTE: Third-party tools do not provide a warning, so use caution if those tools make or require configuration changes to the server.

If you attempt to change a resource managed by HPE OneView with other HPE management tools such as ROM-Based Setup Utility (RBSU), a warning message displays.
• If you attempt to change server firmware using SUM, and the firmware baseline associated with the server profile for that server is not set to Managed manually, SUM displays a warning: HPE OneView is managing the server and it is configured for Service Pack for ProLiant version x. It cannot be updated to a different version directly using SUM.
• If HPE OneView manages the iLO, the iLO login screen displays a warning.
Figure 1 iLO warning
• If you attempt to make BIOS or iLO changes in Intelligent Provisioning, a warning displays.

More information
https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA5-6605ENW.pdf

1.12 Open integration
The single, consistent resource model, REST APIs, SCMB (State-Change Message Bus), and MSMB (Metric Streaming Message Bus) enable you to use scripting to integrate HPE OneView with other enterprise applications to address user needs and perform tasks such as:
• Automating standard workflows and troubleshooting steps
• Automating integrations with other software, such as a CMDB (configuration management database)
• Connecting to service desks
• Monitoring resources, collecting data, and mapping and modeling systems
• Exporting data to formats that suit your needs
• Attaching custom databases, data warehouses, or third-party business intelligence tools
• Integrating in-house user customizations

The SCMB is an interface that uses asynchronous messaging to notify subscribers of changes to managed resources—both logical and physical.
For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes—without having to continuously poll the appliance for status using the REST APIs.

More information
HPE OneView REST API Scripting Help
“Using a message bus to send data to subscribers” (page 327)

1.13 Networking features
HPE OneView provides several networking features to streamline the provisioning of networking resources for server blades and to manage configuration changes, including firmware updates, to Virtual Connect interconnect modules.

Supported networks
The Virtual Connect interconnect modules in enclosures support the following types of data center networks:
• Ethernet for data networks, including tagged, untagged, or tunnel networks.
• Fibre Channel for storage networks, including Fibre Channel fabric attach (SAN switch) connections, and Fibre Channel direct attach (Flat SAN) connections to supported 3PAR storage systems.
• Fibre Channel over Ethernet (FCoE) for storage networks where storage traffic is carried over a dedicated Ethernet VLAN.

More information
• Logical interconnects
• Logical interconnect group
• Network set
• Switches
• Logical switches
• Logical switch groups
“Learning about HPE OneView” (page 21)
Migrating a Virtual Connect configuration to HPE OneView

1.14 HPE Smart Update Tools features
HPE Smart Update Tools (SUT) is an operating system utility for HPE OneView that enables an administrator to perform online firmware and driver updates. SUT polls HPE OneView every five minutes for new requests, processes those requests, and provides HPE OneView with a status. HPE OneView posts the progress in the Firmware section of the Server Profile page. SUT installs updates in the correct order and ensures that all dependencies are met before starting an update.
If there are unmet dependencies, SUT prevents the installation and notifies the HPE OneView administrator that the installation cannot continue due to a dependency.

Key features:
• Combined driver, software, and firmware updates
• Compliance reporting in the HPE OneView dashboard based on the status received from SUT
• An increase in the maximum uptime by minimizing the number of reboots required for activation
• The ability to perform firmware staging and development tasks outside of the actual maintenance window so that one reboot during the maintenance window activates both firmware and driver updates
• Multiple user roles:
  ◦ HPE OneView Infrastructure administrator who defines the desired state using the firmware options in the server profile
  ◦ SUT administrator who uses SUT to update the firmware and the software on the server
• Manual control and varying levels of automation:
  ◦ On demand or manual updates
  ◦ Semiautomatic when staging is automatic or staging and installation are automatic
  ◦ Fully automatic update

NOTE: SUT requires HPE iLO 2.30 and later to function correctly. If HPE OneView manages the server firmware, HPE OneView automatically updates the iLO firmware to enable SUT to proceed.

More information
“HPE Smart Update Tools installation with HPE Insight Control server provisioning” (page 469)

2 Understanding the resource model
HPE OneView uses a resource model that reduces complexity and simplifies the management of your data center. This model provides logical resources, including templates, groups, and sets, that, when applied to physical resources, provide a common structure across your data center.

The UI distinguishes between physical and virtual resources by using certain actions.
For example:
• You can create, delete, or copy a logical resource, but not a physical resource
• You can add or remove a physical resource

High-level overview
• Resource model summary diagram (page 42)

Server resources
• Server profile templates (page 58)
• Server profiles (page 57)
• Connections (page 43)
• Connection templates (page 44)
• Server hardware (page 56)
• Server hardware types (page 57)

Network provisioning resources
• Enclosure groups (page 46)
• Enclosure types (page 47)
• Enclosures (page 46)
• Interconnect types (page 48)
• Interconnects (page 47)
• Logical enclosures (page 48)
• Logical interconnect groups (page 50)
• Logical interconnects (page 49)
• Logical switches (page 51)
• Logical switch groups (page 52)
• Switches (page 60)
• Uplink sets (page 61)

Network resources
• Networks (page 52)
• Network sets (page 53)

Storage resources
• Storage Systems (page 60)
• Storage Pools (page 59)
• Volumes (page 62)
• Volume Templates (page 62)
• SAN Managers (page 55)
• SANs (page 55)

Appliance resources
• Appliance (page 42)
• Domains (page 45)

Data center power and cooling management resources
• Data centers (page 44)
• Racks (page 54)
• Power delivery devices (page 53)
• Unmanaged devices (page 61)

Learn more
• For a complete list of resources, see the HPE OneView REST API Reference in the online help.
• For information about using HPE OneView, see the other chapters in this guide and the online help.

2.1 Resource model summary diagram
The following figure summarizes some of the most frequently used resources and shows the relationships between them.
Figure 2 Resource model summary diagram

The UI and REST APIs are organized by resource. The documentation for the UI and REST APIs is also organized by resource. The complete list of resources is included in the HPE OneView REST API Reference in the online help.

The following sections introduce the resources shown in Figure 2: Resource model summary diagram (page 42).

More information
Understanding the resource model (page 41)

2.2 Appliance
The appliance resource defines configuration details specific to the HPE OneView appliance (as distinct from the resources HPE OneView manages).

Relationship to other resources
An appliance resource is associated with the following resources in the resource summary diagram (page 42):
• Exactly one domain
• Zero or more instances of the other resources in the summary diagram (page 42)

UI screens and REST API resources
Several REST API resources are related to the appliance and appliance settings.
See the resources in the following categories in the HPE OneView REST API Reference in the online help:

UI screen | REST API resource
Settings |
• Appliance time, locale, and timezone settings | appliance/configuration/timeconfig/locales, appliance/configuration/time-locale
• Appliance device READ community string | appliance/device-read-community-string
• Reset the appliance to the factory defaults | appliance
• Upgrade or patch the appliance firmware | appliance/firmware
• Health of appliance components | appliance/health-status
• Configure and retrieve network information of the appliance | appliance/network-interfaces
• Shut down or restart an appliance | appliance/shutdown
• Generating and downloading support dumps from an appliance | appliance/support-dumps
• Trap destinations in the management appliance | appliance/trap-destinations
OneView License |
• Status of the End User License Agreement (EULA) and related data | appliance/eula

More information
Managing the appliance (page 295)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.3 Connections
A connection is the logical representation of a connection between a server and a network or network set. Connections can be configured in server profiles. A connection specifies the following:
• The network or network set to which the server is to be connected
• Configuration overrides (such as a change to the preferred bandwidth) to be made to the default configuration for the specified network or network set
• Boot order

Relationship to other resources
A connection resource is associated with the following resources in the resource summary diagram (page 42):
• Exactly one server profile resource.
• Exactly one connection template resource.
• Exactly one network or network set resource. The resources that are available to the connection depend on the configuration of the logical interconnect of the enclosure that contains the server hardware.

UI screens and REST API resources
UI screen | REST API resources
Server Profiles | connections and server-profiles

More information
About server profiles (page 166)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.4 Connection templates
A connection template defines default configuration characteristics, such as the preferred bandwidth and maximum bandwidth, for a network or network set. When you create a network or network set, HPE OneView creates a default connection template for the network or network set.

Relationship to other resources
A connection template resource is associated with zero or more connection resources. A connection resource is associated with the appropriate connection template for a type of network or network set.

UI screens and REST API resources
UI screen | REST API resource | Notes
None | connection-templates | The UI does not display or refer to connection templates, but connection templates determine the default values displayed for the connection when you select a network or network set.

More information
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.5 Data centers
In HPE OneView, a data center represents a physically contiguous area in which racks containing IT equipment—such as servers, enclosures, and devices—are located. You create a data center to describe a portion of a computer room, summarizing your environment and its power and thermal requirements. A data center resource is often a subset of your entire data center and can include equipment that is not managed by HPE OneView. By representing the physical layout of your data center equipment, including unmanaged devices, you can use detailed monitoring information for space planning and determining power and cooling requirements.

In HPE OneView, you can:
• View a 3D model of the data center layout that includes a color-coding scheme to help you identify areas that are too hot or too cold.
• View temperature history data.
• More easily locate specific devices for hands-on servicing.

Relationship to other resources
A data center resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more racks

UI screens and REST API resources
UI screen | REST API resource
Data Centers | datacenters

More information
Managing your data center (page 256)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.6 Domains
The domain resource describes the management domain for the appliance. All physical and logical resources managed by the appliance are part of a single management domain.

Relationship to other resources
A domain resource is associated with the following resources in the resource summary diagram (page 42):
• Exactly one appliance
• Zero or more instances of the other resources in the summary diagram (page 42)

UI screens and REST API resources
UI screen | REST API resource | Notes
None | domains | The UI does not display or refer to domains, but the domain resource provides information about limits such as the total number of networks that you can add to the appliance. You can use the domains REST API to obtain information about the domain.

More information
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.7 Enclosures
An enclosure is a physical structure with device bays supporting server, networking, and storage building blocks. These building blocks share the enclosure's common power, cooling, and management infrastructure. The enclosure provides the hardware connections between the interconnect downlinks and the installed servers. The enclosure interconnects provide the physical uplinks to the data center networks.
When you add an enclosure to be managed, HPE OneView discovers and adds all of the components within the enclosure, including any installed servers and any installed interconnects.

Relationship to other resources
An enclosure resource is associated with the following resources in the resource summary diagram (page 42):
• One logical enclosure
• Exactly one enclosure group
• Zero or more physical interconnects
• One or more logical interconnects and one or more logical interconnect groups (through the enclosure’s association with an enclosure group and interconnects)
• Zero or one rack resource
• Zero or more power delivery devices

UI screens and REST API resources
UI screen | REST API resource
Enclosures | enclosures

More information
Managing enclosures (page 217)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.8 Enclosure groups
An enclosure group is a template that defines a consistent configuration for a logical enclosure. Network connectivity for an enclosure group is defined by the logical interconnect groups associated with the enclosure group. Using enclosure groups, you can quickly add many enclosures and have them configured into identical logical enclosures.

Relationship to other resources
An enclosure group resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more logical enclosures
• Zero or more server profiles
• Zero or more logical interconnect groups

UI screens and REST API resources
UI screen | REST API resource
Enclosure Groups | enclosure-groups

More information
Managing enclosure groups (page 237)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.9 Enclosure types
An enclosure type defines characteristics of a specific Hewlett Packard Enterprise enclosure hardware model, such as an HPE BladeSystem c7000 Enclosure.

Relationship to other resources
An enclosure type resource is associated with zero or more enclosures.

UI screens and REST API resources
UI screen | REST API resource | Notes
None | None | The UI does not refer to enclosure type, but the enclosure type is used by HPE OneView when you add an enclosure. The enclosures REST resource includes an enclosureType attribute.

More information
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.10 Interconnects
An interconnect is a physical resource that enables communication between hardware in the enclosure and the data center Ethernet LANs and Fibre Channel SANs. The Virtual Connect FlexFabric 10Gb/24-port Module is an example of a supported interconnect. For a list of supported interconnects, see the HPE OneView Support Matrix.

An interconnect has the following types of ports:
Port type | Description
Uplinks | Uplinks are physical ports that connect the interconnect to the data center networks. For example, the X2 port of a Virtual Connect FlexFabric 10Gb/24-port Module is an uplink.
Downlinks | Downlinks are physical ports that connect the interconnect to the server hardware through the enclosure midplane.
Stacking links | Stacking links are internal or external physical ports that join interconnects to provide redundant paths for Ethernet traffic from servers to the data center networks. Stacking links are based on the configuration of the associated logical interconnect group.

In the resource model:

Relationship to other resources
An interconnect resource is associated with the following resources in the resource summary diagram (page 42):
• Exactly one enclosure
• Zero or one logical interconnect, and, through that logical interconnect, one or more logical interconnect groups

UI screens and REST API resources
UI screen | REST API resources
Interconnects | interconnects, interconnect-types, and logical-interconnects

More information
Managing enclosure interconnect hardware (page 195)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.11 Interconnect types
The interconnect type resource defines the characteristics of a model of interconnect, such as the following:
• Downlink capabilities and the number of downlink ports
• Uplink port capabilities and the number of uplink ports
• Supported firmware versions

Relationship to other resources
An interconnect type resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more interconnects

UI screens and REST API resources
UI screen | REST API resource | Notes
Interconnects | interconnect-types | The UI does not display or refer to the interconnect type resource specifically, but the information is used by HPE OneView when you add or manage an interconnect using the Interconnects screen.

More information
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.12 Logical enclosures
A logical enclosure represents a logical view of a single enclosure with an enclosure group serving as a template. If the intended configuration in the logical enclosure does not match the actual configuration on the enclosure, the logical enclosure becomes inconsistent.

A logical enclosure is automatically created when a c7000 enclosure is added.

Relationship to other resources
A logical enclosure resource is associated with the following resources in the resource summary diagram (page 42):
• One enclosure, and through the enclosure, one enclosure group

UI screens and REST API resources
UI screen | REST API resource
Logical Enclosures | logical-enclosures

More information
Managing logical enclosures (page 238)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.13 Logical interconnects

A logical interconnect is a single entity for multiple physical interconnects
A logical interconnect is a single administrative entity that consists of the configuration for a set of interconnects in an enclosure. This configuration includes:
• Interconnects, which are required for the enclosure to connect to data center networks.
• Uplink sets, which map data center networks to physical uplink ports. If no uplink sets are defined, the logical interconnect cannot connect to data center networks, and the servers attached to the downlinks of the logical interconnect cannot connect to data center networks.
• Downlink ports, which connect through the enclosure midplane to the servers in the enclosure. A logical interconnect includes all of the physical downlinks of all of the member interconnects. The downlinks connect the interconnects to physical servers. The set of downlinks that share access to a common set of networks is called logical downlinks.
• Internal networks, which are used for server-to-server communications without traffic egressing any uplinks.
• Stacking links, if used, join interconnects either through connections inside the enclosure or external cables between the face plate ports of the interconnects.
• The firmware baseline, which specifies the firmware version to be used by all of the member interconnects. The firmware baseline for physical interconnects is managed by the logical interconnect.

The Network administrator configures multiple paths from server bays to networks
The Network administrator can ensure that every server bay of an enclosure has two independent paths to an Ethernet data center network by creating a logical interconnect for which the following conditions are true:
• The logical interconnect has at least two interconnects that are joined by stacking links, or two interconnects are defined in separate logical interconnect groups.
• The logical interconnect has at least one uplink set that includes uplinks to the network from at least two physical interconnects.

HPE OneView detects and reports a configuration or state in which there is only one path (no redundant paths) to a network or in which there are no paths to a network.

The Server administrator is not required to know the details about interconnect configurations
Because a logical interconnect is managed as a single entity, the server administrator is isolated from the details of interconnect configurations. For example, if the network administrator configures the logical interconnect to ensure redundant access from each server bay in the enclosure to each Ethernet data center network, the server administrator must only ensure that a server profile includes two connections to a network or to a network set that includes that network.

Relationship to other resources
A logical interconnect resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more interconnects. For a logical interconnect to be usable, it must include at least one interconnect. If there are zero interconnects, the enclosure and its contents do not have any uplinks to the data center networks.
• One or more logical interconnect groups associated with an enclosure group, which define the initial configuration of the logical interconnects.
• Zero or more uplink sets, which associate zero or more uplink ports and zero or more networks.
• Zero or one logical enclosure

UI screens and REST API resources

UI screen | REST API resource | Notes
Logical Interconnects | logical-interconnects and logical-downlinks | You use the logical-downlinks REST API to obtain information about the common set of networks and capabilities available to a downlink.

More information
Managing logical interconnects and logical interconnect groups (page 197)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.14 Logical interconnect groups

The logical interconnect group is a template that defines the physical and logical configuration of the interconnects that are configured together to form a logical interconnect. This configuration includes the following:
• The interconnect types, interconnect configurations, and interconnect downlink capabilities
• The interconnect ports used for stacking links
• The uplink sets, which map uplink ports to Ethernet or Fibre Channel networks
• The available networks based on the uplink sets and internal networks

In the resource model:
• A logical interconnect group or groups is associated with an enclosure group instead of an individual enclosure.
• You can create a logical interconnect group either automatically during an enclosure add operation, or independently of enclosure add operations. If you add an enclosure without specifying an existing enclosure group, HPE OneView creates both an enclosure group and a single logical interconnect group based on the physical interconnects in that enclosure. You can then edit that enclosure group and that logical interconnect group. If you want multiple logical interconnect groups per enclosure, create the logical interconnect groups before you add the enclosure, or edit the logical interconnect groups to remove interconnects from one logical interconnect group and add them to another.
• The uplink sets defined by the logical interconnect group establish the initial configuration for uplink sets for each logical interconnect in the enclosure group. If you change uplink sets for an existing logical interconnect group:
  ◦ Only enclosures that you add after the configuration change are configured with the new uplink set configuration.
  ◦ Existing logical interconnects are reported as not being consistent with the logical interconnect group. You can then request that those existing logical interconnects be updated with the new configuration.

After a logical interconnect has been created and associated with a logical interconnect group, it continues to be associated with that group and reports if its configuration differs from the group. You can then change the configuration of the logical interconnect to match the group.

Relationship to other resources

A logical interconnect group resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more logical interconnects
• Zero or more enclosure groups

The uplink sets defined by a logical interconnect group specify the initial configuration of the uplink sets of each logical interconnect in the group.

UI screens and REST API resources

UI screen | REST API resource
Logical Interconnect Groups | logical-interconnect-groups

More information
Managing logical interconnects and logical interconnect groups (page 197)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.15 Logical switches

A logical switch is added into HPE OneView as a managed or monitored logical switch. The logical switch can consist of a maximum of two physical top-of-rack switches (external to the c7000 enclosure) configured in a single stacking domain.

Connectivity is limited to one logical switch per logical interconnect. Interconnects within a logical interconnect cannot be connected to more than one logical switch.

A logical switch is based on a logical switch group configuration. If the logical switch transitions to an Inconsistent with group state (because of changes in either the logical switch or the logical switch group), update the logical switch configuration based on the logical switch group to return to a consistent state.

UI screens and REST API resources

UI screen | REST API resource
Logical Switches | logical-switches

More information
Managing logical switches (page 268)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.16 Logical switch groups

The logical switch group is a template for creating logical switches. Logical switches are an aggregation of up to two physical top-of-rack switches.

Once constructed from a logical switch group, a logical switch continues to be associated with its logical switch group. Any change in consistency between the logical switch group and its associated logical switches is monitored and made visible on the associated logical switch screen in HPE OneView.

UI screens and REST API resources

UI screen | REST API resource
Logical Switch Groups | logical-switch-groups

More information
Managing logical switch groups (page 271)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.17 Networks

A network represents a Fibre Channel, Ethernet, or Fibre Channel over Ethernet (FCoE) network in the data center.

Relationship to other resources

A network resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more connections
• Zero or one uplink set per logical interconnect
• For tagged, Ethernet networks, zero or more network sets

UI screens and REST API resources

UI screen | REST API resource
Networks | fc-networks or ethernet-networks or fcoe-networks

More information
Managing networks and network resources (page 187)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.18 Network sets

A network set represents a group of tagged, Ethernet networks identified by a single name. Network sets are used to simplify server profile configurations and server profile templates. When a connection in a server profile specifies a network set, it can access any of the member networks. Additionally, if networks are added to or deleted from a network set, server profiles that specify the network set are isolated from the change. One common use for network sets is as a trunk for multiple VLANs to a vSwitch.

In the resource model:
• A network set can contain zero or more tagged, Ethernet networks.
• A tagged, Ethernet network can be a member of zero or more network sets.
• A connection in a server profile can specify either a network or a network set.
• A network set cannot be a member of an uplink set.

Other configuration rules apply.

Relationship to other resources

A network set resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more connections, and, through those connections, zero or more server profiles
• Zero or more Ethernet networks

UI screens and REST API resources

UI screen | REST API resource
Network Sets | network-sets

More information
About network sets (page 188)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.19 Power delivery devices

A power delivery device is a physical resource that delivers power from the data center service entrance to the rack components. You create the power distribution device objects to describe the power source for one or more components in the rack. Power delivery devices can include power feeds, breaker panels, branch circuits, PDUs, outlet bars, outlets, and UPS devices.

For a complete list of power delivery devices, see the screen details online help for the Power Delivery Devices screen.

Relationship to other resources

A power delivery device resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more racks
• Zero or more unmanaged devices

UI screens and REST API resources

UI screen | REST API resource
Power Delivery Devices | power-devices

More information
Managing power (page 255)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.20 Racks

A rack is a physical structure that contains IT equipment such as enclosures, servers, power delivery devices, and unmanaged devices in a data center. By describing the physical location, size, and thermal limit of equipment in the racks, you enable space and power planning and power analysis features for your data center.

Relationship to other resources

A rack resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or one data centers
• Zero or more enclosures
• Zero or more instances of server hardware (for HPE ProLiant DL servers)
• Zero or more unmanaged devices
• Zero or more power delivery devices

UI screens and REST API resources

UI screen | REST API resource
Racks | racks

More information
Managing power (page 255)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.21 SAN Managers

SAN Managers enable you to bring systems that manage SANs under management of HPE OneView. When you add a SAN manager to HPE OneView, the SANs that it manages become available to associate with HPE OneView networks that you can attach to server profiles.

In the resource model:
• SAN managers are not associated with HPE OneView resources directly. The SANs they manage (known as managed SANs) can be associated with HPE OneView networks, which can then be configured in server profiles.

Relationship to other resources

The SAN managers resource is associated with the following resources in the resource model summary diagram (page 42):
• A managed SAN on a SAN manager can be associated with one HPE OneView network, which can be associated with one server profile.

UI screens and REST API resources

UI screen | REST API resource
SAN Managers | device-managers

More information
SAN Managers (page 262)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.22 SANs

SANs are discovered by SAN Managers and become managed when they are associated with HPE OneView networks. Server profile attachments to volumes over SANs automatically configure the server, SAN zoning, and storage system, enabling the server to access the volume. SANs are made available to HPE OneView when the SAN manager to which they belong is added.

In the resource model:
• SANs are associated with the SAN Manager on which they reside.
• SANs can be associated with one or more Fibre Channel (FC) or Fibre Channel over Ethernet (FCoE) networks.

Relationship to other resources

The SANs resource is associated with the following resources in the resource model summary diagram (page 42):
• A managed SAN on a SAN manager can be associated with one or more Fibre Channel (FC) and/or one or more Fibre Channel over Ethernet (FCoE) networks.

UI screens and REST API resources

UI screen | REST API resource
SANs | fc-sans

More information
SANs (page 264)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.23 Server hardware

Server hardware represents an instance of server hardware, such as a physical HPE ProLiant BL460c Gen8 Server Blade installed in an enclosure, or a physical HPE ProLiant DL380p rack server.

For information about the supported server hardware, see the HPE OneView Support Matrix.

Relationship to other resources

A server hardware resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or one server profile. If a server does not have a server profile assigned, you cannot perform actions that require the server profile resource, such as managing firmware or connecting to data center networks. However, you can:
  ◦ Add the managed server hardware to HPE OneView, including automatically updating the server firmware to the minimum version required for management by HPE OneView.
    NOTE: Attempts to add monitored servers with less than the minimum firmware version required by HPE OneView will fail, and the firmware must be updated outside of HPE OneView, for example, with Smart Update Manager.
  ◦ View inventory data.
  ◦ Power on or power off the server.
  ◦ Launch the iLO remote console.
  ◦ Monitor power, cooling, and utilization.
  ◦ Monitor health and alerts.
• Exactly one server hardware type.
• If the server hardware is a server blade, exactly one device bay of an enclosure. This association also applies to full-height server blades, which occupy two device bays but are associated with the top bay only.
• If the server hardware is a rack mount server, zero or one rack resource and zero or more power delivery devices.

UI screens and REST API resources

UI screen | REST API resource | Notes
Server Hardware | server-hardware | You use the server hardware resource, not the server profile resource, to perform actions such as powering off or powering on the server, resetting the server, and launching the HPE iLO remote console. You can launch the iLO remote console through the UI. The REST APIs do not include an API to launch the iLO remote console.

More information
Managing server hardware (page 157)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.24 Server hardware types

A server hardware type captures details about the physical configuration of server hardware, and defines which settings are available to the server profiles assigned to that type of server hardware. For example, the server hardware type for the HPE ProLiant BL460c Gen8 Server Blade includes a complete set of default BIOS settings for that server blade hardware configuration.

When you add an enclosure to HPE OneView, HPE OneView detects the servers installed in the enclosure and creates a server hardware type for each unique server configuration it discovers. When you add a unique rack mount server model, HPE OneView creates a new server hardware type for that server configuration.

Relationship to other resources

A server hardware type resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more server profiles
• Zero or more server profile templates
• Zero or more servers of the type defined by that server hardware type

UI screens and REST API resources

UI screen | REST API resource
Server Hardware Types | server-hardware-types

More information
About server hardware types (page 162)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.25 Server profiles

Server profiles capture key aspects of the server configuration in one place, enabling you to provision converged infrastructure hardware quickly and consistently according to your best practices.

A server profile can contain the following configuration information about the server hardware:
• Basic server identification information
• Firmware versions
• Connections to Ethernet networks, Ethernet network sets, FCoE networks, and Fibre Channel networks
• Local storage
• SAN storage
• Boot settings
• BIOS settings
• Physical or virtual UUIDs (universally unique identifiers), MAC (media access control) addresses and WWN (World Wide Name) addresses

Relationship to other resources

A server profile is associated with the following resources in the resource summary diagram (page 42):
• Zero or one server profile template
• Zero or more connection resources. You use a connection resource to specify connection from the server to a network or network set. If you do not specify at least one connection, the server cannot connect to data center networks. The networks and network sets that are available to a server profile connection depend on the configuration of the logical interconnect of the enclosure that contains the server hardware.
• Zero or one server hardware resource.
• Exactly one server hardware type resource.
• Exactly one enclosure group resource.

To enable portability of server profiles, a server profile is associated with an enclosure group resource instead of an enclosure resource. Because enclosures in the enclosure group are configured identically, you can assign a server profile to any appropriate server hardware, regardless of which enclosure and bay in the enclosure group contains that server hardware.

UI screens and REST API resources

UI screen | REST API resource
Server Profiles | server-profiles

More information
Managing server profiles (page 165)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.26 Server profile templates

Server profile templates help to monitor, flag, and update server profiles in HPE OneView.

A server profile template defines the source for the configuration of:
• Firmware versions
• Connections to Ethernet networks, Ethernet network sets, and Fibre Channel networks
• Local storage
• SAN storage
• Boot settings
• BIOS settings
• Profile affinity

Relationship to other resources

A server profile template is associated with the following resources in the resource summary diagram (page 42):
• Zero or more server profile resources.
• Zero or more connection resources.
• Exactly one server hardware type resource.
• Exactly one enclosure group resource.

To enable portability of server profiles, a server profile is associated with an enclosure group resource instead of an enclosure resource. Because enclosures in the enclosure group are configured identically, you can assign a server profile to any appropriate server hardware, regardless of which enclosure and bay in the enclosure group contains that server hardware.

UI screens and REST API resources

UI screen | REST API resource
Server Profile Templates | server-profile-templates

More information
Managing server profile templates (page 176)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.27 Storage Pools

A storage pool exists on a storage system and contains volumes. Storage pools are created on a storage system using the management software for that system. After you add a storage pool to HPE OneView, you can add existing volumes or create new volumes.

In the resource model:
• A storage pool exists on only one storage system.
• A storage pool can contain zero or more volumes.
• A storage pool can be associated with zero or more volume templates.

Relationship to other resources

A storage pool resource is associated with the following resources in the resource model summary diagram (page 42):
• One storage system, and through it, zero or more volumes, which can be connected to zero or more server profiles

UI screens and REST API resources

UI screen | REST API resource
Storage Pools | storage-pools

More information
Storage pools (page 260)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.28 Storage Systems

You can connect supported storage systems to HPE OneView to manage storage pools and volumes.

In the resource model:
• A storage system can have zero or more storage pools.
• A storage system can have zero or more volumes in each storage pool.

Relationship to other resources

A storage system resource is associated with the following resources in the resource model summary diagram (page 42):
• Zero or more storage pools, and through those storage pools, zero or more volumes.
• Zero or more server profiles, through zero or more volumes.

UI screens and REST API resources

UI screen | REST API resource
Storage Systems | storage-systems

More information
Storage systems (page 259)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.29 Switches

Switches provide a unified, converged fabric over Ethernet for LAN and SAN traffic. This unification enables network consolidation and greater use of infrastructure and cabling, reducing the number of adapters and cables required and eliminating redundant switches.

A configuration of enclosures, server blades, and third-party devices—such as the Cisco Fabric Extender for HPE BladeSystem modules and Cisco Nexus top of rack switches—provides scalability to manage server blades and a higher demand for bandwidth from each server with access-layer redundancy.

HPE OneView provides minimal monitoring (power and state only) of switches and their associated interconnects. See the HPE OneView Support Matrix for the complete list of supported devices.

Relationship to other resources

A Cisco Nexus top of rack switch is associated with interconnects, specifically the Cisco Fabric Extender for BladeSystem modules within an enclosure, as shown in the resource summary diagram (page 42).

UI screens and REST API resources

UI screen | REST API resource
Switches | switches

More information
Managing switches (page 267)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.30 Unmanaged devices

An unmanaged device is a physical resource that is located in a rack or consumes power but is not currently managed by HPE OneView. Some unmanaged devices are unsupported devices that cannot be managed by HPE OneView.

All devices connected to an Intelligent Power Distribution Unit (iPDU) using an Intelligent Power Discovery (IPD) connection are added to HPE OneView as unmanaged devices.

Other devices that do not support IPD—such as KVM switches, routers, in-rack monitors and keyboards—are not added to the list of unmanaged devices automatically. To include these devices in HPE OneView, you can add them manually and describe their names, rack positions, and power requirements.

Relationship to other resources

An unmanaged device resource is associated with the following resources in the resource summary diagram (page 42):
• Zero or more racks
• Zero or more power delivery devices

UI screens and REST API resources

UI screen | REST API resource | Notes
Unmanaged Devices | unmanaged-devices | You can view, add, or edit the properties of unmanaged devices using either the UI or the REST APIs. To delete an unmanaged device, you must use the REST APIs.

More information
About unmanaged devices (page 161)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.31 Uplink sets

An uplink set assigns data center networks to uplink ports of interconnects. The uplinks must be from physical interconnects that are members of the logical interconnect to which the uplink set belongs.

An uplink set is part of a logical interconnect. For each logical interconnect:
• An uplink set cannot include a network set.
• A network can be a member of one uplink set per logical interconnect group.
• An uplink set can contain one Fibre Channel network.
• An uplink set can contain multiple Ethernet networks.
• An uplink set can contain one or more FCoE networks, but the uplinks must be contained within a single FCoE-capable interconnect.
• Internal networks allow server-to-server connectivity within the logical interconnect. Internal networks are created by adding existing networks to internal networks and not associating them with an uplink set. If you add an internal network to an uplink set, the network is automatically removed from the internal networks.
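
The uplink set rules listed above, together with the two-path conditions from section 2.13, can be checked mechanically against a planned configuration before it is applied. The following Python is an added example, not code from HPE or the OneView REST API: the dictionary layout, the finding codes and all sample names are assumptions made for illustration, and stacking links are not modelled.

```python
from collections import defaultdict

# Constructed sample: a simplified description of one logical interconnect.
# The layout is this example's own, not the OneView REST schema.
SAMPLE_LI = {
    "networks": {"prod-100": "ethernet", "prod-200": "ethernet",
                 "vmotion": "ethernet", "san-a": "fc", "san-b": "fc",
                 "fcoe-300": "fcoe"},
    "network_sets": ["prod-trunk"],
    "internal_networks": ["vmotion"],
    "uplink_sets": [
        {"name": "US-Prod", "networks": ["prod-100", "prod-trunk"],
         "uplinks": [("bay1", "X1"), ("bay2", "X1")]},
        {"name": "US-Edge", "networks": ["prod-200", "prod-100"],
         "uplinks": [("bay1", "X2")]},
        {"name": "US-SAN", "networks": ["san-a", "san-b"],
         "uplinks": [("bay1", "X3")]},
        {"name": "US-FCoE", "networks": ["fcoe-300"],
         "uplinks": [("bay1", "X4"), ("bay2", "X4")]},
    ],
}


def check_uplink_sets(li):
    """Return (code, detail) findings for violations of the uplink set rules."""
    findings = []
    kinds = li["networks"]                      # network name -> type
    network_sets = set(li.get("network_sets", []))
    internal = set(li.get("internal_networks", []))
    membership = defaultdict(list)              # network -> uplink sets using it
    for us in li["uplink_sets"]:
        name, members = us["name"], []
        for net in us["networks"]:
            if net in network_sets:             # an uplink set cannot include a network set
                findings.append(("NETWORK_SET_IN_UPLINK_SET", f"{name}: {net}"))
                continue
            members.append(net)
            membership[net].append(name)
            if net in internal:                 # internal networks have no uplink set
                findings.append(("INTERNAL_AND_UPLINKED", f"{name}: {net}"))
        fc = [n for n in members if kinds.get(n) == "fc"]
        if len(fc) > 1:                         # one Fibre Channel network per uplink set
            findings.append(("MULTIPLE_FC_NETWORKS", f"{name}: {', '.join(fc)}"))
        bays = sorted({bay for bay, _port in us["uplinks"]})
        if any(kinds.get(n) == "fcoe" for n in members) and len(bays) > 1:
            # FCoE uplinks must stay within a single interconnect
            findings.append(("FCOE_SPANS_INTERCONNECTS", f"{name}: {', '.join(bays)}"))
    for net, sets in membership.items():
        if len(sets) > 1:                       # one uplink set per network
            findings.append(("NETWORK_IN_MULTIPLE_UPLINK_SETS",
                             f"{net}: {', '.join(sets)}"))
    return findings


def path_report(li):
    """Classify each Ethernet network by how many interconnects uplink it.

    A network is 'redundant' only if a single uplink set carries it on uplinks
    from at least two physical interconnects (the section 2.13 condition).
    """
    report = {}
    internal = set(li.get("internal_networks", []))
    for net, kind in li["networks"].items():
        if kind != "ethernet":
            continue
        if net in internal:
            report[net] = "internal only"
            continue
        best = 0
        for us in li["uplink_sets"]:
            if net in us["networks"]:
                best = max(best, len({bay for bay, _port in us["uplinks"]}))
        if best == 0:
            report[net] = "no path"
        elif best == 1:
            report[net] = "single path"
        else:
            report[net] = "redundant"
    return report


if __name__ == "__main__":
    for code, detail in check_uplink_sets(SAMPLE_LI):
        print(f"{code:34} {detail}")
    for net, status in path_report(SAMPLE_LI).items():
        print(f"{net:10} {status}")
```
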

Relationship to other resources

An uplink set is part of a logical interconnect or a logical interconnect group.

The uplink sets defined by a logical interconnect group specify the configuration for uplink sets used by logical interconnects that are members of the group. If the uplink sets of a logical interconnect do not match the uplink sets of the logical interconnect group, HPE OneView notifies you that the logical interconnect is not consistent with its group.

UI screens and REST API resources

UI screen | REST API resource
Logical Interconnects or Logical Interconnect Groups | uplink-sets

More information
About uplink sets (page 198)
Managing logical interconnects and logical interconnect groups (page 197)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.32 Volumes

A volume is a virtual disk allocated from a storage pool. A server profile can define the attachment of a server to a volume.

In the resource model:
• A volume exists in only one storage pool, which exists on only one storage system.
• A volume can be attached to zero, one, or many server profiles.

Relationship to other resources

A volume resource is associated with the following resources in the resource model summary diagram (page 42):
• One storage pool, and through it, one storage system
• Zero, one, or many server profiles through volume attachments

UI screens and REST API resources

UI screen | REST API resource
Volumes | storage-volumes

More information
Volumes (page 261)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

2.33 Volume Templates

A volume template defines the settings for the volumes created from it. Use a volume template to create multiple volumes with the same configuration.

In the resource model:
• A volume template can be associated with one storage pool.

Relationship to other resources

A volume template resource is associated with the following resources in the resource model summary diagram (page 42):
• One storage pool, which can have zero, one, or many volume templates associated with it

UI screens and REST API resources

UI screen | REST API resource
Volume Templates | storage-volume-templates

More information
Volume templates (page 262)
Resource model summary diagram (page 42)
Understanding the resource model (page 41)

3 Understanding the security features of the appliance

Most security policies and practices used in a traditional environment are applicable in a virtualized environment. However, in a virtualized environment, these policies might require modifications and additions.

Only Transport Layer Security (TLS) protocols are now supported for GUI, REST API, and message bus access. Any reference in the documentation to "SSL" should be understood to mean "TLS" protocols.

3.1 Securing the appliance

The following factors secure (harden) the appliance and its operating system:
• Best practice operating system security guidelines are followed:
  ◦ The appliance operating system minimizes its vulnerability by running only the services required to provide functionality.
  ◦ The appliance operating system enforces mandatory access controls.
  ◦ The appliance maintains a firewall that allows traffic on specific ports and blocks all unused ports. See “Ports required for HPE OneView” (page 76) for the list of network ports used.
  ◦ Key appliance services run only with the required privileges; they do not run as privileged users.
  ◦ The operating system bootloader is password protected. The appliance cannot be compromised by someone attempting to boot in single-user mode.
  ◦ There are no users allowed at the operating system level (no interactive OS logins are allowed).
    Users interact with the appliance strictly through:
    – REST APIs (either programmatically or through the graphical user interface)
    – the State Change Message Bus (AMQP interface)
    – a captive CLI shell used to access unmanaged interconnects
• The appliance is designed to operate entirely on an isolated management LAN. Access to the production LAN is not required.
• RBAC (role-based access control) enables an administrator to quickly establish access control and authorization for users based on their responsibilities for specific resources. RBAC also simplifies what is shown in the UI:
  ◦ Users can initiate actions only for the resources for which they are authorized. For example, users with the role of Network administrator can initiate actions for the network resources only, and users with the role of Server administrator can initiate actions for the server resources only.
  ◦ Users with the role of Infrastructure administrator have full access to all screens and actions.
• The appliance supports integration with Microsoft Active Directory or OpenLDAP for user authentication. Local HPE OneView user accounts can be completely disabled when enterprise directories are in use. See “About directory service authentication” (page 279) for more information.
• The appliance enforces a password change at first login. The default password cannot be used again.
• The appliance supports self-signed certificates and certificates issued by a certificate authority. The appliance is initially configured with a self-signed certificate. As the Infrastructure administrator, you can generate a CSR (certificate signing request) and, upon receipt, upload the certificate to the appliance. This ensures the integrity and authenticity of your HTTPS connection to the appliance.
• A UI that restricts access from host operating system users.
• All browser operations and REST API calls use HTTPS. All weak SSL (Secure Sockets Layer) ciphers are disabled.
• HPE OneView supports a secure update procedure for installing patches or upgrading to the next version. The updates are digitally signed by HPE and the update procedure verifies the digital signature. The signature and verification ensure the authenticity and integrity of software updates.
• Data downloads that are restricted to support dump files (encrypted by default), proprietary backup files, audit logs, and certificates.
• Backup files and transaction logs are proprietary.
• Support dumps are encrypted by default, but an Infrastructure administrator has the option to not encrypt them. Support dumps are automatically encrypted when a user with another role creates them to protect customer information.
• Hewlett Packard Enterprise closely monitors security bulletins for threats to appliance software components and, if necessary, issues software updates.

3.2 Best practices for maintaining a secure appliance

The following table comprises a partial list of security best practices that Hewlett Packard Enterprise recommends in both physical and virtual environments. Differing security policies and implementation practices make it difficult to provide a complete and definitive list.

Topic | Best Practice

Accounts
• Limit the number of local accounts. Integrate the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP.

Certificates
• Use certificates signed by a trusted certificate authority (CA), if possible.
  HPE OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a connection from a web browser to a web server is established. The machine level authentication is carried out as part of the HTTPS protocol, using SSL. Certificates can also be used to authenticate devices when setting up a communication channel.
  The appliance supports self-signed certificates and certificates issued by a CA.
  The appliance is initially configured with self-signed certificates for the web server and message broker software. Hewlett Packard Enterprise advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA. For the highest level of security, Hewlett Packard Enterprise recommends that you use certificates signed by a trusted certificate authority:
  ◦ Ideally, you should use your company's existing CA and import their trusted certificates. The trusted root CA certificate should be deployed to users' browsers that will contact systems and devices that will need to perform certificate validation.
  ◦ If your company does not have its own certificate authority, then consider using an external CA. There are numerous third-party companies that provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems and then import these trusted certificates into the components that use them.
  As the Infrastructure administrator, you can generate a CSR (certificate signing request) and, upon receipt, upload the certificate to the appliance web server. This ensures the integrity and authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for the database and message broker.
  For more information, see “Using a certificate authority” (page 73).

Network
• Hewlett Packard Enterprise recommends creating a private management LAN and keeping that separate from production LANs, using VLAN or firewall technology (or both).
  ◦ Management LAN
    Connect all management processor devices, including Onboard Administrators, iLOs, and iPDUs to the HPE OneView appliance and to the management LAN.
    Grant management LAN access to authorized personnel only. For example, Infrastructure administrators, Network administrators, and Server administrators.
◦ Production LAN: Connect all NICs for managed devices to the production LAN.
• Do not connect management systems (for example, the appliance, the iLO, and the Onboard Administrator) directly to the Internet. If you require inbound Internet access, use a corporate VPN (virtual private network) that provides firewall protection. For outbound Internet access (for example, for Remote Support), use a secured web proxy. To set the web proxy, see “Preparing for remote support registration” or “Configure the proxy settings” in the online help for more information.

Nonessential services
• The appliance is preconfigured so that nonessential services are removed or disabled in its management environment. Ensure that you continue to minimize services when you configure host systems, management systems, and network devices (including network ports not in use) to significantly reduce the number of ways your environment could be attacked.

Passwords
Hewlett Packard Enterprise recommends that you integrate the appliance with an enterprise directory such as Microsoft Active Directory or OpenLDAP. Disable local HPE OneView accounts. Your enterprise directory can then enforce common password management policies such as password lifetime, password complexity, and minimum password length.

Roles
• Clearly define and assign roles to users according to the access they need to perform their tasks. The Infrastructure administrator role should be reserved for the highest access.

Service Management
• Consider using practices and procedures such as those defined by the Information Technology Infrastructure Library (ITIL). For more information, see the following website: http://www.itil-officialsite.com/home/home.aspx

Updates
• Sign up for HPE OneView bulletins at www.hpe.com/support/e-updates
• Install updates for all components in your environment on a regular basis.
Virtual Environment
• Educate administrators about changes to their roles and responsibilities in a virtual environment.
• Restrict access to the appliance console to authorized users. For more information, see “Restricting console access” (page 78).
• If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switch.
• Turn off promiscuous mode in the hypervisor and encrypt traffic flowing over the VLAN to lessen the effect on any VLAN traffic sniffing.
NOTE: In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be used on a VM (Virtual Machine) guest. The VM guest can enable promiscuous mode, but it will not be functional.
• Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production machines.
• Ensure proper access controls on Fibre Channel devices.
• Use LUN masking on both storage and compute hosts.
• Ensure that LUNs are defined in the host configuration, instead of being discovered.
• Use hard zoning (which restricts communication across a fabric) based on port WWNs (Worldwide Names), if possible.
• Ensure that communication with the WWNs is enforced at the switch-port level.

3.3 Creating a login session

You create a login session when you log in to the appliance through the browser or some other client (for example, using the REST API). Additional requests to the appliance use the session ID, which must be protected because it represents the authenticated user.

A session remains valid until you log out or the session times out (for example, if a session is idle for a longer period of time than the session idle timeout value). The default timeout value is 24 hours. To change the value on a per-session basis, use POST /rest/sessions/idle-timeout.
3.4 Authentication for appliance access

Access to the appliance requires authentication using a user name and password. User accounts are configured on the appliance or in an enterprise directory. All access (browser and REST APIs), including authentication, occurs over SSL to protect the credentials during transmission over the network.

3.5 Controlling access for authorized users

Access to the appliance is controlled by roles, which describe what an authenticated user is permitted to do on the appliance. Each user must be associated with at least one role.

3.5.1 Specifying user accounts and roles

User login accounts on the appliance must be assigned a role, which determines what the user has permission to do. For information on each role, and the capabilities these roles provide, see “About user roles” (page 274). For information on how to add, delete, and edit user accounts, see the online help.

3.5.2 Mapping of SSO roles for iLO and OA

The appliance enables SSO (single sign-on) to iLO and OA (Onboard Administrator) without storing user-created iLO or OA credentials. The following table describes the mapping of roles between the appliance, iLO, and OA.

Appliance role | SSO to iLO roles | SSO to OA roles
Infrastructure administrator | Admin | Admin
Server administrator | Admin | Admin
Network administrator | User | User
Read only | User | User
Backup administrator | None | None
Storage administrator | User | User

Appliance roles
See “About user roles” (page 274).

iLO roles
• Administrator privileges enable assigning all administrative rights for server reset, remote console, and login tasks.
• User privileges have access restrictions, based on IP address, DNS name, or time.

OA roles
• Administrator privileges enable creating or editing all user accounts on an enclosure.
• Operator privileges enable full information access and control of bays to which you have permitted access.
NOTE: SSO cannot configure permitted bays.
• User privileges enable full information access but no control capability.

3.5.3 Mapping appliance interactions with iLO, OA, and iPDU

The appliance performs configurations on the iLO, OA, and iPDU. The following table summarizes how the appliance interacts with these devices. For firewall information, see “Ports required for HPE OneView” (page 76).

Protocol or interaction | Description | iLO, OA, iPDU (Use / Configure)
NTP | Configures NTP | ✓ ✓
SNMP | Enables and configures SNMP to collect information | ✓ ✓ ✓ ✓ ✓ ✓
SNMP traps | Enables and configures SNMP traps sent to appliance | ✓ ✓ ✓ ✓ ✓ ✓
HTTPS (RIBCL/SOAP/JSON) | Collects information [1] (the specific protocol varies, but all use SSL) | ✓
Remote Console | Links from the UI to the iLO Remote Console | ✓
SSH | Not used
Telnet | Not used
XML reply | Collects generic system information | ✓
SSO | Enables and configures an SSO certificate for UI access. See “Mapping of SSO roles for iLO and OA” (page 69) for the privileges that are granted. | ✓ ✓ ✓ ✓
Appliance user account (_HPOneViewAdmin) | Configures and manages the system using an administrator-level user account (and randomly generated password) | ✓ ✓ ✓ ✓ ✓ ✓ ✓

[1] SSL encrypts traffic on the network, but does not authenticate the remote system's certificate.

3.6 Protecting credentials

Local user account passwords are stored using a salted hash; that is, they are combined with a random string, and then the combined value is stored as a hash. A hash is a one-way algorithm that maps a string to a unique value so that the original string cannot be retrieved from the hash.

Passwords are masked in the browser. When transmitted between appliance and the browser over the network, passwords are protected by SSL.

Local user account passwords must be a minimum of eight characters, with at least one uppercase character. The appliance does not enforce additional password complexity rules.
Site security policy determines password strength and expiration (see “Best practices for maintaining a secure appliance” (page 67)).

Hewlett Packard Enterprise recommends that you integrate an external authentication directory service (also known as an enterprise directory) with the appliance. Then, the directory service enforces password management policies such as minimum length and complexity.

3.7 Understanding the audit log

The audit log contains a record of actions performed on the appliance, which you can use for individual accountability.

You must have Infrastructure administrator privileges to download the audit log. For information on downloading the audit log from the UI, see “Download audit logs” (page 304).

Monitor the audit logs because they are rolled over periodically to prevent them from getting too large. Download the audit logs periodically to maintain a long-term audit history.

Each user has a unique logging ID per session, enabling you to follow a user’s trail in the audit log. Some actions are performed by the appliance and might not have a logging ID.

A breakdown of an audit entry follows:

Token | Description
Date/time | The date and time of the event
Internal component ID | The unique identifier of an internal component
Reserved | The organization ID.
Reserved for internal use
User domain | The login domain name of the user
User name/ID | The user name
Session ID | The user session ID associated with the message
Task ID | The URI of the task resource associated with the message
Client host/IP | The client (browser) IP address identifies the client machine that initiated the request
Result | The result of the action, which can be one of the following values:
• SUCCESS
• FAILURE
• SOME_FAILURES
• CANCELED
• KILLED
Action | A description of the action, which can be one of the following values:
• ADD • LIST • UNSETUP • CANCELED • MODIFY • ENABLE • DEPLOY • LOGIN • DELETE • DISABLE • START • LOGOUT • ACCESS • SAVE • DONE • DOWNLOAD_START • RUN • SETUP • KILLED
Severity | A description of the severity of the event, which can be one of the following values, listed in descending order of importance:
• INFO
• NOTICE
• WARNING
• ERROR
• ALERT
• CRITICAL
Resource category | For REST API category information, see the HPE OneView REST API Reference in the online help.
Resource URI/name | The resource URI/name associated with the task
Message | The output message that appears in the audit log

Maintenance console entries

The audit log includes entries for these Maintenance console events:
• Successful logins
• Unsuccessful logins
• Unsuccessful challenge-response authorization attempts
• Attempted appliance restarts
• Attempted appliance shutdowns
• Attempts to reset the administrator password
• Service console launches and exits
• Entries in which no login was required

3.8 Choosing a policy for the audit log

Choose a policy for downloading and examining the audit log.

The audit log contains a record of actions performed on the appliance, which you can use for individual accountability. As the audit log gets larger, older information is deleted. To maintain a long-term audit history, you must periodically download and save the audit log.
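One way to examine a downloaded audit log, given as an added example that is not part of the HPE guide: it splits each entry into the tokens listed in the breakdown above, flags a successful LOGIN that follows repeated failed LOGINs from the same client, and follows one logging ID's trail. The comma-separated layout, the threshold and the sample entries are assumptions constructed for illustration.

```python
from collections import namedtuple

# Token order follows the audit-entry breakdown in this section.
FIELDS = (
    "date_time", "component_id", "reserved", "user_domain", "user_name",
    "logging_id", "task_uri", "client_host", "result", "action",
    "severity", "resource_category", "resource_uri", "message",
)
AuditEntry = namedtuple("AuditEntry", FIELDS)
RESULTS = {"SUCCESS", "FAILURE", "SOME_FAILURES", "CANCELED", "KILLED"}

# Constructed sample entries, not real appliance output.
# ASSUMPTION: tokens are comma-separated in the order above and only the
# final Message token may itself contain commas.
SAMPLE_LOG = """\
2016-10-03 09:12:01.101 UTC,Authentication,,LOCAL,jsmith,,,198.51.100.23,FAILURE,LOGIN,WARNING,CREDENTIAL,,Authentication FAILURE
2016-10-03 09:12:05.340 UTC,Authentication,,LOCAL,jsmith,,,198.51.100.23,FAILURE,LOGIN,WARNING,CREDENTIAL,,Authentication FAILURE
2016-10-03 09:12:09.772 UTC,Authentication,,LOCAL,jsmith,,,198.51.100.23,FAILURE,LOGIN,WARNING,CREDENTIAL,,Authentication FAILURE
2016-10-03 09:12:20.880 UTC,Authentication,,LOCAL,jsmith,aB3dE9xQ,,198.51.100.23,SUCCESS,LOGIN,INFO,CREDENTIAL,,Authentication SUCCESS
2016-10-03 09:13:02.412 UTC,ServerProfiles,,LOCAL,jsmith,aB3dE9xQ,/rest/tasks/EXAMPLE-1,198.51.100.23,SUCCESS,DELETE,INFO,server-profiles,/rest/server-profiles/EXAMPLE-A,Deleted profile, forced
2016-10-03 09:14:40.007 UTC,Authentication,,LOCAL,akhan,Zk81mTqP,,192.0.2.10,SUCCESS,LOGIN,INFO,CREDENTIAL,,Authentication SUCCESS
2016-10-03 09:15:00.000 UTC,Authentication,,LOCAL
"""


def parse_audit(text):
    """Return (entries, rejected). Malformed lines are kept for review, not dropped."""
    entries, rejected = [], []
    result_index = FIELDS.index("result")
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first 13 commas only, so commas in Message survive.
        parts = line.split(",", len(FIELDS) - 1)
        if len(parts) != len(FIELDS) or parts[result_index] not in RESULTS:
            rejected.append(line)
            continue
        entries.append(AuditEntry(*parts))
    return entries, rejected


def logins_after_failures(entries, threshold=3):
    """Flag a successful LOGIN preceded by at least `threshold` consecutive
    failed LOGINs from the same client host."""
    streak, hits = {}, []
    for e in entries:
        if e.action != "LOGIN":
            continue
        if e.result == "FAILURE":
            streak[e.client_host] = streak.get(e.client_host, 0) + 1
        elif e.result == "SUCCESS":
            failures = streak.get(e.client_host, 0)
            if failures >= threshold:
                hits.append((e.client_host, e.user_name, e.logging_id, failures))
            streak[e.client_host] = 0
    return hits


def trail(entries, logging_id):
    """Everything recorded under one logging ID (one user session)."""
    return [
        (e.date_time, e.action, e.result, e.resource_uri)
        for e in entries
        if e.logging_id == logging_id
    ]


if __name__ == "__main__":
    parsed, bad = parse_audit(SAMPLE_LOG)
    print("rejected lines:", len(bad))
    for host, user, logging_id, failures in logins_after_failures(parsed):
        print(f"{failures} failed logins from {host}, then success as {user}")
        for step in trail(parsed, logging_id):
            print("   ", step)
```

Because older entries are deleted as the log grows, a check like this is only as complete as the archive of downloaded logs it runs over.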
For more information about the audit log, see “Understanding the audit log” (page 71).

3.9 Appliance access over SSL

All access to the appliance is through HTTPS (HTTP over SSL), which encrypts data over the network and helps to ensure data integrity. For a list of supported cipher suites, see Algorithms for securing the appliance in the online help.

3.10 Managing certificates from a browser

A certificate authenticates the appliance over SSL. The certificate contains a public key, and the appliance maintains the corresponding private key, which is uniquely tied to the public key.

NOTE: This section discusses certificate management from the perspective of the browser. For information on how a non-browser client (such as cURL) uses the certificate, see the documentation for that client.

The certificate also contains the name of the appliance, which the SSL client uses to identify the appliance.

The certificate has the following boxes:
• Common Name (CN): This name is required. By default it contains the fully qualified host name of the appliance.
• Alternative Name: The name is optional, but Hewlett Packard Enterprise recommends supplying it because it supports multiple names (including IP addresses) to minimize name-mismatch warnings from the browser. By default, this name is populated with the fully qualified host name (if DNS is in use), a short host name, and the appliance IP address.
NOTE: If you enter Alternative Names, one of them must be your entry for the Common Name.

These names can be changed when you manually create a self-signed certificate or a certificate signing request.

3.10.1 Self-signed certificate

The default certificate generated by the appliance is self-signed; it is not issued by a trusted certificate authority.

By default, browsers do not trust self-signed certificates because they lack prior knowledge of them.
The browser displays a warning dialog box; you can use it to examine the content of the self-signed certificate before accepting it.

3.10.2 Using a certificate authority

Use a trusted CA (certificate authority) to simplify certificate trust management; the CA issues certificates that you import. If the browser is configured to trust the CA, certificates signed by the CA are also trusted. A CA can be internal (operated and maintained by your organization) or external (operated and maintained by a third party).

You can import a certificate signed by a CA and use it instead of the self-signed certificate. The overall steps are as follows:
1. You generate a CSR (certificate signing request).
2. You copy the CSR and submit it to the CA, as instructed by the CA.
3. The CA authenticates the requestor.
4. The CA sends the certificate to you, as stipulated by the CA.
5. You import the certificate.

For information on generating the CSR and importing the certificate, see the UI help.

3.10.3 Create a certificate signing request

The appliance uses a certificate for authentication over SSL. The certificate contains a public key, and the appliance maintains the corresponding private key, which is uniquely tied to the public key.

A certificate authority (CA) is a trusted party that issues a certificate that enables others, who trust the CA, to also trust the host. In essence, the CA vouches for the host.

For information on creating a self-signed certificate, see “Create a self-signed certificate” (page 74).

Prerequisites
• Minimum required privileges: Infrastructure administrator.
• Gather the information for the request, as required by the CA.
• Obtain the CA’s challenge password.

Creating a certificate signing request
1. From the main menu, select Settings.
2. Select Actions→Create certificate signing request.
3. Supply the data requested on the screen.
4. Click OK.
5. Copy the certificate request data from the dialog box and send it to the CA. The CA designates how and where to send the certificate request data.
6. Click OK.

Next steps: After you receive the certificate from the CA, import the certificate. See Import a certificate.

3.10.4 Create a self-signed certificate

The appliance uses a certificate for authentication over SSL. The certificate contains a public key, and the appliance maintains the corresponding private key, which is uniquely tied to the public key.

A self-signed certificate indicates that a host vouches for itself, which, in some cases, might be adequate. By default, browsers do not trust self-signed certificates and display a warning.

A more secure alternative is a certificate issued by a third-party certificate authority. For information on these certificates, see “Create a certificate signing request” (page 73).

Prerequisites
• Minimum required privileges: Infrastructure administrator

Creating a self-signed certificate
1. From the main menu, select Settings.
2. Click Security.
3. Select Actions→Create self-signed certificate.
4. Supply the data requested on the screen.
5. Enter optional information, as needed.
6. Click OK.
7. Verify that the certificate was created. The certificate information is shown on the screen.

3.10.5 Import a certificate

After sending a certificate signing request to the CA and receiving a certificate, you must import it.

Prerequisites
• Minimum required privileges: Infrastructure administrator.
• Ensure that no other users are logged in to the appliance.

Importing a certificate
1. From the main menu, select Settings.
2. Click Security.
3. Select Actions→Import certificate.
4. Copy the certificate text and paste it into the box provided.
5. Click OK.
6. After the appliance web server restarts and reconnects, log in to the appliance.
3.10.6 View the Certificate settings

Prerequisites
• Minimum required privileges: Infrastructure administrator, Backup administrator, Read only

Viewing the Certificate settings
1. Navigate from the main menu to the Settings screen.
2. Select Overview→Security→Certificate.

3.10.7 Downloading and importing a self-signed certificate into a browser

The advantage of downloading and importing a self-signed certificate is to circumvent the browser warning.

In a secure environment, it is never appropriate to download and import a self-signed certificate, unless you have validated the certificate and know and trust the specific appliance.

In a lower security environment, it might be acceptable to download and import the appliance certificate if you know and trust the certificate originator. However, Hewlett Packard Enterprise does not recommend this practice.

Microsoft Internet Explorer and Google Chrome share a common certificate store. A certificate downloaded with Internet Explorer can be imported with Google Chrome as well as Internet Explorer. Likewise, a certificate downloaded with Google Chrome can also be imported by both browsers. Mozilla Firefox has its own certificate store, so a certificate for Firefox must be downloaded and imported with that browser only.

The procedures for downloading and importing a self-signed certificate differ with each browser.

Downloading a self-signed certificate with Microsoft Internet Explorer
1. Click in the Certificate error area.
2. Click View certificate.
3. Click the Details tab.
4. Verify the certificate.
5. Select Copy to File...
6. Use the Certificate Export Wizard to save the certificate as a Base-64 encoded X.509 file.

Importing a self-signed certificate with Microsoft Internet Explorer
1. Select Tools→Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click Import.
5. Use the Certificate Import Wizard.
   a. When it prompts you for the certificate store, select Place….
   b. Select the Trusted Root Certification Authorities store.
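The "Verify the certificate" step above can be checked outside the browser before the exported file is placed in a trusted store. The following is an added example, not part of the HPE guide: it computes the fingerprint of a Base-64 encoded X.509 export and compares it with the fingerprint recorded from the appliance's Settings→Security screen. The function names are hypothetical and the sample certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)
# Length of the hex digest -> hash algorithm used for the fingerprint.
DIGEST_BY_LENGTH = {40: "sha1", 64: "sha256"}

# Constructed stand-in for the DER bytes of an exported appliance certificate.
# A fingerprint is a hash over the DER bytes, so any byte string shows the check.
SAMPLE_DER = b"constructed stand-in for the appliance certificate DER bytes"
# Windows exports use CRLF line endings; build the sample the same way.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii").replace("\n", "\r\n")
    + "-----END CERTIFICATE-----\r\n"
)


def pem_to_der(pem_text):
    """Decode a Base-64 encoded X.509 export holding exactly one certificate."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop line breaks and padding whitespace, then decode strictly.
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if len(hexdigits) not in DIGEST_BY_LENGTH:
        raise ValueError("fingerprint must be a SHA-1 or SHA-256 digest")
    if re.fullmatch(r"[0-9a-f]+", hexdigits) is None:
        raise ValueError("fingerprint contains non-hexadecimal characters")
    return hexdigits


def fingerprint_matches(pem_text, recorded_fingerprint):
    """True only if the exported certificate hashes to the recorded value."""
    expected = normalize_fingerprint(recorded_fingerprint)
    algorithm = DIGEST_BY_LENGTH[len(expected)]
    actual = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest()
    # Constant-time comparison; the length was already checked above.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # In practice the recorded value is read from the appliance UI by an
    # administrator who is already logged in; here it is derived from the sample.
    recorded = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    recorded = ":".join(recorded[i:i + 2] for i in range(0, len(recorded), 2))
    print("match:", fingerprint_matches(SAMPLE_PEM, recorded))
    print("mismatch:", fingerprint_matches(SAMPLE_PEM, "00" * 32))
```

A mismatch means the file exported through the browser is not the certificate the appliance reports, and it should not be imported.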
3.10.8 Verifying a certificate

You can verify the authenticity of the certificate by viewing it with your browser.

After logging in to the appliance, choose Settings→Security to view the certificate. Make note of these attributes for comparison:
• Fingerprints (especially)
• Names
• Serial number
• Validity dates

Compare this information to the certificate displayed by the browser, that is, when browsing from outside the appliance.

3.11 Nonbrowser clients

The appliance supports an extensive number of REST APIs. Any client, not just a browser, can issue requests for REST APIs. The caller must ensure that they take appropriate security measures regarding the confidentiality of credentials, including:
• The session token, which is used for data requests.
• Responses beyond the encryption of the credentials on the wire using HTTPS.

3.11.1 Passwords

Passwords are likely displayed and stored in clear text by a client like cURL. Take care to prevent unauthorized users from:
• Viewing displayed passwords
• Viewing session identifiers
• Having access to saved data

3.11.2 SSL connection

The client should specify HTTPS as the protocol to ensure SSL is used on the network to protect sensitive data. If the client specifies HTTP, it will be redirected to HTTPS to ensure that SSL is used.

The appliance certificate, which the client requires, allows the SSL connection to succeed. A convenient way to obtain a certificate is to use a browser pointed at the appliance; for more information on obtaining a certificate with a browser, see “Managing certificates from a browser” (page 72).

3.12 Ports required for HPE OneView

HPE OneView requires specific ports to be available to the appliance to manage servers, enclosures, and interconnects.

Table 1 Ports required for HPE OneView

Port number | Protocol | Use | Description
22 | TCP | Inbound and Outbound | Used for SSH and SFTP.
SSH is required to communicate with VC Ethernet and FlexFabric interconnect modules. SFTP is required for actions such as firmware upgrades and support dumps.
80 | TCP | Inbound | Used for the HTTP interface. Typically, this port redirects to port 443; this port provides the access required by the iLO.
123 | UDP | Inbound | HPE OneView acts as an NTP server; iLO and Onboard Administrator require access.
123 | UDP | Outbound | Used as an NTP client to synchronize the appliance time.
161 | UDP | Outbound | Supports SNMP GET calls to obtain status data from a server through iLO. Also used for iPDU.
162 | UDP | Inbound | Used for SNMP trap support from the iLO, Onboard Administrator, and iPDU devices. This port is also used to monitor the VC interconnects and trap forwarding.
443 | TCP | Inbound | Used for the HTTPS interface to user interface and APIs.
443 | TCP | Outbound | Used for secure SSL access to the iLO and Onboard Administrator. Used for Redfish, RIBCL, SOAP, and iPDU communication.
2162 | UDP | Inbound | Used as an alternative SNMP trap port.
5671 | TCP | Inbound | Allows external scripts or applications to connect to and monitor messages from the SCMB (State-Change Message Bus).
17988 | TCP | Outbound | Used for virtual media access to the iLO from HPE OneView.
17990 | TCP | Browser to iLO | Provides browser access to the remote console.

3.13 Controlling access to the appliance console

Use the hypervisor management software to restrict access to the appliance, which prevents unauthorized users from accessing the password reset and service access features. See “Restricting console access” (page 78).

Typical legitimate uses for access to the console are:
• Troubleshooting network configuration issues
• Resetting an appliance administrator password
  For information on how to reset the administrator password, see “Reset the administrator password” (page 281).
• Enabling service access by an on-site authorized support representative

The virtual appliance console is displayed in a graphical console; password reset and Hewlett Packard Enterprise Services access use a non-graphical console.

Switching from one console to another (VMware vSphere and Microsoft Hyper-V)
1. Open the virtual appliance console.
2. Press and hold Ctrl+Alt.
3. Press and release the space bar (VMware vSphere only).
4. Press and release F1 to select the non-graphical console or F2 to select the graphical console.

Switching from one console to another (KVM)
1. Open the Virtual Machine Manager.
2. In the Menu bar, select Send Key→Ctrl+Alt+F1 for the non-graphical console or select Send Key→Ctrl+Alt+F2 for the graphical console.

3.13.1 Enable or disable authorized services access

When you first start up the appliance, you can choose to enable or disable access by on-site authorized support representatives. By default, on-site authorized support representatives are allowed to access your system through the appliance console and diagnose issues that you have reported.

Support access is privileged, which enables the on-site authorized support representative to debug any problems on the appliance. Access to the services access account requires the technician to obtain a one-time password using a challenge/response mechanism similar to the one for a password reset.

Any time after the initial configuration of the appliance, an Infrastructure administrator can enable or disable services access through the UI with the following procedure:

Prerequisites
• Minimum required privileges: Infrastructure administrator

Enabling or disabling authorized services access
1. From the main menu, select Settings.
2. Click the Edit icon in the Security panel. The Edit Security window opens.
3. Select the appropriate setting for Service console access:
   • Disabled to prevent access to the console.
   • Enabled to allow access to the console.
4. Click OK.

You can also use the /rest/appliance/settings REST API to enable or disable services access.

CAUTION: Hewlett Packard Enterprise recommends that you enable access. Otherwise, the authorized support representative will not be able to access the appliance to troubleshoot issues.

3.13.2 Restricting console access

You can restrict console access to the virtual appliance through secure management practices of the hypervisor itself.

For VMware vSphere, this information is available from the VMware website: http://www.vmware.com
In particular, search for topics related to vSphere's Console Interaction privilege and best practices for managing VMware's roles and permissions.

For Microsoft Hyper-V, restrict access to the console through role-based access. For information, see the Microsoft website: http://www.microsoft.com

3.14 Files you can download from the appliance

You can download the following data files from the appliance:
• Support dump: By default, all data in the support dump is encrypted and accessible by an authorized support representative only.
• Backup file: All data in the backup file is in a proprietary format. Hewlett Packard Enterprise recommends that you encrypt the file according to your organization's security policy.
• Audit logs: Session IDs are not logged, only the corresponding logging IDs are logged. Passwords and other sensitive data are not logged.

4 Navigating the graphical user interface

4.1 About the graphical user interface

To learn the names of common areas, icons, and controls on a UI screen, see the numbered descriptions that appear after the image.

Figure 3 Screen topography

1 HPE OneView main menu: The primary menu for navigating to resources. Click the icon or click anywhere in the area to expand the menu.
2 View selector: Enables you to control the information displayed about a resource so that you can focus only on what you are interested in.
3 Map view icon: Provides a graphical representation of the relationships between the selected resource and other resources. To see these relationships, select the icon or select the Map view in the view selector.
4 Actions menu: Provides the actions that are available to run on the current resource. Actions include, but are not limited to: adding, creating, deleting, removing, and editing a resource instance. If you do not have the appropriate permissions to perform an action, the action does not appear on the Actions menu.
5 Activity control: Expands (or hides) a sidebar of recent appliance, resource, or user activity (from the current login session and browser window).
6 Session control: Tracks who is currently logged in to the appliance and the duration of each login session. Also enables you to and edit some user account information, depending on your user credentials.
7 Help control: Expands (or hides) a sidebar which provides access to UI and REST API help, the EULA and Written Offer, and the HPE OneView online user forum.
8 Activity sidebar: Shows recent alerts and task activity for the current resource. Use the Activity control icon to open (or close) this sidebar.
9 Details pane: Provides all information known about a selected resource instance. To see details about a particular resource instance, click its name in the master pane.
10 Master pane: Lists all resource instances that have been configured on the appliance. In some cases, a status icon indicates general health of the resource.

In addition to the screen components shown in Figure 3 (page 79), every UI screen has a notifications area that notifies you when an event or activity requires your attention.
Some screens also have a filters sidebar that enables you to control the type of information displayed in the master pane.

4.2 Activity sidebar

4.2.1 About the Activity sidebar

The Activity sidebar shows tasks initiated during the current session. The most recent task is displayed first.

Task notifications provide information (including in-progress, error, and completion messages) about tasks that were launched.

The Activity sidebar differs from the Activity screen because it displays only recent activity. The Activity screen, in contrast, displays all activities and allows you to list, sort, and filter them. For more information, see “About Activity” (page 311).

Click an activity to show more details.

4.2.2 Activity sidebar details

The Activity sidebar shows task activities generated during your current login session.

Component | Description
Shows recent task activity generated during your login session. When the Activity sidebar is closed, the number of alert or task notifications that have not yet been viewed appears next to the Activity icon.
Activity | Describes the alert or task and the affected resource. A health status icon indicates the current status of the resource associated with the activity.

4.2.3 Expand or collapse the Activity sidebar

Prerequisites
• Minimum required privileges: Network administrator, Server administrator, Infrastructure administrator, Backup administrator, Read only

Expanding or collapsing the Activity filter sidebar
1. Use the right pin icon to expand the Activity filter sidebar. Use the left pin icon to collapse the Activity filter sidebar.
2. Select an activity to reveal more details.

Next step: Filter activities.

4.3 Audit tracking

Change tracking provides a history of the changes you make within an action dialog box, such as an add action.

Click the icon in the lower left corner in the dialog to view the changes.
Figure 4 Expanded view of audit tracking

4.4 Banner and main menu

The main menu is the primary method for navigating to resources and the actions that can be performed on them. To expand the main menu, click inside the main menu area of the banner.

Figure 5 Banner

The main menu provides access to resources; each resource screen contains an Actions menu.
• If you are not authorized to view a resource, that resource does not appear in the main menu.
• If you do not have the appropriate permissions to perform an action, the action does not appear on the Actions menu.

Figure 6 Expanded main menu

4.5 Browsers

For general information about browser use, see the following topics:
• “Browser best practices for a secure environment” (page 82)
• “Commonly used browser features and settings” (page 82)
• “Browser requirements” (page 83)
• “Set the browser for US or metric units of measurement” (page 83)

4.5.1 Browser best practices for a secure environment

Best practice | Description
Use supported browsers | See the HPE OneView Support Matrix to ensure that your browser and browser version are supported and the appropriate browser plug-ins and settings are configured.
Log out of the appliance before you close the browser | In the browser, a cookie stores the session ID of the authenticated user. Although the cookie is deleted when you close the browser, the session is valid on the appliance until you log out. Logging out ensures that the session on the appliance is invalidated.
NOTE: If you close the browser, any open sessions will be invalidated within 24 hours.
Avoid linking to or from sites outside of the appliance UI | When you are logged in to the appliance, avoid clicking links to or from sites outside the appliance UI, such as links sent to you in email or instant messages. Content outside the appliance UI might contain malicious code.
• Use a different browser to access sites outside the appliance: When you are logged in to the appliance, avoid browsing to other sites using the same browser instance (for example, via a separate tab in the same browser). For example, to ensure a separate browsing environment, use Firefox for the appliance UI, and use Chrome for non-appliance browsing.

4.5.2 Commonly used browser features and settings

Feature / Description
• Screen resolution: For optimum performance, the minimum screen size is 1280 × 1024 pixels for desktop monitors and 1280 × 800 for laptop displays. The minimum supported screen size is 1024 × 768 pixels.
• Language
• Close window: You can close browser windows at any time. Closing the window while you are logged in invalidates your session after 24 hours.
• Copy and paste: You can select and copy most text, with the exception of text in images. You can paste text into text entry boxes.
• Search in a screen: Press Ctrl+F to search for text in the current screen.
• Local history: Right-click the browser back button to view the history of the active tab. Use this feature to determine how you arrived at the current screen.
• Back and forward buttons: You can use the browser back and forward buttons to navigate the UI.
  NOTE: Pop-up dialog boxes are not considered screens. If you click the back button while a pop-up dialog box is displayed, you return to the previous screen. If you click the forward button to go to a pop-up dialog box, you go instead to the screen with the link to the pop-up dialog box.
  The exceptions are screens that you access directly from the Actions menu. If you use the browser navigation buttons with these screens, you lose any unsaved changes you made on the screens.
• Bookmarks: You can create bookmarks for commonly-used screens. You can email these links to other users, who must log in and have the appropriate authorization for the screen.
• Open screens in a new tab or window: Right-click a hyperlink in the appliance to a resource or screen to open the link in a new tab or window.
  NOTE: If you right-click a link while in an edit screen, the actions you take on another screen do not automatically refresh the form in the first screen.
• Browser refresh: If you click the browser refresh button to refresh a screen on which you have added but not saved information, you lose the information.
• Zoom in/zoom out: Use the zoom in or zoom out feature to increase or decrease the text size.

4.5.3 Browser requirements

The appliance has specific browser requirements that can affect its use. The following browsers are supported:
• Microsoft Internet Explorer: Version 10 and Version 11
• Mozilla Firefox: ESR Version 17, Personal edition (latest version)
• Google Chrome (latest version)

4.5.4 Set the browser for US or metric units of measurement

To configure how units of measurement are displayed—either in United States (US) or metric units—change the region portion of the language setting in your browser. Metric units are used for all regions except the United States region. Specify the United States as your region code if you want United States customary units. Specify any other region code if you want metric units.

Table 2 Set US or metric units of measurement

Browser / Procedure

Google Chrome
1. Click the Google menu icon.
2. Select Settings→Show advanced settings...
3. Scroll down to Languages and click Language and input settings...
4. Click Add and then select the language you want to use.
5. Restart the browser to apply your changes.

Microsoft Internet Explorer
The browser locale and regions locale are derived from your Windows settings.
1. Select Tools→Internet Options→General (tab)→Languages→Language Preference.
2. Specify your own language tags.
Click the Add button in the Language Preferences dialog box, and then enter your language tag in the User-defined box.
3. Click OK.
4. Restart the browser to apply your changes.

Mozilla Firefox
The browser locale and regions locale are derived from the version of Firefox you are running.
1. Select Tools→Options→Content→Languages→Choose.
2. Select your preferred language and then click OK.
3. Restart the browser to apply your changes.

4.6 Button functions

UI buttons have the same function, whether they appear on screens or dialog boxes.

Table 3 Standard UI buttons

Button / Description
• Add and Add +: Adds items from your data center environment for management or monitoring.
  ◦ Add adds a single item and closes the screen or dialog box.
  ◦ Add + enables you to add another item in the same dialog box.
• Create and Create +: Creates logical constructs used by the appliance (such as server profiles, logical interconnect templates, and network sets).
  ◦ Create creates a single item and closes the screen or dialog box.
  ◦ Create + enables you to create another item in the same session.
• Close: Closes a screen or dialog box and returns you to the previous screen.
• Cancel: Discards unsaved changes on a screen or dialog box and then closes the screen or dialog box.
• OK: Confirms and saves your entries and then closes the screen or dialog box.

4.7 Filters sidebar

Some resource screens have a Filters sidebar that enables you to control the amount and type of information displayed in the details pane.

Figure 7 Filters sidebar

1 Pin control: Switches between the Filters sidebar and Filters banner bar when clicked. When the filter banner is in view, the filter headings display across the screen below the resource title. Click the filter name to access the filter options when in the banner bar view.
2 Filtering criteria enables you to refine the information displayed for a resource in the master pane.

4.8 Help sidebar

Click the icon in the banner to open the help sidebar. The help sidebar provides hyperlinks to the help system, open source code used in the product, partner program, initial configuration procedures, license agreement, written offer, and the online user forum.

Figure 8 Help sidebar

1 Opens context-sensitive help for the current screen in a new browser window or tab.
2 Opens the top of the help contents in a new browser window, which enables you to navigate to the entire table of contents for the UI help.
3 Opens the top of the REST API Reference contents in a new browser window, which enables you to navigate to the entire table of contents for the REST API Reference.
4 Opens a new browser window to the Composable Infrastructure partner program website.
5 Opens the first-time setup help in a new browser window, which guides you through initial configuration tasks to make your data center resources known to the appliance and bring them under management.
6 Displays the End-User License agreement (EULA).
7 Displays the Written offer, which describes the open source products used by HPE OneView.
8 Opens a new browser window to the online user forum where you can share your experiences using HPE OneView and pose or answer questions.

4.8.1 View the End-User License agreement

Use this procedure to view the End-User License agreement for HPE OneView.

Viewing the End-User License agreement
1. Click the icon in the banner to open the Help sidebar.
2. Click End-User License agreement.

4.8.2 View the Written Offer

Use this screen to review the Written offer, which describes how to send a request for source code, as stipulated under applicable third-party licenses.

Viewing the Written Offer
1. Click the icon in the banner to open the Help sidebar.
2. Click Written Offer.
4.9 Appliance status screens

Depending on certain conditions and situations, status screens will provide recommendations for corrective action or troubleshooting hints and tips. Should those screens appear, refer to the following topics for more information.

4.9.1 Starting

The appliance is starting up or restarting. Initially, a rotating in-progress icon is displayed, eventually followed by a progress bar. As web applications for the appliance become active, a progress bar advances. On completion, the login screen displays.

4.9.2 Oops

The appliance encountered a serious error and could not recover from it. Restarting the appliance might resolve the error. The error message will advise you to create a support dump file and contact your authorized support representative.

4.9.3 Updating the appliance

An appliance update is in progress. The appliance will restart after it is updated and you will be presented with a login screen. This restart will not disrupt the operation of the systems under management.

4.9.4 Temporarily unavailable

The appliance is off-line or unresponsive. This screen is also displayed after you shut down the appliance.

4.9.5 Resetting

The appliance is currently being reset to its original, factory defaults. The factory reset operation has the option to preserve or destroy the appliance network settings. If they were destroyed, you will need to reset the network settings.

After the reset operation is complete, you need to determine the IP address to use in the browser window so that you can log in to the appliance. Do one of the following to configure the appliance:
• Restore the appliance from a backup file. See “Restore an appliance from a backup file” (page 291)
• Configure the appliance manually. See “Initial configuration of resources in HPE OneView” (page 127).
More information
“About the factory reset operation” (page 474)

4.9.6 Waiting

The appliance is currently waiting for resources:
• To become available while it is restarting. The Starting status screen displays when those resources are available.
• To become available while it is being updated. The Updating status screen displays when those resources are available.
• To quiesce while it is shutting down. The Temporarily unavailable status screen will be displayed.

There is also the possibility that the appliance encountered an error. In that case, the Oops status screen will be displayed.

4.10 Icon descriptions

HPE OneView uses icons as user controls and to show the current status of resources and activities.
• “Status and severity icons” (page 87)
• “User control icons” (page 87)
• “Informational icons” (page 88)

4.10.1 Status and severity icons

Each row lists what one status icon (shown in a large and a small size) means for a resource, an activity, and a task:
• Resource: Critical; Activity: Critical; Task: Failed/Interrupted
• Resource: Warning; Activity: Warning; Task: Warning
• Resource: OK; Activity: Informational; Task: Success
• Resource: Disabled; Task: Canceled
• Resource: Unknown

An In progress rotating icon indicates that a change is being applied or a task is running. This icon can appear in combination with any of the resource states.

4.10.2 User control icons

Name / Action
• Expand menu: Expands a menu to show all options
• View details: Identifies a title that has additional information. Clicking the title changes the view to display details.
• Expand: Expands a collapsed list item
• Collapse: Collapses an expanded list item
• Edit: Enables editing
• Delete or remove: Deletes the current entry
• Search: Searches for the text you enter in the Search box. This is especially useful for finding types of resources or specific resources by name.
• Pin: The left pin expands or collapses the Filters sidebar. The right pin expands or collapses the Activity sidebar or Help sidebar.
• Sort: Determines whether items are displayed in ascending or descending order

4.10.3 Informational icons

Name / Description
• Map: Provides a graphical representation of the relationships between the current resource and other resources
• Activity control: Provides a recent history of user and appliance initiated tasks and alerts
• Session control: Displays your login name and the duration of your current session. Also provides a link you can use to log out of the appliance. To change your full name, password, and contact information, click the Edit icon next to your login name.
• Help control:
  ◦ When this icon is at the top of a dialog box, you can click it to open context-sensitive help for that topic in another window or tab.
  ◦ In the banner, this icon expands or collapses the Help sidebar, where you can browse the help documentation or find help on the screen currently displayed. The help sidebar provides the following:
    – A Help on this page hyperlink to access context-sensitive help for the current screen
    – A Browse help hyperlink to access the entire help system
    – Links that you can use to display the EULA and the Written Offer.
    – A link to the HPE OneView Forum, an online forum for customers and partners to share their experiences and pose questions related to using HPE OneView. Community members as well as Hewlett Packard Enterprise representatives are welcome to assist with answering questions.

4.11 Labels screen details

The Labels view enables you to view the labels for a resource. Labels can be used to organize resources into groups. For example, you might want to identify the servers that are used primarily by the Finance team, or identify the storage systems assigned to the Asia/Pacific division. You can filter and search for labels across all resource types or within a specific resource.
4.12 Map view screen details

The Map view enables you to examine the configuration and understand the relationships between logical and physical resources in your data center. This view gives you immediate visibility into your resources from the individual Ethernet, Fibre Channel, and FCoE networks all the way up to the enclosure, rack, and top-level physical data center. The Map view was designed to be highly interactive and useful even at scale.

To open the relationship view for a resource, do one of the following:
• Select Map from the view selector.
• Select the icon.

Providing context for a resource can be helpful when troubleshooting problems with the resource. By looking at the Map view, you can determine if anything related to the resource is also having a problem. A status icon indicates the general health of the resource and provides a quick path to track errors.

Figure 9 Sample Map view

The selected resource is located at the center of the Map view. Everything above the resource is an ancestor; everything below the resource is a descendant. A connecting line between boxes indicates a direct relationship, such as servers in an enclosure. Use your pointer to hover over any resource to see its direct relationships to other resources. Other items can be indirectly related to the resource, such as logical interconnect groups and server profiles.

Click any resource that appears in a relationship view to open its specific Map view.

4.13 Notifications area

The notifications area on a resource UI screen appears when an activity (an alert or task) has affected the resource, which might require your attention.

By default, one line of information appears in the notifications area. Click anywhere in the yellow box to expand the notifications area and view more information associated with the activity. Click again to collapse the notifications area.

Figure 10 Notifications area
1 A collapsed notifications area (the default). Select All to view all activity associated with the resource.
2 An expanded notifications area, which provides resolutions for critical or warning alerts that require your attention, with links to Details, when they are available.

4.14 Log out of the appliance

1. Click the Session control icon in the banner.
2. Select Logout.

4.15 Organizing resources into groups by assigning labels

Labels identify resources so you can organize them into groups. After labeling your resources, you can quickly view them by searching on the labels.

Prerequisites
• Required privileges: Edit privileges for the resource

Adding a new label to a resource
1. From the main menu, select the resource, and then select the resource instance you want to label.
2. Select Labels from the view selector.
3. Select the icon.
4. Follow these guidelines to create a label name:
   • Labels are not case sensitive, but are displayed as entered.
   • Labels must be alphanumeric and a maximum of 80 characters. Labels can contain spaces.
5. Click Add. The new labels are shown.
6. Click OK to add the labels to this resource.

Adding an existing label to a resource
1. From the main menu, select the resource category, and then select the resource instance you want to label.
2. Select Labels from the view selector.
3. Select the icon.
4. Determine if you want to search for all labels or for a specific label.
   • To search for all labels for this resource type, click the icon. Scroll through the list to find the label you want.
   • To search for a specific label, in the Name box, enter an existing label name or a portion of the name, and then click the icon.
5. Select the existing label and click Add.
6. Click OK to add the label to the resource.

Removing a label from a resource
1. From the main menu, select the resource, and then select the resource instance from which you want to remove a label.
2. Select Labels from the view selector.
3. Select the icon.
4. Click the Delete icon for the label you want to remove from this resource.
5. Click OK to remove the label from the resource.

Searching for resources by label
1. Click in the Smart Search box and enter labels: followed by the label name.
   TIP: Enter complete words or names as your search criteria. Partial words or names might not return the expected results. To search for a label with a space, enter the label name in quotes. For example, labels:"Asia Pacific Division".
2. Determine if you want to search for a specific label for the resource type, or search for a label across all resource types.
   • To search for a label for a specific resource type:
     a. Select the Scope for the resource type.
     b. Press Enter. The resources that share that label are shown.
   • To search for a label across all resource types:
     a. Select Everything for the Scope.
     b. Press Enter. A search results page lists the top matches for all resource types.
     c. Click on a resource instance (a hyperlink) on the results page to go to that resource. The Overview view for the resource is shown.

4.15.1 View resources by label

On most screens, you can filter the view of resource instances based on their label. The default filter is All labels, which shows all resource instances.
To filter the view based on a specific label or labels, select the label or labels from the Labels menu. All resource instances with those labels are shown. To clear selected label filters, select All labels.

NOTE: Up to 100 labels are shown for the resource. If you do not see the label you are looking for, see Searching resources using labels.

Figure: Filter resources using labels

4.16 Performing an action on multiple resources

For some actions, you can select multiple resources in the master pane rather than performing the action on one resource at a time. For example, you can power on many server blades with one operation. Each action on a resource instance is logged individually in the Activity screen.

If the action cannot be performed on a specific resource instance, the resource is excluded from the action. For example, if you try to power on a server that is already powered on, the action is not performed on that server. Opening the for an action displays the results, which in this example, shows that one server was powered on and two were excluded:

If any resource is excluded from the action, a critical or warning icon is displayed. A resource is excluded if the action is not possible, such as attempting to delete a server profile for a powered-on server. If multiple resources are excluded, select a single resource and try the action again to determine why a resource was excluded.

Use the following key combinations to select multiple resources in the master pane:
• To select a contiguous range of objects, select the resource at the beginning of the range and press Shift and hold as you select the end of the range.
• To select individual objects, press Ctrl and hold as you point to and select each object.
Use the Ctrl key to unselect any previously-selected objects.

4.17 Search help topics

1. On any screen, click the icon in the banner to open the help sidebar.
2. In the Help sidebar, select Help on this page. Context-specific help appears in a separate browser window.
3. In the new browser window where the help is displayed, click Search at the top of the left navigation pane, next to the Contents and Index links.

   Figure 11 UI help search box

4. Enter a search term in the Search box.
5. Press Enter or click List Topics to start the search process. Search results are presented as links to the sections in which the search term appears.
6. Scan the search results for the section title or titles that best match what you are looking for, and click the link to view the content. Each instance of your search term is highlighted in yellow for easy identification.

More information
“Help search features and limitations” (page 94)

4.17.1 Help search features and limitations

Features
• Case sensitivity: By default, searches are case-insensitive. The Case sensitive check box enables you to search matching the case of the word or phrase you enter.
• Full word and phrase matches: You can search for full or hyphenated words. Phrase search enables you to search for documents containing an exact sentence or phrase by entering the search text in double quotes ("). Do not include special characters in the search text of a phrase search.
• Wildcard characters: The wildcard feature enables you to replace individual letters, or sequences of letters, within the search word. Use a question mark (?) to replace a single character. Use an asterisk (*) to represent several (or zero) characters.
• Keyboard pasted characters: When entering a search keyword, you may find it useful to copy it from another window, right-click in the text box, and select Paste.
• Boolean operators: This feature lets you combine keywords with the Boolean operators to produce more relevant results: Use a space character for Boolean AND. Use either OR or or for Boolean OR. Use a hyphen character (-) for NOT.
• Auto complete: Auto-complete monitors what you are typing and, after typing the first few characters, displays a list of suggested words. If one of those words matches what you intended to type, you can select it from the list.
• Highlighting: Search highlighting highlights the searched key words or phrase in the resulting documents.
• Fuzzy search: Like a spelling corrector, a fuzzy search tries to correct misspelled search text and suggests corrected text.
• Proximity search: Proximity search looks for documents where two or more word occurrences are at most ten words apart. The proximity search operators are NEAR and FBY (meaning “followed by”). These operators can be entered in upper or lower case.
• Synonym search: This feature suggests links to synonyms of the keyword.

Limitations
• Special characters: Special characters are not allowed in word search. The search function does not return topics or index entries that contain special characters, such as the copyright symbol. The backslash character (\) is not allowed inside a phrase.
• Hyphen: The search function does not return topics or index entries that contain a hyphen.
• Common words: The search feature does not return common words such as a, an, and the.
• Initials: The search function does not return topics or index entries that contain initials, such as L.P.
• Boolean searches: Boolean operator names must be entered in English. The AND and OR Boolean operators cannot be combined in a search text. NOT operators must be at the end of the search string.
• Proximity searches: The proximity operators must be entered in English.
More information
“Search help topics” (page 93)

4.18 Search resources

The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as specific instances of resource names, serial numbers, WWNs (World Wide Names), and IP and MAC addresses. In general, anything that appears in a resource master pane is searchable.

Smart Search makes locating resources easy, enabling you to inventory or take action on a desired set of devices. Perhaps you are looking for all resources in a given enclosure or need to find one server using a certain MAC address. Smart Search instantly gives you the information you are seeking.

The default search behavior is to focus on the resource you are currently viewing. However, to broaden the scope of your search across all resources, you must select the option to search Everything, which searches all resources.

Search the current resource
1. Click in the Smart Search box.
2. Enter your search text and press Enter.
The search results are focused in your current location in the UI.

Search all resources
1. Click in the Smart Search box.
2. Select Everything.
3. Enter your search text and press Enter.

Some resources might not include the option to choose between the current resource or everything, in which case the default search is for everything.

When you start typing, search suggestions are provided based on pattern matching and previously-entered search criteria.
• You can either select a suggestion (the screen displays data containing that selection) or press Enter.
• If your search term is a resource, then the list of resources in a master pane is filtered to match your search input.

TIP:
• Enter complete words or names as your search criteria. Partial words or names might not return the expected results.
• If you enter a multi-word search term, results show matches for all words you enter.
• Enclose a search term in double quotes (") if the search term contains spaces.

When you find what you are looking for in the search results, which are organized by type, select the item to navigate to it.

NOTE: The Smart Search feature does not search the help system. To learn how to search the UI and REST API help, see “Search help topics” (page 93).

The most recent filter selection is displayed in the Smart Search box.

Table 4 Advanced searching and filtering with properties

Each entry gives an example of advanced filtering syntax, followed by its search results.

By model name:
• model:"BladeSystem c7000 Enclosure G2"
• model:"ProLiant BL460c Gen8"
• model:"VC 8Gb 20-Port FC Module"
  Search results: All hardware that matches the model number and name.

By name or address:
• name:enclosure10
  Search results: An enclosure with the name enclosure10.
• name:"192.0.2.0, PDU 1"
  Search results: A power delivery device with the name 192.0.2.0, PDU 1.
• name:"192.0.2"
  Search results: A list of physical machines whose IP addresses begin with 192.0.2.
• name:"mysystem"
  Search results: A list of physical machines for which the host name is mysystem.

By health status:
• status:Critical
  Search results: All resources that are in a critical state. For other health status values, see “Activity statuses” (page 315).

By associated resource:
• Associated resource category:Networks"
  Search results: All networks

By user role:
• roles:"network administrator"
  Search results: All users (by name) assigned with the Network administrator role. For other values for role, see “About user roles” (page 274).

By owner:
• owner:Administrator
  Search results: All resources and messages owned by the Infrastructure administrator.

By date:
• created:<7d
  Search results: Created within the last 7 days.

Refine results by combining properties:
A space character separating two of the same object operates as a logical OR.
• model:"ProLiant BL460c Gen8" model:"ProLiant BL460c Gen9"
  Search results: All ProLiant BL460c Gen8 and ProLiant BL460c Gen9 hardware.
• status:Critical status:Warning
  Search results: All resources that are in either a critical or warning state.

A space character separating two dissimilar objects operates as an AND.
• owner:Administrator firmware
  Search results: All activities owned by the Administrator and related to firmware.
• NTP status:critical
  Search results: All critical messages related to NTP.
• status:unknown state:locked owner:Administrator
  Search results: All messages with unknown status, having a locked state, and owned by Administrator.

Combining AND and OR operations
The OR operator is useful for specifying similar objects. The AND operator is useful for combining dissimilar objects.
• status:critical OR status:disabled
  Search results: All messages with either a Critical or Warning status.
• name:host.example.com status:Critical status:Warning
  Search results: All messages with either a Critical or Warning status and related to the resource host.example.com.
• associatedresourcecategory:network OR associatedresourcecategory:Network sets
  Search results: All messages pertaining to either the Network or Network Sets resource categories.
• associatedresourcecategory:power-devices AND status:warning OR status:critical
  Search results: All Critical or Warning messages for the power devices resource category.

NOT operation
• status:Warning NOT model:"ProLiant BL465c G7"
  Search results: All messages with a Warning status except those that apply to ProLiant BL465c G7 models
  NOTE: You can only use NOT once in a query. NOT operators that follow are treated as text.

4.18.1 Clear the Smart Search box

The Smart Search box retains filter options. Use this procedure to clear it before entering a search parameter.

Clearing the Smart Search box
1. From the main menu, navigate to the Activity screen.
2. Click Reset in the Activity heading or the Activity filter sidebar.

4.19 View resources according to their health status

On most screens, you can filter the view of resource instances based on their health status, which might be useful for troubleshooting or maintenance purposes.
The default filtering is All statuses, which means that all resource members are shown, regardless of their health status.

To filter that view based on a specific health status, select the health status you are interested in viewing from the Status menu. For more information about health status icons and what they mean, see “Icon descriptions” (page 87).

Figure 12 Filter resource instances by their health status

4.19.1 Reset the health status view

To return to the default view, All statuses, click the Reset link.

5 Using the REST APIs and other programmatic interfaces

REST (Representational State Transfer) is a web service that uses basic CRUD (Create, Read, Update and Delete) operations performed on resources using HTTP POST, GET, PUT, and DELETE. To learn more about REST concepts, see http://en.wikipedia.org/wiki/Representational_state_transfer.

The appliance has a resource-oriented architecture that provides a uniform REST interface. Every resource has one URI (Uniform Resource Identifier) and represents a physical device or logical construct. You can use REST APIs to manipulate resources.

5.1 Resource operations

RESTful APIs are stateless. The resource manager maintains the resource state that is reported as the resource representation. The client maintains the application state and the client might manipulate the resource locally, but until a PUT or POST is made, the resource as known by the resource manager is not changed.
Operation: Create
    HTTP verb: POST resource URI (payload = resource data)
    Description: Creates new resources. A synchronous POST returns the newly created resource. An asynchronous POST returns a TaskResource URI in the Location header. This URI tracks the progress of the POST operation.

Operation: Read
    HTTP verb: GET resource URI
    Description: Returns the requested resource representation(s)

Operation: Update
    HTTP verb: PUT resource URI (payload = update data)
    Description: Updates an existing resource
    HTTP verb: PATCH resource URI (payload = update data)
    Description: Updates a part of the resource. For example, when you only need to update one field of the resource.

Operation: Delete
    HTTP verb: DELETE resource URI
    Description: Deletes the specified resource

5.2 Return codes

Return code   Description
2xx           Successful operation
4xx           Client-side error with error message returned
5xx           Appliance error with error message returned

NOTE: If an error occurs, indicated by a return code 4xx or 5xx, an ErrorMessage is returned. The expected resource model is not returned.

5.3 URI format

All URIs point to resources. The client does not need to create or modify URIs. The URI for a resource is static and uses the format https://{appl}/rest/resource category/resource ID where:

https://{appl}           The appliance address
/rest                    The type of URI
/resource category       The category of the resource (for example, server-profiles)
/resource instance ID    The specific resource instance identifier (optional)

5.4 Resource model format

The resources support JSON (JavaScript Object Notation) for exchanging data using a REST API. If not otherwise specified in the REST API operation, the default is JSON.

5.5 Log in to the appliance using REST APIs

When you log in to the appliance using the login-sessions REST API, a session ID is returned. You use the session ID in all subsequent REST API operations in the auth header. The session ID is valid for 24 hours.
Log in
    Operation: POST
    API: /rest/login-sessions
    Request headers: REST API Request Headers
    Request body: {"userName":"YourUserName","password":"YourPassword"}
    NOTE: This is an example of a local log in on the appliance. If you are using a directory service, you must add the following attributes: authnHost and authLoginDomain.
    Response: The LoginSessionIdDTO that includes the session ID

Log out
    Operation: DELETE
    API: /rest/login-sessions
    Request headers: auth:{YourSessionID}, REST API Request Headers
    Request body: None
    Response: 204 No Content

5.6 REST API version and backward compatibility

When you perform a REST API operation, an X-API-Version header is required. This version header corresponds to the REST API version of software currently running on the appliance. To determine the correct REST API version, perform GET /rest/version. This GET operation does not require an X-API-Version header. If multiple appliances are running in your environment, you need to determine the REST API version required by each appliance.

NOTE: If an X-API-Version header is not included in the request, the APIs default to version 1. Because most APIs in HPE OneView have a minimum of 3 or greater, invoking an API without including the X-API-Version header will likely result in an HTTP 404 error, because that version of the API will not be found.

The requests documented in the HPE OneView REST API Scripting Help correspond to the API Reference version included in the product.

Supported REST API versions

This release of HPE OneView supports the latest REST API version in addition to supporting the REST API versions supported in previous releases of HPE OneView. The HPE OneView REST API documentation for older REST API versions is available online at www.hpe.com/info/oneview/docs, and the documentation for the current version of supported REST APIs is included with the online help for this release as well as online.
Backward compatibility

The following list explains how to preserve your existing scripts when upgrading to a new version of HPE OneView, take advantage of new functionality, and find the current and previous versions of the HPE OneView REST API documentation.

• Prevent scripts from breaking
  To prevent existing scripts that were written for a specific API version from breaking, use the same X-API-Version value for that specific REST API. This ensures that the same set of data is sent and returned in the response body during PUT and POST operations.

  NOTE: The set of possible enumerated values that may be returned in a given resource attribute may be extended from release to release (independent of the API version). Clients should ignore any values that they do not expect. To maintain backward compatibility, the set of enumerated values will not be reduced and the meaning of these values will not change for a given API version.

  NOTE: The Index or SCMB always returns the latest version of resource data, independent of what is sent in the X-API-Version header on the request (this header controls the Index DTO model, but not the data contained within). To obtain a specific version of a resource’s data, perform a GET on the resource’s URI with the desired X-API-Version header.

• Use new functionality
  To take advantage of new functionality, you must move to the new X-API-Version value. If the X-API-Version value is set globally in your scripts, moving to a new X-API-Version will likely impact multiple REST APIs. To view a list of REST APIs that have changed, see What's New in the HPE OneView API Reference. If you do not need to use the new functionality, you can use a previous X-API-Version and avoid impacting your existing scripts.
  Hewlett Packard Enterprise recommends that you move to the new X-API-Version, because backward compatibility is not guaranteed from release to release, and older functionality will be deprecated. The current version of the REST APIs is documented in the HPE OneView REST API Reference that is included on the appliance. To view previous versions of the REST API reference, go to www.hpe.com/info/oneview/docs.

5.7 Asynchronous versus synchronous operations

A synchronous operation returns a response after the REST API operation completes. For example, POST /rest/server-profiles returns a newly created server profile in the response body. An asynchronous operation, such as creating an appliance backup, returns the URI of a task in the Location response header. You can use the task URI to retrieve the current status of the operation, and to obtain the associated resource once the task is complete.

• This is common behavior for all asynchronous APIs.
• You should not depend on any other behavior to get the current status of the operation (such as the content of the returned response body), as it varies from API to API. See the API Reference for the behavior of each specific API.
• You should not depend on any other behavior to occur, as it is subject to change in the future, even for the same API version.

Example 1 Example response header returned from an asynchronous appliance backup REST call

    HTTP/1.1 202 Accepted
    Date: Tue, 26 Jan 2016 23:19:14 GMT
    Server: Apache
    Location: https:///rest/tasks/39CE80C4-EF2C-4717-90EA-EF166E83B49F
    Content-Length: 0
    cache-control: no-cache

5.8 Task resource

When you make an asynchronous REST API operation, HTTP status 202 Accepted is returned and the URI of a TaskResource resource model is returned in the Location header of the response. You can then perform a GET on the TaskResource model URI to poll for the status of the asynchronous operation.
The TaskResource model also contains the name and URI of the resource that is affected by the task in the associatedResource attribute.

Creating an appliance backup example
1. Create an appliance backup.
   /rest/backups
   The URI of a TaskResource in the Location header is returned in the response.
2. Poll for status of the backup using the TaskResource URI returned in step 1.
   /rest/tasks/{id}
3. When the task reaches the Completed state, use the associatedResource URI in the TaskResource to download the backup file.
   GET {associatedResource URI}

5.9 Error handling

If an error occurs during a REST API operation, a 4xx (client-side) or 5xx (appliance) error is returned along with an error message (ErrorMessage resource model). The error message contains a description and might contain recommended actions to correct the error. A successful REST API POST operation returns the newly created resource (synchronous) or a TaskResource URI in the Location header (asynchronous).

5.10 Concurrency control using etags

A client uses etags to verify the version of the resource model. This prevents the client from modifying (PUT) a version of the resource model that is not current. For example, if a client performs a GET on a server profile and receives an etag in the response header, modifies the server profile, and then updates (PUT) the resource model, the etag in the PUT request header must match the resource model etag. If the etags do not match, the client PUT request will not complete and a 412 PRECONDITION FAILED error is returned.

5.11 Querying resources and pagination using common REST API parameters

Querying resources

You can use a set of common parameters to customize the results returned from a GET operation, such as sorting or filtering. Each REST API specification lists the set of available common parameters.
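The asynchronous flow of sections 5.7 and 5.8 and the etag check of section 5.10, as an added Python example that is not from the HPE guide or its sample libraries. The injected send(method, uri, headers, body) transport, the FakeBackupAppliance data, the taskState and resourceUri field names, the failure states, and the ETag/If-Match header names are assumptions; a real transport would also add the auth and X-API-Version headers.

```python
import time

# Assumed names (not stated in the guide): the taskState / resourceUri fields,
# the failure states, and the ETag / If-Match headers.
FAILED_STATES = {"Error", "Terminated", "Killed"}


class TaskFailed(Exception):
    """The task ended in a failure state or the request was rejected."""


def run_async(send, method, uri, body=None, interval=0.0, max_polls=30):
    """Start an asynchronous operation and poll its TaskResource to completion.

    Only the 202 status and the Location header are relied on, as section 5.7
    advises. Returns the URI of the associated resource.
    """
    status, headers, _ = send(method, uri, {}, body)
    if status != 202:
        raise TaskFailed(f"{method} {uri}: expected 202 Accepted, got {status}")
    task_uri = headers["Location"]
    for _ in range(max_polls):
        status, _, task = send("GET", task_uri, {}, None)
        if status >= 400:
            raise TaskFailed(f"GET {task_uri} returned {status}")
        if task["taskState"] == "Completed":
            return task["associatedResource"]["resourceUri"]
        if task["taskState"] in FAILED_STATES:
            raise TaskFailed(f"task ended in state {task['taskState']}")
        time.sleep(interval)
    raise TimeoutError(f"{task_uri} did not complete after {max_polls} polls")


def update_with_etag(send, uri, change, max_attempts=3):
    """Read-modify-write that re-reads and retries when the PUT returns 412."""
    for _ in range(max_attempts):
        status, headers, resource = send("GET", uri, {}, None)
        if status >= 400:
            raise RuntimeError(f"GET {uri} returned {status}")
        # Apply the change to a copy of the version that was just read.
        status, _, result = send("PUT", uri, {"If-Match": headers["ETag"]},
                                 change(dict(resource)))
        if status == 412:      # resource changed since the GET: start over
            continue
        if status >= 400:
            raise RuntimeError(f"PUT {uri} returned {status}")
        return result
    raise RuntimeError(f"{uri} kept changing; gave up after {max_attempts} attempts")


class FakeBackupAppliance:
    """Constructed in-memory stand-in for the appliance so the block runs offline."""

    PROFILE_URI = "/rest/server-profiles/constructed-profile-id"
    TASK_URI = "/rest/tasks/constructed-task-id"

    def __init__(self):
        self.polls = 0
        self.etag = 1
        self.profile = {"name": "prod_profile", "description": ""}
        self.race_pending = True   # simulate one concurrent edit by another client

    def send(self, method, uri, headers, body):
        if (method, uri) == ("POST", "/rest/backups"):
            return 202, {"Location": self.TASK_URI}, None
        if (method, uri) == ("GET", self.TASK_URI):
            self.polls += 1
            if self.polls < 3:
                return 200, {}, {"taskState": "Running"}
            return 200, {}, {"taskState": "Completed", "associatedResource": {
                "resourceUri": "/rest/backups/constructed-backup-id"}}
        if (method, uri) == ("GET", self.PROFILE_URI):
            return 200, {"ETag": str(self.etag)}, dict(self.profile)
        if (method, uri) == ("PUT", self.PROFILE_URI):
            if self.race_pending:
                self.race_pending = False
                self.profile["description"] = "edited elsewhere"
                self.etag += 1
            if headers.get("If-Match") != str(self.etag):
                return 412, {}, {"message": "precondition failed"}
            self.profile, self.etag = dict(body), self.etag + 1
            return 200, {"ETag": str(self.etag)}, dict(self.profile)
        return 404, {}, {"message": "unknown resource"}


if __name__ == "__main__":
    fake = FakeBackupAppliance()
    print(run_async(fake.send, "POST", "/rest/backups"))
    print(update_with_etag(fake.send, fake.PROFILE_URI,
                           lambda p: {**p, "name": "prod_profile_A"}))
```

The retry re-applies the change to the freshly read resource, so the concurrent edit to the description survives instead of being overwritten.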
Pagination when querying for a collection of resources

When you perform a GET operation to retrieve multiple resources (that is, a GET on a collection URI, such as /rest/server-profiles), the resources are returned in a collection object that includes an array of resources along with information about the set of resources returned. This collection of resources may be automatically truncated into pages to improve performance when a query would return a large number of resources. The collection attributes (described below) provide information needed to determine whether the full set of resources were returned, or if additional queries are required to retrieve additional pages.

For example, a collection object includes a next page and previous page URI. These URIs indicate whether additional pages are available, and can be retrieved via a GET operation on these URIs. This provides a simple model for ensuring all resources in the query have been retrieved, by doing iterative GETs on the nextPageUri attribute until the attribute comes back empty/null (See Example: Return all resources in a specific collection query below.).

It’s also possible to query for a specific page of resources, using the start and count query parameters. These parameters indicate the index of the first resource to be returned, and the number of resources to return in the page, respectively.

NOTE: Queries across multiple pages in a collection are stateless, and are based simply on the start index and a count of resources returned from that starting point at the time the query is made. For example, if any server profiles were added or deleted after you performed a GET operation using a specific next page URI from a collection of server profile resources, and you perform the GET again, the returned page using the same next page URI may not contain the same set of resources.
Note also that the specific set of resources returned with a given start and count parameter is highly dependent on any filter, query and sort parameters sent in the request, therefore it’s important to always pass the same filter, query and sort parameters on all requests for additional pages. The nextPageUri and prevPageUri attributes will be pre-populated with any filter, query and sort parameters from the current request.

Attributes returned in all GET operations performed on a collection URI, for example /rest/server-profile:

total          The total number of resources available in the requested collection (taking into account any filters). Not necessarily what was returned.
count          The actual number of resources returned (in the members attribute).
start          The zero-based index of the first item returned (in the members attribute).
members        The array of resources returned in the current result set.
nextPageUri    A URI that can be used to query for the next page in the result set (using the same count specified in the current query).
prevPageUri    A URI that can be used to query for the previous page in the result set (using the same count specified in the current query).

NOTE: A null or empty nextPageUri or prevPageUri attribute is an indication that you have reached the last or first page (respectively) in the query. This allows scripts to iterate on nextPageUri until null, in order to retrieve the full set of resources in the query.

Example: Return all resources in a specific collection query

The number of resources returned in a query might not match what was specified in the count parameter. Clients must always check the returned results to determine whether the full results set was returned or not. The two reasons that all the resources may not be returned in a query are:

• You've reached the last page of the query (and there are simply not that many resources left to return).
  This is also indicated by a returned prevPageUri with a null value.
• For performance reasons, the service may automatically truncate the returned result set, requiring additional GET requests (with appropriate start & count parameters set) in order to retrieve the full set of resources.

The simplest way to make sure that you have retrieved all resources in a specific collection is to always perform iterative GET requests using the returned nextPageUri until the value is null. See the following example in pseudo-code based on any filters/queries and sort order:

    currentCollection = doGet("/rest/server-hardware");
    allResources = currentCollection.members;
    While (currentCollection.nextPageUri) {
        currentCollection = doGet(currentCollection.nextPageUri);
        allResources.Append(currentCollection.members);
    }

5.12 State-Change Message Bus

The State-Change Message Bus (SCMB) is an interface that uses asynchronous messaging to notify subscribers of changes to managed resources—both logical and physical. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes—without having to continuously poll the appliance for status using the REST APIs.

To learn more about receiving asynchronous messages about changes in the appliance environment, see “Using a message bus to send data to subscribers” (page 327).

5.13 Metric Streaming Message Bus

The Metric Streaming Message Bus (MSMB) is an interface that uses asynchronous messaging to notify subscribers about the most recent metrics for managed resources. You can configure the interval and the metrics that you want to receive using the REST APIs. To learn more, see “Using a message bus to send data to subscribers” (page 327).
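Session handling from sections 5.5 and 5.6 combined with the nextPageUri loop of section 5.11, as an added Python example that is not from the HPE guide or its sample libraries. The injected send transport, the FakeInventoryAppliance and its data, the sessionID field name and the version value 3 are assumptions.

```python
from contextlib import contextmanager
from urllib.parse import parse_qs, urlsplit


class ApiError(Exception):
    """4xx/5xx: the appliance returns an ErrorMessage, not the resource model."""


class OneViewClient:
    def __init__(self, send, api_version):
        # send(method, uri, headers, body) -> (status, headers, body). Injected so a
        # real HTTPS transport with certificate verification can replace the fake.
        self._send = send
        self._api_version = api_version
        self._session_id = None   # a credential: never log it or write it to disk

    def _request(self, method, uri, body=None):
        headers = {"X-API-Version": str(self._api_version)}
        if self._session_id:
            headers["auth"] = self._session_id
        status, _, payload = self._send(method, uri, headers, body)
        if status >= 400:
            raise ApiError(f"{method} {uri} returned {status}")
        return payload

    def login(self, user, password):
        dto = self._request("POST", "/rest/login-sessions",
                            {"userName": user, "password": password})
        self._session_id = dto["sessionID"]   # field name is an assumption

    def logout(self):
        if self._session_id is None:
            return
        try:
            self._request("DELETE", "/rest/login-sessions")
        finally:
            self._session_id = None

    def get_all(self, collection_uri):
        """Follow nextPageUri until it is null; never trust count alone."""
        members, uri = [], collection_uri
        while uri:
            page = self._request("GET", uri)
            members.extend(page["members"])
            uri = page.get("nextPageUri")
        return members


@contextmanager
def session(send, api_version, user, password):
    """Log in, hand out the client, and always log out so that the session ID
    does not stay valid for its full 24 hours."""
    client = OneViewClient(send, api_version)
    client.login(user, password)
    try:
        yield client
    finally:
        client.logout()


class FakeInventoryAppliance:
    """Constructed in-memory stand-in for the appliance so the block runs offline."""

    PAGE_LIMIT = 2   # server-side truncation, whatever count the client asks for

    def __init__(self):
        self.sessions = set()
        self.hardware = [{"name": f"Encl1, bay {i}"} for i in range(1, 6)]

    def send(self, method, uri, headers, body):
        if int(headers.get("X-API-Version", 1)) < 3:
            return 404, {}, {"message": "API version not found"}
        parts = urlsplit(uri)
        if (method, parts.path) == ("POST", "/rest/login-sessions"):
            sid = f"constructed-session-{len(self.sessions) + 1}"
            self.sessions.add(sid)
            return 200, {}, {"sessionID": sid}
        if headers.get("auth") not in self.sessions:
            return 401, {}, {"message": "not authorized"}
        if (method, parts.path) == ("DELETE", "/rest/login-sessions"):
            self.sessions.discard(headers["auth"])
            return 204, {}, None
        if (method, parts.path) == ("GET", "/rest/server-hardware"):
            query = parse_qs(parts.query)
            start = int(query.get("start", ["0"])[0])
            count = min(int(query.get("count", ["100"])[0]), self.PAGE_LIMIT)
            members = self.hardware[start:start + count]
            nxt = start + len(members)
            next_uri = (f"/rest/server-hardware?start={nxt}&count={count}"
                        if nxt < len(self.hardware) else None)
            return 200, {}, {"total": len(self.hardware), "count": len(members),
                             "start": start, "members": members,
                             "nextPageUri": next_uri}
        return 404, {}, {"message": "unknown resource"}


def demo():
    appliance = FakeInventoryAppliance()
    with session(appliance.send, 3, "YourUserName", "YourPassword") as client:
        names = [m["name"] for m in
                 client.get_all("/rest/server-hardware?start=0&count=4")]
    return names, len(appliance.sessions)


if __name__ == "__main__":
    print(demo())
```

The request asks for four resources per page, the fake returns two, and the loop still collects all five because it follows nextPageUri rather than comparing against count.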
5.14 Analysis and troubleshooting

You can use REST APIs to capture data obtained from remote system logs and iLO and make this data accessible for use by powerful troubleshooting and analysis tools.

5.14.1 HPE Operations Analytics integration with HPE OneView

The integration of Operations Analytics and HPE OneView provides IT professionals with troubleshooting, analysis, and capacity planning information for devices managed using HPE OneView. Using HPE OneView REST APIs, you can capture data from logs, metrics, alerts, and inventories, and import them into Operations Analytics for graphical display and viewing.

Real-time troubleshooting applications like Operations Analytics need access to HPE OneView resources, relationships, metrics, alerts, and logs at near real time intervals. This data is then used to pinpoint developing issues and avoid infrastructure downtime by predicting failure in advance. For technical information about Operations Analytics, see HPE Operations Analytics Manuals.

5.15 Developer tools in a web browser

You can use developer/debug tools in your web browser to view the REST API operations as they happen in the UI. The UI uses REST APIs for all operations; therefore, anything you can do in the UI can be done using REST API operations.

5.16 PowerShell and Python code sample libraries

Windows PowerShell and Python libraries are available on Git-compliant websites to download and use for your REST API scripting. The libraries are currently under the MIT Open Source license, and you can modify the source code for your own purposes. Each library provides methods for you to submit feedback, issues, and other discussions to Hewlett Packard Enterprise.

About Git version control: The repository layouts and overall workflows use a very standard simple workflow where the master branch is always the top of tree trunk.
Hewlett Packard Enterprise tags each release and branches a release only to fix an issue on a specific release. To learn more about using Git, see http://git-scm.com/book.

NOTE: If you have questions about REST API scripting or HPE OneView, post your questions to the user community forum at http://www.hpe.com/info/oneviewcommunity.

PowerShell library

The PowerShell library is hosted on GitHub and is available here: https://github.com/HewlettPackard/POSH-HPOneView. To subscribe to the site and monitor the project, you need a valid Microsoft or GitHub account. Downloading releases or source code does not require authentication. For ease of use when the library is updated, a new installer is provided. You can use a browser or a GIT Windows client to download the source code and samples. To download the Windows client, see http://windows.github.com/. The GitHub site provides an issues tracker to submit issues or feature requests.

Python library

The Python library is hosted on a GitHub website and is available here: https://github.com/HewlettPackard/python-hpOneView. To receive development discussions, sign up on the public mailing list at https://groups.google.com/forum/#!forum/hp-oneview-python.

6 Accessing documentation and help

This chapter describes how to access help from the appliance, how to access the publicly available online information library, and where to find REST API help and reference documentation.
6.1 Online help—conceptual and task information as you need it

The online help documents both the UI and the REST APIs, and includes:
• Overviews of the appliance and its features
• Descriptions of resources and UI screens
• Quick-start instructions for bringing your data center under management
• Step-by-step instructions for using the UI to perform tasks
• Information about using REST API scripting to perform tasks
• The HPE OneView REST API Reference
• Information about using the SCMB (State-Change Message Bus) to subscribe to state change messages

REST API help design

The REST API help is designed so that:
• Each resource is documented in its own chapter.
• Each REST API scripting chapter identifies the REST API calls you must invoke to complete the tasks.
• Each REST API call links to the HPE OneView REST API Reference for details about the API, such as attributes and parameters, the resource model schema, and JSON (JavaScript Object Notation) examples.

UI help design

The online help for the UI is designed so that each resource is documented in its own chapter. At the top of each help chapter is a navigation box that directs you to:
• Tasks that you can perform using the UI
• An About section that provides conceptual information about the resource
• A screen details section for every screen, which provides definitions of screen components to assist you in data entry and decision making
• Troubleshooting information in case you encounter a problem
• Links to the help for the associated REST APIs if you prefer to use REST API scripting to perform a task

6.2 This user guide supplements the online help

This user guide provides:
• Conceptual information and describes tasks you can perform using the UI or REST APIs. It does not duplicate the step-by-step instructions provided by the online help unless the information might be needed when the online help is not available.
• For procedures that use the REST APIs, the REST APIs are listed, but the complete syntax and usage information is included in the HPE OneView REST API Reference in the online help.
• Planning information, including configuration decisions to make and tasks that you might need to perform before you install an appliance, add managed devices, or make configuration changes.
• Quick starts that provide high-level step-by-step instructions for selected tasks that might require that you configure multiple resources using the UI or REST APIs.

6.3 Where to find HPE OneView documentation

User guides and other manuals

HPE OneView user guides and other manuals are available on the Hewlett Packard Enterprise Information Library. See “Websites” (page 434) for other information resources.

Online help

To view help on the appliance, click to open the Help sidebar. Links in the sidebar open help in a new browser window or tab:
• Help on this page opens help for the current screen
• Browse help opens the top of the help system where you decide which help topics you want to read about
• Browse REST API help opens help for API scripting and reference information
• Clicking on a screen or dialog box opens context-sensitive help for that dialog box

NOTE: To submit feedback about HPE OneView documentation, send email to [email protected].

6.4 Enable off-appliance browsing of UI help and REST API help

The off-appliance versions of the HPE OneView help systems are useful for developers who are writing REST API scripts or other users who prefer the convenience of accessing help locally without logging in to the appliance.

NOTE: You can also browse the API Reference at http://www.hpe.com/info/oneview/docs.

Downloading HTML UI help and HTML REST help
1. Go to the Enterprise Information Library: http://www.hpe.com/info/oneview/docs
2. Select the HPE OneView online help and API Reference (download) zip and save it to your computer or to a local directory on a web server.
3. Use the utility of your choice to extract the contents of the .zip file.
4. Navigate to the content directory.
5. Double-click the index.html file to open the HPE OneView help system.

Part II Planning tasks

The chapters in this part describe data center configuration planning tasks that you might want to complete before you install the appliance or before you make configuration changes. By completing these planning tasks, you can create a data center configuration that takes full advantage of the appliance features and is easier for your administrators to monitor and manage.

7 Planning your data center resources

In addition to ensuring that your environment meets the prerequisites for installation of the appliance, there are other planning tasks you might want to complete before adding data center resources. By completing these planning tasks, you can create a data center configuration that takes full advantage of the appliance features and is easier for your administrators to monitor and manage.

7.1 How many data centers?

An appliance data center resource represents a physically contiguous area in which racks containing IT equipment are located. You create data centers in the appliance to describe a lab floor or a portion of a computer room, which provides a useful grouping to summarize your environment and its power and thermal requirements. Using data centers to describe the physical topology and power systems of your environment is optional. If you choose to create multiple data centers, consider including data center information in your other resource names to enable you to use the appliance search capabilities to filter results by data center.

7.1.1 Managing, monitoring, or migrating server hardware?
Determine whether you want to add enclosures into HPE OneView to manage or monitor them, or if you want to migrate a Virtual Connect enclosure.

Manage
    If you add a managed server to HPE OneView, either in an enclosure or rack server, you can apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. For more information, see “About managed c7000 enclosures” (page 218) and “Managing server hardware” (page 157). Managing server hardware requires HPE OneView Advanced licensing. For more information, see “About licensing” (page 179).

Monitor
    If you add a monitored server to HPE OneView, either in an enclosure or rack server, you can monitor it for inventory and hardware status only. For more information, see “About monitored c7000 enclosures” (page 219) and “About monitored server hardware” (page 161). Monitoring server hardware uses a free license called HPE OneView Standard. For more information, see “About licensing” (page 179).

Migrate
    If you have an enclosure in Virtual Connect Manager (VCM), you can migrate it to HPE OneView with the configuration information, so that the enclosure can be managed by HPE OneView. The managed enclosure requires HPE OneView Advanced licensing. For more information, see “About licensing” (page 179). For more information about migrating, see “About migrating c7000 enclosures managed by other management systems” (page 220).

7.2 Security planning

To learn about the security features of the appliance, and for general information about protecting the appliance, see “Understanding the security features of the appliance” (page 65).

7.3 Preparing your data center network switches

The switch ports for data center network switches that connect to the Virtual Connect interconnect modules must be configured as described in “Data center switch port requirements” (page 193).
Network traffic should also be considered as described in “About active/active and active/standby configurations” (page 206).

7.4 Planning for a dual-stack implementation

Network management systems can use IPv4 or IPv4/IPv6 communication protocols on the same network infrastructure. The default protocol is IPv4. Managing interconnects with IPv4 and IPv6 protocols provides network address redundancy if the IPv4 primary address fails to connect. IPv4/IPv6 dual communication stack configuration is required for the appliance to communicate with the interconnects on the IPv6 management network.

To set up a dual-stack protocol for an enclosure, use the Onboard Administrator to enable IPv6 and IPv6 address types.

NOTE: SNMP access and SNMP trap destinations support IPv4 and IPv6 addresses.

7.5 Planning your resource names

The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as instances of resource names, serial numbers, WWNs, and IP and MAC addresses. In general, anything that appears in a resource is searchable.

Defining a standard naming convention for your networks, network sets, enclosures, enclosure groups, logical interconnect groups, and uplink sets makes it easy for you to identify them and enables efficient searching or filtering in the UI.

Consider the following information when choosing resource names:
• To minimize the need for name changes and to make network-related resources easier to identify, consider choosing names that include the following information:
  ◦ The purpose of the resource. For example:
      prod for production network resources
      dev for development network resources
  ◦ For tagged networks, the VLAN ID
    NOTE: If you are creating multiple tagged networks at the same time (creating networks in bulk), the network name is automatically appended with an underscore (_) and the VLAN ID. For example, Dev_101.
  ◦ An identifier to help you distinguish between resources that use the left side or the right side of an enclosure. For example:
      left and right
      A and B
      1 and 2
  ◦ Examples of network names that follow the recommended naming conventions include the following:
      dev_1105_A
      prod_1102_1
      test_1111_left
  ◦ If you plan to use multi-network connections in server profiles, create network sets that contain all the networks to be used by a single profile connection. Choose names such as the following:
      dev_nset_A
      prodnset_1
      testns_left
  ◦ Changing the names of uplink sets can result in resources being taken offline temporarily (see “Configuration changes that require or result in resource outages” (page 117)). To minimize the need for name changes, and make the uplink sets easier to identify, choose names such as the following:
      devUS_A
      prodUS_1
      testUS_left
• The appliance does not support the filtering of resources, such as server hardware, based on physical location (data center name). To enable filtering by data center name, choose a naming convention that includes the data center name in the resource name.
• The appliance supports the filtering of resources by model, so you can search for server hardware without having to include the model number in the name.
• The appliance provides default names for many resources. For example:
  ◦ Enclosures are assigned the name Encln, where n is a number that is incremented by 1 as each enclosure is added.
  ◦ enclosure_name-LI is the default name of a logical interconnect, where enclosure_name is the name of the enclosure.
  ◦ Datacenter 1 is the name assigned to the data center when you initialize the appliance.
  ◦ Server hardware types are assigned names based on the server model, such as BL460c Gen8 1.
    If you select a server hardware type as a standard, you can choose to rename that server hardware type to include the word Standard or some other identifier to help administrators quickly determine the correct server hardware type to choose.
• You can create shorter names by using abbreviations for resources. For example:

    Resource name                 Typical abbreviations
    Enclosure                     Encl
    Enclosure group               EG, Group
    Logical interconnect          LI
    Logical interconnect group    LIG
    Uplink set                    US

For more information about the search capabilities of the appliance, see “Search resources” (page 95).

7.6 Planning the appliance configuration

These topics cover appliance configuration.

7.6.1 Appliance VM and host requirements

HPE OneView is a virtual appliance running on the following supported hypervisor hosts.

Table 5 Supported hypervisors and versions

Hypervisor: VMware vSphere ESXi
Version:
• 5.5
• 5.5 update 1
• 5.5 update 2
• 5.5 update 3
• 6.0
• 6.0 update 1
• 6.0 update 2

Hypervisor: Microsoft Hyper-V
Version: Hyper-V is supported on the following Microsoft Windows platforms with the Hyper-V role installed:
• Windows Server 2012
• Windows Server 2012 R2
• Windows Hyper-V Server 2012
• Windows Hyper-V Server 2012 R2

The appliance virtual machine (VM) requirements have changed, and are as follows:
• ProLiant G7–class or later CPUs.
• Four 2–GHz or greater virtual CPUs.
• 16 GB of memory.
• 160 GB of thick-provisioned disk space. You can manually expand the virtual disk to increase the size of the firmware repository from the default 12 GB to 100 GB (minimum total disk space of 275 GB required). The best practice is to expand the virtual disk during appliance installation. See the installation or upgrade instructions.
• A connection to the management LAN. Hewlett Packard Enterprise highly recommends that you have separate networks for management and data.
• The hypervisor host meets the minimum system requirements:
  ◦ Minimum system requirements for installing ESXi/ESX (1003661), VMware Knowledge Base
  ◦ Review Prerequisites for Installation (Hyper-V Server 2012, Hyper-V Server 2012 R2), Microsoft TechNet
  ◦ Install Hyper-V and Configure a Virtual Machine (Windows Server 2012), Microsoft Windows Server
• Configure Power management options under BIOS settings:
  ◦ Power Regulator set to Static High Performance Mode.
  ◦ Power Profile set to Maximum Performance.
• Network Time Protocol (NTP) is properly configured. Correct operation of the virtual appliance requires an accurate time source. Two options are available for ensuring accurate time on the virtual appliance using Network Time Protocol (NTP):

    NTP on the hypervisor
        Configure the hypervisor host to use NTP and configure HPE OneView to use the hypervisor host as its time source.
    NTP in HPE OneView
        Configure HPE OneView to use three or more NTP servers.

NOTE: You must configure the hypervisor host to reserve the minimum required resources (reservations or shares). See the links below for instructions on reserving resources on the hypervisor host.
• Configure Memory and Processors (Microsoft Windows Server)
• Allocate CPU Resources and Allocate Memory Resources (VMware vSphere ESX and vCenter Server Documentation Center)

7.6.2 Planning for high availability

To use HPE OneView in a high availability (HA) configuration, see the hypervisor documentation for specific requirements.

VMware vSphere ESXi      http://www.vmware.com/products/datacenter-virtualization/vsphere/high-availability.html
Microsoft Hyper-V        http://technet.microsoft.com/en-us/library/cc753787.aspx

7.6.3 Separate networks for data and management

HPE recommends having separate networks for management and data. See “Best practices for maintaining a secure appliance” (page 67) for more information. See the HPE OneView Support Matrix.
7.6.4 Time clocks and NTP

HPE recommends using NTP on the host on which you install the virtual appliance. If you are not using NTP on the host, HPE recommends configuring NTP directly on the virtual appliance. Do not configure NTP on both the host and the virtual appliance. In addition, the clock on the VM host must be set to the correct time.

7.6.5 IP addresses

You must specify what type of IP addresses are in use and how they are assigned to the appliance, either manually by you or assigned by a DHCP (Dynamic Host Configuration Protocol) server. The appliance supports configuring IPv4 addresses as well as IPv6 addresses as the appliance IP address. The appliance does not support an IPv6-only configuration; it can be an IPv4-only configuration or a dual mode (both IPv4 and IPv6) configuration. See “Planning for a dual-stack implementation” (page 112) for more information.

VM appliance

On a VM appliance, IP addresses can be assigned in two ways: manually by the user (static IP) or assigned by DHCP (Dynamic Host Configuration Protocol). DHCP is not supported for assigning appliance IP addresses unless DHCP reservations are used.

8 Planning for configuration changes

This chapter identifies configuration changes that might result in a resource being taken offline temporarily or that might require that you make changes to multiple resources.

8.1 Configuration changes that require or result in resource outages

Appliance

Taking an appliance offline does not affect the managed resources—they continue to operate while the appliance is offline. In an appliance cluster, HPE OneView is taken offline temporarily by an activate standby operation. HPE OneView resumes operation after the standby appliance becomes the active appliance. When you install an appliance update, the appliance restarts and goes offline.

Enclosures

The Onboard Administrator (OA) is taken offline automatically during an enclosure firmware update.
Interconnects and logical interconnects

• Server profile connections to networks in an uplink set are taken offline when you delete the uplink set.
• Server profile connections to networks in an uplink set can be interrupted for a few seconds when you change the name of an uplink set using either of these methods:
  ◦ Change the name of the uplink set in the logical interconnect.
  ◦ Change the name of the uplink set in the logical interconnect group, and then update the logical interconnect from the logical interconnect group.
• An interconnect is taken offline when you:
  ◦ Update or activate firmware for a logical interconnect. Staging firmware does not require interconnects be taken offline.
  ◦ Update firmware for an enclosure and select the option to update the enclosure, logical interconnect, and server profiles.
• If an interconnect has firmware that has been staged but not activated, any subsequent reboot of that interconnect activates the firmware, which takes the interconnect offline.
• You can prevent the loss of network connectivity for servers connected to a logical interconnect that has a stacking mode of Enclosure and a stacking health of Redundantly Connected by updating firmware using the following method:
  1. Staging the firmware on the logical interconnect.
  2. Activating the firmware for the interconnects in even-numbered enclosure bays.
  3. Waiting until the firmware update completes and the interconnects are in the Configured state.
  4. Activating the firmware for the interconnects in the odd-numbered enclosure bays.

Networks

• If you attempt to delete a network that is in use by one or more server profiles, the appliance warns you that the network is in use. If you delete the network while it is in use, server profile connections that specify the network explicitly (instead of as part of a network set) are taken offline.
  If you add a network with the same name as the network you deleted, connections that specify the network explicitly (instead of as part of a network set) are not updated—you must edit each server profile connection to reconfigure it to specify the network you added. Because you must edit the server profile to edit the connection, you must power off the server.
• If you attempt to delete a network that is a member of a network set, the appliance warns you that the network is assigned to at least one network set. If you delete that network and there are other networks in that network set, server profile connectivity to the deleted network is taken offline, but connectivity to other networks in the network set is unaffected. You can add a network to a network set, including a network that has the same name as a network you deleted, while server profile connections to that network set remain online.

Network sets

• If you attempt to delete a network set that is in use by one or more server profiles, the appliance warns you that the network set is in use. If you delete the network set while it is in use, server profile connections to that network set are taken offline.
• If you add a network set with the same name as the network set you deleted, connections that specify the network set are not updated—you must edit each server profile connection to reconfigure it to specify the network set you added. Because you must edit the server profile to edit the connection, you must power off the server.
• Server profiles with connections to a network set can be affected when a network in the network set is deleted. See “Networks”.

Server profiles and server hardware

• Before you edit a server profile, you might need to power down the server hardware to which the server profile is assigned. See “About editing a server profile” (page 167) for a list of edits that can be performed without powering down the server hardware.
• Firmware updates require that you edit the server profile to change the firmware baseline. As with any other edits to server profiles, you must power down the server hardware to which the server profile is assigned before you edit a server profile.
• Server profiles and server hardware can be affected by changes to networks and network sets. For more information, see “Networks” and “Network sets”.
• Server profiles and server hardware can be affected by changes to the names of uplink sets. For more information, see “Interconnects and logical interconnects”.

8.2 Configuration changes that might require changes to multiple resources

• “Adding a network” (page 118)
• “Adding an enclosure” (page 119)

8.2.1 Adding a network

When you add a network to the appliance, you might need to make configuration changes to the following resources:
• Networks. Add the network.
• Network Sets. (Optional) If the network you are adding is an Ethernet network you might want to add it to a network set or create a network set that includes the network.
• Logical Interconnects and Logical Interconnect Groups. For a server connected to a logical interconnect to access a network, the logical interconnect must have an uplink set that includes a connection to that network:
  ◦ You might need to update multiple logical interconnects.
  ◦ You can make configuration changes to the logical interconnect group, and then update each logical interconnect from the group.
  ◦ If your configuration changes include deleting an uplink set or changing the name of an uplink set, server profile network connectivity can be affected. See “Configuration changes that require or result in resource outages” (page 117).
• Server Profiles. If the server profile does not have a connection to a network set that includes this network, you must add connections to the network.

For a summary of the tasks you complete when adding a network, see .
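The deletion rules for networks and network sets in section 8.1, worked through on a constructed inventory. This is an added example, not HPE code; the Connection record and the dictionary layout are assumptions made for the illustration and do not mirror the OneView REST schema.

```python
from dataclasses import dataclass

# Constructed sample inventory; every name here is illustrative.
NETWORK_SETS = {
    "DevSet": ["Dev101", "Dev102"],
    "ProdSet": ["Prod201"],
}


@dataclass(frozen=True)
class Connection:
    profile: str  # server profile that owns the connection
    name: str     # connection name inside the profile
    kind: str     # "network" (explicit) or "network-set"
    target: str   # name of the network or network set


CONNECTIONS = [
    Connection("web-01", "Connection1", "network", "Dev101"),
    Connection("web-01", "Connection2", "network-set", "DevSet"),
    Connection("db-01", "Connection1", "network-set", "ProdSet"),
    Connection("db-02", "Connection1", "network", "Dev102"),
]


def impact_of_deleting_network(network, connections, network_sets):
    """Classify the profile connections touched by deleting one network.

    offline:  explicit connections to the network; they go offline and are not
              rebound if a network with the same name is added later.
    narrowed: connections through a network set that contains the network;
              they lose only that network and keep the listed remainder.
    """
    offline, narrowed = [], []
    for conn in connections:
        if conn.kind == "network" and conn.target == network:
            offline.append(conn)
        elif conn.kind == "network-set" and network in network_sets.get(conn.target, []):
            remaining = [n for n in network_sets[conn.target] if n != network]
            narrowed.append((conn, remaining))
    return {
        "offline": offline,
        "narrowed": narrowed,
        # Rebinding an explicit connection means editing the profile, which
        # requires powering off the server it is assigned to.
        "power_off_to_rebind": sorted({c.profile for c in offline}),
    }


def impact_of_deleting_network_set(network_set, connections):
    """Every connection to a deleted network set goes offline."""
    offline = [c for c in connections
               if c.kind == "network-set" and c.target == network_set]
    return {
        "offline": offline,
        "power_off_to_rebind": sorted({c.profile for c in offline}),
    }


if __name__ == "__main__":
    result = impact_of_deleting_network("Dev101", CONNECTIONS, NETWORK_SETS)
    for conn in result["offline"]:
        print(f"OFFLINE  {conn.profile}/{conn.name} -> {conn.target}")
    for conn, remaining in result["narrowed"]:
        print(f"NARROWED {conn.profile}/{conn.name} keeps {remaining}")
    print("Power off to rebind:", result["power_off_to_rebind"])
```

Running the same check before a change window gives the list of servers that need a scheduled power-off if the network is later re-created under the same name.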
8.2.2 Adding an enclosure

When you add an enclosure to be managed by the appliance, you might need to make configuration changes to the following resources:
• Enclosures. Add the enclosure to be managed.
• Enclosure Groups. Every managed enclosure must be a member of an enclosure group. If you do not choose an existing enclosure group, you must create one when you add the enclosure.
• Logical Enclosures. Logical enclosures maintain configurations of enclosures that are linked together. Use logical enclosures for firmware updates, OA scripting, and making the enclosures consistent with changes made from the enclosure group.
• Logical Interconnects and Logical Interconnect Groups. Logical interconnects and logical interconnect groups define the network connectivity for the managed enclosure. Enclosure groups must specify a logical interconnect group. When you create an enclosure group, if you do not specify an existing logical interconnect group, you must create one. For a server connected to a logical interconnect to access a network, the logical interconnect group you create must have an uplink set that includes a connection to that network.
• Server Profiles. Adding and assigning server profiles to the server blades in the managed enclosure is not required at the time you add the enclosure, but to use the server blades in a managed enclosure, you must assign server profiles to them. To access a network, the server profile must include a connection to that network or a network set that includes that network.

For a summary of the tasks you complete when adding a managed enclosure and connect its server blades to data center networks, see “Quick Start: Add a c7000 enclosure with a single logical interconnect group and connect its server blades to networks” (page 137).
9 Planning for enclosure migration from VCM into HPE OneView

Planning for a migration from VCM-managed enclosures to HPE OneView-managed enclosures is an important part of the migration process. Understanding what will be migrated from Virtual Connect Manager (VCM) and the requirements of HPE OneView can help ensure a smooth and easy migration. This chapter will help explain the requirements and what to expect with migration. For example, a partial list of what will not be migrated is shown in “About blocking issues during migration” (page 227).

The automated migration process imports the configuration information for the enclosures including hardware, Virtual Connect (VC) domain, networks, and server profiles with some exceptions. MAC and WWN settings on server profile connections are retained and specified as user-defined in HPE OneView. Any new addresses allocated after the migration are assigned from the HPE OneView ID pool. See "About ID pools" in the online help for more information.

In planning your migration, keep in mind that Virtual Connect is case sensitive but HPE OneView is case insensitive. For example, in Virtual Connect, “Profile1” is different than “profile1” is different than “PROFILE1”. In HPE OneView, “Profile1” is the same as “profile1” is the same as “PROFILE1”. You may need to change the name of some components before migrating to avoid name conflicts.

9.1 Timing and type of migration

In determining when to perform a migration, decide if you want to perform an in-service or offline migration. For offline, consider the required down time needed to perform the migration. For in-service, consider the hardware and software infrastructure needed to perform the migration. The size of the configuration that you want to migrate affects process time. Large, complex configurations take more time to process than smaller ones.
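The case-sensitivity difference described in the introduction to this chapter can be checked before migration. The following is an added example, not HPE code: it assumes the component names have already been collected from the VC domain into lists per resource type, that names only need to be unique within a resource type, and that simple case folding is an adequate stand-in for the appliance's comparison.

```python
from collections import defaultdict

# Constructed sample names, as they might be collected from a VC domain.
SAMPLE_NAMES = {
    "server profile": ["Profile1", "profile1", "PROFILE1", "Web-A"],
    "network": ["Dev101", "dev101", "Prod"],
}


def find_case_collisions(names_by_type):
    """Return {resource_type: [[names that differ only by case], ...]}.

    Names inside a group keep their input order, so the first spelling seen
    is the one that keeps its name when renames are proposed.
    """
    collisions = {}
    for rtype, names in names_by_type.items():
        groups = defaultdict(list)
        for name in names:
            groups[name.casefold()].append(name)
        clashes = []
        for members in groups.values():
            distinct = list(dict.fromkeys(members))  # drop exact duplicates
            if len(distinct) > 1:
                clashes.append(distinct)
        if clashes:
            collisions[rtype] = clashes
    return collisions


def propose_renames(names_by_type):
    """Suggest a unique replacement for every colliding name but the first.

    The numeric suffix scheme is only a suggestion; what matters is that the
    new name does not collide, case-insensitively, with any existing name.
    """
    renames = {}
    for rtype, groups in find_case_collisions(names_by_type).items():
        taken = {n.casefold() for n in names_by_type[rtype]}
        for group in groups:
            for name in group[1:]:
                suffix = 2
                while f"{name}-{suffix}".casefold() in taken:
                    suffix += 1
                new_name = f"{name}-{suffix}"
                taken.add(new_name.casefold())
                renames[(rtype, name)] = new_name
    return renames


if __name__ == "__main__":
    for rtype, groups in find_case_collisions(SAMPLE_NAMES).items():
        for group in groups:
            print(f"{rtype}: {group} collide after migration")
    for (rtype, old), new in propose_renames(SAMPLE_NAMES).items():
        print(f"rename {rtype} {old!r} -> {new!r} in VCM before migrating")
```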
9.2 Understanding the migration process

An enclosure managed by VCM can be migrated into HPE OneView so that it can be managed by HPE OneView. The migration can occur through the HPE OneView UI or using REST API. The basic process consists of the following steps. Review this process to see the types of issues you might encounter so you can determine what changes you need to make in your environment to perform a successful migration. See “Before migrating c7000 enclosures” (page 225) for more information.

IMPORTANT: Execute show config -includepoolinfo from the VCM command line. Back up the VCM configuration: the Virtual Connect (VC) domain as well as the output from show config -includepoolinfo. The backup is used if you need to revert back to VCM for management. If a restoration is needed, you will need the factory default credentials for the VC interconnect found on the label. The show config -includepoolinfo output enables you to check specific details of the VC domain after the enclosure has been migrated to HPE OneView. See the Virtual Connect User Guide at http://www.hpe.com/info/virtualconnect/docs for more information.

Prerequisites for performing a migration

• Required privileges: HPE OneView Infrastructure administrator, Onboard Administrator (OA), and VCM Domain Administrator.
• OA and VCM credentials as well as the OA IP address for the enclosure.
• For VCEM-managed enclosures: VCEM credentials to remove the Virtual Connect domain from the domain group using the VCEM web interface, or the HPE PowerShell module.
• Back up and secure the VCM configuration (including the output from show config -includepoolinfo).
• Review the HPE OneView Support Matrix and verify the enclosure contains supported servers, interconnect modules, and mezzanine cards.
• Review “Prerequisites for bringing a c7000 enclosure into HPE OneView” (page 231) for prerequisites and preparation that must be in place.
• Assign server profiles before the migration, or recreate server profiles after the migration, if applicable.
• Ensure network connectivity with OA and iLOs in the Virtual Connect domain.
• Ensure all interconnect modules are present and powered on within the enclosure.

Migration task

Start compatibility and migration process

1. Determine if you want to perform an offline or in-service migration.
2. Determine whether to migrate your enclosure using the HPE OneView GUI or HPE OneView REST API.
3. Provide OA and VCM credentials and the enclosure OA IP address. HPE OneView checks the compatibility of the VCM-managed enclosure with HPE OneView and produces a migration compatibility report of the issues. The report shows warnings and blocking issues.

Resolve issues in the compatibility report

4. Review and resolve issues from the top down in the compatibility report. By resolving issues that are listed first, you might resolve issues listed later in the report.
   • Resolve all blocking migration errors listed on the compatibility report by modifying the configuration in VCM or HPE OneView. For a list of some of the blocking issues you might encounter, see “About blocking issues during migration” (page 227).
   • Evaluate warnings on the compatibility report to determine if action needs to be taken. Unless specified otherwise, warnings indicate a capability that will not be migrated into HPE OneView. Make sure the detected capability is not critical to operations before proceeding. For a list of some of the warnings you might encounter, see “Warning issues” (page 123).
5. Resolving an issue may require disabling a feature within VCM, changing a configuration in VCM, or in some cases, changing the HPE OneView logical interconnect group.
   For more information on VCM, see the HPE Virtual Connect for c-Class BladeSystem User Guide or the HPE Virtual Connect Manager Command Line Interface for c-Class BladeSystem User Guide at https://www.hpe.com/info/virtualconnect/docs.

Migrate

6. For in-service migration, after resolving all blocking issues and warnings you want to resolve, run a final compatibility test. For offline migration, after resolving all blocking issues (except server power on) and warnings you want to resolve, power off the servers and run a final compatibility test.
7. If the final report shows that all blocking issues are resolved:
   a. Read each acknowledgment in full (including any learn more links).
   b. Understand and accept the implications of each acknowledgement by clicking each one.
   c. Proceed with the migration.

NOTE: You have the option to migrate up to four single enclosure domains from VCM into HPE OneView simultaneously.

Post migration tasks

1. Upon successfully completing an offline migration, power on the servers.
2. Optional: Recreate server profiles in HPE OneView, if server profiles were not assigned to server hardware before migration. See “Server profile acknowledgment” (page 230) for more information.
3. Perform the following best practices:
   a. Back up the new configuration in HPE OneView.
   b. Test network and storage connectivity.
   c. Plan a reboot if one of the acknowledgements, such as a SR-IOV virtual function configuration, indicated a change which would impact your operation.

NOTE: During an in-service migration, some changes do not take effect until the servers are rebooted for the first time following a migration. After migration, the enclosure is no longer available in VCM.

9.2.1 Warning issues

The following partial list of Virtual Connect features are not supported in HPE OneView. These features are considered warning issues and are listed in the compatibility report.
Migration can continue with these warnings, but you should review them to determine if the features are important to your environment. If a feature is required in your environment and your enclosure contains ProLiant G6 or later server blades, you might want to consider monitoring your enclosure. See “About monitored c7000 enclosures” (page 219).

NOTE: Unassigned profiles will not be migrated. The profiles will be deleted from VCM during the migration. Either assign profiles before the migration or use the show config -includepoolinfo output to recreate the profiles once the enclosure is in HPE OneView.

Potential warnings

• Custom module hostname
• Network Access Group
• Unassigned server profiles
• Mixed USE-BIOS connections in a profile
• RADIUS/TACACS+
• User role configuration
• sFlow traffic monitoring
• VCM SNMP traps and Ethernet and FC SNMP access settings inconsistent
• Module-specific DNS name
• SMIS not enabled

NOTE: In general, if a feature is listed as a warning which is not required for the environment, continuing will mean the functionality will not be migrated to HPE OneView.

Part III Configuration quick starts

The quick starts provided in this part describe the basic resource configuration tasks required to quickly bring the primary components of your hardware infrastructure under appliance management. Additional resource configuration and ongoing management tasks are documented in Part IV.

10 Quick Start: Initial configuration of HPE OneView

Initial configuration of resources in HPE OneView is no different from configuring resources as part of routine maintenance.
While HPE OneView is designed to allow flexibility in the order in which you create, add, and edit resources and devices, Hewlett Packard Enterprise recommends using the following workflow sequence for initial configuration or whenever you make significant additions or changes to your environment.

To use REST APIs to configure the appliance and bring your environment under management for the first time, see the REST API help, which is available from the Help Sidebar.

10.1 Initial configuration of resources in HPE OneView

10.1.1 Prerequisites

• You have installed HPE OneView. See the HPE OneView Installation Guide for more information.
• You have configured the appliance network.
• You are logged on as Administrator.

10.1.2 Configure resources in HPE OneView

1. Add users to the appliance.
   Create user accounts with specific privileges and local or directory-based authentication:
   • Add a fully authorized local user (Infrastructure administrator)
   • Add a local user with specialized access
   • Add a fully authorized user with authentication by membership in an organizational directory
   • Add a user with role-based access and authentication by membership in an organizational directory
   Create user accounts assigned with predefined or specialized privileges with local or directory-based authentication. See the Users and Groups online help for more information.
2. Add firmware bundle to the appliance firmware repository.
   Add the latest firmware bundle to the appliance. See the Firmware Bundles online help for more information.
3. Create networks.
   Create Ethernet networks for data and Fibre Channel over Ethernet networks for storage. See the Networks online help for more information.
4. Create network sets.
   Create network sets to group Ethernet networks together to simplify management. See the Network Sets online help for more information.
5. Create one or more logical interconnect groups.
   Create one or more logical interconnect groups to define the connections between your networks and interconnect uplink ports. See the Logical Interconnect Groups online help for more information.
6. Create an enclosure group.
   Create an enclosure group to define and maintain consistent configurations and to be able to detect and manage devices such as interconnects and server hardware in your enclosures. See the Enclosure Groups online help for more information.
7. Add enclosures to the appliance.
   Add enclosures to the appliance to manage their contents and apply firmware updates. See the Enclosures online help for more information.
8. Optional: Add switches to the appliance.
   Create a logical switch group to add a top-of-rack switch to the appliance to provide a unified, converged fabric over 10 Gigabit Ethernet for LAN and SAN traffic. See the Switches online help for more information.
9. Optional: Add storage systems and storage pools.
   Add storage systems to the appliance and then add storage pools to the appliance. See the Storage Systems online help and the Storage Pools online help for more information.
10. Optional: Create volumes.
   Create volumes in the storage pools. You can also create volumes by creating volume templates. You can add existing volumes from storage systems to the appliance. See the Volumes online help and the Volume Templates online help for more information.
11. Optional: Add a SAN manager to the appliance to manage SAN storage.
   Add a SAN manager to access the SANs it manages. See the SAN Managers online help for more information.
12. Optional: Associate SANs with networks.
   Associate SANs with networks in HPE OneView. See the SAN Managers online help for more information.
13. Create server profiles and apply them to server hardware.
   Create and apply server profiles to define common configurations for your server hardware. See the Server Profiles online help for more information.
14. Optional: Attach a SAN volume to a server profile.
   Attach a SAN volume to a server profile. See the Server Profiles online help for more information.
15. Save the appliance configuration to a backup file.
   Save the initial appliance configuration settings and database to a backup file in the event that you need to restore the appliance to its current configuration in the future. See the Settings online help for more information about creating and saving appliance backup files.

10.2 Define physical dimensions and power systems in HPE OneView

Defining the physical dimensions of the space that the networking hardware inhabits and positioning enclosures, power delivery devices, server hardware, and other devices in racks within HPE OneView provides the appliance with an accurate diagram of the devices in your data center and their physical connections. The appliance can then provide powerful monitoring and management functionality, including:
• The Data Centers screen generates a 3D model of your IT environment, which you can use for planning and organization.
• The Data Centers screen displays power and temperature data to enable you to analyze power consumption rates. The appliance reports peak temperatures for racks and their components to identify and alert you about potential cooling issues.
• The Power Delivery Devices screen provides data to enable you to analyze power consumption rates and power caps.

1. Add power devices.
   Define your power devices and power connections. See the Power Delivery Devices online help for more information.
2. Add racks and configure the rack layout.
   Add racks and configure the layout of enclosures, power delivery devices, and other rack devices. See the Racks online help for more information.
3. Create data centers and position racks in them.
   Define the physical topology and cooling and power characteristics of your data center, which enables 3D visualization and temperature monitoring. See the Data Centers online help for more information.

11 Quick Starts for networks, enclosures, and storage

11.1 Quick Start: Add a network and associate it with an existing server

This quick start describes how to add a network to the appliance and enable existing servers to access that network.

Prerequisites

• Required privileges: Infrastructure administrator or Network administrator for adding the network.
• Required privileges: Infrastructure administrator or Server administrator for changing the configurations of the server profiles.
• The enclosures and server hardware are added to the appliance.
• All data center switch ports that connect to the Virtual Connect interconnects are configured as described in “Data center switch port requirements” (page 193).

11.1.1 Adding a network and associating it with an existing server

When you add a network to the appliance, you might need to make configuration changes to the following resources:

NOTE: You can create active/active configurations without having to create two networks with the same VLAN ID. See “Quick Start: Add an active/active network configuration for single or multiple logical interconnect groups” (page 133) for more information.

Resource: Networks
Task:
1. Add the network.
Description:
• Adding a network does not require that you take resources offline.
• For more information about networks, see “Managing networks and network resources” (page 187), the online help for the Networks screen, or the REST API scripting help for networks and network sets.

Resource: Logical Interconnect Groups
Task:
2. Add the network to an uplink set or internal networks.
Description:
• You can either add the network to an existing uplink set or create an uplink set for the network.
• Changing the configuration of an uplink set does not require that you take resources offline.
• Configuration changes made to a logical interconnect group are not automatically propagated to the member logical interconnects. However, by changing the logical interconnect group, you can update each logical interconnect with a single action.
• For more information, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnect Groups screen, or the REST API scripting help for logical interconnects and the REST API for the uplink-sets resource.

Resource: Logical Interconnects (one or more)
Task:
3. Do one of the following:
   • Add the network to an uplink set or internal networks.
   • Update the logical interconnect from the logical interconnect group.
Description:
• Changing the configuration of an uplink set does not require that you take resources offline.
• Configuration changes made to a logical interconnect group are not automatically propagated to the member logical interconnects. To update a logical interconnect with changes made to its logical interconnect group, do one of the following:
  ◦ Select Logical Interconnects→Actions→Update from group.
  ◦ Use the REST APIs to reapply the logical interconnect group.
  When adding a network, updating a logical interconnect from its group does not require that you take resources offline.
• You can make changes to a logical interconnect without also changing the logical interconnect group. In this case, you add the network to an uplink set on the logical interconnect. However, the appliance labels the logical interconnect as being inconsistent with its group.
• For more information, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnects screen, or the REST API scripting help for logical interconnects.

Resource: Network Sets
Task:
4. (Optional) Add the network to a network set.
Description:
• Applies to Ethernet networks only.
• Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set.
• For more information about network sets, see “Managing networks and network resources” (page 187), the online help for the Network Sets screen, or the REST API scripting help for networks and network sets.

Resource: Server Profiles and Server Hardware
Task:
5. Power off the server before you edit the server profile.
6. Edit the server profile to add a connection to the network.
7. Power on the server after you apply the server profile.
Description:
• For a server to connect to the network, the server profile for the server hardware must include a connection to either the network or a network set that includes the network.
• If you add the network to a network set, server profiles that have connections to the network set automatically have access to the added network. You do not have to edit these server profiles.
• If the network is not added to a network set, you must add a connection to the network in the server profiles that you want to connect to that network. Power off the server hardware before adding the connection to a server profile.
• For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.
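The dependencies in this quick start, which section 8.2.1 also lists, can be turned into a remaining-work check once the network exists. The following is an added example, not HPE code: the inventory dictionaries are a constructed, hypothetical model (not the OneView REST schema), and internal networks would be modelled as one more named entry next to the uplink sets.

```python
# Constructed sample inventory, captured after Dev103 was created and added
# to network set DevSet and to the uplink set of group LIG-A only.
NETWORK_SETS = {"DevSet": ["Dev101", "Dev102", "Dev103"]}
LI_GROUPS = {  # logical interconnect group -> {uplink set: networks}
    "LIG-A": {"US-Dev": ["Dev101", "Dev102", "Dev103"]},
    "LIG-B": {"US-Prod": ["Prod201"]},
}
LOGICAL_INTERCONNECTS = {
    "Encl1-LI": {"group": "LIG-A", "uplink_sets": {"US-Dev": ["Dev101", "Dev102"]}},
    "Encl2-LI": {"group": "LIG-B", "uplink_sets": {"US-Prod": ["Prod201"]}},
}
PROFILES = {  # server profile -> its logical interconnect and connections
    "web-01": {"li": "Encl1-LI", "connections": [("network-set", "DevSet")]},
    "web-02": {"li": "Encl1-LI", "connections": [("network", "Dev101")]},
    "db-01": {"li": "Encl2-LI", "connections": [("network", "Prod201")]},
}


def carries(uplink_sets, network):
    """True if any uplink set in the mapping includes the network."""
    return any(network in nets for nets in uplink_sets.values())


def plan_network_add(network, targets, network_sets, li_groups, lis, profiles):
    """List the work still needed before `targets` can reach `network`.

    update_li_from_group: the group already carries the network, but the
        change has not been propagated to this logical interconnect.
    add_to_uplink_set:    neither the logical interconnect nor its group
        carries the network yet.
    profile_ok:           the profile reaches the network directly or through
        a network set, so it needs no edit.
    power_off_and_edit:   the profile needs a new connection, which means
        powering off the server before the edit.
    """
    plan = {"update_li_from_group": [], "add_to_uplink_set": [],
            "profile_ok": [], "power_off_and_edit": []}
    for li_name in sorted({profiles[p]["li"] for p in targets}):
        li = lis[li_name]
        if carries(li["uplink_sets"], network):
            continue
        if carries(li_groups[li["group"]], network):
            plan["update_li_from_group"].append(li_name)
        else:
            plan["add_to_uplink_set"].append(li_name)
    for name in targets:
        reachable = any(
            (kind == "network" and target == network)
            or (kind == "network-set" and network in network_sets.get(target, []))
            for kind, target in profiles[name]["connections"]
        )
        plan["profile_ok" if reachable else "power_off_and_edit"].append(name)
    return plan


if __name__ == "__main__":
    plan = plan_network_add("Dev103", ["web-01", "web-02", "db-01"],
                            NETWORK_SETS, LI_GROUPS, LOGICAL_INTERCONNECTS, PROFILES)
    for task, items in plan.items():
        print(f"{task}: {items}")
```

In the sample, web-01 needs no profile edit because it connects through DevSet, yet it still cannot reach Dev103 until Encl1-LI is updated from its group.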
11.2 Quick Start: Add an active/active network configuration for single or multiple logical interconnect groups

This quick start describes how to add an active/active configuration for an enclosure.

Prerequisites
• Required privileges: Infrastructure administrator or Network administrator for adding networks.
• Required privileges: Infrastructure administrator or Server administrator for changing the server profile configurations.
• Two or more supported Virtual Connect interconnects, as listed in the appropriate support or compatibility matrix on the Hewlett Packard Enterprise Information Library.
• The enclosures and server blades are added to the appliance.
• Follow the recommended naming conventions described in “Requirements for an active/active configuration” (page 207).

11.2.1 Adding an active/active network configuration for single or multiple logical interconnect groups

For each Virtual Connect interconnect module you want to set up as an active/active configuration in the appliance, make configuration changes to the following resources:

Resource: Networks
Task:
1. Add networks.
   • For an enclosure group with a single logical interconnect group:
     a. Add a pair of Ethernet networks for each VLAN you want to connect: one network for the first interconnect module and one network for the second interconnect module using the same VLAN ID.
     For example, create Dev101_A and Dev101_B for VLAN ID 101.
   • For a multiple logical interconnect group configuration:
     a. Add an Ethernet network to be used in both logical interconnect groups.
Description:
On the Networks screen:
• For Name, assign names to the networks according to “Requirements for an active/active configuration” (page 207)
• For Type, select Ethernet.
• For VLAN ID, enter the same ID for both networks.
• Verify that Smart link is selected.
• For more information about networks, see “Managing networks and network resources” (page 187), the online help for the Networks screen, or the REST API scripting help for networks and network sets.

Resource: Logical Interconnect Groups and Logical Interconnects
Task:
2. Create uplink sets.
   • For an enclosure group with a single logical interconnect group:
     a. Create a pair of uplink sets to associate the networks with the uplink ports on the interconnect module.
     b. Assign one set of networks to the uplink set that has ports on the first interconnect module. Assign the other networks to the uplink set that has ports on the second interconnect module.
     For example, uplink port X5 is defined in both sets: UplinkSet_A for bay 1 and UplinkSet_B for bay 2. Dev101_A is assigned to UplinkSet_A, and Dev101_B is assigned to UplinkSet_B.
   • For a multiple logical interconnect group configuration:
     a. Create an uplink set on the first logical interconnect group and an uplink set on the second logical interconnect group with the same networks.
Description:
• You can either add the networks to existing uplink sets or create new uplink sets for the networks.
NOTE: If you change the name of an uplink set in the Logical Interconnect Groups screen, and then select Actions→Update from group on the Logical Interconnects screen, connectivity is interrupted briefly.
• Uplinks in each uplink set must be restricted to a single interconnect.
• Duplicate VLAN IDs are not allowed in the same uplink set.
• For more information, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnects screen, or the REST API scripting help for logical interconnect groups and the REST API for the uplink-sets resource.

Resource: Network Sets
Task:
3. (Optional) Add one or more pairs of network sets. Each set should include only the networks that will be used on the same server profile connection.
   For example, create network set DevSet_A for your development Dev_A networks, and create DevSet_B for your development Dev_B networks.
Description:
• Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set.
• Duplicate VLAN IDs are not allowed in a network set.
• Each network set should have multiple networks.
• For more information about network sets, see “Managing networks and network resources” (page 187), the online help for the Network Sets screen, or the REST API scripting help for networks and network sets.

Resource: Server Profiles and Server Hardware
Task:
4. Power off the server before you edit the server profile.
5. Edit the server profile to add two connections. Assign one port for the networks or network sets on one module, and assign a different port for the networks or network sets on the other module.
   Make sure the networks associated with the uplink ports in the uplink set match the networks assigned to the profile connections in the downlink ports.
   For example, Connection1 is LOM1:1-a for DevSet_A, and Connection2 is LOM1:1-b for DevSet_B.
6. Power on the server.
Description:
• When adding a connection to the server profile, select the physical port connected to the module with the uplink set containing the networks configured for that connection. Do not select Auto.
• For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

11.3 Quick Start: Migrate from an active/standby to an active/active configuration

This quick start describes how to migrate from an active/standby configuration to an active/active configuration for an enclosure.

Prerequisites
• Required privileges: Infrastructure administrator or Network administrator for adding networks.
• Required privileges: Infrastructure administrator or Server administrator for changing the server profile configurations.
• Two or more supported Virtual Connect interconnects, as listed in the appropriate support or compatibility matrix on the Hewlett Packard Enterprise Information Library.
• The enclosures and server blades are added to the appliance.
• Follow the recommended naming conventions described in “Requirements for an active/active configuration” (page 207).

11.3.1 Migrating from an active/standby to an active/active configuration

For an enclosure group with a single logical interconnect group, when migrating from an active/standby configuration to an active/active configuration, make configuration changes to the following resources:

Resource: Logical Interconnect Groups
Task:
1. Find the uplink set or sets that you want to convert to active/active.
2. Record all networks in the uplink sets.
Description:
For more information, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnect Groups screen, or see the REST API scripting help for logical interconnect groups.

Resource: Networks
Task:
3. Rename the networks by adding to the network name, as described in “Requirements for an active/active configuration” (page 207) (for example, Dev_100_A).
4. Create Ethernet networks using the same external VLAN ID for each network renamed in step 3 (for example, Dev_100_B).
Description:
On the Networks screen:
• For VLAN ID, use the same external VLAN ID for each network renamed in step 3.
• Verify that Smart link is selected.
• For more information about networks, see “Managing networks and network resources” (page 187), the online help for the Networks screen, or the REST API scripting help for networks and network sets.

Resource: Network Sets
Task:
5. (Optional) Add network sets for the networks created in step 4.
Description:
• Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set.
• Duplicate VLAN IDs are not allowed in a network set.
• For more information about network sets, see “Managing networks and network resources” (page 187), the online help for the Network Sets screen, or the REST API scripting help for networks and network sets.

Resource: Logical Interconnect Groups and Logical Interconnects
Task:
6. Determine if all logical interconnects have active and standby uplink ports on the same modules.
   • If the standby uplinks are on the same module, go to step 7.
   • If the standby uplinks are on different modules, force a failover so that all standby uplinks are on the same module. Go to step 7.
7. Edit the active/standby uplink set and delete the standby uplinks.
8. Create a second uplink set for the standby uplinks removed in step 7.
9. Add the networks created in step 4 to the new uplink set. For example, UplinkSet_B contains all Dev_B networks.
10. Select Actions→Update from group. The active uplinks maintain traffic so there is no downtime.
Description:
To determine the port status (active or standby), access the Logical Interconnects screen and review the state of each port in the Uplink Sets view.
• Hewlett Packard Enterprise recommends deleting the standby uplinks from the original uplink set, and then adding them to the new uplink set. This method prevents connectivity loss. If you change the name of an uplink set on the Logical Interconnect Groups screen, and then select Actions→Update from group on the Logical Interconnects screen, connectivity is interrupted briefly.
• For more information, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnects screen, or the REST API scripting help for logical interconnects and the REST API for the uplink-sets resource.
Resource: Server Profiles and Server Hardware
Task:
11. Power off the server before you edit the server profile.
12. Edit the server profile to add a new connection for the new networks or network sets.
13. Power on the server.
Description:
• Change every server profile connection associated with the port servicing the original standby uplinks. Assign the networks or network sets created in steps 4 or 5 to the port.
• For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

Resource: Logical Interconnect Groups and Logical Interconnects
Task:
14. Edit the logical interconnect group and rename the original uplink set by adding to the name, as described in “Requirements for an active/active configuration” (page 207) (for example, UplinkSet_A). Do not make any changes other than the uplink set name.
15. Select Actions→Update from group.
Description:
• For more information, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnects screen, or the REST API scripting help for logical interconnects and the REST API for the uplink-sets resource.

11.4 Quick Start: Add a c7000 enclosure with a single logical interconnect group and connect its server blades to networks

This quick start describes the process to add an enclosure to an existing appliance with Virtual Connect interconnects and enable the server blades to access the existing data center networks.

The scenarios in this quick start are for a single logical interconnect group per enclosure (fully stacked) configuration. To create multiple logical interconnect groups for an enclosure, see “About multiple logical interconnect groups in an enclosure group” (page 203).
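The rules that sections 11.2.1 and 11.3.1 above place on an active/active layout (paired networks sharing a VLAN ID, Smart link selected, uplink sets confined to one interconnect, no duplicate VLAN IDs in an uplink set or network set, no Auto port on a profile connection) can be checked against a written plan before any change is made on the appliance. The following Python check is an added example, not HPE code: the plan dictionary layout and the function names are assumptions made here, and the _A/_B suffix test is inferred from the guide's Dev101_A and Dev101_B examples.

```python
# Added example: check a planned active/active layout against the rules in
# 11.2.1 and 11.3.1. The plan layout is an assumption, not an HPE OneView format.
import copy
from collections import Counter, defaultdict

# Constructed sample plan that reuses the guide's example names.
GOOD_PLAN = {
    "networks": [
        {"name": "Dev101_A", "vlan_id": 101, "smart_link": True},
        {"name": "Dev101_B", "vlan_id": 101, "smart_link": True},
        {"name": "Dev102_A", "vlan_id": 102, "smart_link": True},
        {"name": "Dev102_B", "vlan_id": 102, "smart_link": True},
    ],
    # Each uplink port is (interconnect bay, port name).
    "uplink_sets": [
        {"name": "UplinkSet_A", "ports": [(1, "X5")], "networks": ["Dev101_A", "Dev102_A"]},
        {"name": "UplinkSet_B", "ports": [(2, "X5")], "networks": ["Dev101_B", "Dev102_B"]},
    ],
    "network_sets": [
        {"name": "DevSet_A", "networks": ["Dev101_A", "Dev102_A"]},
        {"name": "DevSet_B", "networks": ["Dev101_B", "Dev102_B"]},
    ],
    "connections": [
        {"name": "Connection1", "port": "LOM1:1-a", "network_set": "DevSet_A"},
        {"name": "Connection2", "port": "LOM1:1-b", "network_set": "DevSet_B"},
    ],
}


def _duplicates(values):
    """Return the sorted values that occur more than once."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


def validate(plan):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    nets = {n["name"]: n for n in plan["networks"]}

    def vlan_ids(owner, names):
        """VLAN IDs of the named networks; unknown names become findings."""
        findings.extend(f"{owner}: unknown network {n}" for n in names if n not in nets)
        return [nets[n]["vlan_id"] for n in names if n in nets]

    # Networks: one _A and one _B network per VLAN ID, Smart link selected.
    sides = defaultdict(list)
    for net in plan["networks"]:
        sides[net["vlan_id"]].append(net["name"][-2:])
        if not net["smart_link"]:
            findings.append(f"{net['name']}: Smart link is not selected")
    for vlan, found in sorted(sides.items()):
        if sorted(found) != ["_A", "_B"]:
            findings.append(f"VLAN {vlan}: need one _A and one _B network, found {sorted(found)}")

    # Uplink sets: uplinks on a single interconnect, no duplicate VLAN IDs.
    carried_by = {}
    for us in plan["uplink_sets"]:
        bays = sorted({bay for bay, _port in us["ports"]})
        if len(bays) != 1:
            findings.append(f"{us['name']}: uplinks span interconnect bays {bays}")
        for vlan in _duplicates(vlan_ids(us["name"], us["networks"])):
            findings.append(f"{us['name']}: duplicate VLAN ID {vlan}")
        for n in us["networks"]:
            carried_by.setdefault(n, us["name"])

    # Network sets: multiple networks, no duplicate VLAN IDs, one uplink set each.
    set_uplink = {}
    for ns in plan["network_sets"]:
        if len(ns["networks"]) < 2:
            findings.append(f"{ns['name']}: should contain multiple networks")
        for vlan in _duplicates(vlan_ids(ns["name"], ns["networks"])):
            findings.append(f"{ns['name']}: duplicate VLAN ID {vlan}")
        uplinks = sorted({carried_by.get(n, "no uplink set") for n in ns["networks"]})
        if len(uplinks) != 1:
            findings.append(f"{ns['name']}: networks spread over uplink sets {uplinks}")
        set_uplink[ns["name"]] = uplinks[0] if len(uplinks) == 1 else None

    # Profile connections: explicit physical ports that reach both uplink sets.
    reached = set()
    for conn in plan["connections"]:
        if conn["port"].lower() == "auto":
            findings.append(f"{conn['name']}: port is Auto, select the physical port")
        reached.add(set_uplink.get(conn["network_set"]))
    if len(reached - {None}) < 2:
        findings.append("profile connections do not reach two uplink sets")
    return findings


def broken_plan():
    """Constructed variant of GOOD_PLAN with four deliberate mistakes."""
    plan = copy.deepcopy(GOOD_PLAN)
    plan["networks"][3]["smart_link"] = False              # Dev102_B without Smart link
    plan["uplink_sets"][0]["ports"].append((2, "X6"))      # UplinkSet_A spans two bays
    plan["uplink_sets"][1]["networks"].append("Dev101_A")  # VLAN 101 twice in UplinkSet_B
    plan["connections"][1]["port"] = "Auto"                # Auto instead of a physical port
    return plan

if __name__ == "__main__":
    print("\n".join(validate(broken_plan())))
```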
The steps you take to add an enclosure and ensure that its server blades are connected to the data center networks depend on whether you use an existing enclosure group, or if you need to define the network connectivity by configuring enclosure groups, and logical interconnects and their uplink sets.

For a server blade in an enclosure to connect to a data center network, you must ensure that several resources are configured. For a complete list of resources and the reasons you need them, see “Checklist: connecting a server to a data center network” (page 232).

Logical interconnect groups, their uplink sets, and their associated enclosure groups can be created in different ways:
• You can create them before the enclosure is added to HPE OneView.
• You can create them as part of the enclosure add operation. During the enclosure add operation, HPE OneView detects the interconnects installed in the enclosure and creates the groups based on the hardware in the enclosure. You complete the configuration of the groups before you complete the enclosure add operation.

11.4.1 Scenario 1: Adding a c7000 enclosure to manage to an existing enclosure group

The quickest way to add an enclosure for management by HPE OneView is to specify an existing enclosure group. When you add an enclosure to an existing enclosure group, the enclosure is configured like the other enclosures in the group, including the network connections.

This scenario creates a single logical interconnect group for the enclosure. To create multiple logical interconnect groups for an enclosure, see “About multiple logical interconnect groups in an enclosure group” (page 203).

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator.
• The hardware configuration of the enclosure interconnects must match the configuration expected by the logical interconnect group that is associated with the enclosure group.
• The uplink sets for the logical interconnect group or groups include connections to the networks you want to access.
• All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in “Data center switch port requirements” (page 193).
• The networks and network sets, if any, have been added to HPE OneView. To add networks or network sets, see “Quick Start: Add a network and associate it with an existing server” (page 131) or “Managing networks and network resources” (page 187).
• See “Prerequisites for bringing a c7000 enclosure into HPE OneView” (page 231) for prerequisites and preparation you must complete before you add an enclosure.
• See “Prerequisites for bringing server hardware into an appliance” (page 160) for prerequisites and preparation you must complete before you add a server.

Process

Resource: Enclosures
Task:
1. Add the enclosure.
Description:
• Select Add enclosure for management.
• Specify an existing enclosure group.
• Select a firmware baseline and an HPE OneView Advanced licensing option.
• For more information about enclosures, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosures screen, or the REST API scripting help for enclosures.

Resource: Server Profiles
Task:
2. Do one of the following:
   • Create a server profile manually or from a server profile template, and assign it to the server hardware.
   • Copy a server profile and assign it to the server hardware, then modify it as necessary.
3. Power on the server hardware.
Description:
For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network:
• If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware.
• Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network.
• Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

11.4.2 Scenario 2: Defining network connectivity before adding a c7000 enclosure to manage

In this scenario, you configure the logical interconnect group, including its uplink sets, and the enclosure group before you add the enclosure for management. After you define those configurations, the process is the same as adding an enclosure to an existing enclosure group.

This scenario creates a single logical interconnect group for the enclosure. To create multiple logical interconnect groups for an enclosure, see “About multiple logical interconnect groups in an enclosure group” (page 203).

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator.
• The hardware configuration of the enclosure interconnects must match the configuration expected by the logical interconnect group that you create.
• All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in “Data center switch port requirements” (page 193).
• The networks and network sets, if any, have been added to HPE OneView. To add networks or network sets, see “Quick Start: Add a network and associate it with an existing server” (page 131) or “Managing networks and network resources” (page 187).
• See “Prerequisites for bringing a c7000 enclosure into HPE OneView” (page 231) for prerequisites and preparation you must complete before you add an enclosure.
• See “Prerequisites for bringing server hardware into an appliance” (page 160) for prerequisites and preparation you must complete before you add a server.

Process

Resource: Logical Interconnect Groups
Task:
1. Create at least one logical interconnect group.
Description:
• You add uplink sets as part of creating a logical interconnect group. Ensure that at least one of the uplink sets you add includes an uplink port to the data center networks you want to access.
• For more information about logical interconnect groups, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnect Groups screen, or the REST API scripting help for logical interconnect groups.

Resource: Enclosure Groups
Task:
2. Create an enclosure group.
Description:
• You can create an enclosure group with logical interconnect groups initially, or you can create an enclosure group that does not specify logical interconnect groups, and then add the logical interconnect groups later.
• For more information about enclosure groups, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosure Groups screen or the REST API scripting help for enclosure groups.

Resource: Enclosures
Task:
3. Add the enclosure.
Description:
• Select Add enclosure for management.
• Specify the enclosure group you created.
• Select a firmware baseline and an HPE OneView Advanced licensing option.
• For more information about enclosures, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosures screen, or the REST API scripting help for enclosures.

Resource: Server Profiles and Server Hardware
Task:
4. Do one of the following:
   • Create a server profile manually or from a server profile template, and assign it to the server hardware.
   • Copy a server profile and assign it to the server hardware, then edit the server profile as necessary.
5. Power on the server hardware.
Description:
For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network:
• If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware.
• Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network.
• Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

11.4.3 Scenario 3: Defining network connectivity as you add the enclosure to manage

In this scenario, you configure the logical interconnect group, including its uplink sets, and the enclosure group during the enclosure add operation. HPE OneView detects the interconnects installed in the enclosure and prompts you to create a logical interconnect group and enclosure group based on the hardware in the enclosure.
This scenario creates a single logical interconnect group for the enclosure. To create multiple logical interconnect groups for an enclosure, see “About multiple logical interconnect groups in an enclosure group” (page 203).

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator.
• All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in “Data center switch port requirements” (page 193).
• The networks and network sets, if any, have been added to HPE OneView. To add networks or network sets, see “Quick Start: Add a network and associate it with an existing server” (page 131) or “Managing networks and network resources” (page 187).
• See “Prerequisites for bringing a c7000 enclosure into HPE OneView” (page 231) for prerequisites and preparation you must complete before you add an enclosure.
• See “Prerequisites for bringing server hardware into an appliance” (page 160) for prerequisites and preparation you must complete before you add a server.

Process

Resource: Enclosures
Task:
1. Add the enclosure.
Description:
• Select Add enclosure for management.
• Select Create new enclosure group.
• Select an enclosure group name.
• Select a firmware baseline and an HPE OneView Advanced licensing option.
• For more information about enclosures, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosures screen, or the REST API scripting help for enclosures.

Resource: Logical Interconnect Groups
Task:
2. Select Create new logical interconnect group.
3. Edit the default logical interconnect group.
Description:
• During the enclosure add operation, select Create new logical interconnect group. After you click Add, HPE OneView discovers the interconnects in the enclosure, creates a default logical interconnect group, and opens an edit screen for that logical interconnect group.
• The default logical interconnect group name is the enclosure group name you entered followed by interconnect group. For example, if you specified DirectAttachGroup for the enclosure group name, the default logical interconnect group name is DirectAttachGroup interconnect group.
• You add uplink sets as part of editing the logical interconnect group. Ensure that at least one of the uplink sets you add includes an uplink port to the data center networks you want to access.
• For more information about logical interconnect groups, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnect Groups screen, or the REST API scripting help for logical interconnect groups.

Resource: Server Profiles and Server Hardware
Task:
4. Do one of the following:
   • Create a server profile manually or from a server profile template, and assign it to the server hardware.
   • Copy a server profile and assign it to the server hardware, then edit the server profile as necessary.
5. Power on the server hardware.
Description:
For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network:
• If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware.
• Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network.
• Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

11.5 Quick Start: Add a c7000 enclosure with multiple logical interconnect groups and connect its server hardware to networks

This quick start describes the process to add an enclosure with multiple logical interconnect groups so that the server hardware can access existing data center networks. For the benefits of configuring multiple logical interconnect groups, see “About multiple logical interconnect groups in an enclosure group” (page 203).

To set up an enclosure that is not stacked, configure multiple logical interconnect groups such that each interconnect is in a different logical interconnect group (which subsequently defines the logical interconnects) before adding the enclosure. You can also set up a partially-stacked enclosure where you have more than one interconnect associated to a logical interconnect group.

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator.
• The interconnects selected in the logical interconnect groups must match the interconnects contained in the enclosure.
• All data center switch ports that connect to the Virtual Connect (VC) interconnects are configured as described in “Data center switch port requirements” (page 193).
• See “Prerequisites for bringing a c7000 enclosure into HPE OneView” (page 231) for prerequisites and preparation you must complete before you add an enclosure.
• See “Prerequisites for bringing server hardware into an appliance” (page 160) for prerequisites and preparation you must complete before you add a server.
Adding a c7000 enclosure with multiple logical interconnect groups and connecting its server hardware to networks

Resource: Networks and Network Sets
Task:
1. Add networks.
2. (Optional) Add networks to sets.
Description:
• Adding a network does not require that you take resources offline.
• For more information about networks, see “Managing networks and network resources” (page 187).

Resource: Logical Interconnect Groups
Task:
3. Create a logical interconnect group for each interconnect you want in a different group.
Description:
• You can create a logical interconnect group with more than one logical interconnect.
• You add uplink sets as part of creating a logical interconnect group. Ensure that at least one of the uplink sets you add includes an uplink port to the data center networks you want to access.
• The logical interconnect groups create the logical interconnects when the enclosure is added.
• For more information about logical interconnect groups, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnect Groups screen, or the REST API scripting help for logical interconnect groups.

Resource: Enclosure Groups
Task:
4. Create an enclosure group.
Description:
• Include the logical interconnect groups you created in the enclosure group.
• For more information about enclosure groups, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosure Groups screen or the REST API scripting help for enclosure groups.

Resource: Enclosures
Task:
5. Add the enclosure.
Description:
• Select Add enclosure for management.
• Specify the enclosure group you created.
• Select a firmware baseline and a licensing option.
• For more information about enclosures, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosures screen, or the REST API scripting help for enclosures.

Resource: Server Profiles and Server Hardware
Task:
6. Do one of the following:
   • Create a server profile manually or from a server profile template and assign it to the server hardware.
   • Copy a server profile and assign it to the server hardware, then edit the server profile as necessary.
7. Power on the server hardware.
Description:
For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network:
• If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware.
• Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network.
• Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

11.6 Quick Start: Add an HPE ProLiant DL rack mount server to manage

This quick start describes the process for adding a rack mount server to manage.

The features supported by the appliance vary by server model. For information about the features supported for HPE ProLiant DL servers, see “Server hardware management features” (page 158).

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator.
• The server is connected to a live power source.
• See “Prerequisites for bringing server hardware into an appliance” (page 160) for prerequisites and preparation you must complete before you add a server.

11.6.1 Adding an HPE ProLiant DL rack mount server to manage

Resource: Server Hardware
Task:
1. Add the server using the Server Hardware screen or the REST APIs for the server-hardware resource.
2. Power on the server.
Description:
• When you add a server, you must provide the following information:
  ◦ Specify Managed.
  ◦ The iLO IP address or host name.
  ◦ The user name and password for an iLO account with administrator privileges.
  ◦ A license type to use for the server hardware.
  For more information about server hardware, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Hardware screen, or the REST API scripting help for server hardware.
• If this server configuration differs from the other servers in the appliance, the appliance automatically adds a server hardware type for this model.
• Because this is a rack mount server:
  ◦ You cannot use the appliance to provision any networks for this server.
  ◦ The features supported by the appliance vary by server model. For information about the features supported for HPE ProLiant DL servers, see “Server hardware management features” (page 158).

11.7 Quick Start: Configure a c7000 enclosure and server blade for direct attach to an HPE 3PAR Storage System

This quick start describes the process for adding and configuring an enclosure so that its servers can connect to an HPE 3PAR Storage System that is directly attached (Flat SAN) to the enclosure with Virtual Connect FlexFabric interconnects.

Prerequisites
• Required privileges: Infrastructure administrator or Network administrator for adding the networks.
• Required privileges: Infrastructure administrator or Server administrator for adding the enclosure and server profiles.
• The HPE 3PAR Storage System is installed and configured and the cables are attached to the enclosure you want to use.
• See “Prerequisites for bringing a c7000 enclosure into HPE OneView” (page 231) for prerequisites and preparation you must complete before you add an enclosure.
• See “Prerequisites for bringing server hardware into an appliance” (page 160) for prerequisites and preparation you must complete before you add a server.

11.7.1 Configuring a c7000 enclosure and server blade for direct attach to an HPE 3PAR Storage System

Resource: Networks
Task:
1. Add the Fibre Channel direct attach networks.
Description:
• When you add the networks from the Networks screen:
  ◦ For Type, select Fibre Channel
  ◦ For Fabric type, select direct attach
• For more information about networks, see “Managing networks and network resources” (page 187), the online help for the Networks screen, or the REST API scripting help for networks and network sets.

Resource: Logical Interconnect Groups
Task:
2. Create a logical interconnect group that defines the uplink sets for the direct attach network connections.
Description:
• Choose a name for the logical interconnect group that helps you distinguish logical interconnect groups that have connections to direct attach Fibre Channel networks from other logical interconnect groups.
• You add uplink sets as part of creating the logical interconnect group. Ensure that the uplink sets use the uplink ports on the enclosure that are physically connected to the HPE 3PAR Storage Server.
• For more information about logical interconnect groups, see “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195), the online help for the Logical Interconnect Groups screen, or the REST API scripting help for logical interconnect groups.

Resource: Enclosure Groups
Task:
3. Create an enclosure group.
Description:
• Choose a name that helps you distinguish enclosures that use direct attach Fibre Channel connections from enclosures that use fabric attach Fibre Channel connections.

Resource: Enclosures
Task:
4. Add the enclosure.
Description:
• Select Add enclosure for management.
• Select the enclosure group that you added in the preceding step.
• Select a firmware baseline and an HPE OneView Advanced licensing option.
• For more information about enclosures, see “Managing enclosures, enclosure groups, and logical enclosures” (page 217), the online help for the Enclosures screen, or the REST API scripting help for enclosures.

Resource: Server Profiles
Task:
5. Do one of the following:
   • Create a server profile and assign it to the server hardware.
   • Copy a server profile, edit it as necessary, and then assign it to the server hardware.
6. After you configure the HPE 3PAR Storage System, power on the server hardware.
Description:
• For a server blade to connect to the HPE 3PAR Storage System, it must have a server profile assigned to it, and that server profile must include at least one connection to the direct attach Fibre Channel network that connects to the storage system.
• For example, if the networks you added are Direct A and Direct B, ensure that the server profile has one connection to the Direct A network and one connection to the Direct B network.
• You enable SAN storage through the server profile, in addition to other configuration settings. You must add storage systems, add storage volumes, and then attach to volumes when you create the profile.
  For more information about server profiles, see “Managing server hardware, server profiles, and server profile templates” (page 157), the online help for the Server Profiles screen, or the REST API scripting help for server profiles.

11.8 Quick Start: Configuring an HPE 5900 for management by HPE OneView

To add an HPE 5900 to the appliance as a SAN manager, you must configure the switch as described in this document. The following procedures describe how to configure an HPE 5900 using the switch software so that you can add it to HPE OneView.

See also:
• The SAN Managers chapter in the UI help
• The SAN Managers chapter in the REST API scripting help

See the HPE OneView Support Matrix for more information about supported SAN managers.

NOTE: In a cascaded switch environment, all zone and zone alias operations should be performed from a single switch that is added as SAN manager (device manager) in HPE OneView. Zone and zone aliases created through other switches in the fabric will not be visible in HPE OneView.

Table 6 Enable SSH and create an SSH user

Configuration:
Enable SSH on the HPE 5900 and create an SSH user (named a5900 with password sanlab1 in this example) on the HPE 5900 using the HPE 5900 software:
1. system-view
2. public-key local create rsa
3. public-key local create dsa
4. ssh server enable
5. user-interface vty 10 15
6. authentication-mode scheme
7. quit
8. local-user a5900 class manage
9. password simple sanlab1
10. service-type ssh
11. authorization-attribute user-role network-admin
12. quit
13. ssh user a5900 service-type stelnet authentication-type password

Table 7 Create an SNMPv3 user

Configuration:
The 5900 has a predefined view named ViewDefault. This view grants access to the iso MIB but does not provide access to the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 MIBs. The following steps show how to assign an SNMPv3 user with default read permission.

Create an SNMPv3 user with default read permissions
Use this procedure if you want the user to have the default level of access.
1. Enter system-view on the HPE 5900 by issuing the command:
   system-view
2. Create a group (named DefaultGroup in this example) and set Readview permission to ViewDefault:
   snmp-agent group v3 DefaultGroup privacy read-view ViewDefault
3. Create an SNMPv3 user (named defaultUser with MD5 authentication password authPass123 and AES-128 privacy password privPass123 in this example) and add it to the group created in step 2:
   snmp-agent usm-user v3 defaultUser DefaultGroup simple authentication-mode md5 authPass123 privacy-mode aes128 privPass123
4. Save the changes:
   save

NOTE: HPE OneView supports the following privacy protocols:
• AES-128
• DES-56

11.9 Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView

To add a Cisco SAN manager to the appliance as a SAN manager, you must configure the switch as described in this document. The following procedures describe how to configure a Cisco SAN manager using the switch software so that you can add it to HPE OneView.

See also:
• The SAN Managers chapter in the UI help
• The SAN Managers chapter in the REST API scripting help

See the HPE OneView Support Matrix for more information about supported SAN managers.

NOTE: In a cascaded switch environment, all zone and zone alias operations should be performed from a single switch that is added as SAN manager (device manager) in HPE OneView. Zone and zone aliases created through other switches in the fabric will not be visible in HPE OneView.

Table 8 Create an SNMPv3 user with write permissions

Configuration:
1. Enter the config mode using the command
   config t
2. Create the user with required authentication and privacy
   snmp-server user auth priv
   Example 1, creating an AUTHPRIV user with SHA and AES128 and adding to network-admin group:
   (switch)#snmp-server user AuthPrivUser auth sha authString123 priv aes-128 privString123 network-admin
   Example 2, creating an AUTHPRIV user with MD5 and DES and adding to network-admin group:
   (switch)#snmp-server user AuthPrivUser auth md5 authString123 priv privString123 network-admin
3. Optional: To create a role for the user, use the following commands
   role name
   rule 1 permit read-write
   Example 3, creating an AUTHNOPRIV user with MD5 and adding to new role/group:
   (switch)#role name newRole
   (switch)#rule 1 permit read-write
   (switch)#snmp-server user AuthUser auth md5 authString123 newRole

NOTE:
• Cisco supports AUTHPRIV and AUTHNOPRIV users only. The SNMP user can be added to the network-admin group/role, which will be present on the switch, or a role can be created and the user assigned to it.
• HPE OneView supports the following authentication protocols:
  ◦ SHA
  ◦ MD5
• HPE OneView supports the following privacy protocols:
  ◦ AES-128
  ◦ DES-56

11.10 Quick Start: Configure server hardware MAC address binding for FCoE server profiles

To configure a SAN so that the server profile volume attachments are visible to the server hardware, you need to perform a binding configuration for each server hardware.

11.10.1 Prerequisites
• You intend to attach volumes to server hardware using FCoE.
• You have configured at least one FCoE connection in a server profile.

11.10.2 Configuring server hardware MAC address binding for FCoE server profiles
1. From the main menu, select Server Profiles.
2. In the master pane, select the server profile that specifies the server hardware with an FCoE connection.
3. From the View selector, select Connections.
4. For each connection that you want to bind to a vfc interface, click the expander to display the details of the connection.
   Note the MAC address of the connection.
5. Use SSH to bind the server hardware MAC address to the vfc interface on the vSAN.
   See “Adding a FCoE volume in a multi-hop FCoE environment” in the FCOE Cookbook for HP Virtual Connect for information on binding the server hardware MAC addresses to vfc interfaces on the vSAN.

Part IV Configuration and management

The chapters in this part describe the configuration and management tasks for the appliance and the resources it manages.

12 Best practices

Hewlett Packard Enterprise recommends the following best practices for HPE OneView:
• “Best practices for managing a VM appliance” (page 296)
• “Best practices for maintaining a secure appliance” (page 67)
• “Best practices for backing up an appliance” (page 285)
• “Best practices for restoring an appliance” (page 291)
• “Best practices for migrating an enclosure from VCM into HPE OneView” (page 230)
• “Best practices for managing firmware” (page 248)
• “Best practices for monitoring health with the appliance UI” (page 308)

13 Managing server hardware, server profiles, and server profile templates

Managing servers with the appliance involves interacting with several different resources on the appliance:
• A server profile captures the entire server configuration in one place, enabling you to consistently replicate new server profiles and to rapidly modify them to reflect changes in your data center environment.
• A server profile enables management of your server hardware.
• A server profile template provides a mechanism to store configurations for a server profile. All of the configuration constructs of a server profile are present in the server profile template.
• An instance of server hardware is a physical server, such as an HPE ProLiant BL460c Gen8 Server Blade, installed in an enclosure or an HPE ProLiant DL380p rack mount server.
• A server hardware type defines the characteristics of a specific server model and set of hardware options, such as mezzanine cards.
• A connection, which is associated with a server profile, connects a server to the data center networks.

Server profiles provide most of the management features for servers, but server hardware and server profiles are independent of each other:
• A physical server, which is an instance of server hardware, might or might not have a server profile assigned to it.
• A server profile might be assigned to one instance of server hardware, or no server hardware at all.

It is the combination of the server hardware and the server profile assigned to it that is the complete server in the appliance.

You must use the server hardware resource to add physical servers to the appliance when you install a rack mount server. Server blades are added to the appliance automatically when you add an enclosure or install a server blade in an existing enclosure.

UI screens and REST API resources

UI screen                   REST API resource
Server Profiles             server-profiles and connections
Server Profile Templates    server-profile-templates
Server Hardware             server-hardware
Server Hardware Types       server-hardware-types

13.1 Managing server hardware

Server hardware represents an instance of server hardware, such as a physical server blade installed in an enclosure, or a physical rack server.

A server hardware type captures details about the physical configuration of server hardware, and defines which settings are available to the server profiles assigned to that type of server hardware.

13.1.1 Roles
• Minimum required privileges: Infrastructure administrator or Server administrator

13.1.2 Tasks for server hardware

The appliance online help provides information about using the UI or the REST APIs to:
• Get information about the server hardware.
• Power on and power off a server.
• Reset a server.
• Collect remote support data for server hardware.
• Launch the iLO remote console to manage servers remotely.
• Add or edit a rack server.
• Add a server to an existing enclosure.
• Claim a server currently being managed by another appliance.
• Remove a server from management.
• Remove a server from an existing enclosure.
• Refresh the connection between the appliance and the server hardware.
• View activities.

13.1.3 Server hardware management features

The appliance supports the following features on server hardware when added as managed.

Supported server hardware columns:
(a) HPE ProLiant BL G7 [1]
(b) HPE ProLiant BL and WS Gen8 and HPE ProLiant BL and WS Gen9
(c) HPE ProLiant DL Gen8 and HPE ProLiant DL Gen9

Feature
• Power on or power off the server: (a) ✓  (b) ✓  (c) ✓
• View inventory data: (a) ✓  (b) ✓  (c) ✓
• Monitor power, cooling, and utilization [2]: (a) ✓  (b) ✓  (c) ✓
• Monitor health and alerts: (a) With manual installation and configuration of SNMP Agents. NOTE: SNMP Agents are not available on ESXi  (b) ✓  (c) ✓
• Launch iLO remote console: (a) ✓  (b) ✓  (c) ✓
• SSO (single sign-on) to iLO web interface: (a) ✓  (b) ✓  (c) ✓
• Automatic firmware upgrade (iLO) to minimum supported version when added to the appliance: (a) ✓  (b) ✓  (c) ✓
• Rack visualization and editing: (a) ✓  (b) ✓  (c) ✓
• Automatic discovery of server hardware type: (a) ✓  (b) ✓  (c) ✓

Server profile features
BIOS settings ✓ ✓ Firmware ✓ ✓ Connections to networks ✓ ✓ 4 ✓ ✓ ✓ ✓ ✓ Boot order 5 Local storage ✓ SAN storage 3 3 6 ✓

1 The appliance might report an unsupported status for some double-wide, double-dense ProLiant G7 server blade models, which means that the appliance cannot manage them.
2 Not all servers support monitoring power, cooling, and utilization.
3 HPE ProLiant DL580 Gen8 is not supported.
4 Due to a limitation in Gen9 BL server ROMs dated 8/27/14 or earlier, it is not possible to set the primary boot device when the boot mode is set to UEFI or UEFI Optimized. If Manage boot order is selected, a warning will be displayed in the corresponding profile indicating this condition.
5 Only supported with the embedded array controller. M.2 drives are supported in specific configurations. See the HPE OneView Support Matrix for details.
6 Local storage is supported for select models of HPE ProLiant DL Gen9 server hardware. See the HPE OneView Support Matrix for a list of models that support local storage.

13.1.4 Server hardware monitoring features

When you monitor server hardware, the appliance supports the following features.

Monitored server hardware columns:
• HPE ProLiant BL and DL G6 (with iLO 2)
• HPE ProLiant BL and DL G7
• HPE ProLiant BL and DL Gen8 and Gen9
• HPE ProLiant XL Gen9 (NOTE: Apollo chassis is not discovered.)

Feature
Power on or power off the server ✓ Launch iLO remote console Remote support ✓ ✓ ✓ ✓ ✓ ✓ With manual installation and configuration of SNMP Agents With manual installation and configuration of SNMP Agents ✓ ✓ NOTE: SNMP Agents are not available on ESXi 5.x and 6.x. NOTE: SNMP Agents are not available on ESXi 5.x and 6.x. ✓ ✓ Monitor power, cooling, and utilization 1 Monitor health and alerts ✓ ✓ SSO (single sign-on) to iLO web interface ✓ ✓ Automatic discovery of server hardware type ✓ 2 ✓

1 Not all servers support monitoring power, cooling, and utilization.
2 ProLiant DL G7 servers do not have discovery of server hardware type.

13.1.5 Prerequisites for bringing server hardware into an appliance

Server hardware model
• The server hardware must be a supported model listed in the HPE OneView Support Matrix.
• The server hardware is connected to a live power source.
• The server hardware must have a valid serial number and product ID to be managed by HPE OneView.

iLO firmware
• The iLO (Integrated Lights-Out) firmware version must meet the minimum requirement listed in the HPE OneView Support Matrix.

IP addresses
• IPv4 configuration is required.
• iLOs on rack server hardware must have an IP address.

Local user accounts
• iLOs must be configured to allow for local user accounts.

13.1.6 About server hardware

A server hardware resource represents an instance of a server being managed or monitored by HPE OneView. For a managed server hardware resource, the configuration can be applied by assigning a server profile to it.

There are different ways servers can be added into HPE OneView.

Managed
HPE OneView manages the server, enabling you to apply configurations, assign server profiles, monitor operation status, collect statistics, and alert users to specific conditions. Server blades that are in a managed enclosure will automatically be added as managed. Managed servers require an HPE OneView Advanced or an HPE OneView Advanced w/o iLO license.

Monitored
HPE OneView monitors the hardware for inventory and hardware status only. The server can be managed outside of HPE OneView. Server blades that are in a monitored enclosure will be added as monitored. Monitored servers use a free license called HPE OneView Standard.

13.1.6.1 How the appliance handles unsupported hardware

Unsupported hardware is any device that the appliance cannot manage. Unsupported devices are similar to unmanaged devices in that all unsupported devices are not managed by the appliance. The difference is that you can bring unmanaged devices under management of the appliance if you take the appropriate actions or properly configure them. Unsupported hardware can never be managed by the appliance.

The appliance detects the unsupported hardware and displays the model name and other basic information that it obtains from the device for inventory purposes. The appliance also accounts for the physical space unsupported devices occupy in enclosures and racks.

To account for the space a device occupies, the appliance represents unsupported hardware the same way it represents unmanaged devices.

The action available for unsupported hardware is Remove.

13.1.6.2 About monitored server hardware

You can add rack servers or server blades in order to inventory and monitor the hardware. This is useful when you have servers that have already been deployed. Monitoring allows you to monitor power, cooling, hardware health, and utilization. You can power the server on and off, launch the iLO remote console, and review inventory. You will also get email notification, SNMP trap forwarding, and optional 1 year 9x5 support.

The monitoring feature is available for all G6 and later ProLiant servers with iLO 2, iLO 3, or iLO 4.

If a server is being monitored by HPE OneView, you can still manage the enclosures, server profiles, and Virtual Connect infrastructure through VCM or VCEM. You cannot manage server profiles for monitored server hardware in HPE OneView.

A benefit of monitoring server hardware is that the basic functionality of inventory and monitoring can be done with a free license called HPE OneView Standard.

OneView can configure the servers’ iLO to send their sysLogs to a remote destination. See the HPE OneView REST API Reference documentation of the PATCH operation on /rest/server-hardware for additional details about how to perform a sysLog operation.

To add a server blade for monitoring, see “Add a c7000 enclosure to monitor the hardware” (page 232).

13.1.6.3 About unsupported server hardware

The appliance cannot manage unsupported server hardware. However, you can place unsupported server hardware in enclosures or racks. Adding unsupported server hardware to the appliance enables you to account for the physical space it occupies in an enclosure or rack for planning and inventory purposes. The appliance displays basic information about unsupported server hardware that it obtains from the iLO or the OA.

When the appliance detects unsupported server hardware, it places the hardware in the Unsupported state.

You can perform a remove action on unsupported server hardware to remove it from the appliance.

NOTE: Unsupported DL servers can only be added via an intelligent iPDU.

13.1.6.4 About unmanaged devices

An unmanaged device is a device, such as a server, enclosure, KVM (keyboard, video and mouse) switch, in-rack monitor/keyboard, or router, that occupies space in a rack and/or consumes power but is not managed by the appliance.

Unmanaged devices are created automatically to represent devices that are attached to an Intelligent Power Distribution Unit (iPDU) using Power Discovery Services connections.

BladeSystem enclosures and ProLiant DL series servers are shown in the unmanaged or unsupported state in the master pane of the Enclosures and Server Hardware screens, respectively. These will be represented as unmanaged enclosures and servers; as such, they are not included in the Unmanaged Devices resource list.

When creating an unmanaged device, you provide its name, model description, height in U-slots, and maximum power requirements. These values are used in power and cooling capacity analysis and enable alerts to be generated that identify potential power and cooling issues.

Because there is no communication to the unmanaged device, the status is disabled unless appliance-generated alerts identify issues to be addressed.

For purposes of power configuration, unmanaged devices are assumed to have two power supply connections to support redundant power. These are identified as power supplies 1 and 2. If an unmanaged device does not support redundant power, connect only power supply 1, then clear the alert about lack of redundant power to the device.

For devices that are not discovered through Power Discovery Services connections, you can manually add these devices to the appliance for tracking, inventory, and power management purposes.

13.1.7 Tasks for server hardware types

The appliance online help provides information about using the UI or the REST APIs to:
• Edit the name or description of the server hardware type.
• Delete a server hardware type.

13.1.8 About server hardware types

A server hardware type defines the physical configuration for server hardware and defines the settings that are available to server profiles to be assigned to that type of server hardware. For example, the server hardware type for the HPE ProLiant BL460c Gen8 Server Blade includes a complete list of BIOS settings and the defaults for that model.

The appliance creates server hardware types according to the server hardware it detects.

The server hardware type is used when you create a server profile to show which settings are available.

13.1.9 How the iLO is changed as a result of HPE OneView management

When server hardware is being managed by the appliance, the following configuration changes are made to the iLO on the server:
• A management account (_HPOneViewadmin) is created and can be viewed on the iLO Overview and User Administration screens.
• SNMP is enabled and the appliance is added as an SNMP trap destination.
  NOTE: Health monitoring is not enabled on ProLiant G6 or ProLiant G7 iLO 3 server hardware until the management agents are installed on the OS and the SNMP service is configured with the same SNMP read community string shown on the Settings screen.
• NTP is enabled and the appliance becomes the server hardware’s NTP time source.
• An appliance certificate is installed to enable single sign-on operations.
• iLO firmware is updated to the minimum versions listed in the HPE OneView Support Matrix for managed servers.
• The iLO time zone is set to Atlantic/Reykjavik as recommended by the iLO documentation.
  The time zone setting determines how the iLO adjusts UTC time to obtain the local time and how it adjusts for daylight saving time (summer time). For the entries in the iLO event log and IML to display the correct local time, you must specify the time zone in which the server is located.
  If you want iLO to use the time provided by the SNTP server, without adjustment, configure the iLO to use a time zone that does not apply an adjustment to UTC time. In addition, that time zone must not apply a daylight saving time (summer time) adjustment. There are several time zones that fit this requirement. One example is the Atlantic/Reykjavik time zone. This time zone is neither east nor west of the prime meridian and time does not change in the spring or fall.

More information
“Enabling health monitoring for legacy servers” (page 164)
“About SNMP settings” (page 210)

13.1.10 Launch the iLO console to manage servers remotely

The iLO remote console is only available for servers with an iLO license. The console enables you to remotely connect to the server to do the following:
• Access a screen on the physical server to install or use the operating system (Windows or Linux)
• Power on, power off, or reset a server
• Mount CD/DVD installation media from a remote client to enable an OS installation

The iLO user web interface exposes these iLO features:
• Power monitoring
• Power on or power off
• Remote console
• Health data
• Account creation
• Security
• Other iLO management tasks

You launch the iLO remote console from the Server Hardware or Server Profiles screen. The steps involved to launch the iLO remote console depend upon the client operating system (Windows or Linux) and your browser (Internet Explorer, Chrome, or Firefox).

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator

Launching the iLO console to manage servers remotely
1. From the main menu, select one of the following:
   • Server Hardware, and then select a server
   • Server Profiles, and then select a server profile
2. Select Actions→Launch console.
   • Windows client with Internet Explorer, Chrome, or Firefox
     The iLO console is a Windows binary application that is installed on each client computer the first time the console is launched. Once the first-time installation completes, click the My installation is complete — Launch console button to launch the remote console. After the console is installed, it can be launched directly from the Actions menu.
     NOTE: Installing the application provides the best user experience from HPE OneView.
     The initial Launch console action prompts for an installation and will attempt to open the installer. The number of dialog boxes presented during installation depends on the browser.
     ◦ In Internet Explorer, click Run when prompted. If you attempt a Launch console action and no errors occur during installation, but no console is displayed, press and hold the Shift key and then select Actions→Launch console to reinstall the remote console as described in “Reinstall the remote console” (page 376).
     ◦ In Chrome, when you click Install software, the downloaded HPE iLO Integrated Remote Console installer file is displayed in the lower left corner of the browser. Click this file name to begin the installation. If you attempt a Launch console action and no errors occur during installation, but no console is displayed, press and hold the Shift key and then select Actions→Launch console to reinstall the remote console as described in “Reinstall the remote console” (page 376).
     ◦ In Firefox, click the Save File button when Firefox first tries to open the installer, and then double-click the installer file when it is displayed in the Downloads dialog to begin the installation. If you attempt a Launch console action during installation, you will receive a notification. Press and hold the Shift key and then select Actions→Launch console to reinstall the remote console as described in “Reinstall the remote console” (page 376).
   • Windows client with Java plug-in
     If you are not running Internet Explorer, you can alternatively launch an iLO Java plug-in console by clicking the launch link in the Install software dialog. This is for cases where you are on a Windows workstation and are not permitted to install any software. With Internet Explorer, the Install software dialog is never displayed, so you cannot launch the Java console.
     NOTE: The Java plug-in console opens a popup window. Hewlett Packard Enterprise recommends that you disable your browser’s popup blocker.
   • Linux client with any browser
     Linux clients will launch the Java plug-in console with single sign-on authentication directly on the iLO. This console requires JRE to be installed on the client; otherwise you will be prompted to install it. The number of dialogs presented during installation depends on the browser.

13.1.11 Enabling health monitoring for legacy servers

Network management systems use SNMP (Simple Network Management Protocol) to monitor network-attached devices. The appliance uses SNMP to retrieve information from managed devices. The devices use SNMP to send asynchronous notifications (called traps) to the appliance.

You specify a read community string that serves as a credential to verify access to the SNMP data on the managed devices. The appliance sends the read community string to enclosures (through their OAs) and to the servers (through their iLO management processors). Some older devices require manual host OS configuration.

Install SNMP OS host agents for HPE ProLiant server blades

For the appliance to monitor the health of HPE ProLiant G6 and HPE ProLiant G7 server blades, you need to configure the SNMP settings for the server and iLO 3.
1. Install the host operating system on the server.
2. Install the SNMP subsystem on the server.
3. Configure SNMP on the host to use the community string and trap destination of the appliance.
4. Using the latest SPP, install the Hewlett Packard Enterprise management agent set and associated drivers. You will be prompted for the SNMP community string and the trap destination.
5. After the Hewlett Packard Enterprise management agent set and associated drivers are installed and running, add the HPE ProLiant G6 and HPE ProLiant G7 server blade to the appliance.
   If you install the agents and drivers after adding the G7 server blade, you might have to refresh the G7 server blade from the user interface or with REST APIs.

NOTE: If you change the appliance read community string, you must reconfigure all HPE ProLiant G6 and HPE ProLiant G7 server blade SNMP OS host agents to use the new read community string. The appliance cannot propagate this update to the host OS.
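
Because the appliance cannot push a changed read community string to the host OS, hosts can fall out of step after a rotation without any error on the host itself. The following is an added example, not part of the HPE guide, that checks host agent configurations against the appliance's read community string and trap destination. It assumes Linux hosts running Net-SNMP (snmpd.conf); the appliance address, community strings, host names, and finding codes are constructed for illustration.

```python
"""Audit Net-SNMP snmpd.conf files against the appliance's SNMP settings.

Assumption (not from the HPE guide): the hosts run Net-SNMP on Linux.
All addresses, community strings and host names below are constructed samples.
"""
import ipaddress

READ = {"rocommunity", "rocommunity6"}
WRITE = {"rwcommunity", "rwcommunity6"}
SINKS = {"trapsink", "trap2sink", "informsink"}


def sink_host(spec):
    """Reduce 'udp:192.0.2.10:162' or '192.0.2.10:162' to the bare IPv4 host or name."""
    if spec.lower().startswith(("udp:", "tcp:")):
        spec = spec.split(":", 1)[1]
    return spec.split(":", 1)[0]


def parse_snmpd_conf(text):
    """Return (grants, sink_hosts) parsed from snmpd.conf text."""
    grants, sink_hosts = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, full-line comment, or directive without arguments
        directive, args = fields[0].lower(), fields[1:]
        if directive in READ | WRITE:
            grants.append({
                "community": args[0],
                "source": args[1] if len(args) > 1 else None,
                "write": directive in WRITE,
            })
        elif directive in SINKS:
            sink_hosts.append(sink_host(args[0]))
    return grants, sink_hosts


def source_allows(source, appliance_addr):
    """True/False when the source restriction can be evaluated, None for host names."""
    try:
        network = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None
    return ipaddress.ip_address(appliance_addr) in network


def audit_host(text, appliance_addr, read_community):
    """Return finding codes for one host's snmpd.conf; an empty list means no drift."""
    grants, sink_hosts = parse_snmpd_conf(text)
    findings = []
    current = [g for g in grants
               if not g["write"] and g["community"] == read_community]
    if not current:
        # The agent does not accept the string the appliance now uses.
        findings.append("STALE_READ_COMMUNITY")
    for grant in current:
        if grant["source"] in (None, "default"):
            findings.append("UNRESTRICTED_SOURCE")  # any address may use the string
        elif source_allows(grant["source"], appliance_addr) is False:
            findings.append("SOURCE_EXCLUDES_APPLIANCE")
    if any(g["write"] for g in grants):
        findings.append("WRITE_COMMUNITY")  # the procedure only calls for read access
    if appliance_addr not in sink_hosts:
        findings.append("NO_TRAP_TO_APPLIANCE")
    return findings


def audit_fleet(configs, appliance_addr, read_community):
    """Map host name -> findings for every host whose configuration has drifted."""
    report = {}
    for host, text in configs.items():
        findings = audit_host(text, appliance_addr, read_community)
        if findings:
            report[host] = findings
    return report


APPLIANCE_ADDR = "192.0.2.10"     # constructed (documentation address range)
READ_COMMUNITY = "ov-read-2016b"  # constructed: the string in use after a rotation

FLEET = {  # constructed snmpd.conf contents, one entry per host
    "blade-g7-01": "# managed by ops\n"
                   "rocommunity ov-read-2016b 192.0.2.10\n"
                   "trapsink 192.0.2.10 ov-read-2016b\n",
    "blade-g7-02": "rocommunity ov-read-2016a 192.0.2.10\n"  # missed the rotation
                   "trapsink 192.0.2.10:162 ov-read-2016a\n",
    "blade-g6-07": "rocommunity ov-read-2016b\n"
                   "rwcommunity ov-write 192.0.2.0/24\n"
                   "trap2sink 198.51.100.7\n",
    "blade-g6-08": "rocommunity ov-read-2016b 203.0.113.0/24\n"
                   "trapsink udp:192.0.2.10:162\n",
}

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET, APPLIANCE_ADDR, READ_COMMUNITY).items():
        print(f"{host}: {', '.join(findings)}")
```

Run it after each community string change, feeding it the snmpd.conf collected from every G6 and G7 host; a host that reports STALE_READ_COMMUNITY is one the appliance can no longer poll for health data.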

13.2 Managing server profiles

Servers are represented and managed through their server profiles. A server profile captures key aspects of a server configuration in one place, including firmware levels, BIOS settings, network connectivity, boot order configuration, iLO settings, and unique IDs.

13.2.1 Roles
• Minimum required privileges: Infrastructure administrator or Server administrator

13.2.2 Tasks for server profiles

The appliance online help provides information about using the UI or the REST APIs for the following tasks:
• Get information about a server profile.
• Add a SAN volume to a server profile.
• Boot from an attached SAN volume.
• Create and apply a server profile or server profile template.
• Copy, edit, or delete a server profile.
• Install a firmware bundle using a server profile.
• Connect the server to data center networks by adding a connection to a server profile.
• Manage local storage of a server.
• Manage SAN storage by attaching new or existing SAN volumes to the server profile.
• Manage the boot settings of a server.
• Manage the BIOS settings of a server.
• Manage virtual or physical IDs for the server hardware.
• Migrate an existing server profile.
• Move a server profile to another server.
• Power on and off the server hardware to which the server profile is assigned.
• Specify identifiers and addresses when creating a server profile.
• Update firmware with a server profile.
• Update the profile configuration from the server profile template.
• View activities.
13.2.3 About server profiles • “Capturing best-practice configurations” (page 166) • “About editing a server profile” (page 167) • “About moving a server profile” (page 168) • “About migrating server profiles” (page 169) • “Working with server profiles to control remove-and-replace behavior” (page 169) • “About assigning a server profile to an empty device bay” (page 170) • “About server profile connections” (page 170) • “About server profile connections and changing server hardware types” (page 171) • “About server profiles and local storage” (page 171) • “About attaching SAN volumes to a server profile” (page 173) 13.2.3.1 Capturing best-practice configurations After setting up your data center, you can create server profiles to provision hundreds of servers as easily as you provision one server. A server profile is the configuration for a server instance. Server profiles and server profile templates capture the entire server configuration in one place, enabling you to replicate new server profiles and to modify them to reflect changes in your data center. A server profile includes: • Basic server identification information • Connectivity settings for Ethernet networks, network sets, Fibre Channel, and FCoE networks • Firmware versions • Local storage settings • SAN storage settings • Boot settings • BIOS settings When you create a server profile, you can specify the server hardware to which you want to apply the profile. Leave the server hardware unassigned if the server hardware is not yet installed. Typically, you capture best-practice configurations in a server profile template, and then create 166 Managing server hardware, server profiles, and server profile templates individual server profiles. Similar to virtual machine (VM) templates, profiles enable you to create a provisioning baseline for server hardware types in an enclosure. 
When you create a server profile, it is designated for a server hardware type and enclosure group (for server blades), whether the profile is assigned or unassigned. Server hardware can have only one profile assigned to it.

By default, the server profile controls the server boot behavior. The server hardware type determines the available options you can select in the server profile. If applicable, you can select the boot mode and PXE boot policy. You also have the option of specifying the order in which the server hardware attempts to boot. HPE ProLiant Gen9 servers support both legacy BIOS and UEFI for configuring the boot process while HPE ProLiant Gen8 are legacy BIOS mode servers only. For more information about UEFI, see UEFI FAQs at Unified Extensible Firmware Interface Forum.

By selecting to manage BIOS settings through the appliance, you can view all settings, only those you have modified, or only those that are different than the default values. The BIOS settings displayed depend on the supported server hardware.

Applying the sections of a server profile to server hardware is a sequential process. The screen displays the current section being applied, followed by other sections that have been applied successfully. If a server profile needs to be reapplied due to an error, only the unconfigured sections and unapplied sections are reapplied. For example, if a firmware update succeeds, but the subsequent BIOS portion of the apply operation fails, the firmware is not applied a second time when the profile is reapplied. This helps to prevent unnecessary and time-consuming updates for the profile.

Best practice: Perform server profile management tasks on one enclosure at a time

For best performance, create, delete, edit, copy, or move server profiles for server hardware on one enclosure before managing server profiles on a different enclosure.

13.2.3.2 About editing a server profile

Edit a server profile to change the settings associated with that profile.
You can edit a server profile any time after it has been created. You can also edit a server profile with an Error condition to make corrections. When you edit a server profile, the state of the server changes. The appliance analyzes the changes and determines the actions to update the server. For example, if you change the BIOS settings but not the firmware baseline, the firmware is not updated. Only the requested changes are applied.

NOTE: If you change the server settings or state using tools other than the appliance, the changes are not detected or managed. These changes might be overwritten the next time the profile is edited.

When you edit a server profile, consider the following:

• Editing a profile is an asynchronous operation. Name and description changes take effect immediately, but other changes might take time to complete. If a profile is associated with a server profile template, changes can cause the profile to be out of compliance with its template. See “About server profile consistency validation” (page 174) for more information.
• Profile names must be unique.
• When unassigning a server profile with local storage configured, the logical drive contents are at risk of being lost. To preserve the logical drive, physically remove the disk drives or make a copy of the contents of the logical drive so that you can reassign the profile at a later time.
• BIOS settings are managed using the server profile and the settings on the server are overwritten when the server profile is applied.
• You cannot switch between virtual and physical identifiers for the following, unless you delete and recreate the profile connection:
  ◦ Serial number/UUID
  ◦ MAC address
  ◦ WWN

To edit some server profile settings, the server hardware must be powered off; for others, the server hardware can remain powered on.
You can edit the following settings with the server hardware powered on:

• Profile name
• Profile description
• Profile affinity
• Requested bandwidth of an existing connection
• Network and network set of an existing connection except when the connection is bootable
  NOTE: You cannot change an existing connection between an Ethernet network or network set and a Fibre Channel network. A Fibre Channel network can only be changed to another Fibre Channel network on the same interconnect.
• Create, attach, and edit storage volumes.
  NOTE: If the server is configured to boot using the storage path, that path cannot be disabled.
• Firmware and OS Drivers using HPE Smart Update Tools
• Firmware only using HPE Smart Update Tools

The profile cannot be modified while the server hardware is powered on if the previous modification was not successfully applied, unless the failure was solely due to SAN storage.

13.2.3.3 About moving a server profile

You can move a server profile to another piece of server hardware; for example, if you are removing one piece of server hardware and replacing it with another that is similar. The move operation enables you to quickly change the hardware destination without rebuilding the entire server profile.

If you cannot move a server profile directly to the new server hardware, you can change it to unassigned. This enables you to retain server profiles that are not currently assigned to any server.

IMPORTANT: When you move a server blade profile to a different enclosure, and the profile is configured to boot from a direct attach storage device, you must manually update the boot connection of the profile to specify the WWPN that is used for the storage device that is directly attached to the destination enclosure. Each enclosure connects to a different port of the direct attach storage device, so the WWPN for that storage device is different for each enclosure.
If you do not specify the correct WWPN and LUN for the device, the server does not successfully boot from that boot target.

IMPORTANT: When you move a server profile to a different server, and the profile is managing internal local storage, you must manually move the physical disks from the original server to the new server in order to preserve your data.

13.2.3.4 About migrating server profiles

Existing server profiles can be assigned to new hardware when hardware is upgraded or added to your environment. For example, when you upgrade server hardware, the server hardware type can change and, as a result, an assigned server profile might no longer match the new hardware configuration. In this case, you can edit the existing server profile to update the server hardware type and not have to recreate a potentially complex server profile from scratch.

The ability to edit existing server profiles and change the server hardware type and enclosure group allows you to perform tasks such as:

• Add or remove a mezzanine card to or from a server
• Move server hardware from one enclosure to another enclosure with a different configuration
• Move server profiles to servers with different adapters, different generations of hardware, and different hardware models
• Move workloads to different servers or enclosure configurations

In an existing server profile, click the Change link adjacent to the Server hardware type or Enclosure group settings to change these values.

If you change the server hardware type or enclosure group, other settings within a server profile can be affected. For most of the following attributes, settings remain unchanged so long as the selected server hardware type or enclosure group support the existing settings. If the settings do not support the selected server hardware type or enclosure group, the settings are removed. Exceptions are noted as follows.

Affinity: Unchanged if supported, or removed (if the new configuration is a rack server).
Firmware: Unchanged if supported, or removed.
Connections: Most settings are unchanged if supported, though ports will be set to Auto. Unsupported settings are removed.
Local storage: Unchanged if supported, or removed.
SAN storage: Settings remain unchanged if supported, or storage paths are removed, or all SAN configurations are removed (if the new configuration is a rack server).
Boot settings: Settings are always adjusted to support the new configuration.
BIOS: Unchanged if supported, or removed if the profile is migrated to a different server model.

13.2.3.5 Working with server profiles to control remove-and-replace behavior

In a server profile, the Affinity control sets the remove-and-replace behavior for a server blade. If you apply a server profile to a server blade and the server is subsequently removed from the device bay, the Affinity setting controls whether the server profile is reapplied when you insert a server blade into the empty bay. Server profiles for rack servers do not have affinity.

Affinity value: Description

Device bay: The server profile you assign to the (empty) device bay is applied to any server blade you insert into the bay, provided the server hardware type of the inserted server blade matches the server hardware type specified in the server profile. Device bay affinity is the default.

Device bay + server hardware: The server profile you assign to the (empty) device bay is not applied if you insert a different server into the bay. The serial number and server hardware type of the inserted server blade must match the values in the server profile.

Affinity between the server profile and the server hardware is established when one of the following conditions is met:

• The server profile is assigned to server hardware in a device bay.
• The server profile is assigned to an empty device bay and you subsequently insert a server blade with a matching server hardware type into the bay.
Editing a server profile resets its server hardware affinity. If you assign the server profile to a populated device bay, the server hardware in the bay becomes associated with the profile. If the server profile is unassigned or assigned to an empty device bay, any current association is cleared.

13.2.3.6 About assigning a server profile to an empty device bay

You can assign a server profile to an empty bay. The server profile is applied automatically to the server hardware when the server is inserted into the bay and meets the following criteria:

• The enclosure bay is not assigned by another server profile (for example, you cannot assign a profile to bay 9 if a profile for a full-height server hardware type is assigned to bay 1). This is checked when the profile is assigned.
• The server hardware type of the hardware matches the server hardware type specified in the server profile.

When you create the server profile, select Device bay or Device bay + server hardware affinity. If you select the affinity Device bay + server hardware for an empty bay, the UUID is set when a matching server hardware type is inserted into the bay.

13.2.3.7 About server profile connections

The maximum number of connections supported by a profile is dependent on the total number of virtual ports defined by the server hardware type and enclosure group associated with the profile. The total number of virtual ports is determined by multiplying the number of virtual ports per FlexFabric adapter by the number of FlexFabric adapters defined by the server hardware type. The maximum number of connections is 50 or the total number of virtual ports (plus two for unassigned connections), whichever is greater.

Supported software iSCSI boot configurations

You can use HPE OneView to select an iSCSI software boot target.
The following parameters are supported:

• IPv4
• Static IP (DHCP is not supported)
• Bootable Ethernet connection using iSCSI software can only be on the first virtual function of the physical port

NOTE: HPE OneView does not automatically discover iSCSI configuration parameters.

13.2.3.8 About server profile connections and changing server hardware types

When changing the server hardware type on a server profile with deployed connections, the new server hardware type must define enough ports to allow automatic port assignment of all currently deployed connections. If the new server hardware type does not have sufficient port capacity, automatic port assignment fails when applied to a server and results in the failure of the profile edit operation. To avoid this condition, do one of the following:

• Delete connections so that the remaining number can be automatically assigned.
• Edit the connections and set the port assignment to None so that those connections are not deployed.

13.2.3.9 About server profiles and local storage

You can manage local storage on server hardware using server profiles.

• “Logical drives and unique identifiers” (page 171)
• “About RAID level and controller” (page 171)
• “RAID levels and number of physical drives” (page 172)
• “About local storage and integrated storage controllers” (page 172)

NOTE: HPE OneView does not erase data from physical drives when the server profile that specifies the drives is deleted or unassigned. It might be possible to access the data, so if you want to ensure the data is inaccessible, erase all sensitive data before you delete the server profile or the local storage configuration.

IMPORTANT: Before deleting a profile with local storage settings, back up any important data.
13.2.3.9.1 Logical drives and unique identifiers

If you configure new logical drives in your server profile or import the existing logical drives from the server hardware, HPE OneView stores a unique identifier for each logical drive in the server profile configuration when the server profile is applied. On subsequent server profile apply operations, HPE OneView checks for the existence of the identifier on the physical drives of the assigned server hardware. If the identifier is missing, the apply operation fails in order to ensure that if the server profile is re-assigned to new server hardware, the physical drives are inserted correctly.

HPE OneView erases the current identifier in a server profile apply operation if any of the following conditions exist:

• Re-initialize internal storage is selected.
• The logical drive has been deleted from the server profile.
• The storage controller is set to managed manually.

13.2.3.9.2 About RAID level and controller

You can use RAID to define logical drives or HBA to present drives directly to the controller. The RAID levels which the controller can support are defined in the specifications of each controller. You must check the specifications of each controller to verify which RAID levels the controller supports. Supported RAID levels depend on the server hardware type and on the physical server configuration. Ensure you have enough physical drives present for the selected RAID level.

NOTE: Although RAID 50 and RAID 60 are supported by some controllers, they are not supported by HPE OneView. To use RAID 50 or RAID 60, set the controller to manage manually in HPE OneView.

More information
“RAID levels and number of physical drives” (page 172)

13.2.3.9.3 RAID levels and number of physical drives

See the HPE OneView Support Matrix for information on the number of drives supported by specific server hardware.

RAID 0: Minimum of 1 drive, increments of 1.
RAID 1: Requires 2 drives.
RAID 10: Requires 4 drives, increments of 2.
RAID 1 ADM: Requires 3 drives.
RAID 5: Minimum of 3 drives, increments of 1.
RAID 6: Minimum of 4 drives, increments of 1.

13.2.3.9.4 About local storage and integrated storage controllers

• HPE OneView is not aware of existing local storage configuration in the integrated storage controller unless you import the local storage when applying a server profile to the server hardware.
• The import option is not a guarantee that no data will be lost. For example, if the server is currently in HBA mode, you must change it to RAID mode before it can be imported, and that change in controller mode can cause data loss.
• Once you create a logical drive and apply it to server hardware, that logical drive can no longer be modified.

While deleting or unassigning a server profile does not directly delete local storage data from the server hardware, data can be lost if a server profile that contains changes to the local storage configuration is applied to the server hardware in the future. The table below describes how to preserve your data when making profile or hardware changes.

Table 9 Make a change to server hardware/server profile and preserve integrated local storage data

Change in server hardware: Move server profile from one server hardware to another

Procedure: Move physical drives to new server hardware
1. Unassign server profile from the current server hardware.
2. Physically remove the local storage drives from the server hardware.
3. Insert the local drives into new server hardware.
4. Do not select Re-initialize internal storage when you apply the server profile to the new server hardware.

Result:
• The appliance verifies that the physical drives have been inserted correctly by validating the saved unique identifier.

Change in server hardware: Assign a server profile to server hardware that has local storage configured

Procedure A: Import existing drives and data
1. Delete or unassign the current server profile.
2. Select Import existing logical drives when applying the new server profile.

Result:
• The unique identifier is preserved.
• The existing logical drives and data are imported.

Procedure B: Back up and copy data
1. Back up data.
2. Delete or unassign the server profile.
3. Select Re-initialize internal storage when applying the new server profile.
4. Copy the backed-up data to the new logical drive on the server hardware.

Result:
• A new logical drive is created with a new unique identifier.
• The backed-up data is copied to the new logical drive.

13.2.3.10 About attaching SAN volumes to a server profile

Volumes are associated with server profiles through volume attachments. Attaching a volume to a server profile gives the server hardware assigned to the server profile access to storage space on a storage system.

As you create or edit a server profile, you can attach an existing volume or dynamically create a new volume to attach. Newly created volumes can be marked as permanent so that they continue to exist after they are removed from the profile or if the profile is deleted. Otherwise, a nonpermanent volume is deleted when the server profile is deleted.

Properties for attaching a volume can be configured through the server profile. For example, you can enable and disable storage paths from the server to the SAN storage.

Storage targets

Within a server profile, storage target ports for volume attachment can be assigned automatically or you can manually assign available ports. The target ports that are assigned automatically will belong to the same port group. Target ports that you assign manually can belong to the same or different port groups. Port groups are created when you add a storage system to HPE OneView. Manual target selection is supported for Fabric attach paths only, not Direct attach paths.
Existing HPE 3PAR volumes

On 3PAR StoreServ Storage systems, a host sees VLUN allows only a specific host to see a volume and a matched set VLUN allows only a specific host on a specific port to see the volume. To reuse a host sees configuration in HPE OneView when adding an existing 3PAR volume to a profile, you must enter the exact LUN value as configured on the 3PAR array. In HPE OneView, use the Manual LUN option to add the exact LUN value in the Add Volume dialog.

To reuse end-to-end connectivity for the volume, manually specify the following:

• LUN value (matching the LUN on the 3PAR storage system)
• Target ports

Also, to attach (export) a 3PAR volume as host sees, all storage paths to that volume must be enabled or disabled together. Some paths cannot be enabled while some are disabled.

For more information, download the HPE 3PAR StoreServ Storage Concepts Guide from the HPE Storage Information Library http://www.hpe.com/info/storage/docs.

13.2.3.11 About server profile consistency validation

Consistency checking is validating a server profile to ensure that it matches the configuration of its parent server profile template. The appliance monitors both the server profile and server profile template, compares the two, and checks the following for consistency.

Profile section: Consistency checking

General:
• Server hardware type
• Enclosure group
• Affinity
NOTE: Server hardware type and enclosure group inconsistencies must be fixed manually; that is, you must edit the profile and change the hardware type and enclosure group to match the template.

Firmware: If firmware is not managed by a server profile template, then a firmware server profile configuration is not validated for consistency. Otherwise, the following configurations are validated for consistency.
• Firmware baseline
• Installation method
NOTE: Forcibly installed firmware is compared only if the firmware baseline is inconsistent. Otherwise, forcibly installed firmware is not checked for consistency.

Connections: Connections are compared to identify if extra or missing connections are present. For similar connections, the following attributes are checked for differences.
• Port
• Network
• Requested bandwidth
• Connection boot settings
NOTE: Extra connections in the server profile with port id None are not considered inconsistent.

Local Storage: If local storage is not managed by server profile template, then local storage server profile configuration is not validated for consistency. Otherwise, the following configurations are validated for consistency.
• Controller mode
• Logical drives
NOTE: Inconsistencies in local storage are not fixed automatically by Update from Template. They must be fixed manually.

SAN Storage: If SAN storage is not managed by server profile template, then SAN storage server profile configuration is not validated for consistency. Otherwise, for volumes with sharing type private, the profile requires the same number of private volumes as defined in the server profile template from the same storage pools, and that LUN numbers remain consistent. Any differences in the number of private volumes, their storage pool, or a LUN number will be flagged as an inconsistency. For volumes with sharing type shared, the profile must be attached to all the shared volumes associated to the server profile template with matching LUN numbers and storage paths to remain consistent. Additional shared volumes can be attached without causing a consistency state. The Host OS type designated in a profile must match the server profile template to remain compliant.
NOTE: Extra attachments in the server profile do not cause inconsistency.
Boot Settings: If Boot settings are not managed by server profile template, then server profile configuration for boot settings is not validated for consistency. Otherwise, all configurations must match the server profile template.

BIOS Settings: If BIOS settings are not managed by server profile template, then BIOS server profile configuration is not validated for consistency. Otherwise, all configuration must match the server profile template.

Advanced: “Hide unused FlexNICs” instruction must match the server profile template.

If configurations match, the server profile Consistency state field is set to Consistent and is considered to be compliant. Any inconsistency results in an alert for the server profile and the Consistency state field is set to Inconsistent with template.

13.2.4 When to use a server profile

A server profile allows you to do the following tasks:

• Manage the server hardware configuration separately from the actual server hardware.
• Easily reapply the configuration to the server hardware if the server hardware is serviced or replaced.
• Define the server configuration before the server hardware installation.
• Capture significant portions of the server configuration in one place, greatly simplifying and hastening server configuration.

Depending on the hardware environment, you can configure many or all the following settings.

• Firmware (optional):
  ◦ Specify the Service Pack for ProLiant (SPP) version and the installation method to install the firmware and drivers while the server is powered on (the updates are applied over the management network).
  ◦ Specify to install the firmware without drivers regardless of whether the server is powered on or off (the server hardware will be powered on to install the firmware).
  ◦ Supported for Gen8 and DL servers.
• BIOS settings (optional):
  ◦ Specify the BIOS settings to apply on the selected server hardware.
  ◦ Supported for Gen8 and DL servers.
• Boot Order (optional):
  ◦ Specify the BIOS boot order or UEFI Boot Order to apply on the selected server hardware.
  ◦ Supported for G7, Gen8, and DL servers.
• Local Storage configuration (optional):
  ◦ Configure the disk drives directly connected to the integrated Smart Array controlled with a specific RAID level to create a logical volume.
  ◦ Configure multiple logical volumes depending on the number of disk drives supported by the server hardware.
  ◦ Specify the local storage configuration for Gen8 and DL servers.
• Connections (required for Virtual Connect):
  ◦ Describe which Ethernet networks and Fibre Channel SANs are accessible by the server hardware.
  ◦ Describe boot configuration options.
  ◦ Virtual Connect allows the MACs and WWNs to be virtualized, so that MACs and WWNs presented to the networks remain constant when the underlying hardware components change.
• Storage Attachments (requires Virtual Connect):
  ◦ Describes which StoreServ volumes are accessible by the server and supports creation of new StoreServ volumes, which are accessible using Fibre Channel or FCoE.
  ◦ Describes the StoreServ volumes to automate the presentation of the volumes to the server hardware to eliminate the need to manually configure zoning.

More information
HPE OneView Support Matrix
“When to use a server profile template” (page 177)

13.3 Managing server profile templates

A server profile template serves as a structural reference when creating a server profile. All of the configuration constructs of a server profile are present in the server profile template. This template type defines the centralized source for the configuration of firmware, connections, local storage, SAN storage, boot, BIOS, profile affinity, and whether unused FlexNICs are hidden.
13.3.1 Roles

• Minimum required privileges: Infrastructure administrator or Server administrator

13.3.2 Tasks for server profile templates

The appliance online help provides information about using the UI or the REST APIs to:

• Create a server profile template.
• Copy, edit, or delete a server profile template.
• Update the profile configuration from the server profile template.
• Update firmware with a server profile template.

13.3.3 About server profile templates

Server profile templates provide a mechanism to store configurations for a server profile. Typically, you capture best-practice configurations in a server profile template, and then create and deploy server profiles.

13.3.3.1 About creating a server profile template

You can create one or more templates to store the configurations for all the settings of a server profile. When you create a server profile template, you can specify the server hardware type and the enclosure group. You cannot change the server hardware type and the enclosure group after creating the template. All profiles generated from the same template will have the same server hardware type and enclosure group.

The connections are always mapped to ports; that is, a saved server profile template will never have connections with Port=Auto. You cannot configure connections with Port=None. You cannot add an existing private volume.

For more information about creating a server profile template, see the online help Server Profile Template screen details.

13.3.3.2 About editing a server profile template

Edit a server profile template to change the settings associated with that template. You can edit a server profile template any time after it has been created. You can also edit a server profile template that has an Error condition to make corrections. When you edit a server profile template, the appliance analyzes the changes and updates the template configuration.
Then, all the server profiles created from the template are evaluated for compliance and a notification is given indicating the number of profiles that will be affected by the change. The profiles are marked as non-compliant. You can use the Update from template option in Server Profiles to accept all the changes from the template.

NOTE: Server hardware must be powered off to update from template, unless the changes that are made can be made online such as networks and network bandwidth.

When you edit a server profile template, consider the following:

• Server profile template names must be unique.
• You cannot switch between virtual and physical identifiers for the following:
  ◦ Serial number/UUID
  ◦ MAC address
  ◦ WWN

13.3.4 When to use a server profile template

A server profile template allows you to do the following tasks:

• Manage the server hardware configuration separately from the actual server hardware.
• Easily reapply the configuration to the server hardware if the server hardware is serviced or replaced.
• Define the server configuration prior to the server hardware installation.
• Capture significant portions of the server configuration in one place, greatly simplifying and hastening server configuration.

Depending on the hardware environment, you can configure many or all of the server profile settings.

Server profile templates are useful as you can:

• Manage many server profiles with the same configuration.
• Easily generate new server profiles from the template.
• Control configuration changes for multiple servers at once. HPE OneView checks compliance in all the server profiles that are referenced to the template.
• Automatically resolve the compliance issues using the Update from Template action. The server profile configuration is adjusted to match the server profile template.
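
The consistency rules listed in 13.2.3.11, worked through as an added example that is not part of the HPE guide and is not HPE OneView code. The dictionary layout, the sample values, and matching connections by "id" are assumptions made for illustration (this is not the REST schema), and the SAN storage rules are left out.

```python
# Added example: constructed data layout, NOT the HPE OneView REST schema.
# Matching "similar" connections by an "id" key is an assumption.
CONSISTENT = "Consistent"
INCONSISTENT = "Inconsistent with template"


def check_consistency(profile, template):
    """Return (state, findings); a finding is (section, detail, manual_fix)."""
    findings = []

    def flag(section, detail, manual_fix=False):
        findings.append((section, detail, manual_fix))

    # General: hardware type and enclosure group drift must be fixed manually.
    for key, manual in (("server_hardware_type", True),
                        ("enclosure_group", True), ("affinity", False)):
        if profile.get(key) != template.get(key):
            flag("General", f"{key} differs", manual)

    # Firmware: not validated when the template does not manage it (None).
    t_fw = template.get("firmware")
    if t_fw is not None:
        p_fw = profile.get("firmware") or {}
        if p_fw.get("install_method") != t_fw.get("install_method"):
            flag("Firmware", "installation method differs")
        if p_fw.get("baseline") != t_fw.get("baseline"):
            flag("Firmware", "baseline differs")
            # Forced installation is compared only if the baseline differs.
            if p_fw.get("force_install") != t_fw.get("force_install"):
                flag("Firmware", "forced installation differs")

    # Connections: missing, extra, then attribute drift on matching ones.
    t_conns = {c["id"]: c for c in template.get("connections", [])}
    p_conns = {c["id"]: c for c in profile.get("connections", [])}
    for cid in sorted(t_conns.keys() - p_conns.keys()):
        flag("Connections", f"connection {cid} missing")
    for cid in sorted(p_conns.keys() - t_conns.keys()):
        if p_conns[cid].get("port") != "None":  # port None extras are tolerated
            flag("Connections", f"connection {cid} is extra")
    for cid in sorted(t_conns.keys() & p_conns.keys()):
        for attr in ("port", "network", "requested_mbps", "boot"):
            if p_conns[cid].get(attr) != t_conns[cid].get(attr):
                flag("Connections", f"connection {cid}: {attr} differs")

    # Local storage: Update from Template does not repair this drift.
    t_ls = template.get("local_storage")
    if t_ls is not None:
        p_ls = profile.get("local_storage") or {}
        for attr in ("controller_mode", "logical_drives"):
            if p_ls.get(attr) != t_ls.get(attr):
                flag("Local Storage", f"{attr} differs", True)

    # Boot and BIOS: when managed by the template, everything must match.
    for section, key in (("Boot Settings", "boot"), ("BIOS Settings", "bios")):
        if template.get(key) is not None and profile.get(key) != template[key]:
            flag(section, "configuration differs")

    # Advanced: the "Hide unused FlexNICs" instruction must match.
    if profile.get("hide_unused_flexnics") != template.get("hide_unused_flexnics"):
        flag("Advanced", "Hide unused FlexNICs differs")

    return (INCONSISTENT if findings else CONSISTENT), findings


# Constructed sample data; every name and value here is illustrative.
TEMPLATE = {
    "server_hardware_type": "SHT-A", "enclosure_group": "EG-1",
    "affinity": "Device bay",
    "firmware": {"baseline": "baseline-A", "install_method": "Firmware only",
                 "force_install": False},
    "connections": [
        {"id": 1, "port": "port-1a", "network": "prod",
         "requested_mbps": 2500, "boot": "Not bootable"},
        {"id": 2, "port": "port-2a", "network": "backup",
         "requested_mbps": 2500, "boot": "Not bootable"},
    ],
    "local_storage": None,  # not managed by the template
    "boot": {"mode": "UEFI", "order": ["HardDisk", "PXE"]},
    "bios": {"setting-x": "Enabled"},
    "hide_unused_flexnics": True,
}
PROFILE = dict(
    TEMPLATE,
    enclosure_group="EG-2",                                    # manual fix
    firmware=dict(TEMPLATE["firmware"], force_install=True),   # ignored: baseline matches
    connections=[
        TEMPLATE["connections"][0],
        dict(TEMPLATE["connections"][1], requested_mbps=10000),  # drift
        {"id": 3, "port": "None", "network": "lab"},             # tolerated extra
        {"id": 4, "port": "port-3a", "network": "lab"},          # flagged extra
    ],
    local_storage={"controller_mode": "RAID", "logical_drives": []},  # unmanaged
    bios={"setting-x": "Disabled"},                            # drift
)

if __name__ == "__main__":
    state, found = check_consistency(PROFILE, TEMPLATE)
    print(state)
    for section, detail, manual in found:
        print(f"  {section}: {detail}" + ("  [fix manually]" if manual else ""))
```

The third field of each finding marks drift that, per the guide, Update from Template does not fix and an administrator must correct by editing the profile.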
More information
HPE OneView Support Matrix

13.4 Learning more

• “Understanding the resource model” (page 41)
• “About enclosures” (page 218)
• “Managing licenses” (page 179)
• “Troubleshooting server hardware” (page 407)
• “Troubleshooting server profiles” (page 412)

14 Managing licenses

You manage licenses from the Settings screen or by using the REST APIs.

14.1 UI screens and REST API resources

UI screen: Settings
REST API resource: licenses

14.2 Roles

• Minimum required privileges: Infrastructure administrator

14.3 Tasks for licenses

The appliance online help provides information about using the UI or the REST APIs to:

• Add a license key to the appliance license pool.
• Specify a license policy as part of adding an enclosure.
• Specify a license type as part of adding a rack mount server.
• View licensing status information through license graphs.
• View a list of server hardware that has been assigned a specific license type.

14.4 About licensing

This topic describes the types of licenses, how to purchase licenses, how licenses are delivered, and how to determine how many licenses you have available.

• “License types” (page 179)
• “Purchasing or obtaining licenses” (page 183)
• “License delivery” (page 183)
• “License key format” (page 183)
• “Licensing and utilization statistics” (page 184)
• “Licensing scenarios” (page 184)
• “License reporting” (page 185)

14.4.1 License types

14.4.1.1 Server hardware licenses

The following types of licenses are available for managing or monitoring hardware in HPE OneView.

Managed hardware licenses

The following HPE OneView Advanced licenses provide support as listed below, and in addition, enable integration with other products. For more information, see “Integration with other management software” (page 36).

HPE OneView Advanced
Provides an HPE OneView Advanced license and an iLO Advanced license.
This license is intended for server hardware and enclosures you want to manage with HPE OneView. See “Purchasing or obtaining licenses” (page 183) for more information.

HPE OneView Advanced w/o iLO
Provides an HPE OneView Advanced license only. This license is intended for server hardware you want to manage with HPE OneView. This license is for servers with iLOs that are already licensed, or server hardware for which you do not require an iLO license. See “Purchasing or obtaining licenses” (page 183) for more information.

An HPE OneView Advanced w/o iLO license provides support for all server hardware features on the appliance, with the following exceptions:
• Server hardware without an iLO Advanced license does not display utilization data.
• Rack mount servers without an iLO Advanced license cannot access the remote console.
For examples, see “Licensing scenarios” (page 184).

Monitored hardware license

HPE OneView Standard
Provides an HPE OneView Standard license for all monitored server hardware. This license is automatically selected:
• for the enclosure when adding a monitored enclosure
• for the server when adding a monitored server
• for all ProLiant G6 server blades or G7 BL680c server blades when adding a managed enclosure
HPE OneView does not manage the hardware running with an HPE OneView Standard license. See “About monitored c7000 enclosures” (page 219) for more information.

When you add an enclosure or rack mount server to the appliance, you must specify one of these licenses. For examples, see “Licensing scenarios” (page 184).
More information
“About HPE OneView Advanced licensing for managing server hardware” (page 181)
“About HPE OneView Standard licensing for monitoring server hardware” (page 183)

14.4.1.2 Other licenses
14.4.1.2.1 Interconnect licenses

HPE OneView B22HP FEX Management License
The HPE OneView B22HP FEX Management License provides the ability to continue to monitor Cisco Nexus 5k and 6k ToR switch environments when connected to Cisco Fabric Extender interconnects in an enclosure. This license also allows you to provision Ethernet and FCoE server profile connections to the Cisco Fabric Extender downlink ports, and to assign VLANs.

NOTE: The HPE OneView B22HP FEX Management License is not currently enforced in HPE OneView. You can retrieve the key and add the key to the HPE OneView license pool to track license counts. The licenses are not automatically assigned from the pool.

More information
“Purchasing or obtaining licenses” (page 183)

14.4.1.2.2 EULA
The appliance has a EULA (End-User License Agreement) that you must accept before using the appliance for the first time. You can view the EULA from the Help sidebar.

14.4.2 About HPE OneView Advanced licensing for managing server hardware
This topic provides information about licensing for server hardware including server blades and rack mount servers. This section applies to HPE OneView Advanced and HPE OneView Advanced w/o iLO licenses only.

The appliance uses server-based licensing, but server blades and rack mount servers are managed differently. Server blade licenses are managed at the enclosure level, and rack mount server licenses are managed at the server level. When you add an enclosure, you specify a license policy for all server blades in the enclosure. When you add a rack mount server, you specify a license type for that server. Both policy and type refer to either of the two licenses: HPE OneView Advanced or HPE OneView Advanced w/o iLO.
An HPE OneView Advanced w/o iLO license provides support for all server hardware features on the appliance, with the following exceptions:
• Server hardware without an iLO Advanced license does not display utilization data.
• Rack mount servers without an iLO Advanced license cannot access the remote console.

NOTE: The appliance applies embedded (integrated) licenses to managed server hardware on which they reside.

14.4.2.1 Server blade licensing at the enclosure level
A server blade licensing policy at the enclosure level is an efficient way to handle licensing for all servers in an enclosure. When you add an enclosure to the appliance, you must choose a server hardware license policy. This sets the licensing policy for all server hardware in the enclosure. You cannot change the policy for an enclosure unless you remove and re-add the enclosure. For more information on how the appliance handles enclosure licenses, see “About licensing” (page 179).

NOTE: A license embedded on a managed server blade will override the enclosure license policy. If you add a managed server blade with an embedded license, the appliance assigns the embedded license to that server, regardless of the enclosure license policy. Embedded licenses on monitored server hardware are ignored.

Enclosure licensing policy behavior
When you add a managed enclosure to the appliance:
• You must choose a licensing policy: HPE OneView Advanced or HPE OneView Advanced w/o iLO.
• A license embedded on the OA (Onboard Administrator) is added to the appliance license pool.
• If the server blade does not have an embedded license, the appliance attempts to assign a license from the pool.
• If there are not enough licenses to satisfy the policy, a notification is displayed that instructs you on how to address the issue.
• If you add server blades to the enclosure after it has been added to the appliance, the server hardware will use the enclosure license policy.
• There is no guarantee that an embedded OA license will be applied to the server blades in the enclosure that contains the embedded license.
• Licenses embedded on a server iLO are automatically added to the appliance and applied to the server hardware on which they are embedded.
• If the server hardware has an existing permanent iLO Advanced license, the appliance assigns an HPE OneView Advanced w/o iLO license, regardless of the license type you choose.
• To change the server hardware license policy of an enclosure, you must remove the enclosure from management and then re-add it with the new license policy.
• When you add server hardware to the appliance, the iLO Advanced license that is part of the HPE OneView Advanced license is applied to the server hardware iLO.
• If a server blade does not have an iLO license and there are not enough of the selected license type available, the appliance will attempt to apply a demo iLO license to the server blade.

14.4.2.2 About rack mount server licensing
Rack mount server licensing is managed at the server level. When you add a rack mount server to the appliance, you must choose a license type. You cannot change the license type for a rack mount server unless you remove and re-add it.

NOTE: Embedded licenses take precedence over the license type you choose. If you add a rack mount server to be managed with an embedded license, the appliance assigns the license to that rack mount server, regardless of the license type you choose. Remote console support is not enabled if the rack mount server does not have an iLO license.

Rack mount server licensing behavior
When you add a managed rack mount server to the appliance:
• You must choose a license type: HPE OneView Advanced or HPE OneView Advanced w/o iLO.
• A license embedded on the rack mount server iLO is automatically added to the appliance and applied to the rack mount server.
• If the server hardware has an existing permanent iLO Advanced license, the appliance assigns an HPE OneView Advanced w/o iLO license, regardless of the license type you choose.
• If the rack mount server does not have an embedded license, the appliance attempts to assign a license from the license pool.
• If there are not enough licenses available, a notification is displayed that instructs you on how to address the issue.
• The iLO Advanced license that is part of your HPE OneView Advanced license is applied to the iLO when you add a rack mount server.
• To change the license type of a rack mount server that does not have an embedded license, you must remove the rack mount server from management and then re-add it with the new license type.

14.4.3 About HPE OneView Standard licensing for monitoring server hardware
The HPE OneView Standard license applies only to monitored servers and enclosures and cannot be applied to managed servers. The HPE OneView Standard license is automatically applied when adding enclosures or server hardware to monitor.

The HPE OneView Standard license is automatically applied when adding an enclosure to be managed that contains any ProLiant G6 server blades or G7 BL680c server blades. These servers are added in a Monitored state. For more information, see “Licensing scenarios” (page 184).

14.4.4 Purchasing or obtaining licenses
Purchasing factory-integrated (embedded) software and hardware provides the best licensing experience because the license is delivered on the hardware and HPE OneView automatically adds the licenses to the license pool on discovery of the hardware.

If you purchase nonintegrated licenses, you must activate and register the licenses using the Hewlett Packard Enterprise licensing portal at My HPE Licensing. After you register your licenses, you add the license keys to the appliance. For examples, see “Licensing scenarios” (page 184).
More information
“License types” (page 179)

14.4.5 License delivery
Server hardware licenses
License delivery depends on how the license is purchased. The license delivery methods for HPE OneView Advanced and HPE OneView Advanced w/o iLO are:
• Embedded on the server hardware iLO (software purchased, integrated with the hardware)
• Embedded on the enclosure OA (enclosure bundle license for 16 servers)
• Standalone, nonintegrated (purchased separately from the hardware)

More information
“About HPE OneView Advanced licensing for managing server hardware” (page 181)

14.4.6 License key format
For HPE OneView Advanced and HPE OneView Advanced w/o iLO, the supported key format is:
""_
The encrypted key string is expected to be a series of character/number blocks separated by spaces. The annotation includes space-separated fields representing a Hewlett Packard Enterprise sales order number, a product number, a product description, and an EON (entitlement order number). The iLO Advanced license key string, if present, uses the format xxxxx-xxxxx-xxxxx-xxxxx-xxxxx and is preceded by an underscore (_). The HPE OneView Advanced w/o iLO license does not include the iLO Advanced license key string.

Example HPE OneView Advanced key:
ABKE C9MA T9PY 8HX2 V7B5 HWWB Y9JL KMPL K6ND 7D5U UVQW JH2E ADU6 H78V ENXG TXBA KFVS D5GM ELX7 DK2K HKK9 DXLD QRUF YQUE BMUF AQF2 M756 9GVQ QZWD LY9B V9ZF BG2B JKTG 2VCB LK4U R4UR V886 3C9X MQT3 G3AD LVKK 5LRG E2U7 GHA3"Order1 Number2 HPE OneView_Example_License EON3"_35T9X-ZQR9V-716S8-TD48P-JLBTW

14.4.7 Licensing and utilization statistics
The appliance gathers and reports utilization statistics for server hardware that has an iLO Advanced license, including monitored servers and enclosures. Utilization statistics are not available for server hardware that does not have an iLO Advanced license.
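The key layout described in section 14.4.6 can be checked before a key is added to the license pool or written to a ticket or log. The parser below is an added example, not code from the HPE guide or the appliance. It assumes four-character uppercase blocks (as in the guide's example key), that the annotation's first, second and last fields are the order number, product number and EON with the description in between, and it infers the license type from whether the iLO key string is present.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: each block is four uppercase letters or digits, as in the guide's example.
BLOCK_RE = re.compile(r"[A-Z0-9]{4}")
# From the guide: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
ILO_KEY_RE = re.compile(r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}")

# The example key printed in section 14.4.6 (a documentation sample).
EXAMPLE_KEY = (
    "ABKE C9MA T9PY 8HX2 V7B5 HWWB Y9JL KMPL K6ND 7D5U UVQW JH2E ADU6 H78V ENXG "
    "TXBA KFVS D5GM ELX7 DK2K HKK9 DXLD QRUF YQUE BMUF AQF2 M756 9GVQ QZWD LY9B "
    "V9ZF BG2B JKTG 2VCB LK4U R4UR V886 3C9X MQT3 G3AD LVKK 5LRG E2U7 GHA3"
    '"Order1 Number2 HPE OneView_Example_License EON3"_35T9X-ZQR9V-716S8-TD48P-JLBTW'
)


class LicenseKeyError(ValueError):
    """Raised when a pasted key does not match the documented layout."""


@dataclass(frozen=True)
class LicenseKey:
    blocks: Tuple[str, ...]
    order_number: str
    product_number: str
    description: str
    eon: str
    ilo_key: Optional[str]

    @property
    def license_type(self) -> str:
        # Inference: only HPE OneView Advanced keys carry the iLO Advanced key string.
        return "HPE OneView Advanced" if self.ilo_key else "HPE OneView Advanced w/o iLO"

    def redacted(self) -> str:
        """Log-safe summary: annotation fields and type, no key material."""
        return (f"{self.license_type} order={self.order_number} "
                f"product={self.product_number} eon={self.eon} blocks={len(self.blocks)}")


def parse_license_key(text: str) -> LicenseKey:
    # Keys copied out of PDFs or e-mail often pick up curly quotes and line wraps.
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    text = " ".join(text.split())
    if text.count('"') != 2:
        raise LicenseKeyError("expected exactly one double-quoted annotation")
    encrypted, annotation, tail = text.split('"')

    blocks = tuple(encrypted.split())
    if not blocks or not all(BLOCK_RE.fullmatch(b) for b in blocks):
        raise LicenseKeyError("encrypted key string is not a series of space-separated blocks")

    fields = annotation.split()
    if len(fields) < 4:
        raise LicenseKeyError("annotation needs order number, product number, description, EON")

    tail = tail.strip()
    ilo_key = None
    if tail:
        if not tail.startswith("_") or not ILO_KEY_RE.fullmatch(tail[1:]):
            raise LicenseKeyError("iLO key must be '_' followed by five 5-character groups")
        ilo_key = tail[1:]

    return LicenseKey(blocks, fields[0], fields[1], " ".join(fields[2:-1]), fields[-1], ilo_key)


if __name__ == "__main__":
    print(parse_license_key(EXAMPLE_KEY).redacted())
```
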
14.4.8 Licensing scenarios
The way in which the appliance handles license assignments depends on the following:
• Whether the enclosure or server hardware has an embedded license
• The license type you choose when you add the enclosure or server hardware
• Whether there are available licenses in the appliance license pool (for server hardware without an embedded license)

The following table describes how the appliance handles licensing for different user actions.

Table 10 Licensing scenarios

User action: Add a managed enclosure with embedded HPE OneView Advanced or HPE OneView Advanced w/o iLO license.
License policy or type: The embedded license takes precedence over the enclosure license policy you select.
Result: Embedded OA licenses are added to the appliance pool and applied to server hardware that is not licensed.
Notes: Because the embedded licenses from an enclosure are placed in a pool, these licenses are available to apply to any server managed by the appliance.

User action: Add managed server hardware with embedded HPE OneView Advanced or HPE OneView Advanced w/o iLO license.
License policy or type: Embedded licenses are applied to the server hardware regardless of the license type you select.
Result: Embedded licenses are assigned to the server hardware on which they reside.

User action: Add managed server hardware with an existing, permanent iLO Advanced license.
The server hardware will be assigned an HPE OneView Advanced w/o iLO license regardless of the license policy or type.
HPE OneView Advanced w/o iLO
• Licenses available in the pool: The appliance assigns a license to the server hardware.
• No HPE OneView Advanced w/o iLO licenses available in the pool: The appliance issues a warning that there are not enough licenses to satisfy the policy.

User action: Add a managed enclosure or server hardware with no embedded license.
License policy or type: Any
• Licenses available in the pool: The appliance assigns a license to the server hardware.
• No licenses available in the pool: The appliance issues a warning that there are not enough licenses to satisfy the policy.
Notes: After the 60-day trial period, a message notifies you when there are not enough licenses for the number of managed server hardware.

User action: Add a managed enclosure with ProLiant G6 or ProLiant BL680 G7 servers.
License policy or type: Any
Result: The G6 servers will be assigned an HPE OneView Standard license while the other servers are assigned the HPE OneView Advanced or HPE OneView Advanced w/o iLO license you specified.

User action: Add enclosure to monitor the hardware
License policy or type: HPE OneView Standard license
Result: All the server hardware in the enclosure will be assigned an HPE OneView Standard license.
Notes: The appliance automatically assigns this license when adding an enclosure for monitoring the hardware. Embedded licenses on monitored server hardware are ignored.

User action: Remove a monitored enclosure
License policy or type: HPE OneView Standard
Result: The license is unassigned from the server hardware.

User action: Remove managed server hardware.
License policy or type: HPE OneView Advanced (applied to server hardware).
Result: The license remains assigned to the server hardware.
Notes: If the server hardware is re-added, it will be assigned the same license. Removing server hardware with licenses assigned to them can cause the number of licensed servers shown in the licensing graphs to be greater than the number of servers currently being managed because the licenses are still being counted as assigned to server hardware.

User action: Remove managed server hardware.
License policy or type: HPE OneView Advanced w/o iLO or HPE OneView Advanced (license not yet applied to server).
Result: The license is unassigned from the server hardware.

14.4.9 License reporting
Basic license reporting indicates whether the appliance has enough licenses for the managed server hardware in your environment.
From the Licenses view on the Settings screen, you can view the following:
• The number of available licenses
• The number of licensed servers
• The number of licenses required for compliance (all server hardware licensed)

14.5 Learning more
• “Troubleshooting licenses” (page 398)

15 Managing networks and network resources
This chapter describes configuring and managing networks and network resources for the enclosures and server blades managed by the appliance.

NOTE: The network features described in this chapter apply to enclosures and server blades only. The appliance does not monitor or manage the network features and hardware for rack mount servers or for networking equipment outside the enclosures.

UI screens and REST API resources
UI screen       REST API resource
Networks        connection-templates, ethernet-networks, fc-networks and fcoe-networks
Network Sets    network-sets

15.1 Roles
• Minimum required privileges: Infrastructure administrator or Network administrator

15.2 Tasks for networks
You can manage Fibre Channel, Ethernet, and FCoE networks from the UI Networks screen or by using the REST APIs.

15.2.1 Tasks for Fibre Channel networks
The appliance online help provides information about using the UI or the REST APIs to:
• Add and delete a Fibre Channel SAN.
• Edit a Fibre Channel SAN configuration.
• Associate a network with a managed SAN.

15.2.2 Tasks for Ethernet networks
The appliance online help provides information about using the UI or the REST APIs to:
• Add, edit (change a network configuration), and delete a network.
• Add an untagged or tunnel network.
• Add, edit, and delete a network set.

15.2.3 Tasks for FCoE networks
The appliance online help provides information about using the UI or the REST APIs to:
• Add, edit (change a network configuration), and delete a network.
15.3 About networks
The HPE Virtual Connect interconnects in enclosures support the following types of data center networks:
• Fibre Channel for storage networks, including fabric-attach (SAN) Fibre Channel (FC) connections and direct-attach (Flat SAN) Fibre Channel connections.
• Ethernet for data networks, including tagged, untagged, or tunnel networks.
• Fibre Channel over Ethernet (FCoE) for storage networks where storage traffic is carried over a dedicated Ethernet VLAN.

IMPORTANT: The networking features described in this section apply to enclosures and servers only. The appliance does not monitor or manage the network features and hardware for rack mount servers or networking equipment outside the enclosures.

About creating networks
Before creating networks, be aware of the networking maximums. See the HPE OneView Support Matrix for more information.
Before you create a connection in a server profile, you must:
• Create at least one network
• Add the network to a logical interconnect group
• Assign the network to internal networks or an uplink set
You can create networks before you add an enclosure, which is known as pre-provisioning.

About provisioning networks
An Ethernet network is provisioned to an interconnect when the network is associated with an uplink set or internal networks in a logical interconnect. An FC or FCoE network is provisioned to an interconnect when the network is associated with an uplink set in a logical interconnect. An Ethernet and FCoE network must be provisioned to a logical interconnect and be consistent with the logical interconnect group to be deployed in a server profile connection.

15.4 About network sets
A network set is a collection of tagged Ethernet networks that form a named group to simplify server profile creation. Network sets are useful in virtual environments where each server profile connection needs to access multiple networks.
Use network sets in server profile connections to make all networks on a connection's downlink port available. Network sets define how packets will be delivered to the server when a server Ethernet connection is associated with the network set. Network sets also enable you to define a VLAN trunk and associate it with a server connection.

Instead of assigning a single network to a connection in a server profile, you can assign a network set to that connection.
• Using network sets, you can quickly deploy changes to the network environment to multiple servers. For example, you have 16 servers connected to a network set. To add a new network to all 16 servers, you only need to add it to the network set instead of each server individually.
• You can create a network set for your production networks and one for your development networks.
• You can configure a hypervisor with a vSwitch to access multiple VLANs by creating a network set as a trunk that includes these networks.

Network set prerequisites
• All networks in a network set must be Ethernet networks and must have unique external VLAN IDs. Untagged and tunnel networks are single networks and do not use network sets.
• All networks in a network set must be configured in the same appliance.
• A network can be a member of multiple network sets.
• All networks in a network set must be added to uplink sets or internal networks in the logical interconnect group (and its logical interconnects) in order to be used in server profiles with connections to the logical interconnect.
• A network set can be empty (contain no networks) or can contain one or more of the networks configured in the logical interconnect group and logical interconnect. Empty network sets enable you to create network sets in the configuration before you create the member networks, or to remove all of the member networks before you add their replacements.
  However, if a server profile adds a connection to an empty network set, the server cannot connect to any data center networks using that connection.

Creating, editing, and deleting network sets
• When you create or modify a network set, you can designate a network for untagged packets. If you do not designate an untagged network, untagged packets are rejected on the profile connection associated with this network set.
• Server traffic must be tagged with the VLAN ID of one of the Ethernet networks in the network set. Untagged server traffic is either sent to the untagged network (if an untagged network is defined) or is rejected (if no untagged network is defined).
• The untagged network can send tagged and untagged traffic between the server and the interconnect simultaneously. When you create or modify a network set, you define the maximum bandwidth and the preferred bandwidth for connections to that network set. A server profile can override the preferred bandwidth but not the maximum bandwidth.
• When a network is deleted, it is automatically deleted from all network sets to which it belonged.
• When you delete a network set, the networks that belong to the network set are not affected. However, any servers with a connection to that network set are affected because their connections are defined as being to the network set and not to the individual networks. Because the network set is no longer available, the network traffic to and from that server through that connection is stopped. When you delete a network set, any server profile connections that specified that network set become disconnected.
• When deleting networks in a network set, if all in-use networks are removed from the network set, all assigned profiles using this network set are in error and the server profile connections lose connectivity. To avoid connectivity loss, either leave at least one network in the network set or disassociate the network set from all server profiles.

15.5 About Fibre Channel networks
You can use Fibre Channel networks to connect to storage systems.
• “Fibre Channel network types” (page 190)
• “Fabric-attach Fibre Channel networks” (page 190)
• “Direct-attach Fibre Channel networks” (page 191)

15.5.1 Fibre Channel network types
The Virtual Connect interconnects in enclosures support the following types of Fibre Channel networks when connecting to storage systems:
• Fabric-attach networks: The enclosure interconnects connect to data center SAN fabric switches.
• Direct-attach networks: Also called Flat SAN, in which the enclosure interconnects connect directly to a supported storage system.

You cannot change the type of Fibre Channel network, but you can delete the network in HPE OneView, and then add the network as a different type. A logical interconnect can be defined to use direct-attach storage and fabric-attach storage at the same time.
Figure 13 Direct-attach and fabric-attach Fibre Channel networks
[Diagram labels: HP 3PAR Storage System; Fabric-attached HP storage devices; SAN uplink connections (Direct attach); SAN A; SAN B; SAN Switch A and SAN Switch B (HP StorageWorks 4/32B SAN Switch); SAN uplink connections (Fabric attach); HP VC FlexFabric 10Gb/24-Port Module; HP BladeSystem c7000 Enclosure]

15.5.2 Fabric-attach Fibre Channel networks
SAN infrastructures typically use a Fibre Channel switching solution involving several SAN switches that implement NPIV (N-Port ID Virtualization) technology. NPIV uses N-ports and F-ports to build a Fibre Channel SAN fabric. NPIV enables multiple N_Ports to connect to a switch through a single F_Port, so that a server can share a single physical port with other servers, but access only its associated storage on the SAN.

When you configure a fabric-attach Fibre Channel network, the port you choose for the uplink from the enclosure interconnect to the storage SAN must support NPIV (N_Port ID Virtualization).

You can use Virtual Connect Fibre Channel modules to connect storage. The appliance manages up to six Virtual Connect Fibre Channel modules in bays 3 through 8 of an enclosure. Virtual Connect Fibre Channel modules are not supported in bay 1 and bay 2.
15.5.3 Direct-attach Fibre Channel networks
The direct-attach Fibre Channel solution, also called the Flat SAN solution, eliminates the need for a connection from the enclosure interconnects to a Fibre Channel SAN switch. This means you can connect the enclosure interconnects directly to the 3PAR storage system. The direct-attach Fibre Channel solution is available for 3PAR storage solutions using FlexFabric interconnects.

Servers connecting to a direct-attach Fibre Channel network have access to all devices connected on the uplink ports defined for that network. If there is more than one connection from a FlexFabric module to the storage system, each server can access as many paths to the storage LUN (logical unit number) as there are connections to the 3PAR storage system.

For direct-attach Fibre Channel networks, the enclosure interconnect does not distribute server logins across uplink ports. Server login distribution does not apply to direct-attach Fibre Channel networks.

IMPORTANT: If you do not use automated storage provisioning, you must manually update the boot connection when moving a server profile.

When you move a server profile to a different enclosure and the profile is configured to boot from a direct-attach storage system, you must manually update the boot connection of the profile to specify the WWPN (World Wide Port Name) used for the storage system that is directly attached to the enclosure. Each enclosure connects to a different port of the direct-attach storage system, so the WWPN for that storage system is different for each enclosure. If you do not specify the correct WWPN and LUN for the storage system, the server will not boot successfully from the boot target.

15.6 About Ethernet networks
You use Ethernet networks as data networks.
You can create the following types of Ethernet networks:
• Tagged
• Untagged
• Tunnel

15.6.1 About tagged Ethernet networks
A tagged network uses virtual LANs (VLANs), allowing multiple networks to use the same physical connections. By sharing physical uplinks, you can separate traffic streams from different servers using the same set of uplinks. Tagged Ethernet networks that are connected to enclosure interconnects require a VLAN ID.
• You can add multiple Ethernet networks that use the same VLAN ID. This capability is required for logical interconnects that use an active/active configuration.
• Each network name in the appliance must be unique.

Tagged Ethernet networks and network sets
You can assign multiple tagged Ethernet networks to a named group called a network set. Later, when you add a connection in a server profile, you can select this network set to enable multiple networks to be selected for that single connection. Any change made to a network set is applied to all server profiles using the network set.

15.6.2 About untagged Ethernet networks
An untagged network is a single dedicated network without a VLAN tag, used to pass traffic without VLAN tags. Any tagged packets are dropped. Forwarding is done by MAC address. You might want to configure an untagged network for iSCSI storage traffic or set up networks without configuring VLANs.

15.6.3 About tunnel Ethernet networks
A tunnel network is a single dedicated network with a dedicated set of uplink ports used to pass a group of VLANs without changing the VLAN tags. You may want to use tunnel networks if you want to expand beyond the current total of 1000 networks per logical interconnect and 162 networks per downlink port, or if you want to control the resources and QoS. You can have a tunnel network with a maximum of 4094 VLANs.
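The network set rules in section 15.4 and the untagged network behavior in section 15.6.2 decide which VLANs a server connection can reach, so they are worth checking when reviewing segmentation. The model below is an added example, not code from the HPE guide or the appliance. The network names prod 1101 through prod 1104 follow the guide's own example; the set name, the iSCSI network name, the rule that the designated untagged network is a member of the set, and the treatment of a tagged frame whose VLAN ID is not in the set as rejected are assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class EthernetNetwork:
    name: str
    kind: str                      # "tagged", "untagged" or "tunnel"
    vlan_id: Optional[int] = None  # tagged networks require a VLAN ID


@dataclass
class NetworkSet:
    name: str
    networks: List[EthernetNetwork] = field(default_factory=list)
    untagged_network: Optional[str] = None  # member designated for untagged packets


def validate_network_set(ns: NetworkSet) -> List[str]:
    """Return the section 15.4 prerequisites this set violates (empty list = none)."""
    problems: List[str] = []
    by_vlan = {}
    for net in ns.networks:
        if net.kind != "tagged":
            problems.append(f"{net.name}: {net.kind} networks do not use network sets")
        elif net.vlan_id is None:
            problems.append(f"{net.name}: tagged network has no VLAN ID")
        elif net.vlan_id in by_vlan:
            problems.append(
                f"{net.name}: VLAN ID {net.vlan_id} already used by {by_vlan[net.vlan_id]}")
        else:
            by_vlan[net.vlan_id] = net.name
    # Assumption: the network designated for untagged packets is one of the members.
    if ns.untagged_network and ns.untagged_network not in {n.name for n in ns.networks}:
        problems.append(f"{ns.untagged_network}: untagged network is not a member of the set")
    return problems


def disposition(target, frame_vlan: Optional[int]) -> Tuple[str, str]:
    """Classify a frame sent by the server; frame_vlan=None means the frame is untagged."""
    if isinstance(target, NetworkSet):
        if frame_vlan is None:
            if target.untagged_network:
                return ("forward", target.untagged_network)
            return ("reject", "no untagged network designated")
        for net in target.networks:
            if net.vlan_id == frame_vlan:
                return ("forward", net.name)
        # Assumption: a tag that matches no member network has nowhere to go.
        return ("reject", f"VLAN {frame_vlan} is not in the set")
    if target.kind == "untagged":
        if frame_vlan is None:
            return ("forward", target.name)
        return ("drop", "tagged packet on an untagged network")
    raise ValueError(f"{target.kind} connections are not modelled in this example")


def unexpected_vlans(ns: NetworkSet, intended: Iterable[int]) -> List[int]:
    """VLAN IDs a connection to this set exposes beyond the ones the server should see."""
    exposed = {n.vlan_id for n in ns.networks if n.vlan_id is not None}
    return sorted(exposed - set(intended))


# Constructed sample data.
PROD = [EthernetNetwork(f"prod {v}", "tagged", v) for v in (1101, 1102, 1103, 1104)]
ISCSI = EthernetNetwork("iscsi-a", "untagged")                             # hypothetical name
PROD_SET = NetworkSet("prodNS", list(PROD), untagged_network="prod 1101")  # hypothetical set

if __name__ == "__main__":
    for vlan in (1103, None, 2000):
        print("prodNS", vlan, disposition(PROD_SET, vlan))
    print("iscsi-a", 1101, disposition(ISCSI, 1101))
    print("beyond intent:", unexpected_vlans(PROD_SET, [1101, 1102]))
```

Because any change made to a network set is applied to all server profiles using it, rerunning `unexpected_vlans` after each change shows which connections gained reach they were not meant to have.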
15.6.4 About Smart Link
Smart Link enables the server software to detect and respond to a loss of network connectivity on the interconnect uplink ports. With Smart Link enabled, the Virtual Connect interconnects will drop the Ethernet link on all server connections associated with the network if all uplink ports within an uplink set lose their connection to the data center switches. Smart Link causes the operating system to detect a failure and direct traffic to an alternate path.

In order for the Smart Link functionality to operate as designed, valid DCC (Device Control Channel)-compatible NIC firmware and drivers must be installed on the server blade.

Smart Link can be helpful when using certain server network teaming (bonding) policies. Smart Link must be enabled for active/active, horizontal stacking, and primary-slice configurations.

15.7 About Fibre Channel over Ethernet (FCoE) networks
FCoE networks are a combination of both Ethernet and Fibre Channel technology and are used when storage traffic is carried over a dedicated Ethernet VLAN. Like a tagged Ethernet network, FCoE networks use VLANs to allow multiple networks to use the same physical connection. See the HPE OneView Support Matrix for the number of FCoE networks that can be assigned to a single interconnect and for a single logical interconnect or logical interconnect group. Like FC traffic, FCoE traffic does not cross stacking links.

FCoE networks lower cost through:
• Cable consolidation
• Reduction in the number of SAN fabric switches
• Adapter and interconnect consolidation

FCoE network requirements
• Assigned VLAN ID, from 2 to 4094
• Ethernet uplink set
• Uplink ports are FCoE-capable and come from a single FCoE-capable interconnect module

FCoE support depends upon the Virtual Connect firmware version of the interconnect module, as shown in the following table.

Virtual Connect firmware version: 4.10
Supported functionality:
  A single FCoE network in an uplink set
Supported interconnects:
  • Virtual Connect FlexFabric 10Gb/24-Port Module
  • Virtual Connect Flex-10/10D Module for HPE BladeSystem C-class

Virtual Connect firmware version: 4.20 or higher
Supported functionality:
  • Up to 32 FCoE networks in an uplink set
  • Up to 32 FCoE networks per interconnect (cumulative across all uplink sets for the interconnect)
  • FIP snooping
Supported interconnects:
  • Virtual Connect FlexFabric 10Gb/24-Port Module
  • Virtual Connect Flex-10/10D Module for HPE BladeSystem C-class
  • Virtual Connect FlexFabric–20/40 F8 Module, ports X1–X8

Virtual Connect firmware version: 4.30 or higher
Supported functionality:
  • Up to 32 FCoE networks in an uplink set
  • Up to 32 FCoE networks per interconnect (cumulative across all uplink sets for the interconnect)
  • FIP snooping
Supported interconnects:
  • Virtual Connect FlexFabric 10Gb/24-Port Module
  • Virtual Connect Flex-10/10D Module for HPE BladeSystem C-class
  • Virtual Connect FlexFabric–20/40 F8 Module, ports X1–X8 and QSFP ports

15.8 Data center switch port requirements
Although you can configure an uplink set to receive incoming network traffic as untagged by designating a network in that uplink set as Native, traffic egressing the uplink set is always VLAN tagged (except for untagged uplink sets).

The switch ports for data center network switches that connect to the Virtual Connect interconnects must be configured as follows:
• Spanning tree edge (because the Virtual Connect interconnects appear to the switch as access devices instead of switches).
• VLAN trunk ports (tagging) to support the VLAN IDs included in the uplink set that connects to the switch port. For example, if you configure an uplink set, prodUS, that includes the production networks prod 1101 through prod 1104 to use the X2 ports of the interconnects in bay 1 and bay 2 of Enclosure 1, then the data center switch ports that connect to those X2 ports must be configured to support VLAN IDs 1101, 1102, 1103, and 1104.
• If multiple uplinks in an uplink set connect the same logical interconnect to the same data center switch, you must configure the data center switch ports for LACP (Link Aggregation Control Protocol) in the same LAG (Link Aggregation Group) to ensure that all the uplinks in the uplink set are active. Set the frequency of control messages: short — every 1 second with a 3–second timeout; or long — every 30 seconds with a 90–second timeout. Also consider the type of network traffic and if you are creating an active/standby or active/active configuration.

15.9 Learning more
• “Understanding the resource model” (page 41)
• “Managing interconnects, logical interconnects, and logical interconnect groups” (page 195)
• “Troubleshooting networks” (page 406)

16 Managing interconnects, logical interconnects, and logical interconnect groups

A logical interconnect group acts as a recipe for creating a logical interconnect representing the available networks, uplink sets, stacking links, and interconnect settings for a set of physical interconnects in a single enclosure.

UI screens and REST API resources

| UI screen | REST API resource |
| --- | --- |
| Interconnects | interconnects |
| Logical Interconnects | logical-interconnects |
| Logical Interconnect Groups | logical-interconnect-groups |

16.1 Managing enclosure interconnect hardware

When you add an enclosure, any interconnects in the enclosure are also added to the management domain, and they remain in the domain as long as the enclosure is part of the domain. You can manage enclosure interconnect hardware from the UI Interconnects screen or by using the REST APIs.

16.1.1 Roles
• Minimum required privileges: Infrastructure administrator or Network administrator

16.1.2 Tasks for interconnects

The appliance online help provides information about using the UI or the REST APIs to:
• Add or replace a physical interconnect.
• Clear port counters.
• Enable or disable uplink ports or downlink ports.
• Reapply an interconnect configuration.
• Reset loop and pause flood protection.
• View data transfer statistics for uplink and downlink ports.

16.1.3 About interconnects

Interconnects enable communication between the server hardware in the enclosure and the data center networks.

16.1.3.1 About managed and monitored interconnects

Interconnects are added automatically when the enclosure that contains them is added to the appliance.

Managed
HPE OneView manages the interconnects—enabling you to apply configurations, collect statistics, and alert users to specific conditions.

Monitored
HPE OneView monitors hardware for inventory and hardware status only. Monitored interconnects are not associated with firmware baselines or logical interconnects. By default, newly added interconnects have their firmware in an unset state.

Managed interconnects

Managed interconnects are an integral part of an enclosure, and each managed interconnect is a member of a logical interconnect. Each logical interconnect is associated with a logical interconnect group, which is associated with an enclosure group. For more information about logical interconnects, see “About logical interconnects” (page 198). For information about the relationship that enclosures and enclosure groups have with interconnects, logical interconnects, and logical interconnect groups, see . You can update managed interconnect firmware using an SPP (Service Pack for ProLiant).

16.1.3.2 About unmanaged and unsupported interconnects

Unmanaged interconnects

If you assign an enclosure group (which includes a logical interconnect group) to an enclosure in which the interconnects installed in the enclosure do not match the logical interconnect group, each interconnect reports its state as unmanaged.
The physical interconnect configuration in the enclosure must match the logical interconnect group before an interconnect can be managed.

Unsupported interconnects

Unsupported hardware is hardware that the appliance cannot manage. For c7000, if the appliance detects an interconnect that it does not expect (not defined in the logical interconnect group) or cannot manage, the appliance places it into an inventory state and creates a resource for it, but does not bring it under management. If the location corresponds to the definition in the logical interconnect group, it assigns the interconnect a critical health status and displays an alert with a resolution of replacing the interconnect with a model it can manage. The appliance displays the model name of the unsupported interconnect that it obtains from the OA (Onboard Administrator).

16.1.3.3 FIP snooping

Fibre Channel over Ethernet (FCoE) is used to transport Fibre Channel (FC) storage data over a dedicated Ethernet cable. FCoE Initialization Protocol (FIP) handles the FC discovery and login process for FCoE networks. FIP uses a Fibre Channel Forwarder (FCF), which is an Ethernet switch capable of handling FCoE. An FCF is like a Fibre Channel switch that has Ethernet ports. FIP provides an Ethernet MAC address used by FCoE to traverse the Ethernet network. FIP obtains the Fibre Channel ID (FC ID) from the Ethernet network, which is required on the Fibre Channel network.

FIP snooping provides statistical data that can be used to monitor, verify, or troubleshoot connectivity. For a list of interconnects where FIP snooping is supported, see the appropriate support or compatibility matrix on the Hewlett Packard Enterprise Information Library.

More information
“Additional uplink port details” in the online help.
“Additional downlink port details” in the online help

16.1.3.4 Connectivity and synchronization with the appliance

The appliance analyzes the health status of interconnects and issues alerts when there is a change in status of an interconnect or port. The appliance maintains the configuration that you specify on the interconnects that it manages.

The appliance also tracks the connectivity status of interconnects. If the appliance loses connectivity with an interconnect, an alert is displayed until connectivity is restored. The appliance attempts to resolve connectivity issues and clear the alert. If it cannot, you have to resolve the issues and manually refresh the interconnect to synchronize it with the appliance.

You can manually refresh the connection between the appliance and an interconnect from the Interconnects screen. See the online help for the Interconnects screen to learn more.

16.1.4 Learning more
• “Interconnects” (page 47)
• “Networking features” (page 38)
• “Troubleshooting interconnects” (page 395)

16.2 Managing logical interconnects and logical interconnect groups

A logical interconnect represents the available networks, uplink sets, and stacking links for a set of physical interconnects in a single enclosure. The Logical Interconnects screen provides a graphical view of the logical interconnect configuration in an enclosure. Use this screen or the REST APIs to manage the uplink sets for the logical interconnect. When you add an enclosure, a logical interconnect is created automatically.

The logical interconnect group serves as a template to ensure the consistent configuration of all of its logical interconnects.
16.2.1 Roles
• Minimum required privileges: Infrastructure administrator or Network administrator

16.2.2 Tasks for logical interconnects

The appliance online help provides information about using the UI or the REST APIs to:
• Add, edit, or delete an uplink set.
• Change Ethernet settings such as:
  ◦ Fast MAC cache failover.
  ◦ MAC refresh interval.
  ◦ IGMP (Internet Group Management Protocol) snooping and idle timeout interval.
  ◦ Loop protection.
  ◦ Pause flood protection.
  ◦ Enable or disable Link Layer Discovery Protocol (LLDP) tagging
  ◦ Enable or disable enhanced type-length-value (TLV) settings
• Configure a port to monitor network traffic.
• Edit internal networks
• Enable and disable physical ports.
• Update firmware for the interconnects via the logical interconnects.
• Manage SNMP (Simple Network Management Protocol) access and trap destinations.
• Manage the frequency of control messages through the LACP timer.
• Reapply the logical interconnect configuration to its physical interconnects.
• Redistribute logins for uplink failover on a Fibre Channel network.
• Update the logical interconnect configuration from the logical interconnect group.
• View and download the MAC address table.
• Define Quality of Service (QoS) settings for the logical interconnect

16.2.3 Tasks for logical interconnect groups

The appliance online help provides information about using the UI or the REST APIs to:
• Create a logical interconnect group
• Edit a logical interconnect group
• Delete a logical interconnect group
• Copy a logical interconnect group
• Enable or disable Link Layer Discovery Protocol (LLDP) tagging
• Enable or disable enhanced type-length-value (TLV) settings
• Define Quality of Service (QoS) settings to apply to the logical interconnect

16.2.4 About logical interconnects

A logical interconnect is a single administrative entity that consists of the configuration for a set of interconnects in a single enclosure, and includes:
• The uplink sets, which connect to data center networks.
• The mapping of networks to physical uplink ports, which is defined by the uplink sets for a logical interconnect.
• The internal networks, which are used for server-to-server communications without traffic egressing any uplinks.
• The downlink ports, which connect through the enclosure midplane to the servers in the enclosure.
• The connections between interconnects, which are called stacking links. Stacking links can be internal cables (through the enclosure) or external cables between the external ports of interconnects.

See the appropriate support or compatibility matrix on the Hewlett Packard Enterprise Information Library for the maximum number of networks that can be provisioned on a logical interconnect.

For a server administrator, a logical interconnect represents the available networks through the interconnect uplinks and the interconnect downlink capabilities through a physical server’s interfaces. For a network administrator, a logical interconnect represents an Ethernet stacking configuration, aggregation layer connectivity, stacking topology, network reachability, statistics, and troubleshooting tools.
16.2.4.1 About uplink sets

An uplink set defines a single, dedicated network or a group of networks and physical ports on a set of interconnects in an enclosure. An uplink set enables you to attach the interconnects to the data center networks. An uplink set enables multiple ports to support port aggregation (multiple ports connected to a single external interconnect) and link failover with a consistent set of VLAN networks.
• For tagged Ethernet networks, an uplink set enables you to identify interconnect uplinks that carry multiple networks over the same cable.
• For untagged or tunnel Ethernet networks, an uplink set identifies interconnect uplinks that are dedicated to a single network.
• For Fibre Channel networks, you can add one network to an uplink set. Fibre Channel does not allow virtual networks or VLANs.
• For Fibre Channel over Ethernet (FCoE) networks, an uplink set enables you to carry multiple Fibre Channel and tagged Ethernet networks over the same set of Ethernet cables.
• One uplink set per Cisco FEX module is allowed.

An uplink set is part of a logical interconnect. The initial configuration of the uplink sets for a logical interconnect is determined by the configuration of the uplink sets for the logical interconnect group, but you can change (override) the uplink sets for a specific logical interconnect. Changes you make to the uplink sets for a logical interconnect group are not automatically propagated to existing logical interconnects. For example, to propagate a newly added VLAN to a logical interconnect group uplink set to its existing logical interconnects, you must individually update each logical interconnect configuration from the logical interconnect group.

For each logical interconnect:
• You can define zero or more uplink sets.
  See networking limits in the HPE OneView Support Matrix for the maximum number of supported uplink sets and the maximum network types supported in an uplink set. If you do not define any uplink sets, the servers in the enclosure cannot connect to data center networks.
• A network can be a member of one uplink set per logical interconnect group only.
• An uplink set with Fibre Channel or FCoE networks can use uplinks from only one interconnect.
• An uplink set can contain one or more tagged Ethernet networks. An uplink set for an untagged or a tunnel network can only contain that one untagged or tunnel network.
• An uplink set can contain one or more FCoE networks, but the uplinks must be contained within a single FCoE-capable interconnect. See firmware requirements in “About Fibre Channel over Ethernet (FCoE) networks” (page 192).
• Within a logical interconnect group or logical interconnect, all VLAN IDs must be unique across uplink sets and internal networks.
• Internal networks allow server-to-server connectivity within the logical interconnect. Internal networks are created by adding existing networks to the internal networks set. Internal networks can be added to uplink sets which automatically removes them from the internal networks set. Cisco FEX modules do not support internal networks.
• Ethernet networks in an uplink set must be specified individually and cannot be specified by selecting a network set. The use of network sets in uplink sets is not supported for the following reasons:
  ◦ The networking configuration is intended to be managed by users with a role of Network administrator. Because users with a role of Server administrator can create and edit network sets, allowing network sets to be members of uplink sets could result in server administrators changing the mapping of networks to uplink ports without the knowledge of the network administrator.
  ◦ Because a network can be a member of more than one network set, allowing network sets to be members of uplink sets would make it more difficult to ensure that no single network is a member of more than one uplink set, especially as the network set configurations change over time.

16.2.4.2 About internal networks

An internal network is a network that has no uplink ports and is used for server-to-server communications within a logical interconnect. Servers that communicate with each other over internal networks do so without the traffic egressing any uplinks. Only tagged, untagged, and tunnel Ethernet networks can be members of internal networks. If network connectivity outside of the logical enclosure is required, the network must be in an uplink set associated with an uplink.

NOTE: A network is not available for profile connections until it is added to an uplink set or internal networks in a logical interconnect group and the associated logical interconnect.

Adding and removing internal networks

Each logical interconnect group and logical interconnect has an internal network list which is initially empty. Adding a network to the internal network list in both the logical interconnect group and logical interconnect allows it to be used in server profile connections that can be mapped to downlinks on the interconnects within the logical interconnect.

IMPORTANT: Duplicate networks in the internal networks list on more than one logical interconnect can result in the inability for the servers in the enclosure to communicate. Therefore, it is recommended to define all your internal networks on one logical interconnect in the enclosure.

You can add or remove internal networks from the Logical Interconnects or Logical Interconnect Groups screen. The internal network configuration created in the logical interconnect group is inherited by associated logical interconnects.
A logical interconnect can be made consistent with the parent logical interconnect group by selecting Actions→Update from group.

Networks in the internal networks list appear as available networks for uplink sets. They are automatically removed from internal networks if they are added to an uplink set. Removing an Ethernet network from an uplink set in a logical interconnect automatically moves it to internal networks so network connectivity is not lost for server profile connections using the network. However, if you remove an Ethernet network from an uplink set in a logical interconnect group, the network does not get moved automatically to the internal networks. If you want the network to be internal, edit the logical interconnect group and add the network to the internal networks.

16.2.4.3 About stacking links and stacking health

Stacking links

Stacking links apply to Ethernet networks only. You can connect all the interconnects to one another through stacking links so that Ethernet traffic from a server connected to an interconnect downlink can reach the data center networks through that interconnect or through a stacking link from that interconnect to another interconnect.

When adding enclosures, create a single logical interconnect group with a single logical interconnect that contains all interconnects within the enclosure. This creates a fully stacked enclosure.

To set up an enclosure that is not stacked, configure multiple logical interconnect groups where each interconnect is in a separate logical interconnect group (and subsequently separate logical interconnects) before adding the enclosure. You can also set up a partially-stacked enclosure where you have more than one interconnect in a logical interconnect group. See “About multiple logical interconnect groups in an enclosure group” (page 203) for more information.
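The uplink set and internal network rules listed in 16.2.4.1 and 16.2.4.2 can be checked mechanically when a logical interconnect group definition is reviewed, which is one way for a network administrator to catch a mapping change made without their knowledge. The following Python check is an added example, not HPE code: the data model, the rule names and the sample groups are constructed for illustration and are not the OneView REST schema.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ETHERNET = {"tagged", "untagged", "tunnel"}    # kinds allowed as internal networks
SINGLE_NETWORK = {"untagged", "tunnel", "fc"}  # kinds that get an uplink set to themselves


@dataclass(frozen=True)
class Network:                      # hypothetical model, not the OneView REST schema
    name: str
    kind: str                       # tagged | untagged | tunnel | fc | fcoe
    vlan_id: Optional[int] = None   # set for tagged Ethernet and FCoE networks


@dataclass
class UplinkSet:
    name: str
    networks: List[Network]
    bays: Set[int]                  # interconnect bays that supply the uplink ports


@dataclass
class LogicalInterconnectGroup:
    name: str
    uplink_sets: List[UplinkSet]
    internal_networks: List[Network] = field(default_factory=list)


def validate(lig: LogicalInterconnectGroup) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings; an empty list means no rule is broken."""
    findings = []
    member_of = defaultdict(set)    # network name -> uplink sets that contain it
    vlan_users = defaultdict(set)   # VLAN ID -> names of the networks using it

    for us in lig.uplink_sets:
        kinds = {n.kind for n in us.networks}
        for n in us.networks:
            member_of[n.name].add(us.name)
            if n.vlan_id is not None:
                vlan_users[n.vlan_id].add(n.name)
            # FCoE networks need an assigned VLAN ID from 2 to 4094.
            if n.kind == "fcoe" and (n.vlan_id is None or not 2 <= n.vlan_id <= 4094):
                findings.append(("fcoe-vlan-range", f"{n.name}: VLAN ID {n.vlan_id}"))
        # Fibre Channel and FCoE uplinks must all come from one interconnect.
        if kinds & {"fc", "fcoe"} and len(us.bays) > 1:
            findings.append(("storage-single-interconnect", f"{us.name}: bays {sorted(us.bays)}"))
        # Untagged, tunnel and Fibre Channel uplink sets carry exactly one network.
        if kinds & SINGLE_NETWORK and len(us.networks) > 1:
            findings.append(("dedicated-uplink-set", f"{us.name}: {len(us.networks)} networks"))

    for n in lig.internal_networks:
        if n.kind not in ETHERNET:
            findings.append(("internal-ethernet-only", n.name))
        # Adding a network to an uplink set removes it from the internal networks,
        # so a definition that lists it in both places is stale.
        if n.name in member_of:
            findings.append(("internal-and-uplink", f"{n.name}: {sorted(member_of[n.name])}"))
        if n.vlan_id is not None:
            vlan_users[n.vlan_id].add(n.name)

    for name, sets in member_of.items():
        if len(sets) > 1:
            findings.append(("network-in-multiple-uplink-sets", f"{name}: {sorted(sets)}"))
    for vlan, names in vlan_users.items():
        if len(names) > 1:
            findings.append(("duplicate-vlan-id", f"VLAN {vlan}: {sorted(names)}"))
    return findings


def rules_broken(lig: LogicalInterconnectGroup) -> List[str]:
    return sorted({rule for rule, _ in validate(lig)})


# Constructed sample: the guide's prodUS example plus deliberately broken entries.
PROD = [Network(f"prod {v}", "tagged", v) for v in range(1101, 1105)]
GOOD = LogicalInterconnectGroup("lig-good", [UplinkSet("prodUS", PROD, {1, 2})])
BAD = LogicalInterconnectGroup(
    "lig-bad",
    uplink_sets=[
        UplinkSet("prodUS", PROD, {1, 2}),
        UplinkSet("backupUS", [PROD[1]], {1}),                        # prod 1102 reused
        UplinkSet("sanUS", [Network("fcoe-a", "fcoe", 1)], {1, 2}),   # bad VLAN, two bays
        UplinkSet("mgmtUS", [Network("mgmt", "untagged"),
                             Network("dmz", "tagged", 200)], {2}),    # untagged not alone
    ],
    internal_networks=[Network("vmotion", "tagged", 1103)],           # VLAN 1103 already used
)

if __name__ == "__main__":
    for rule, detail in validate(BAD):
        print(f"{rule:34} {detail}")
```
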
Stacking health

The appliance detects the topology within an enclosure of the connections between interconnects, and determines the redundancy of paths between servers and data center networks. The appliance reports redundancy information as the stacking health of the logical interconnect, which is one of the following:

Redundantly Connected
There are at least two independent paths between any pair of interconnects in the logical interconnect, and there are at least two independent paths from any downlink port on any interconnect in the logical interconnect to any other port (uplink or downlink) in the logical interconnect.

Connected
There is a single path between any pair of interconnects in the logical interconnect, and there is a single path from any downlink port on any interconnect in the logical interconnect to any other port (uplink or downlink) in the logical interconnect.

Disconnected
At least one interconnect is not connected to the other member interconnects in the logical interconnect.

Not applicable
Interconnects do not support stacking or there is a single interconnect in the logical interconnect.

16.2.4.4 Creating or deleting a logical interconnect

Creating a logical interconnect in an enclosure

A logical interconnect is automatically added when the enclosure is added. When you add a c7000 enclosure, the following occurs:
• A logical enclosure is created based on the defined enclosure group
• The appliance detects the physical interconnects and their stacking links, if any.
• The appliance automatically creates a single logical interconnect for each logical interconnect group defined in the enclosure group.
  NOTE: The number of logical interconnects that are created depends on how the enclosure group was defined. See Edit a logical interconnect group in the online help.
• The appliance automatically names the logical interconnects using the following naming convention: logical_enclosure_name-logical_interconnect_group_name
• The data for the logical interconnects displays on the Logical Interconnects screen.

To add or change logical interconnects, see Edit a logical interconnect group in the online help for more information.

Deleting a logical interconnect

To delete a logical interconnect, you must remove the logical interconnect group from the enclosure group, and then perform an update from group on the logical enclosure. This deletes the logical interconnect from the logical enclosure.

16.2.5 About logical interconnect groups
• “About the logical interconnect group graphical interface” (page 202)
• “About multiple logical interconnect groups in an enclosure group” (page 203)
• “About copying a logical interconnect group” (page 203)
• “About uplink sets in a logical interconnect group” (page 203)
• “About Link Layer Discovery Protocol (LLDP) tagging” (page 204)
• “About enhanced type-length-value (TLV) structure” (page 204)

One or more logical interconnect groups are associated with an enclosure group and are used to define the logical interconnect configuration for every enclosure that is using that enclosure group. Logical interconnect group configurations include the I/O bay occupancy, uplink sets, available networks based on the uplink sets and internal networks, and downlinks.

All references to a logical interconnect group by an enclosure group or logical interconnect must be removed before you can delete the logical interconnect group.

16.2.5.1 About the logical interconnect group graphical interface

Figure 14 Logical interconnect group screen topography

1 Edit icon: Click to edit the associated object, such as uplink set or internal networks, for configuration changes.
2 Delete icon: Click to remove the associated object, such as an uplink set, from the configuration.
3 Add uplink set: Click to add an additional uplink set to the logical interconnect group.
4 Uplink set connections: Provides a graphical representation of the uplink set configuration with the associated networks and uplink ports. Hovering over the uplink set or uplink ports highlights the configuration connections.
5 Uplink port: The assigned uplink port and its status. Hovering over the port displays additional port information.
6 Enclosure bay number: Identifies the interconnect bay of the enclosure.

16.2.5.2 About multiple logical interconnect groups in an enclosure group

Multiple logical interconnect groups can be associated with one enclosure group. The advantages of using multiple logical interconnect groups in an enclosure group are:
• Having air-gap separation between Ethernet networks to allow isolation of network traffic
• Eliminating the need for stacking cables between interconnects, freeing uplink ports for data center traffic
• Doubling the number of networks in an active/active configuration. See “About active/active and active/standby configurations” (page 206) for more information.

Logical interconnect group requirements
• Interconnects in horizontally adjacent bays must contain the same interconnect type or an empty bay

16.2.5.2.1 When to create a logical interconnect group

By default, a single logical interconnect group containing all the interconnects in the enclosure is automatically created when you add an enclosure, unless you create the logical interconnect group(s) before adding the enclosure.

If you want to have multiple logical interconnects in an enclosure:
• Create logical interconnect groups with the interconnects that you want in each logical interconnect.
• Add the logical interconnect groups to an enclosure group
• Add the enclosure using the enclosure group.

16.2.5.3 About copying a logical interconnect group

To streamline the creation of logical interconnect groups, you can copy existing logical interconnect groups. When you copy a logical interconnect group, all the settings, uplink sets, and networks copy to the new group. The new group is not associated automatically with enclosure groups or logical interconnects. After copying a logical interconnect group, you can edit the logical interconnect group or associate it to an enclosure group.

For example, you have an existing logical interconnect group and you want a new group with the same settings, except a different internal network. Copy the existing logical interconnect group, and then edit the new logical interconnect group to change the internal network.

More information
“Copy a logical interconnect group” in the online help

16.2.5.4 About uplink sets in a logical interconnect group

The uplink sets portion of the logical interconnect group defines the initial configuration for uplink sets for each logical interconnect in the enclosure group. If you change the uplink sets for an existing logical interconnect group, only enclosures that you add after the configuration change are configured with the new uplink set configuration. Changing uplink sets in a logical interconnect group makes the logical enclosure and logical interconnects associated with it inconsistent with the logical interconnect group. Select Update from group to bring the logical enclosure and logical interconnect back into compliance with the changes made to the logical interconnect group.

16.2.5.5 About Link Layer Discovery Protocol (LLDP) tagging

Link Layer Discovery Protocol (LLDP) information is sent by devices at a fixed interval in the form of an Ethernet frame. Each frame contains one LLDP Data Unit (LLDPDU).
Each LLDPDU is a sequence of type-length-value (TLV) structures.

Untagged LLDP frames

By default, Virtual Connect interconnects use untagged LLDP frames to advertise their identity and learn about their link partners. LLDP advertises the Virtual Connect interconnect’s management IP addresses to uplink, downlink, and stacking link ports. LLDP frames also identify stacking links in a logical interconnect. The IPv4 address (and IPv6 address if enabled) are used as the LLDP management address TLV.

Tagged LLDP frames

LLDP can also be used to communicate with a virtual switch in the hypervisor through the use of tagged LLDP frames on downlink ports. The tagged frame contains the VLAN ID that identifies the subport of the configured FlexNIC. This information is used to build the network topology.

LLDP tagging can be enabled or disabled through the HPE OneView UI or REST API.

More information
“Interconnect settings” in the online help
“Enable or disable LLDP tagging” in the online help or REST API Scripting help
“About logical interconnect groups” (page 202)
“About logical interconnects” (page 198)

16.2.5.6 About enhanced type-length-value (TLV) structure

Enhanced TLV is part of the Link Layer Discovery Protocol (LLDP) exchange of information between interconnects. Enhanced TLV determines what is contained on the Chassis ID TLV of LLDP frames sent out by an interconnect.

Enhanced TLV can be enabled or disabled through the HPE OneView UI or REST API.
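Because LLDP frames carry the management address and the Chassis ID to every link partner, it is useful to decode a captured LLDPDU and see exactly what a port advertises. The following Python parser is an added example, not HPE code: it follows the standard LLDP TLV layout (7-bit type, 9-bit length), both sample LLDPDUs are constructed, and the use of Chassis ID subtype 7 for a text identifier is an assumption, since the guide does not say which subtype the interconnect sends.

```python
import ipaddress
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_MGMT_ADDR = 5, 8
CHASSIS_SUBTYPE_MAC = 4
ADDR_LEN = {1: 4, 2: 16}   # IANA address family number -> byte length (IPv4, IPv6)


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) pairs; each header is 7 bits of type and 9 bits of length."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if offset + length > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} overruns the LLDPDU")
        if tlv_type == TLV_END:
            return
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length


def disclosed(lldpdu: bytes) -> dict:
    """Collect the identifying fields a link partner learns from this LLDPDU."""
    info = {"chassis_id": None, "chassis_id_is_mac": None,
            "system_name": None, "management_addresses": []}
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type == TLV_CHASSIS_ID and value:
            subtype, body = value[0], value[1:]
            if subtype == CHASSIS_SUBTYPE_MAC and len(body) == 6:
                info["chassis_id"] = ":".join(f"{b:02x}" for b in body)
                info["chassis_id_is_mac"] = True
            else:
                info["chassis_id"] = body.decode("utf-8", "replace")
                info["chassis_id_is_mac"] = False
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_MGMT_ADDR and len(value) >= 2:
            addr_len, family = value[0], value[1]   # addr_len counts the family byte
            raw = value[2:1 + addr_len]
            if ADDR_LEN.get(family) == len(raw):
                info["management_addresses"].append(str(ipaddress.ip_address(raw)))
    return info


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (used here only to build the constructed samples)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mgmt_addr(address: str) -> bytes:
    packed = ipaddress.ip_address(address).packed
    family = 1 if len(packed) == 4 else 2
    # interface numbering subtype 2 (ifIndex), interface number 1, no OID
    return bytes([len(packed) + 1, family]) + packed + b"\x02" + struct.pack("!I", 1) + b"\x00"


COMMON = [tlv(TLV_PORT_ID, b"\x05X1"), tlv(TLV_TTL, struct.pack("!H", 120)),
          tlv(TLV_SYSTEM_NAME, b"example-interconnect"),
          tlv(TLV_MGMT_ADDR, mgmt_addr("192.0.2.10")), tlv(TLV_END, b"")]

# Constructed sample, enhanced TLV disabled: Chassis ID is a MAC address.
SAMPLE_MAC = b"".join(
    [tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("020000aabbcc"))] + COMMON)
# Constructed sample, enhanced TLV enabled: text identifier (subtype 7 is an assumption).
SAMPLE_TEXT = b"".join(
    [tlv(TLV_CHASSIS_ID, b"\x07" + b"ENCLOSURE-NAME-PLACEHOLDER SERIAL-PLACEHOLDER")] + COMMON)

if __name__ == "__main__":
    for name, pdu in (("enhanced TLV disabled", SAMPLE_MAC), ("enhanced TLV enabled", SAMPLE_TEXT)):
        print(name, disclosed(pdu))
```
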
Enable
The Chassis ID TLV advertises the enclosure name and serial number to other interconnects

Disable
The Chassis ID TLV contains the switch MAC address

16.2.5.6.1 Enhanced TLV values

Enable enhanced TLV format
• System name (BAY:)
• Chassis ID (ENC::SERIAL NO:
• Part description (/)

Disable enhanced TLV format
• System name ()
• Chassis ID ()
• Part description (IF-MIB::ifDescr value), for example HPE VC FlexFabric 10Gb/24–Port Module 4.10 X1

More information
“Enable or disable enhanced type-length-value (TLV) settings” in the online help or REST API Scripting help
“About logical interconnect groups” (page 202)
“About logical interconnects” (page 198)

16.2.6 About firmware associated with a logical interconnect

All components in a logical enclosure must either run the same firmware version or run firmware versions that are compatible to each other. You can select a single Service Pack for ProLiant (SPP) and apply it to all components in an enclosure, therefore minimizing the chance of downtime due to firmware incompatibility.

You can also apply an SPP to a logical interconnect, which results in all associated interconnects having the same firmware baseline. This operation, by default, updates firmware only on those member interconnects that are running a different version of firmware and ignores the interconnects that are running the same firmware version.

The firmware version associated with the logical interconnect is automatically updated when an enclosure is added and an SPP is selected for the firmware baseline. The OA and iLO firmware are updated as well. Network disruptions do not occur as long as server profiles have not yet been defined or applied in the new enclosure. However, if manage manually is selected during an enclosure add, the baseline for the interconnects is Not set.
If subsequent firmware updates apply to the enclosure only, the baseline is still shown in HPE OneView as Not set. A baseline can be set for logical interconnect firmware update either when adding the enclosure using the Enclosures screen, or when updating the firmware from the Logical Enclosures screen and selecting Enclosure + logical interconnect + server profiles. If a baseline for logical interconnect is never set, the firmware for the enclosure must be managed manually.

16.2.6.1 About updating firmware for logical interconnects

Firmware activation options allow you to maintain network availability and reduce the probability of outages due to human error. You also have the option of staging the firmware for later activation. You can activate the staged firmware on an individual interconnect or on all interconnects.

You have the following options when updating firmware based on the logical interconnect:

| Option | Description |
| --- | --- |
| Update firmware (stage + activate) | Stages (uploads) the selected firmware to the secondary flash memory on the interconnect, and then activates the firmware as the baseline. At the end of this operation, all member interconnects are running the same firmware baseline and are compliant with one another. This option and parallel activation affect the connectivity to and from the servers until the activation is complete, but do update the firmware in the shortest time. See “About activating firmware options” (page 206) for information about parallel activation. |
| Stage firmware for later activation | Stages (uploads) the selected firmware to the secondary flash memory on the interconnect, but does not activate the firmware. You can activate the firmware at a later time. This option allows manual sequencing of the firmware activation and is the preferred approach to minimize service interruption. |
| Activate firmware | Activates the selected staged firmware. |
When updating firmware based on the logical interconnect, if one or more interconnects are already running the targeted firmware version, HPE OneView excludes those interconnects from the firmware update.

16.2.6.1.1 About activating firmware options

You have the following options for activating the firmware on Ethernet and Fibre Channel interconnect modules:

| Option | Description |
| --- | --- |
| Odd/even | Activates odd numbered interconnect modules 1, 3, 5, and 7 on the left side, followed by even numbered modules 2, 4, 6, 8 on the right side. |
| Serial | Activates one interconnect module at a time starting with the highest numbered bay. This method is the least disruptive. |
| Parallel | Activates all interconnect modules at the same time. This method is the most disruptive and can cause network and storage connectivity outages. |

16.2.7 About active/active and active/standby configurations

When determining which Virtual Connect network configuration to use (active/active or active/standby), consider the type of network traffic the enclosure must support. For example:
• Will there be a high volume of server-to-server traffic (east/west) in the enclosure?
• Is the traffic flow in the enclosure mainly inbound and outbound (north/south)?

By considering network traffic patterns, you can maximize the connected bandwidth or minimize server-to-server traffic leaving the enclosure.

Use an active/standby configuration if network traffic is between systems in the same enclosure (east/west). This configuration minimizes or eliminates any server-to-server communications from leaving the enclosure.

Use an active/active configuration if network traffic is inbound and outbound (north/south) of the enclosure.

16.2.7.1 About active/standby configurations

An active/standby configuration is an Ethernet network configuration where servers in the enclosure have two NIC ports connected to the same Virtual Connect network.
A single uplink set has uplinks in both interconnects. The uplinks in one interconnect are active; the uplinks in the other interconnect are standby and available in the event of a network or interconnect failure. Communications between servers do not leave the interconnect module. For external communications, all servers in the enclosure use the active uplink, regardless of which NIC is actively passing traffic.

An active/standby configuration:
• Provides predictable bandwidth.
• Does not oversubscribe top-of-rack switch (ToR) bandwidth.

An active/standby configuration has the following requirements:
• A minimum of one Ethernet network and one uplink set for each external VLAN ID you define.

16.2.7.2 About active/active configurations

An active/active configuration is an Ethernet network configuration that allows active traffic on the same VLAN on multiple interconnect modules. All servers in the enclosure have their NICs connected to adjacent Virtual Connect modules. All uplinks are active to forward network traffic.

An active/active configuration:
• Provides full use of all uplink ports (no uplink port in standby mode).
• Allows all traffic to egress through the interconnect module connected to the NIC port without crossing the internal stacking link, if stacking is used.
• Doubles the available bandwidth while maintaining redundancy (when combined with Smart Link).

The networks associated with an uplink set must be included in the server profile connection for the interconnect module. For example, if Net_101_A is in uplink set US_A, which has ports from the interconnect module in bay 1, Net_101_A must be associated with the downlink port connected to the interconnect module in bay 1 (for example, LOM1:1-a).
When setting up an active/active configuration in an enclosure, determine if you have a single logical interconnect group or a multiple logical interconnect group per enclosure configuration. For more information, see “About multiple logical interconnect groups in an enclosure group” (page 203).
• In a single logical interconnect group configuration, have at least two Ethernet interconnect modules with stacking links in the enclosure. All interconnects are defined in one logical interconnect in the single logical interconnect group. When you set up the active/active configuration, all networks are available on both interconnects, and subsequently to any server connected to these interconnects through the use of the stacking links. Networks are created in pairs for each VLAN you want to connect.
• In a multiple logical interconnect group configuration, where you define each interconnect in a separate logical interconnect group, and subsequently separate logical interconnects, the interconnects are no longer stacked. Because you can use the same network in both logical interconnect groups, you can create an active/active configuration with twice as many available networks.

16.2.7.2.1 Requirements for an active/active configuration

An active/active configuration requires proper configuration of OS and NIC teaming. An active/active configuration also requires two Virtual Connect modules and resources that meet the following requirements. For an example of an active/active configuration for an enclosure group with a single logical interconnect group, see “Sample active/active configuration for single logical interconnect group” (page 209).

Resource: Networks
Requirement: For a single logical interconnect group configuration, create a pair of networks for each VLAN you want to connect.
• At least one network for the first interconnect module
• Another network for the second interconnect module using the same VLAN ID
• Smart Link selected on both networks.
For a multiple logical interconnect group configuration, you can use the same network in both logical interconnect groups.
Best practice: For a single logical interconnect group configuration, designate a network name for a paired network using the naming convention __ where:
• could be dev, mgmt, or prod, for example.
• could be A or B, 1 or 2, or right or left.

Resource: Uplink Set
Requirement: For a single logical interconnect group configuration, create a pair of uplink sets to associate the networks with the uplink ports on the interconnect module.
• One set of networks assigned to the uplink set with uplinks on the first interconnect module
• The other networks assigned to the uplink set with uplinks on the second interconnect module
• Uplink ports in each uplink set are restricted to one interconnect
For a multiple logical interconnect group configuration, create an uplink set on the first interconnect module and an uplink set on the second interconnect module with the same networks.
Best practice: For a single logical interconnect group configuration, assign names to uplink sets using the naming convention _, where:
• could be A or B, 1 or 2, or right or left.

Resource: Network Sets
Requirement: One or more pairs of network sets. Each set should include only networks that are intended to be used in the same server profile connection. For example, if Net_101_A is in uplink set US_A, which has ports from the interconnect module in bay 1, Net_101_A must be associated with the downlink port connected to the interconnect module in bay 1 (for example, LOM1:1-a)
Best practice: For a single logical interconnect group configuration, designate a network set name using the naming convention _, where:
• could be dev, mgmt, or prod for example.
• could be A or B, 1 or 2, or right or left.

Resource: Server Profiles
Requirement: The physical ports to which you want to map the network or network sets.
Best practice: Map the profile connections to the downlink ports on the same interconnect module as the uplinks on the uplink set. This ensures that the networks associated with the uplink ports in the uplink set match the networks assigned to the profile connections in the downlink ports.

16.2.7.2.2 Sample active/active configuration for single logical interconnect group

[Figure: sample active/active configuration. Labels: Physical server 1, NIC team (Port 1, Port 2), IO Bay 1, IO Bay 2, network vNet 101A (internal VLAN 3, external VLAN 101), network vNet 101B (internal VLAN 5, external VLAN 101), Uplink Set U1, Uplink Set U2, ports d1, SL1, SL2, X1, X2, VLAN 101, ToR switch.]

16.2.8 About loop protection

The loop protection feature enables detection of loops on downlink ports, which can be Flex-10 logical ports or physical ports. The feature applies when Device Control Channel (DCC) protocol is running on the Flex-10 port. HPE OneView network loop protection uses two methods to detect loops:
1. The interconnect periodically injects a loop detection frame into the logical interconnect and analyzes the downlink ports for the looped back detection frame. If this detection frame is found on the downlink ports, the server has a loop condition.
2. The interconnect reviews and intercepts common loop detection frames used in other switches, such as Cisco and ProCurve to prevent any impact on the upstream switch.

When network loop protection is enabled on the Logical Interconnects screen, and a loop detection frame is received on a downlink port, the downlink port is disabled immediately until an administrative action is taken. The administrative action involves resolving the loop condition and clearing the loop protection error condition. The loop detected status on a server can be cleared by editing the server and un-assigning all networks from the connection corresponding to the server in the loop detected state.
The SNMP agent supports trap generation when a loop condition is detected or cleared. You can reset loop protection from the Actions menu on the Interconnects screen.

16.2.9 About pause flood protection

Ethernet switch interfaces use pause frame-based flow control mechanisms to control data flow. When a pause frame is received on a flow control enabled interface, the transmit operation is stopped for the pause duration specified in the pause frame. All other frames destined for this interface are queued up. If another pause frame is received before the previous pause timer expires, the pause timer is refreshed to the new pause duration value. If a steady stream of pause frames is received for extended periods of time, the transmit queue for that interface continues to grow until all queuing resources are exhausted. This condition severely impacts the switch operation on other interfaces. In addition, all protocol operations on the switch are impacted because of the inability to transmit protocol frames. Both port pause and priority-based pause frames can cause the same resource exhaustion condition.

Virtual Connect interconnects provide the ability to analyze server downlink ports for pause flood conditions and take protective action by disabling the port. Virtual Connect 4.31 and later also monitors and reports on uplinks and stacking links for pause flood. The default polling interval is 10 seconds and is not customer configurable. The SNMP agent supports trap generation when a pause flood condition is detected or cleared.

16.2.10 About SNMP settings

Network management systems use SNMP (Simple Network Management Protocol) to monitor network-attached devices for conditions that require administrative attention.
By configuring settings on the Logical Interconnect Groups and Logical Interconnects screens, you can enable third-party SNMP managers to monitor (read-only) network status information of the interconnects.

An SNMP manager typically manages a large number of devices, and each device can have a large number of objects. It is impractical for the manager to poll information from every object on every device. Instead, each SNMP agent on a managed device notifies the manager without solicitation by sending a message known as an event trap.

HPE OneView enables you to control the ability of SNMP managers to read values from an interconnect. You can filter the type of SNMP trap to capture, and then designate the SNMP manager to which traps will be forwarded. By default, SNMP is enabled with no trap destinations set.

When you create a logical interconnect, it inherits the SNMP settings from its logical interconnect group. To customize the SNMP settings at the logical interconnect level, use the Logical Interconnects screen or REST APIs.

16.2.11 About the Virtual Connect FlexFabric–20/40 F8 interconnect module

The Virtual Connect FlexFabric–20/40 F8 Module for HPE BladeSystem c-Class has several unique features. For more information, see the HPE Virtual Connect FlexFabric–20/40 F8 Module for HPE BladeSystem c-Class Installation Instructions at http://www.hpe.com/info/qs.

Enclosure requirements

CAUTION: To avoid overheating:
• Make sure there are 10 fans in the enclosure.
• Do not insert more than six Virtual Connect FlexFabric–20/40 F8 modules in one enclosure.

16.2.12 About Quality of Service for network traffic

Quality of Service (QoS) is a set of service requirements that the network must meet in order to ensure an adequate service level for data transmission. The goal of QoS is a guaranteed delivery system for network traffic.
The QoS feature enables administrators to configure traffic queues for different priority network traffic, categorize and prioritize ingress traffic, and adjust priority settings on egress traffic. Administrators can use these settings to ensure that important traffic receives the highest priority handling while less important traffic is handled at a lower priority. Network traffic is categorized, and then classified. After being classified, traffic is given priorities and scheduled for transmission.

For end-to-end QoS, all hops along the way must be configured with similar QoS policies of classification and traffic management. Traffic prioritization happens because of two things in an end-to-end QoS policy.
• At the interconnect, the packets are egressed based on the associated queue bandwidth. The greater the bandwidth, the higher the priority for the associated traffic at the queue.
• Egress dot1p remarking helps achieve priority at the next hops in the network. If the queue egress traffic is remarked to a dot1p value, and that dot1p value is mapped to a queue in the next hops with higher bandwidth, then these packets in the end-to-end network are treated with higher priority.

QoS configuration is defined in the logical interconnect group and applied to the logical interconnect. QoS statistics are collected by the interconnects. A QoS configuration is applied only on VC Ethernet and VC FlexFabric interconnects on c7000 enclosures.

Consistency state of a logical interconnect with QoS configurations

The UI displays only the currently active QoS configuration that is applied on the interconnects. In addition, two inactive QoS configurations are stored for Custom (with FCoE) and Custom (without FCoE) configuration types.
These are the last known QoS configurations for the corresponding configuration types, applied previously on the associated logical interconnect and logical interconnect group.

While checking for consistency of a logical interconnect to its associated logical interconnect group, the compliance of inactive QoS configurations is also checked (inactive QoS configurations are not visible in the UI). Even if active QoS configurations are exactly the same between a logical interconnect and associated logical interconnect group, because of inconsistencies in inactive QoS configurations stored internally, a logical interconnect’s consistency status can be shown as Inconsistent. Perform an Update from group to bring the logical interconnect group and logical interconnect into a consistent state.

16.2.13 Add an uplink set

Each uplink set must have a unique name within the logical interconnect or logical interconnect group and contain at least one network. For more information about uplink sets, see “About logical interconnects” (page 198).

Prerequisites
• Required privileges: Infrastructure administrator or Network administrator

Adding an uplink set
1. From the main menu, select Logical Interconnects, and then select the logical interconnect to edit.
2. Select Actions→Edit.
3. Click the Add uplink set button.
4. Enter the data requested on the screen. See Add or edit uplink sets in Logical Interconnects screen details in the online help for more information.
5. Click Add networks and select the networks to assign to the uplink set.
6. Click Add, or click Add + to add another network.
7. Click Add uplink ports and select the uplink ports.
8. Click Add, or click Add + to add another port.
9. Confirm the information you are entering is correct and click Create.
10. Click OK.
11. Verify that the uplink set was created in the details pane.
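The uplink set rules above (unique name, at least one network) and the active/active requirements in section 16.2.7.2.1 can be checked against a planned design before it is entered in the UI. The following is an added example, not HPE code: the Network, UplinkSet and Connection classes are a hypothetical model rather than the OneView REST schema, and Net_101_B, US_B and LOM1:2-a are constructed counterparts to the guide's Net_101_A, US_A and LOM1:1-a.

```python
"""Pre-flight check of an active/active design (single logical interconnect group).

Hypothetical data model for illustration; this is not the HPE OneView REST schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    name: str
    vlan_id: int
    smart_link: bool


@dataclass(frozen=True)
class UplinkSet:
    name: str
    networks: tuple       # names of the networks carried by this uplink set
    uplink_ports: tuple   # (bay, port) pairs, for example (1, "X1")


@dataclass(frozen=True)
class Connection:
    downlink: str         # server-side port label, for example "LOM1:1-a"
    bay: int              # interconnect bay that downlink port is wired to
    network: str


def validate(networks, uplink_sets, connections):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    known = {n.name for n in networks}
    net_bays = defaultdict(set)   # network name -> bays whose uplinks carry it
    seen_names = set()

    for us in uplink_sets:
        # Uplink set rules: unique name, at least one network.
        if us.name in seen_names:
            findings.append(f"uplink set name {us.name} is not unique")
        seen_names.add(us.name)
        if not us.networks:
            findings.append(f"uplink set {us.name} contains no network")
        # Active/active rule: the ports of one uplink set sit on one interconnect.
        bays = {bay for bay, _port in us.uplink_ports}
        if len(bays) > 1:
            findings.append(f"uplink set {us.name} spans bays {sorted(bays)}")
        for name in us.networks:
            if name not in known:
                findings.append(f"uplink set {us.name} references unknown network {name}")
            net_bays[name] |= bays

    # Each VLAN needs one network per module, with Smart Link on both.
    by_vlan = defaultdict(list)
    for net in networks:
        by_vlan[net.vlan_id].append(net)
    for vlan, members in sorted(by_vlan.items()):
        bays = set()
        for net in members:
            bays |= net_bays.get(net.name, set())
            if not net.smart_link:
                findings.append(f"network {net.name} (VLAN {vlan}) has Smart Link off")
        if len(members) < 2 or len(bays) < 2:
            findings.append(f"VLAN {vlan} is not paired across two interconnect modules")

    # A profile connection must use the module that holds its network's uplinks.
    for conn in connections:
        bays = net_bays.get(conn.network, set())
        if conn.bay not in bays:
            findings.append(
                f"connection {conn.downlink} (bay {conn.bay}) uses {conn.network}, "
                f"whose uplinks are in bay(s) {sorted(bays)}"
            )
    return findings


# Constructed sample modelled on the guide's Net_101_A / US_A / LOM1:1-a example.
# Net_101_B, US_B and LOM1:2-a are invented counterparts for the second module.
NETWORKS = (Network("Net_101_A", 101, True), Network("Net_101_B", 101, True))
UPLINK_SETS = (
    UplinkSet("US_A", ("Net_101_A",), ((1, "X1"), (1, "X2"))),
    UplinkSet("US_B", ("Net_101_B",), ((2, "X1"), (2, "X2"))),
)
GOOD = (Connection("LOM1:1-a", 1, "Net_101_A"), Connection("LOM1:2-a", 2, "Net_101_B"))
# Same design with the first connection mapped to the other module's network.
CROSSED = (Connection("LOM1:1-a", 1, "Net_101_B"), Connection("LOM1:2-a", 2, "Net_101_B"))

if __name__ == "__main__":
    for label, conns in (("good", GOOD), ("crossed", CROSSED)):
        print(label, validate(NETWORKS, UPLINK_SETS, conns) or "ok")
```

The crossed case is the one the guide warns about: the downlink in bay 1 is given a network whose uplinks exist only in bay 2.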
16.2.14 Update firmware for logical interconnects within enclosures

To update logical interconnect firmware, choose one of the following options:
• Update firmware (stage + activate)
• Stage firmware for later activation
• Activate firmware

NOTE: When a logical interconnect firmware update is in progress, do not initiate a firmware update from the logical enclosure of that logical interconnect.

If you have HPE Virtual Connect Fibre Channel interconnects, see “Update the interconnect firmware for HPE Virtual Connect Fibre Channel interconnects” in the online help.

16.2.14.1 Stage and activate firmware for update from logical interconnect

To upload the firmware and stage for activation, perform the following steps. To activate firmware that is already staged, see “Activate the logical interconnect firmware” in the online help.

Prerequisites
• Required privileges: Network administrator or Infrastructure administrator
• At least one enclosure with two interconnects added that are configured to use Ethernet and at least one logical interconnect
• At least one supported SPP uploaded to the appliance

Staging and activating firmware for update from logical interconnect
1. From the main menu, select Logical Interconnects.
2. From the master pane, select the logical interconnect and then do one of the following:
• Select Actions→Update firmware.
• Select Update firmware from the Firmware panel.
3. From Update action, select Update firmware (stage + activate).
4. From Firmware baseline, select the firmware bundle to install.
5. Optional: Select Force installation to update firmware on all member interconnects and driver enclosures regardless of whether or not a member already has the updated firmware. To install a firmware version that is older than the version contained in the SPP, you must select the Force installation option to downgrade the firmware.
You might want to install older firmware if the newer firmware is known to cause a problem in your environment.
6. Select the firmware activation method and delay for the interconnects on which to activate the firmware.
7. Click OK.
8. Verify the firmware version associated with the logical interconnect and its associated interconnects in the Logical Interconnects page under the Firmware view.

NOTE: If the firmware is already at the selected firmware baseline, the firmware is not updated and a message displays in the Activity screen saying no update required.

16.2.14.2 Stage firmware for later activation for update from logical interconnect

To upload the firmware and stage for activation later, perform the following steps. To activate firmware that was already staged, see “Activate the logical interconnect firmware” in the online help.

Prerequisites
• Required privileges: Network administrator or Infrastructure administrator
• At least one enclosure with two interconnects added that are configured to use Ethernet and at least one logical interconnect
• At least one supported SPP uploaded to the appliance

Staging firmware for later activation for update from logical interconnect
1. From the main menu, select Logical Interconnects.
2. From the master pane, select the logical interconnect and then do one of the following:
• Select Actions→Update firmware.
• Select Update firmware from the Firmware pane.
3. From Update action, select Stage firmware for later activation.
4. From Firmware baseline, select the firmware bundle to install.
5. Optional: Select Force installation to update firmware on all member interconnects regardless of whether or not a member already has the updated firmware. To install a firmware version that is older than the version contained in the SPP, you must select the Force installation option.
You might want to install older firmware if the newer firmware is known to cause a problem in your environment.
6. Click OK.
7. Verify the firmware version associated with the logical interconnect and its associated interconnects in the Logical Interconnects page under the Firmware view.

NOTE: If the firmware is already at the selected firmware baseline, the firmware is not updated and a message displays in the Activity screen saying no update required.

16.2.14.3 Activate the firmware for update from logical interconnect

During staging for later activation, the firmware is written (uploaded) into the secondary flash memory of the interconnect but is not activated. You need to activate the staged firmware for it to become the new firmware baseline. A failure while staging the firmware on one or more interconnects automatically ends the firmware update operation. Both the current firmware baseline and the installed or staged firmware versions are displayed for each interconnect on the Logical Interconnects screen.

Prerequisites
• Required privileges: Network administrator or Infrastructure administrator
• At least one enclosure with two interconnects added that are configured to use Ethernet and at least one logical interconnect
• Previously staged firmware

Activating the firmware for update from logical interconnect
1. From the main menu, select Logical Interconnects, and then select the logical interconnect to manage its firmware.
2. Select Actions→Update firmware.
3. For Update action, select Activate firmware.
4. Select the firmware activation method and delay for the interconnects on which to activate firmware.

NOTE: For Odd/Even or Serial activation, Ethernet modules are updated first, then Fibre Channel modules. Fibre Channel modules will not start until all Ethernet modules are activated.

5. Click OK.
6. Check the Activity screen to determine if the firmware update action was completed.
7. To verify that the firmware version was installed after the firmware is activated, select the Firmware view and compare the Installed and Baseline version number.

16.2.15 Update the logical interconnect configuration from the logical interconnect group

Consistency checking is the validation of a logical interconnect to ensure that it matches the configuration of its parent logical interconnect group. The appliance monitors both the logical interconnect and logical interconnect group, comparing the two, and checks the following for consistency:

Items: Consistency checking
Ethernet interconnect settings: Are there differences in the following logical interconnect settings from the expected configuration defined by the logical interconnect group?
• Enabling Fast MAC cache failover
• MAC refresh intervals
• Enabling IGMP snooping
• IGMP idle timeout intervals
• Loop protection
• Pause flood protection
Uplink Sets: Are there differences in port assignments or network associations from the configuration defined by the logical interconnect group? Did you add an uplink set?
Internal networks: Are there differences in the network assignments for server-to-server communication from the configuration defined by the logical interconnect group?
Interconnect maps: Has the logical interconnect group been edited?
Quality of Service (QoS) settings: Have the network service requirements been edited?

If both configurations match, the logical interconnect Consistency state field is set to Consistent and is considered to be compliant. Any inconsistency results in an alert for the logical interconnect and the Consistency state field is set to Inconsistent with group.
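An added sketch (not HPE code) of the comparison described above, including the stored inactive QoS configurations from section 16.2.12 that can make a logical interconnect inconsistent while everything visible in the UI matches. The settings layout, key names and values are assumptions; the check also lists protective settings (loop protection, pause flood protection) that the group enables but the logical interconnect has turned off.

```python
"""Drift check between a logical interconnect (LI) and its group (LIG).

Hypothetical settings layout and constructed values; not the HPE OneView REST schema.
"""
import copy

ABSENT = "<absent>"   # marks a key that exists on one side only
PROTECTIONS = {("ethernet", "loop_protection"), ("ethernet", "pause_flood_protection")}


def _walk(expected, actual, path=()):
    """Yield (path, expected, actual) for every setting that differs."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            yield from _walk(expected.get(key, ABSENT), actual.get(key, ABSENT), path + (key,))
    elif isinstance(expected, list) and isinstance(actual, list):
        if sorted(expected) != sorted(actual):   # port and network lists are unordered
            yield path, expected, actual
    elif expected != actual:
        yield path, expected, actual


def check(group, li):
    """Compare an LI against its LIG and summarise the result."""
    drifts = list(_walk(group, li))
    visible = [d for d in drifts if d[0][:2] != ("qos", "inactive")]
    return {
        "state": "Consistent" if not drifts else "Inconsistent with group",
        "drifts": drifts,
        # True when every difference is in a stored QoS configuration the UI does not show.
        "hidden_only": bool(drifts) and not visible,
        # Protective settings the group enables but the logical interconnect does not.
        "protections_disabled": sorted(
            path[-1]
            for path, exp, act in drifts
            if path in PROTECTIONS and exp is True and act is not True
        ),
    }


# Constructed group definition; every value here is sample data.
GROUP = {
    "ethernet": {
        "fast_mac_cache_failover": True,
        "mac_refresh_interval": 5,
        "igmp_snooping": True,
        "igmp_idle_timeout": 260,
        "loop_protection": True,
        "pause_flood_protection": True,
    },
    "uplink_sets": {
        "US_A": {"ports": ["1:X1", "1:X2"], "networks": ["Net_101_A"]},
        "US_B": {"ports": ["2:X1", "2:X2"], "networks": ["Net_101_B"]},
    },
    "internal_networks": ["Net_internal"],
    "qos": {
        "active": {"type": "Custom (without FCoE)", "best_effort_share": 50},
        "inactive": {
            "Custom (with FCoE)": {"best_effort_share": 35},
            "Custom (without FCoE)": {"best_effort_share": 50},
        },
    },
}

SAME = copy.deepcopy(GROUP)

# Active QoS matches the group, but one stored (inactive) configuration does not.
STALE_QOS = copy.deepcopy(GROUP)
STALE_QOS["qos"]["inactive"]["Custom (with FCoE)"]["best_effort_share"] = 20

# Local edits on the logical interconnect: a protection switched off, an uplink set added.
WEAKENED = copy.deepcopy(GROUP)
WEAKENED["ethernet"]["loop_protection"] = False
WEAKENED["uplink_sets"]["US_C"] = {"ports": ["1:X3"], "networks": ["Net_101_A"]}

if __name__ == "__main__":
    for label, li in (("same", SAME), ("stale_qos", STALE_QOS), ("weakened", WEAKENED)):
        result = check(GROUP, li)
        print(label, result["state"], result["hidden_only"], result["protections_disabled"])
```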
Updating the logical interconnect configuration from the logical interconnect group

To bring a non-consistent (Inconsistent with group) logical interconnect configuration back into consistency (Consistent) with the logical interconnect group, you must reapply the settings from the logical interconnect group.

NOTE: You can also select Update from group in the logical enclosure because a non-consistent logical interconnect results in a non-consistent logical enclosure.

1. From the Logical Interconnects screen, select Actions→Update from group.

NOTE: The Update from group option is not available if the logical interconnect group and logical interconnect are already compliant (Consistency state field is set to Consistent).

Consistency alerts are cleared automatically and settings now match the logical interconnect group.

NOTE: You cannot always make a logical interconnect compliant by editing or by manually clearing the alert; typically you must select Actions→Update from group. Clearing an alert will impact the health status of the logical interconnect resource (health is equal to the state of the most severe alert that is not cleared). This is a valid use case if you intend for the logical interconnect to not be consistent but want the dashboard to report a healthy (green) status.

2. Check the confirmation box, confirming you understand all of the implications.
3. Click Yes, update to confirm.
4. To verify that the activity is successful, check the activity for a green status in the “Notifications area” (page 89). If the activity is not successful, follow the instructions in the proposed resolution.

16.2.16 Create a logical interconnect group

By default, a single logical interconnect group containing all the interconnects in the enclosure is automatically created when you add an enclosure.
If you want to create multiple logical interconnects, create the logical interconnect groups first with the interconnects you want in each logical interconnect. See “About multiple logical interconnect groups in an enclosure group” (page 203) and “When to create a logical interconnect group” (page 203) for more information.

If you want to use an existing logical interconnect group as a template, copy the logical interconnect group rather than create a new one.

Prerequisites
• Required privileges: Network administrator or Infrastructure administrator

Creating a logical interconnect group
1. From the main menu, select Logical Interconnect Groups, and then do one of the following:
• Select Actions→Create.
• Click + Create logical interconnect group.
2. Enter a name for the logical interconnect group.
3. Select from the list of available interconnects for each bay. See Logical interconnect group requirements for more information.
4. Click the Edit icon of the internal network area in the graphical view.
5. Click Add networks to select from available networks.
6. Click OK when you are finished adding the internal networks.
7. Click Add uplink set.
8. Enter the data requested on the screen for each uplink set you want to create. See “Add an uplink set” (page 211) for more information.
9. Click Create to finish, or click Create + to create additional uplink sets.
10. Optional: Scroll down and, if necessary, make changes to the interconnect settings. Any logical interconnects created from the interconnect group inherit these settings. For more information, see Interconnect settings screen details in the online help.
11. Optional: Make any changes to the SNMP settings. Any logical interconnects created from the interconnect group inherit these settings. For more information, see SNMP screen details in the online help.
12. Optional: Make any changes to the Quality of Service (QoS) settings.
13. Click Create to finish, or click Create + to create additional logical interconnect groups.
14. To verify that the logical interconnect group was created, locate the group in the details pane.
15. Optional: Select the logical interconnect group to edit, and then select Actions→Edit to make changes to the utilization sampling settings, if necessary. These settings are used in data collection for the utilization graphs displayed on the Interconnects screen. For more information, see Utilization Sampling screen details.
16. Click OK to apply any changes.
17. To verify the changes, locate them in the General view.

More information
“About logical interconnect groups” (page 202)

16.2.17 Learning more
• “Logical interconnect groups” (page 50)
• “Logical interconnects” (page 49)
• “Uplink sets” (page 61)
• “Troubleshooting logical interconnects” (page 403)

17 Managing enclosures, enclosure groups, and logical enclosures

Enclosures integrate the power, cooling, and I/O infrastructure needed to support modular server hardware, interconnect, and storage components.

An enclosure group specifies a standard configuration for all of its member enclosures. Enclosure groups enable administrators to provision multiple enclosures in a consistent, predictable manner in seconds.

A logical enclosure represents a logical view of a single enclosure with an enclosure group serving as a template. If the intended configuration in the logical enclosure does not match the actual configuration on the enclosure, the logical enclosure becomes inconsistent.
UI screens and REST API resources

UI screen: REST API resource
Enclosures: enclosures
Enclosure Groups: enclosure-groups
Logical enclosures: logical-enclosures

17.1 Roles
• Minimum required privileges: Infrastructure administrator or Server administrator

17.2 Managing enclosures

17.2.1 Tasks for enclosures

HPE OneView online help provides information about using the UI or the REST APIs to:
• Add a c7000 enclosure to manage its contents.
• Add a c7000 enclosure to monitor the hardware.
• Add server hardware and other components to managed enclosures.
• Claim a c7000 enclosure currently being managed by another appliance.
• Collect remote support data for enclosures.
• Edit an enclosure.
• Forcibly add a monitored c7000 enclosure currently monitored by another management system.
• Forcibly remove a c7000 enclosure if a remove action fails.
• Migrate a c7000 enclosure currently being managed by VCM.
• Move a monitored c7000 enclosure to a managed status.
• Reapply the enclosure configuration.
• Refresh the enclosure to re-synchronize it with HPE OneView.
• Remove a c7000 enclosure from HPE OneView.
• Remove a server and other components from an existing enclosure.
• View activities (alerts and tasks).

17.2.2 About enclosures

An enclosure is a physical structure with device bays supporting compute, networking, and storage building blocks. These building blocks share the enclosure's common power, cooling, and management infrastructure.

For information about enclosures, see the following topics.
• “About c7000 enclosures” (page 218)
• “About managed c7000 enclosures” (page 218)
• “About monitored c7000 enclosures” (page 219)
• “About migrating c7000 enclosures managed by other management systems ” (page 220)
• “About unmanaged and unsupported c7000 enclosures” (page 230)

17.2.2.1 About c7000 enclosures

A c7000 enclosure is added into HPE OneView as a Managed (including Migrated) or Monitored enclosure.
Managed: HPE OneView manages the enclosure enabling you to apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. Managed enclosures require an HPE OneView Advanced or an HPE OneView Advanced w/o iLO license. See “License types” (page 179).

Monitored: HPE OneView monitors hardware for inventory and hardware status only. Server profile management is not allowed within HPE OneView for a monitored enclosure. Monitored enclosures use a free HPE OneView Standard license. See “License types” (page 179).

Migrated: HPE OneView migrates an enclosure from Virtual Connect Manager (VCM) so that its contents can be managed in HPE OneView. If you migrate an enclosure, the existing configuration is captured and recreated in HPE OneView, provided the configuration is supported by HPE OneView.

17.2.2.2 About managed c7000 enclosures

Adding an enclosure for management enables you to apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. There are different ways to add a managed enclosure into HPE OneView.
• Add an enclosure that is new to your environment (one that is not managed by another system). Any existing configuration settings are erased and not brought into HPE OneView. See “Before adding an enclosure for management” (page 219) for more information.
• Migrate an enclosure if it is managed by Virtual Connect Manager (VCM) so that the existing configuration is captured and recreated in HPE OneView. See “About migrating c7000 enclosures managed by other management systems ” (page 220) for more information.

NOTE: You can forcibly add an enclosure from another management system. However, it removes all current configuration settings where it is currently being managed, and does not import the configuration settings into HPE OneView.
Adding or migrating an enclosure for management requires an HPE OneView Advanced or an HPE OneView Advanced w/o iLO license. See “License types” (page 179).

ProLiant G6 and ProLiant G7 BL680c server blades

If you add an enclosure for management that contains a ProLiant G6 server blade or a ProLiant BL680c server blade, the following occurs:
• These server blades are added to HPE OneView in a Monitored state. See “About monitored c7000 enclosures” (page 219).
• The HPE OneView Standard license is automatically applied to these servers only, even though they are in a managed enclosure. See “License types” (page 179).
• Firmware for these servers is not updated during the enclosure add. The server firmware must be updated manually (outside of HPE OneView) after adding the enclosure.

17.2.2.2.1 Before adding an enclosure for management

Before you add an enclosure for management, consider the following:
• Do you want a single or multiple logical interconnect for all interconnects in the enclosure? See “About multiple logical interconnect groups in an enclosure group” (page 203) for more information.
• Do you want a new or existing enclosure group?
◦ An existing enclosure group applies the configurations from that group to your new enclosure. The interconnects in the enclosure are configured automatically according to the logical interconnect groups associated with the enclosure group. For a multi-logical interconnect configuration, select the enclosure group you created that contains the multiple logical interconnect groups.
◦ A new enclosure group creates a configuration based on the enclosure you are adding. This automatically creates a single logical interconnect for all interconnects in the enclosure. If you are creating a new enclosure group, enter a unique name for the group.
• Do you want a new or existing logical interconnect group?
  ◦ An existing logical interconnect group applies the configurations from that group to the interconnects.
  ◦ A new logical interconnect group creates a configuration based on the interconnects found in the enclosure.

17.2.2.3 About monitored c7000 enclosures

You can add c7000 enclosures to inventory and monitor the hardware. This is useful when you have enclosures that have already been deployed and you cannot migrate them into HPE OneView. Enclosures with G6 and later ProLiant server blades cannot be managed, but can be monitored. Monitoring hardware in c7000 enclosures can be done with a free license called HPE OneView Standard. For more information, see “License types” (page 179).

NOTE: If the firmware for any part of the enclosure does not meet the supported minimum, the enclosure will be added in an Unmanaged state. To resolve this issue, update the firmware manually (outside of HPE OneView) and then refresh the enclosure.

To add a c7000 enclosure for monitoring, see "Add an enclosure to monitor the hardware" in the online help.

Move a c7000 enclosure from monitored to managed

Once an enclosure is monitored in HPE OneView, if you decide to change from monitored to managed, you must remove the enclosure from HPE OneView and then migrate or add it back as a managed enclosure, obtaining the appropriate license. Migration keeps the configuration settings, whereas add does not migrate the configuration.

17.2.2.4 About migrating c7000 enclosures managed by other management systems

Enclosures managed by VCM (Virtual Connect Manager) or VCEM (Virtual Connect Enterprise Manager) can be migrated into HPE OneView. Migration recreates the configuration information for an enclosure including hardware, Virtual Connect domain, networks, and server profiles (including MAC addresses and WWNs in the profile connections). Up to four single enclosure domains managed by VCM can be migrated simultaneously to HPE OneView through the UI or REST API.
VCEM-managed enclosures can be prepared for migration to HPE OneView through the VCEM GUI or a PowerShell module. See “Prepare a VCEM enclosure for migration into HPE OneView” (page 236) for more information.

NOTE: HPE OneView does not support G6 server blades for migration or management. You can replace the G6 server blades with a G7 or later blade, or you can monitor the enclosure. See “About monitored c7000 enclosures” (page 219).

When you add an enclosure to be migrated, you can specify an enclosure group or create a new enclosure group. See “About managed c7000 enclosures” (page 218).

More information
“About offline or in-service migration” (page 220)
“About migrating partially stacked domains” (page 221)
“About VCM settings that will not be migrated” (page 225)
“Before migrating c7000 enclosures” (page 225)
“About blocking issues during migration” (page 227)
“About migration acknowledgments” (page 228)
“Timing and type of migration” (page 121)
“Best practices for migrating an enclosure from VCM into HPE OneView” (page 230)

17.2.2.4.1 About offline or in-service migration

You can migrate enclosures into HPE OneView offline or in-service.

Offline
Servers are powered off before migration.
Advantages: Faster migration time and partially-stacked domain support

In-service
Servers remain powered on during migration.
Advantage: Minimum downtime in server connectivity

Both types of migration require that:

• All blocking issues, as identified in the compatibility report, are resolved
• All acknowledgements are understood and accepted, including additional acknowledgments for in-service migration (for example, BIOS and SR-IOV)

In addition, in-service migration requires:

• A fully stacked enclosure in a dual ring or left/right vertical stacking link configuration. See recommended stacking connections in the HPE Virtual Connect for c-Class BladeSystem Setup and Installation Guide.
NOTE: Changes made during in-service migration do not take effect until the server is rebooted for the first time following the migration. Plan a reboot if one of the acknowledgements, such as an SR-IOV virtual function configuration, indicated a change which would impact your operation.

If the additional in-service migration conditions cannot be met, an offline migration is recommended.

More information
“About blocking issues during migration” (page 227)
“About migration acknowledgments” (page 228)

17.2.2.4.2 About migrating partially stacked domains

In Virtual Connect Manager, three types of Ethernet stacking configurations are supported and can be migrated into HPE OneView:

Full
Every Ethernet interconnect has a path to all other Ethernet interconnects. Full stacking is the default mode. This configuration is migrated into HPE OneView with all Ethernet and Fibre Channel interconnects in one logical interconnect group. This configuration can be migrated in-service or offline. See Figure 15: “Full stacking migration from Virtual Connect Manager to HPE OneView”.

Primary-slice
Stacking occurs only between the primary and standby Ethernet interconnects within the domain. This configuration is migrated into HPE OneView with the primary and secondary interconnects configured within one logical interconnect group. All other Ethernet interconnects are configured in their own logical interconnect group with one Ethernet interconnect per logical interconnect group. Fibre Channel interconnects are configured together in a separate logical interconnect group. This configuration must be migrated offline. See Figure 16: “Primary-slice stacking migration from Virtual Connect Manager to HPE OneView”.

Horizontal
Stacking occurs between each horizontal Ethernet interconnect pair.
This configuration is migrated into HPE OneView with all horizontally-adjacent interconnects configured into one logical interconnect group. If there is no horizontally-adjacent interconnect present, when migrated, the corresponding logical interconnect group contains only a single Ethernet interconnect. This configuration must be migrated offline. Fibre Channel interconnects are configured together in a separate logical interconnect group. See Figure 17: “Horizontal stacking migration from Virtual Connect Manager to HPE OneView”.

Figure 15 Full stacking migration from Virtual Connect Manager to HPE OneView

Figure 16 Primary-slice stacking migration from Virtual Connect Manager to HPE OneView

Figure 17 Horizontal stacking migration from Virtual Connect Manager to HPE OneView

You migrate a VCM-managed enclosure into a new or existing enclosure group.

• New enclosure group — the logical interconnect groups are created based on the Virtual Connect stacking configuration. The networks and uplink sets are copied to the newly created logical interconnect group(s). For horizontal or primary-slice:
  ◦ Ethernet networks are copied to all logical interconnect groups containing Ethernet interconnects. Uplink sets are copied to all logical interconnect groups. Uplink set ports are copied only to the created uplink set within the logical interconnect groups containing those ports. All Ethernet settings such as QoS are migrated to the newly configured Ethernet logical interconnect groups.
  ◦ FCoE networks are added to the uplink set created in the logical interconnect group containing the associated uplink set ports.
  ◦ Virtual Connect fabrics are copied as Fibre Channel uplink sets within the logical interconnect group containing the fabric uplink ports.
    An associated Fibre Channel network is also created.
  ◦ SNMP configurations are migrated to all the logical interconnect groups, including the Fibre Channel logical interconnect group.
• Existing enclosure group — the existing HPE OneView logical interconnect group(s) must match the exact bay and interconnect type of the Virtual Connect configuration. Otherwise, a compatibility error occurs and the migration is blocked.
  For example, if a VCM-managed enclosure is Primary-slice and bays 1, 2, 3, and 4 are populated with HPE Virtual Connect FlexFabric 10Gb/24–Port Modules, an error occurs if HPE OneView does not have a matching enclosure group with the logical interconnect groups defined with the same interconnect type (HPE Virtual Connect FlexFabric 10Gb/24–Port Module) for all four bays. In addition, bays 1 and 2 must be configured together in one logical interconnect group and bays 3 and 4 must be configured into two separate logical interconnect groups (as seen in Figure 16: “Primary-slice stacking migration from Virtual Connect Manager to HPE OneView”). The attributes applied to the logical interconnect groups such as uplink sets, Ethernet settings, and SNMP configurations must also match or errors can occur.

More information
“About blocking issues during migration” (page 227)

17.2.2.4.3 About VCM settings that will not be migrated

The following VCM settings will not be migrated into HPE OneView.

• User account specific information such as certificates, user accounts, LDAP, RADIUS, TACACS+, session timeout, and user role configurations
• Port monitoring configuration. After migration, port monitoring can be configured separately on each logical interconnect. See Configure a port to monitor network traffic in the online help for more information.
• Address pools of MACs, WWNs, and serial numbers defined in VCM. HPE OneView migrates the MACs, WWNs, and serial numbers that are part of assigned profiles.
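The logical interconnect group layouts described under “About migrating partially stacked domains”, and the bay and interconnect-type match required for an existing enclosure group, can be worked through in code. The following Python is an added illustration, not HPE code or part of the original guide; the function names, the horizontal bay pairing 1-2, 3-4, 5-6, 7-8, and the default primary and standby bays 1 and 2 are assumptions, and the check covers bay layout and interconnect type only, not uplink sets, Ethernet settings, or SNMP attributes.

```python
"""Added illustration (not HPE code): predict the logical interconnect groups
(LIGs) that a VCM stacking mode yields on migration, and compare them with an
existing enclosure group, following the rules described in this section."""

# Assumption: c7000 interconnect bays pair horizontally as 1-2, 3-4, 5-6, 7-8.
HORIZONTAL_PAIRS = [(1, 2), (3, 4), (5, 6), (7, 8)]
# Per the text, primary-slice and horizontal stacking must be migrated offline.
OFFLINE_ONLY = {"primary-slice", "horizontal"}

# Constructed sample: the Primary-slice example from the text (bays 1 to 4).
FLEXFABRIC = "HPE Virtual Connect FlexFabric 10Gb/24-Port Module"
SAMPLE_BAYS = {bay: ("eth", FLEXFABRIC) for bay in (1, 2, 3, 4)}


def plan_ligs(mode, bays, primary=1, standby=2):
    """Return the expected LIGs as a sorted list of bay-number tuples.

    bays maps bay number -> (kind, model), where kind is "eth" or "fc".
    primary/standby are the bays of the primary and standby Ethernet
    interconnects (hypothetical defaults; used by primary-slice only).
    """
    if not bays:
        return []
    eth = [b for b in sorted(bays) if bays[b][0] == "eth"]
    fc = [b for b in sorted(bays) if bays[b][0] == "fc"]
    if mode == "full":
        # All Ethernet and Fibre Channel interconnects share one LIG.
        return [tuple(sorted(bays))]
    if mode == "primary-slice":
        # Primary and standby together; every other Ethernet module alone.
        pair = tuple(sorted(b for b in (primary, standby) if b in eth))
        groups = ([pair] if pair else []) + [(b,) for b in eth if b not in pair]
    elif mode == "horizontal":
        # One LIG per horizontal pair; a module without a neighbour is alone.
        groups = [tuple(b for b in pair if b in eth) for pair in HORIZONTAL_PAIRS]
        groups = [g for g in groups if g]
    else:
        raise ValueError(f"unknown stacking mode: {mode!r}")
    if fc:
        # Fibre Channel interconnects are grouped together in a separate LIG.
        groups.append(tuple(fc))
    return sorted(groups)


def allowed_migration_types(mode):
    """Migration types the text permits for a given stacking mode."""
    if mode in OFFLINE_ONLY:
        return ("offline",)
    return ("in-service", "offline")


def check_existing_group(mode, bays, existing_ligs, primary=1, standby=2):
    """Compare an existing enclosure group with the expected layout.

    existing_ligs is a list of dicts (one per LIG) mapping bay -> model.
    Returns a list of mismatch descriptions; an empty list means the bay
    layout and interconnect types match.
    """
    problems = []
    expected = plan_ligs(mode, bays, primary, standby)
    actual = sorted(tuple(sorted(lig)) for lig in existing_ligs)
    if actual != expected:
        problems.append(f"LIG bay layout {actual} does not match expected {expected}")
    defined = {bay: model for lig in existing_ligs for bay, model in lig.items()}
    for bay in sorted(bays):
        model = bays[bay][1]
        if bay in defined and defined[bay] != model:
            problems.append(
                f"bay {bay}: group defines {defined[bay]!r}, enclosure has {model!r}"
            )
    return problems


if __name__ == "__main__":
    print(plan_ligs("primary-slice", SAMPLE_BAYS))
    print(allowed_migration_types("primary-slice"))
    merged = [{1: FLEXFABRIC, 2: FLEXFABRIC}, {3: FLEXFABRIC, 4: FLEXFABRIC}]
    print(check_existing_group("primary-slice", SAMPLE_BAYS, merged))
```

A non-empty result from `check_existing_group` corresponds to the compatibility error that blocks migration into an existing enclosure group.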
NOTE: Any new addresses allocated in HPE OneView after the migration are pulled from the HPE OneView address pools. An administrator can manually define custom ranges in HPE OneView to match those that were defined in VCM to continue allocating from that range.

17.2.2.4.4 Before migrating c7000 enclosures

Before you start the migration process, plan the migration. See “Planning for enclosure migration from VCM into HPE OneView” (page 121) to make sure certain requirements, such as backing up the VCM configuration, are met. The migration process is illustrated by the following figure. For details, see “Migrate a c7000 enclosure currently managed by VCM” (page 233).

Figure 18 Migration process
[Flowchart “Migration from VCM to HPE OneView”. Legend: HPE OneView, User attention, Start/End, Process. Box labels: Administrator enters VCM-managed enclosure information into HPE OneView; Administrator clicks “Test compatibility” in HPE OneView; HPE OneView analyzes the VC configuration and detects conflicts, incompatibilities, and warnings to generate a report; Compatibility issues?; Administrator resolves incompatibilities using VCM and/or HPE OneView; Resolve all blocking issues and evaluate warnings; After resolving all blocking issues (except server power on), the administrator powers down the servers, runs a final compatibility test, and then clicks “add” to start the migration; Validate Virtual Connect domain configuration; Migrate VC configuration and enclosure hardware into HPE OneView; Enclosure migrated into HPE OneView; Enclosure managed by HPE OneView.]

See “Planning for enclosure migration from VCM into HPE OneView” (page 121) for tips on preparing your configuration for migration.

Automated functions

Once the compatibility issues have been addressed and the migration takes place, HPE OneView validates the configuration information and then automatically performs the following functions:

• Creates networks and network sets.
• Creates a Logical Interconnect Group or uses an existing group.
• Creates an Enclosure Group or uses an existing group.
• Creates server profiles unassigned to servers but associated to server hardware types. The newly created HPE OneView server profiles retain the same MACs and WWNs used in the corresponding VCM server profiles.
• Imports the enclosure and adds physical resources such as interconnects and servers.
• Assigns server profiles.
• For in-service migration, interconnects are reconfigured sequentially during the migration, overwriting the VCM configuration with the HPE OneView configuration. With a redundant configuration, HPE OneView detects the loss of connectivity for an interconnect and redirects traffic to the alternate path.

At the end of the migration, the Virtual Connect domain is no longer available in VCM. To migrate an enclosure, see “Migrate an enclosure managed by VCM" in the online help.

17.2.2.4.4.1 About c7000 migration and firmware

Before migrating the enclosure, make sure the firmware is at the required minimum. See the HPE OneView Support Matrix for more information. When migrating enclosures, the firmware baseline is automatically set to manage manually. The firmware settings in VCM are migrated to HPE OneView. HPE OneView does not allow firmware updates during the enclosure migration process. Once the enclosure is migrated to HPE OneView, you can update the firmware. See Best practices for firmware and Update firmware for enclosures in the UI help for more information.

17.2.2.4.5 About blocking issues during migration

The following partial list of Virtual Connect features are considered blocking issues because they are not supported in HPE OneView. Blocking issues can also result when settings conflict between the Virtual Connect domain and the HPE OneView logical interconnect group into which the domain is being migrated.
HPE OneView checks for these features and blocks the migration when these issues are found. Resolving an issue might require disabling a feature within Virtual Connect, changing a configuration in Virtual Connect, or in some cases, changing the HPE OneView logical interconnect group. If a feature is required in your environment and your enclosure contains ProLiant G6 or later server blades, you might want to consider monitoring your enclosure. See “About monitored c7000 enclosures” (page 219).

NOTE: VCEM-managed enclosures can be migrated to HPE OneView. See “About migrating c7000 enclosures managed by other management systems” (page 220) for more information.

Blocking issues

• Advanced SR-IOV (1)
• Auto-deployment
• c3000 enclosures, ProLiant G1 through G6 server blades, Integrity blades and Storage server blades
• Ethernet, iSCSI, and FCoE connection speed type disabled
• Federal Information Processing Standard (FIPS 140–2)
• IGMP multicast filters and filter sets
• Storage management credentials
• Unassigned Ethernet, iSCSI, or FCoE network connections (2)
• Unsupported Fibre Channel speeds
• VCEM multiple FC initiators
• Server VLANs mapped to alternate network VLANs
• SNMP v3
• More than 1000 networks defined within the VC domain
• Multiple enclosure stacked domains (2)
• Partially stacked domains (2)

(1) Blocking issue for mixing automatic and non-automatic settings for in-service migration. However, for offline migration, settings are set to default (virtual functions are evenly spread across all physical functions).
(2) Blocking issue for in-service migration only.

NOTE: In general, for functions that are not required in your environment, disabling the function in VCM enables you to migrate the enclosure.

17.2.2.4.5.1 About unassigned VCM server profile connections during migration

An unassigned VCM server profile connection is a connection without a specified network or fabric. There are five types of connections within VCM.
• Ethernet — One or more Ethernet networks assigned to the same server profile connection.
• FCoE — An FCoE network associated with an uplink set. Ethernet and FCoE networks may share the same uplink set.
• FCoE FC SAN — An FCoE connection assigned to a SAN fabric. These connections have one or more native Fibre Channel connections to the uplink ports which are part of the SAN fabric. They utilize FlexFabric physical function 2 of the adapter.
• Native Fibre Channel — A native Fibre Channel adapter connection to a Fibre Channel interconnect.
• iSCSI — An iSCSI, Ethernet network or unshared iSCSI network that is associated with an uplink set. Ethernet and iSCSI networks may share the same uplink set.

HPE OneView does not support unassigned server profile connections, so the connections are not migrated and cannot be recreated for the migrated server profile. For native Fibre Channel connections, a warning issue appears on the compatibility report. For all other connections, a blocking issue appears on the compatibility report for in-service migrations. How to resolve unassigned server profile connections depends on the reason for the unassigned connection and the ramifications to the OS configuration if the connection is not migrated.

More information
“About blocking issues during migration” (page 227)
“Migrate a c7000 enclosure currently managed by VCM” (page 233)

17.2.2.4.6 About migration acknowledgments

Some issues that are not considered blocking or warning issues for VCM migration are shown as acknowledgments. Some acknowledgements do relate to warnings in the compatibility report. In either case, acknowledgments are important instructions that must be followed and acknowledged before the migration can begin. Acknowledgments display in the UI after all blocking issues are resolved and a final compatibility report is generated. In the REST API, the acknowledgments are returned in the acknowledgements attribute.
For specific acknowledgements, see the following:

• “VCM configuration backup acknowledgment” (page 228)
• “Resource modification acknowledgment” (page 228)
• “Redundant hardware and software configuration acknowledgment for in-service migration” (page 229)
• “BIOS acknowledgment for in-service migration” (page 229)
• “SR-IOV acknowledgment for in-service migration” (page 229)
• “Server profile acknowledgment” (page 230)

17.2.2.4.6.1 VCM configuration backup acknowledgment

Verify a backup of the VCM configuration (including the output from show config -includepoolinfo) has been obtained and is secured where it will be available in the event that the enclosure migration is unsuccessful. The backup is used if the VCM configuration must be reverted back to Virtual Connect Manager control. The VCM configuration backup can be created through the VCM web UI or the VCMCLI.

More information
Virtual Connect User Guide at http://www.hpe.com/info/virtualconnect/docs
“Migrate a c7000 enclosure currently managed by VCM” (page 233)
“About migration acknowledgments” (page 228)

17.2.2.4.6.2 Resource modification acknowledgment

Although HPE OneView is fully operational during a migration, do not modify HPE OneView resources until the migration is complete.

IMPORTANT: Modifying HPE OneView resources can cause the migration to fail, leaving the enclosure unconfigured and requiring recovery before it can be made operational.

The migration is complete when the task in the HPE OneView Activities screen shows migration complete. For example, do not edit networks, network sets, logical enclosures, logical interconnect groups, or server profiles for the enclosures involved in the migration. Do not perform other maintenance activities such as server power, appliance restart, or firmware update during the migration process.
More information
“Migrate a c7000 enclosure currently managed by VCM” (page 233)
“About migration acknowledgments” (page 228)

17.2.2.4.6.3 Redundant hardware and software configuration acknowledgment for in-service migration

To minimize the impact to applications and services during an HPE OneView in-service migration, redundant hardware and software configurations are required. The fully stacked enclosure must be configured in a dual ring or left/right vertical stacking link configuration. See recommended stacking connections in the HPE Virtual Connect for c-Class BladeSystem Setup and Installation Guide.

Interconnects are reconfigured sequentially during the migration, overwriting the VCM configuration with the HPE OneView configuration. At most, storage is disrupted for a single interconnect at any point during the migration and network traffic is disrupted for the even or odd numbered bays at any point during the migration. Configure redundant network and storage connections and provide failover such as network interface bonding and MPIO drivers so that network and storage traffic continues to pass on one module of the pair while the other module is reconfigured. As in a logical interconnect firmware update, the server operating system detects the loss of connectivity for the interconnect module and redirects traffic to the alternate path.

More information
“Migrate a c7000 enclosure currently managed by VCM” (page 233)
“About migration acknowledgments” (page 228)

17.2.2.4.6.4 BIOS acknowledgment for in-service migration

In Virtual Connect Manager, administrators can configure specific boot settings (such as PXE or SAN boot) for profile connections while leaving the default USE-BIOS setting in place on other connections in the same profile. After in-service migration, the server continues to boot based on the configured boot settings.
However, the first time the server is rebooted after in-service migration, any connection on the profile configured to USE-BIOS is converted to not bootable to match HPE OneView conventions.

More information
“Migrate a c7000 enclosure currently managed by VCM” (page 233)
“About migration acknowledgments” (page 228)

17.2.2.4.6.5 SR-IOV acknowledgment for in-service migration

In VCM, administrators can specify the distribution of SR-IOV (Single Root I/O Virtualization) virtual functions across the FlexNICs in server profiles. HPE OneView distributes virtual functions evenly across all the FlexNICs in the server profile. When the SR-IOV connection setting in the Virtual Connect domain is default, VCM assigns all SR-IOV virtual functions to the third FlexNIC on the port.

When migrating from VCM to HPE OneView, this redistribution takes effect the first time the server is rebooted after the migration to HPE OneView. The redistribution causes the server to reenumerate PCI devices, which can disrupt server network traffic, as a result of the new device ordering. Review and revise the network configuration of hypervisors and guest virtual machines in the host OS, if needed, to avoid disrupting their network connectivity.

More information
“Migrate a c7000 enclosure currently managed by VCM” (page 233)
“About migration acknowledgments” (page 228)

17.2.2.4.6.6 Server profile acknowledgment

Virtual Connect server profiles that are not assigned to server hardware are not migrated to HPE OneView. To migrate these server profiles:

• Assign them to server hardware, if available.
• Manually recreate the server profiles in HPE OneView after migration. See “Perform post-migration tasks” (page 235).
More information
“Migrate a c7000 enclosure currently managed by VCM” (page 233)
“About migration acknowledgments” (page 228)

17.2.2.4.7 Best practices for migrating an enclosure from VCM into HPE OneView

The following list comprises some best practice tips to help guide you through a migration from VCM to HPE OneView.

• Plan the migration.
• Review your offline or in-service migration options.
• Understand blocking issues.
• Understand the acknowledgments.
• Obtain the HPE OneView Advanced licenses that are required for the migrated servers.
• If VCMCLI scripting is used, transition to the HPE PowerShell module at http://hewlettpackard.github.io/POSH-HPOneView.
• For in-service migration, schedule a maintenance window after the migration when the servers can be rebooted and adjustments made to accommodate any updated SR-IOV settings.

More information
“About migrating c7000 enclosures managed by other management systems” (page 220)

17.2.2.5 About unmanaged and unsupported c7000 enclosures

Unmanaged enclosures

An unmanaged enclosure is one that is not currently managed or monitored by HPE OneView. See “About unmanaged devices” (page 161) to learn more about unmanaged devices. Firmware that does not meet the minimum requirements can cause an enclosure to be unmanaged. To bring the enclosure under management, update the firmware.

Unsupported enclosures

An unsupported enclosure cannot be managed by HPE OneView. However, you can place unsupported enclosures in racks. Adding unsupported enclosures to HPE OneView enables you to account for the physical space the enclosure occupies in a rack for planning and inventory purposes. If you have an enclosure with G6 ProLiant server blades, consider adding the enclosure as monitored instead of unsupported. See “About monitored c7000 enclosures” (page 219). ProLiant G7 or later server blades can be managed in HPE OneView.
See “About managed c7000 enclosures” (page 218).

HPE OneView displays basic information about unsupported enclosures, such as the model name, Onboard Administrator name, and the number of OAs in the enclosure. You can specify the maximum power for the unsupported enclosure, which allows you to define its power capacity and enables HPE OneView to generate alerts when maximum capacity is reached.

17.2.2.6 Connectivity and synchronization with HPE OneView

HPE OneView monitors the connectivity status of enclosures. If HPE OneView loses connectivity with an enclosure, a notification is displayed until connectivity is restored. HPE OneView attempts to resolve connectivity issues and clears the alert automatically, but if it is unsuccessful, you must resolve the issue and manually refresh the enclosure to synchronize it.

HPE OneView also makes sure the enclosures are synchronized with changes to hardware and configuration settings. However, some changes to enclosures made outside of HPE OneView (from OA, for example) might cause the enclosure to lose synchronization. You might have to manually refresh an enclosure that loses synchronization with HPE OneView.

You can manually synchronize an enclosure with HPE OneView by refreshing the enclosure from the Enclosures screen. Refreshing an enclosure will refresh all devices in it. See the online help for the Enclosures screen to learn more.

17.2.3 Prerequisites for bringing a c7000 enclosure into HPE OneView

Item: Requirement

Enclosure model: The enclosure must be a supported model listed in the HPE OneView Support Matrix. The enclosure is powered on.

Server hardware: The server hardware seated in an enclosure must meet the prerequisites listed in “Prerequisites for bringing server hardware into an appliance” (page 160).

Firmware: The enclosure firmware must be at least the minimum supported firmware version listed in the HPE OneView Support Matrix.

Licenses: An HPE OneView license is required to manage servers.
See “About licensing” (page 179).

Onboard Administrator: The primary and standby OA must be configured with a host name or IP address and must be reachable by HPE OneView. As part of bringing an OA under management, a local user account is added, so the OA must be configured to allow for local user accounts. If the enclosure has two Onboard Administrators, both OAs must be at the same firmware version.

IP addresses: IPv4 or IPv6 configuration is required.

iLO IP address: Server hardware iLOs must be configured with IP addresses, automatically with DHCP addresses or manually with Enclosure Bay IP Addressing (EBIPA)-specified addresses. HPE OneView must be able to connect to the server hardware iLOs.

Interconnects: Interconnects must be configured with: IP addresses, automatically with DHCP addresses, or manually with EBIPA-specified addresses.
• If you have an HPE Virtual Connect Fibre Channel interconnect, see update the logical interconnect firmware in the online help to determine if you need to update the firmware.
• If you have an HPE Virtual Connect FlexFabric–20/40 F8 interconnect, see “About the Virtual Connect FlexFabric–20/40 F8 interconnect module” (page 210) for the maximum number of modules recommended per enclosure.

Open ports: The following ports must be opened between HPE OneView and the enclosure:
• TCP 80, 443
• UDP 123, 161, 162

17.2.4 Checklist: connecting a server to a data center network

The following configuration elements are required for a server to connect to a data center network. The server must have a networking mezzanine card in a slot corresponding to the location of the Virtual Connect interconnects in the enclosure.

Configuration requirement: Why you need it

A logical interconnect group must be defined: A logical interconnect group defines the standard configurations to be used for the interconnects in the enclosure.
Determine if you want to define single or multiple logical interconnect groups for the enclosure. See “About multiple logical interconnect groups in an enclosure group” (page 203).

At least one uplink set must be added to the logical interconnect group, with at least one network and one uplink port: The uplink set determines which data center networks are permitted to send traffic over which physical uplink ports. It defines the networks that are to be accessible from this logical interconnect and which uplink ports can accept traffic from which networks.

An enclosure group must be defined and associated with one or more logical interconnect groups: The enclosure group specifies a standard configuration for all of its member enclosures and identifies its member logical interconnect groups. The enclosure group defines the logical interconnect configurations in the physical enclosure through the logical interconnect groups.

Enclosure must belong to a logical enclosure: The logical enclosure identifies the enclosure group for the enclosure and the associated logical interconnect groups and logical interconnects.

Server profile must be assigned to server hardware: The server hardware provides the physical connections to at least one interconnect that is part of the logical interconnect.

Server profile must have at least one connection, which must specify a network or network set: You do not have to know the hardware configuration, but you do have to choose an available network or network set to specify which networks the server is to use.

17.2.5 Add a c7000 enclosure

Adding an enclosure brings the enclosure, server hardware, and interconnects under management. For c7000, you add an enclosure by providing its IP address or host name, along with the OA credentials.

17.2.6 Add a c7000 enclosure to monitor the hardware

You can add enclosures to inventory and monitor the hardware. For more information about monitored enclosures, see “About monitored c7000 enclosures” (page 219).
Prerequisites

• Required privileges: Infrastructure administrator or Server administrator.

Adding an enclosure to monitor the hardware

1. From the main menu, select Enclosures and do one of the following:
   • Click + Add enclosure in the master pane.
   • Select Actions→Add.
2. Select Add enclosure for monitoring.
3. Enter the data requested on the screen.
4. Choose Add or Add +. If you have more enclosures to add, you can add the next enclosure immediately; you do not have to wait for the last Add Enclosure action to complete before starting the next.
5. Verify that the enclosure has been added in the master pane.

17.2.7 Migrate a c7000 enclosure currently managed by VCM

The following information describes how an enclosure managed by Virtual Connect Manager (VCM) can be migrated into HPE OneView through the UI.

17.2.7.1 Prerequisites

• Required privileges: HPE OneView Infrastructure administrator, Onboard Administrator, and VCM Domain Administrator.
• OA and VCM credentials as well as the OA IP address for the enclosure.
• For VCEM-managed enclosures: VCEM credentials to remove the Virtual Connect domain from the domain group using the VCEM web interface, or the HPE PowerShell module. See “Prepare a VCEM enclosure for migration into HPE OneView” (page 236) for more information.
• Back up and secure the VCM configuration (including the output from show config -includepoolinfo). See “VCM configuration backup acknowledgment” (page 228) for more information.
• Review the HPE OneView Support Matrix and verify the enclosure contains supported servers, interconnect modules, and mezzanine cards.
• Assign server profiles before the migration or recreate server profiles after the migration, if applicable. See “Server profile acknowledgment” (page 230) for more information.
• Ensure network connectivity with OA and iLOs in the Virtual Connect domain.
• Ensure all interconnect modules are present and powered on within the enclosure.

17.2.7.2 Migrating an enclosure managed by VCM

1. From the main menu, select Enclosures and do one of the following:
   • Click + Add enclosure in the master pane.
   • Select Actions→Add.
2. Select Add enclosure and migrate Virtual Connect domain.
3. Enter the following information:
   • OA IP address or host name of the Virtual Connect enclosure
   • Your OA credentials (user name and password)
4. Enter the data requested on the screen.
   NOTE: To migrate to a new enclosure group, select Create new enclosure group. To migrate to an existing enclosure group, select one from the enclosure group list.
5. Click Test compatibility.
   A report summary displays under Migration Details.
6. Does the summary indicate errors?
   a. Yes. Click migration report to view and resolve any blocking issues.
   b. No. Review each acknowledgment. Each acknowledgment must be read in full (clicking each learn more link where applicable). After understanding the implications, check each acknowledgement to proceed with the migration.
7. Is this an offline migration?
   a. Yes, power off the servers in the enclosure that is being migrated.
   b. No, proceed to the next step.
8. Do you want to migrate another enclosure?
   a. Yes. Click Add+. The migration for the current enclosure is started. When the HPE OneView resources (enclosure group, logical interconnect group, networks, network sets, server hardware types, and server profiles) have been created for the current enclosure, the Add Enclosure screen prompts you to add the OA IP address for the next enclosure.
      NOTE: If the maximum number of four simultaneous migrations has been reached, an error displays indicating to wait until the number of migrations is below four.
   b. No. Click Add. The migration for the current enclosure is started and the Activities screen displays showing the migration tasks.
      If the migration is successful, the migration task shows Completed. If not, follow the proposed resolution. See “Migration is unsuccessful” (page 392) for more information.
9. “Perform post-migration tasks” (page 235).

17.2.7.3 Migrating a VCM enclosure using REST APIs

1. Determine if a migration is already in progress.
   GET /rest/migratable-vc-domains
   A collection of compatibility reports is returned along with the number of concurrently executing migrations and the ability to create a compatibility report or migrate an enclosure while other operations are in progress. The migratabilityState must be MigrationValid to continue.
2. Validate the enclosure configuration.
   POST /rest/migratable-vc-domains
   • For enclosure group, do one of the following:
     ◦ If you want to migrate the enclosure into an existing enclosure group, use enclosureGroupUri.
     ◦ If you want to migrate the enclosure into a new enclosure group, the enclosure group name is automatically generated based on the serial number.
   A tasks/{id} is returned identifying the compatibility report.
   GET /rest/tasks/{id}
   NOTE: Once the task has completed, a /rest/migratable-vc-domains/{id} URI is returned.
3. Retrieve a compatibility report using a /rest/migratable-vc-domains/{id} URI obtained in step 2.
   GET /rest/migratable-vc-domains/{id}
4. Does the report indicate errors?
   a. Yes, resolve compatibility errors. Repeat step 3 until all blocking issues are resolved.
   b. No, continue to the next step.
5. Is this an offline migration?
   a. Yes, power off the servers in the enclosure that is being migrated, and run a final compatibility report.
   b. No, run a final compatibility report.
6. Respond to the acknowledgments and import the VC enclosure.
   PUT /rest/migratable-vc-domains/{id}
   Include migrationState set to Migrated and AcknowledgementKey for each acknowledgment. The migration for the current enclosure is started.
7. Do you want to migrate another enclosure?
   a. Yes. Go to step 1.
   b. No, proceed to the next step.
8. Check for the completion of the migrations.
   GET /rest/migratable-vc-domains
   The migrationSubState shows Completed. If not, follow the proposed resolution.
9. “Perform post-migration tasks” (page 235).

17.2.7.4 Perform post-migration tasks

1. Was the migration an offline migration?
   a. Yes, power on the servers in the migrated enclosure.
   b. No, proceed to the next step.
2. Optional: Recreate server profiles in HPE OneView, if server profiles were not assigned to server hardware before migration.
   a. Use the information from the VCMCLI show config -includepoolinfo captured before the migration.
   b. Enter the MAC, WWN, Serial Number, UUID information as “user specified” to retain the same values in HPE OneView that were present in the VCM server profile.
3. Perform the following best practices:
   a. Back up the new configuration in HPE OneView.
   b. Test network and storage connectivity.
   c. Plan a reboot if one of the acknowledgements, such as an SR-IOV virtual function configuration, indicated a change which would impact your operation.
   NOTE: During an in-service migration, some changes do not take effect until the servers are rebooted for the first time following a migration.

17.2.7.5 Resolve compatibility issues

The migration tool detects if the features and hardware within a VCM-managed enclosure are compatible with HPE OneView. Each detected issue is grouped into a category such as hardware, domain, logical interconnect group, or server profile to identify the part of the Virtual Connect domain or HPE OneView system that is impacted.

Resolving compatibility issues

1. Review each issue and suggested resolution.
   NOTE: If performing an offline migration, resolve all non-power related issues first before powering down the server to limit application downtime.
   a. Evaluate warnings to determine if action needs to be taken.
      If the warning indicates that the issue will affect your use of the configuration, then take action. Otherwise, the warning can be ignored.
   b. Resolve all blocking migration errors by modifying the configuration in VCM or HPE OneView.
      Resolving an issue may require disabling a feature within Virtual Connect, changing a configuration in Virtual Connect, or in some cases, changing the HPE OneView logical interconnect group.
      For example, if there is a mismatch with uplink sets and one of those uplink sets already exists in HPE OneView and 10 enclosures with the same configuration are to be migrated into the same enclosure group, update the uplink set in HPE OneView.
2. Re-execute the test compatibility report until all blocking issues are resolved.
3. Continue with the migration process.

More information

“About blocking issues during migration” (page 227)
“About migrating c7000 enclosures managed by other management systems” (page 220)

17.2.8 Prepare a VCEM enclosure for migration into HPE OneView

An enclosure managed by Virtual Connect Enterprise Manager (VCEM) can be migrated into HPE OneView. The Virtual Connect domain for the enclosure must be removed from the Virtual Connect domain group before starting the migration process. To remove the Virtual Connect domain, use one of the following options:

Option 1 — Use the VCEM GUI

1. First, remove the Virtual Connect domains from the Virtual Connect domain group through the VCEM web interface.
   VCEM marks the MACs and WWNs that are assigned to profiles in the domain as "External". This ensures that VCEM does not reuse those addresses in the future. The enclosure is managed by VCM.
   NOTE: VCM ranges, even if originated from a VCEM domain group, will not be migrated. The individual MAC/WWN for each profile connection will be used as a user-defined ID within HPE OneView. Any new addresses assigned in the future will be allocated from the HPE OneView address pools.
2. Follow the VCM migration process as outlined in “Before migrating c7000 enclosures” (page 225).

Option 2 — Use the HPE PowerShell module

An HPE PowerShell module is available to automate the process described in Option 1.

1. Download the HPE PowerShell library from http://hewlettpackard.github.io/POSH-HPOneView/.
2. From the HPE PowerShell module, execute the Invoke-HPOVVcmMigration command. See the HPE PowerShell module documentation for more information.
3. Follow the VCM migration process as outlined in “Before migrating c7000 enclosures” (page 225).

17.2.9 Effects of managing a c7000 enclosure

When an enclosure is being managed by HPE OneView, the following enclosure settings are in effect:
• A management account is created.
• SNMP is enabled and the appliance is added as an SNMP trap destination.
• NTP (Network Time Protocol) is enabled and the appliance becomes the NTP time source.
• The NTP default polling interval is set to 8 hours.
• An appliance certificate is installed to enable single sign-on operations.
• Enclosure firmware management is disabled (except for monitored enclosures).
• Virtual Connect Manager is disabled on the Virtual Connect interconnects in this enclosure.
• When adding an enclosure with an SPP, the Onboard Administrator (OA) and interconnect firmware updates to match the version in the SPP. The baseline is also set on each of the logical interconnects in the enclosure. as listed in the HPE OneView Support Matrix (except for monitored enclosures).

17.3 Managing enclosure groups

17.3.1 Tasks for enclosure groups

The HPE OneView online help provides information about using the UI or the REST APIs to:
• Create an enclosure group
• Edit an enclosure group
• Delete an enclosure group

17.3.2 About enclosure groups

An enclosure group is a template that defines a consistent configuration for a logical enclosure.
The network connectivity for an enclosure group is defined by the logical interconnect groups associated with the enclosure group.

17.3.2.1 Enclosure groups and logical interconnect groups

• A logical interconnect group that is assigned to a bay within an enclosure group must have that bay populated within the logical interconnect group.
• All populated bays in a logical interconnect group must be assigned to the enclosure group. For example, a logical interconnect group that has bays 1 and 2 populated must be assigned to bays 1 and 2 of the enclosure group in order for the enclosure group to be created.

17.3.3 Create an enclosure group

An enclosure group is a logical resource that defines a consistent configuration for an enclosure making up a logical enclosure. The network connectivity for an enclosure group is defined by the logical interconnect groups associated with the enclosure group.

17.3.3.1 Prerequisites

• Required privileges: Infrastructure administrator or Server administrator
• At least one created logical interconnect group

17.3.3.2 Creating an enclosure group

1. From the main menu, select Enclosure Groups, then:
   • Select Actions→Create.
   • Click Create enclosure group.
2. Specify a unique name for a new enclosure group.
3. Enter the data requested on the screen. See the Enclosure Groups screen details in the online help if you need assistance with your entries.
4. Optional. Enter a configuration script. Enclosure configuration scripts simplify enclosure deployment by creating a consistent configuration and eliminate the need to manually configure an enclosure via its OA (Onboard Administrator). See Configure an enclosure with an OA configuration script in the online help for more information.
5. Click Create to create the enclosure group, or click Create + to create multiple enclosure groups.
6. Verify that the enclosure group has been added by confirming it is listed in the master pane.
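Returning to the REST migration procedure in section 17.2.7.3: the following is an added example, not HPE code, that drives steps 1 to 6 and refuses to send the final PUT unless the appliance reports MigrationValid, the compatibility report has no blocking issues, and an operator has approved every acknowledgment key the report lists. The transport object, every JSON field name not quoted in the guide, and the FakeAppliance sample data are assumptions made for the illustration.

```python
"""Added sketch of the section 17.2.7.3 REST flow with safety gates (not HPE code).

From the guide: the /rest/... paths and the names migratabilityState,
MigrationValid, migrationState, Migrated, enclosureGroupUri and
AcknowledgementKey. Every other JSON field name, and where each field sits in
a response, is an ASSUMPTION; check the REST API reference before reuse.
"""
import time

BASE = "/rest/migratable-vc-domains"


class MigrationBlocked(Exception):
    """A gate in the procedure says the migration must not start."""


def run_migration(api, oa_host, oa_user, oa_password, approved_acks,
                  enclosure_group_uri=None, poll_seconds=5, max_polls=60):
    """Drive steps 1-6; `api` is any object with get/post/put returning dicts."""
    # Step 1: stop unless the appliance reports that a migration may start.
    state = api.get(BASE).get("migratabilityState")
    if state != "MigrationValid":
        raise MigrationBlocked(f"migratabilityState is {state!r}")

    # Step 2: request the compatibility report (body field names assumed).
    body = {"oaHost": oa_host, "oaUser": oa_user, "oaPassword": oa_password}
    if enclosure_group_uri:          # omit to let the appliance name a new group
        body["enclosureGroupUri"] = enclosure_group_uri
    task_uri = api.post(BASE, body)["taskUri"]
    for _ in range(max_polls):
        task = api.get(task_uri)
        if task["taskState"] == "Completed":
            break
        if task["taskState"] == "Error":
            raise MigrationBlocked("compatibility report task failed")
        time.sleep(poll_seconds)
    else:
        raise MigrationBlocked("compatibility report task did not finish")

    # Steps 3-4: read the report and refuse to go on past blocking issues.
    report_uri = task["reportUri"]
    report = api.get(report_uri)
    blocking = [i["name"] for i in report["issues"] if i["severity"] == "Blocking"]
    if blocking:
        raise MigrationBlocked(f"blocking issues: {blocking}")

    # Step 6: send only acknowledgments a person has reviewed and approved.
    required = {a["AcknowledgementKey"] for a in report["acknowledgements"]}
    missing = sorted(required - set(approved_acks))
    if missing:
        raise MigrationBlocked(f"acknowledgments not reviewed: {missing}")
    api.put(report_uri, {
        "migrationState": "Migrated",
        "acknowledgements": [{"AcknowledgementKey": k} for k in sorted(required)],
    })
    return report_uri


class FakeAppliance:
    """Constructed in-memory stand-in so the flow can be exercised offline."""

    def __init__(self, state="MigrationValid", issues=(), acks=("VcmBackup",)):
        self.state, self.issues, self.acks = state, list(issues), list(acks)
        self.calls = []              # (verb, path) only: bodies hold the OA password
        self.put_body = None

    def get(self, path):
        self.calls.append(("GET", path))
        if path == BASE:
            return {"migratabilityState": self.state}
        if path == "/rest/tasks/1":
            return {"taskState": "Completed", "reportUri": BASE + "/abc"}
        return {"issues": self.issues,
                "acknowledgements": [{"AcknowledgementKey": k} for k in self.acks]}

    def post(self, path, body):
        self.calls.append(("POST", path))
        return {"taskUri": "/rest/tasks/1"}

    def put(self, path, body):
        self.calls.append(("PUT", path))
        self.put_body = body
        return {}


if __name__ == "__main__":
    fake = FakeAppliance(acks=("VcmBackup", "ServerProfile"))   # constructed keys
    try:
        run_migration(fake, "192.0.2.10", "admin", "example-only", {"VcmBackup"})
    except MigrationBlocked as err:
        print("refused:", err)
    print(fake.calls)
```

The approved set is meant to be built from an operator's review of each acknowledgment, so a new acknowledgment that appears in a later report stops the run instead of being accepted silently.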
More information

“About enclosure groups” (page 237)

17.4 Managing logical enclosures

17.4.1 Tasks for logical enclosures

The appliance online help provides information about using the UI or the REST APIs to:
• Create a logical enclosure
• Edit a logical enclosure
• Delete a logical enclosure
• Update firmware from a logical enclosure
• Bring an unmanaged enclosure with invalid firmware under management
• Update the logical enclosure from the enclosure group
• Reapply the configuration of the logical enclosure
• Configure an enclosure with an OA configuration script
• Create a logical enclosure support dump

17.4.2 About logical enclosures

A logical enclosure represents a logical view of a single enclosure with an enclosure group serving as a template. If the intended configuration in the logical enclosure does not match the actual configuration on the enclosures, the logical enclosure becomes inconsistent. Use the Logical Enclosures screen to manage firmware, configuration scripts, create a support dump, and to apply updates made from the Enclosure Groups screen to the enclosures in the logical enclosure. A logical enclosure is automatically created when a c7000 enclosure is added.

17.4.2.1 About inconsistent logical enclosures

A logical enclosure can become inconsistent in the following cases:
• The enclosure group referenced by the logical enclosure or the logical enclosure configuration script has been modified. For example, a logical interconnect group has been added, modified, or removed from the enclosure group.
• The logical interconnects are inconsistent with the logical interconnect groups.
• Any other logical enclosure configuration is inconsistent with the enclosure group.
• There are extra or missing logical interconnects when compared to the enclosure group's inventory of logical interconnect groups.
More information

“Update the logical enclosure configuration from the enclosure group” in the online help

17.4.2.2 About updating firmware from a logical enclosure

You can update firmware from a logical enclosure for shared infrastructure, shared infrastructure and profiles, and OA (Onboard Administrators) only, if any. When you update the firmware for an enclosure associated with a logical enclosure, the firmware baseline configured for the logical enclosure sets the baseline on the enclosure and each of the logical interconnects in the enclosure, as well as the OA. From the Logical Enclosures screen, you can initiate firmware updates. Firmware is updated in the following order:
1. Onboard Administrators
2. Logical interconnects
3. Server hardware and their associated server profiles

More information

“Update the firmware in a logical enclosure” in the online help

17.4.3 Create a logical enclosure

A logical enclosure is created automatically when you add an enclosure to the appliance.

17.4.4 Update firmware from a logical enclosure

You can update firmware from a logical enclosure for shared infrastructure, shared infrastructure and profiles, and OA (Onboard Administrators) only, if any.

NOTE: When a logical enclosure firmware update is in progress, do not initiate a firmware update from a logical interconnect that is part of that logical enclosure.

Prerequisites

• Required privileges: Infrastructure administrator or Server administrator
• One or more SPPs are added to the appliance firmware repository.
• Power off any servers that do not have profiles.

Updating firmware from a logical enclosure

1. From the main menu, select Logical Enclosures.
2. In the master pane, select the enclosure on which you want to update a firmware bundle.
3. Select Actions→Update firmware.
4. Enter the data requested on the screen. See screen details in the online help.
5. Click OK.
   As the update progresses, if any one component of the update fails, the logical enclosure update will fail.
6. Verify that the new firmware baseline is listed in the details pane of the Logical Enclosures screen.

More information

“About updating firmware from a logical enclosure” (page 239)

17.4.5 Create a logical enclosure support dump file

A logical enclosure support dump file includes content from each member logical interconnect in addition to the content of the appliance support dump. The entire bundle of files is compressed and encrypted for downloading. The consolidated logical enclosure support dump is encrypted as support dump information from the logical interconnects includes proprietary HPE intellectual property.

NOTE: You can view the contents of an unencrypted appliance support dump by creating a support dump file from the Settings: Appliance screen.

If instructed to create a support dump from more than one logical enclosure, navigate to each logical enclosure screen individually and create a support dump. You must wait for each support dump to complete before creating a subsequent support dump.

By default, the logical enclosure support dump includes the appliance support dump. If instructed to create a logical enclosure support dump that does not contain the appliance support dump, you must use the logical enclosure REST APIs. For more information, see the REST API scripting online help for logical enclosures.

Prerequisites

• A logical enclosure resource
• Any user role can create a support dump

Creating a logical enclosure support dump

1. From the main menu, select Logical Enclosures, and then select a logical enclosure.
2. Select Actions→Create logical enclosure support dump.
3. Click Yes, create to confirm.
   You can continue doing other tasks while the support dump is created in the background.
4. When this task completes, the support dump zip file is downloaded to your browser default download folder, or you are prompted to indicate where to download the file.
   The logical enclosure support dump file name has the format host_name-LE-name-date-time.sdmp.
5. Verify the zip file is in the specified file location.
6. Contact your authorized support representative for instructions on delivering the support dump file.

More information

“About the support dump file” (page 358)
“About logical enclosures” (page 238)

17.5 Learning more

• “Understanding the resource model” (page 41)
• “Managing licenses” (page 179)

18 Managing firmware for managed devices

NOTE: This chapter describes how to manage the firmware for devices managed by the appliance. For information about updating the firmware for the appliance, see “Updating the appliance” (page 295).

A firmware bundle, also known as an HPE Service Pack for ProLiant (SPP), comprises a set of deliverables, a full-support ISO file, and six subset ISOs divided by HPE ProLiant server family and operating system. An SPP is a comprehensive collection of firmware and system software, all tested together as a single solution stack that includes drivers, agents, utilities, and firmware packages for HPE ProLiant servers, controllers, storage, server blades, and enclosures. Each SPP deliverable contains the Smart Update Manager (SUM), and software and firmware smart components.

UI screens and REST API resources

UI screen | REST API resource
Firmware Bundles | firmware-bundles

18.1 Tasks for firmware

The HPE OneView online help provides information about using the UI or the REST APIs to:
• Add a firmware bundle to the appliance firmware repository
• Create a custom SPP.
• Downgrade firmware
• Establish a firmware baseline for your managed devices
• Remove a firmware bundle from the firmware bundle repository
• Update firmware on managed devices
• View the firmware repository for firmware bundles to see the following:
  ◦ List of firmware bundles in the repository
  ◦ Contents of a firmware bundle
  ◦ Available storage space for the repository

18.2 About firmware bundles

The appliance provides firmware management across the data center with no additional tools to download and install. Using the firmware management features built in to the appliance, you can define firmware baselines and perform firmware updates across many resources. When you add a resource to the appliance, the appliance automatically updates the resource firmware to the minimum version required to be managed by the appliance or to the version defined as a baseline. See also “About unsupported firmware” (page 246).

A firmware bundle, also known as a Service Pack for ProLiant (SPP), is a comprehensive collection of firmware and system software components, all tested together as a single solution stack that includes drivers, agents, utilities, and firmware packages. Firmware bundles enable you to update firmware on HPE ProLiant servers, controllers, storage, server blades, and enclosures.

You can forcibly downgrade appliance firmware to an older version, but be aware that doing so can result in slower installation speeds and has the potential to render the device unusable.

Firmware repository

An embedded firmware repository enables you to upload SPP firmware bundles and hotfixes to the appliance and deploy them across your environment according to your best practices. You can view the versions and contents of the SPPs in the repository from the Firmware Bundles screen. Selecting a firmware bundle displays its release date, supported languages and operating systems, and the bundle components.
The screen also displays the amount of storage space available for additional firmware bundles on the appliance. You cannot add a firmware bundle that is larger than the amount of space available in the repository.

NOTE: To ensure that your hardware has the latest and most robust firmware bundle that takes advantage of all available management features, download the latest firmware bundle to your appliance and add it to the firmware repository.

HPE OneView supports 128 parallel server firmware updates for Windows and Linux, and 10 parallel server firmware updates for ESXi.

About applying SPPs as baselines

You can apply SPPs as baselines to enclosures, interconnects, and server profiles, establishing a desired version for firmware and drivers across devices. When you download an SPP from http://www.hpe.com/info/spp to your local system, upload it to the firmware bundle repository on the appliance. Each SPP deliverable contains the Smart Update Manager and firmware smart components.

Managing firmware for the whole enclosure can be initiated from the Enclosures screen. Logical interconnect firmware can be updated from the Logical Interconnects screen. From the Server Profiles screen, you can set the firmware baseline for the assigned server hardware. The appliance identifies firmware compatibility issues, highlighting out-of-compliance devices for updates with the selected firmware baseline.

You can manually expand the virtual disk to increase the size of the firmware repository from the default 12 GB to 100 GB (minimum total disk space of 275 GB required). The best practice is to expand the virtual disk during appliance installation. See the HPE OneView Installation Guide for more information.

You can remove any or all SPPs from the firmware bundle repository.
However, Hewlett Packard Enterprise recommends you have at least one SPP available at all times because an SPP is required when adding resources to the appliance that are below the minimum firmware versions for monitoring or managing. If you want to delete an SPP, Hewlett Packard Enterprise recommends that you re-assign all resources to a different SPP before removing the SPP. You assign an SPP by editing the server profile or enclosure and setting the Firmware baseline field. For c7000 enclosures, select Manage manually if you want to manage the firmware using another tool.

About uploading and using hotfixes

Hewlett Packard Enterprise sometimes releases component hotfixes between main SPP releases. Hewlett Packard Enterprise notifies you that a hotfix is available to upload and provides details about the SPP to which the hotfix applies. Create a custom SPP in HPE OneView using the base SPP and the hotfix. See “Upload a hotfix” in the REST API Scripting Help for more information. The new custom SPP can be used to set the baseline on the various managed resources in HPE OneView. If a hotfix pertains to a managed resource that is already on the baseline, then the hotfix alone is applied.

NOTE: If the firmware update target system is Linux OS, the HPE ProLiant System ROM version listed is the ROM Linux hotfix component. If not, the latest ROM version updated in the SPP bundle is listed.

18.2.1 About updating firmware

When a device is added, the firmware is automatically updated to the firmware management baseline specified, except for:
• HPE ProLiant G6 servers and HPE ProLiant G7 servers, which must be managed outside of HPE OneView.
• Virtual Connect interconnect firmware, which is managed separately as part of the Logical Interconnect. See “Update firmware on logical interconnects for c7000 enclosures” in the online help.
NOTE: When adding an enclosure and the OA or iLO firmware is below the minimum supported version for HPE OneView, the firmware is automatically updated using the SPP that contains the latest OA or iLO firmware while the enclosure is being added. If all SPPs have been deleted, however, such an enclosure cannot be imported. In this situation, first upload an SPP that provides at least the minimum required versions for the OA and the iLO before adding the enclosure.

Every resource (OA, iLO, server, or Virtual Connect) goes offline when you upgrade its firmware. Always perform the upgrade during a maintenance window. To help minimize downtime during firmware activation, see “Maintain availability during Virtual Connect interconnect firmware upgrades” (page 247).

Resource | When you update firmware
Enclosures | The OA (Onboard Administrator) is taken offline when you update firmware for an enclosure.
Server profiles | Firmware updates require that you edit the server profile to change the firmware baseline. You must power down the server hardware to which the server profile is assigned before you change the firmware baseline. Firmware baseline can be changed while server power is on if Smart Update Tools is used.
Interconnects | An interconnect is taken offline when you:
• Update or activate firmware for a logical interconnect. Staging firmware does not require interconnects be taken offline.
• Update firmware for an enclosure and select the option to update the enclosure, logical interconnect, and server profiles.
If an interconnect has firmware that has been staged but not activated, any subsequent reboot of that interconnect activates the firmware, which takes the interconnect offline.
You can prevent the loss of network connectivity for servers connected to a logical interconnect that has a stacking mode of Enclosure and a stacking health of Redundantly Connected by updating firmware using the following method:
1. Stage the firmware on the logical interconnect.
2. Activate the firmware for the interconnects in even-numbered enclosure bays.
3. Wait for the firmware update to complete and the interconnects to be in the Configured state.
4. Activate the firmware for the interconnects in the odd-numbered enclosure bays.

Upgrading the firmware is based on your assigned role:
• The Server administrator role can upgrade the firmware on the enclosure OA and servers.
• The Network administrator role can upgrade the firmware on interconnects.
• The Infrastructure administrator role can upgrade the firmware on all devices.

18.2.1.1 About managing firmware manually

Enclosures and server profiles can be set to Manage manually, which means that firmware is managed using external tools, such as SUM. HPE OneView reports firmware versions from the devices, but does not attempt to update the firmware. SUM can then manage firmware and drivers through the operating system. Virtual Connect firmware is always managed through HPE OneView.

Using SUM for updates

SUM can update both firmware and drivers for devices managed by HPE OneView, except for Virtual Connect interconnects. SUM is a free download from http://www.hpe.com/info/SmartUpdate.

SUM to: | Description
Install or update drivers | After updating firmware using HPE OneView, use SUM to update drivers in the environment using the same SPP baseline that was applied using HPE OneView.
Update firmware | After updating firmware using SUM, refresh the affected devices in HPE OneView to reflect the new firmware version. Select Actions→Refresh from the Enclosures or Server Hardware screens.
NOTE: Downgrading devices below the minimum supported firmware version is not recommended while the devices are managed by HPE OneView. If you need to downgrade below the minimum supported firmware level, remove the enclosure from HPE OneView before downgrading.
Install hotfixes | Use SUM to install hotfixes.
After performing the update, refresh the affected devices in HPE OneView to reflect the new firmware version. Select Actions→Refresh from the Enclosures or Server Hardware screens.

18.3 About unsupported firmware

When you add a resource to bring it under management, the resource firmware must be updated to the minimum supported level. The appliance attempts to automatically update the firmware while the resource is being added to the appliance. If the update fails, an alert is generated.

NOTE: You must upload a supported SPP to the appliance firmware repository before you can update device firmware. See http://www.hpe.com/info/hpeoneview/updates to obtain HPE OneView software updates and product-specific firmware bundles.

Unsupported firmware for firmware bundles

If you attempt to add a firmware bundle that contains firmware below the minimum versions supported, an alert is generated and the firmware bundle is not added to the appliance firmware repository.

Unsupported firmware for enclosures

When adding an enclosure, the appliance:
• Generates an alert if the logical interconnect firmware for the interconnects is below the required minimum level or if the interconnect firmware levels do not match. You must update the logical interconnect firmware from the Logical Interconnects screen or REST APIs.
• Updates the OA firmware automatically, if below the required minimum (Must have a supported SPP installed on the appliance)
• Updates the iLO firmware automatically, if below the required minimum (Must have a supported SPP installed on the appliance)

Unsupported firmware for logical enclosures

When adding a logical enclosure, the appliance:
• Generates an alert if the actual firmware versions for one or more components do not match the required minimum. Even if you do not specify a baseline SPP and iLO firmware will be updated automatically, if below the required minimum (Must have a supported SPP installed on the appliance).
Select the firmware baseline from the Logical Enclosures screen or REST APIs.

Unsupported firmware for server profiles

You are prevented from applying server profiles if the associated iLO firmware is below the minimum supported version, and instead, are directed to the Server Hardware screen to update iLO firmware.

Unsupported firmware for interconnects

If you attempt to add an interconnect with firmware that is below the minimum supported version, an alert is generated. You must update the logical interconnect firmware from the Logical Interconnects screen or REST APIs. The Firmware panel of the Logical Interconnects screen displays the installed version of firmware and the firmware baseline for each interconnect.

18.4 Maintain availability during Virtual Connect interconnect firmware upgrades

Virtual Connect (VC) interconnects reboot during the activation stage of the firmware update process, interrupting server connectivity to these modules. You can minimize the impact of module firmware activation by ensuring a redundant hardware configuration, redundantly connected networks and uplink sets, as well as properly configured NIC teaming on the servers themselves. Hewlett Packard Enterprise recommends using these network design methodologies. When updating HPE FlexFabric interconnects, you must configure SAN connectivity redundantly as well, to avoid application outages.

When designing network connectivity, consider all of the dependencies that can influence the ability of the server applications to continue to pass traffic without interruption during the VC interconnect firmware update process. Verify the following aspects of a redundant design before you update firmware in downtime sensitive environments:

Configuration | Description
Stacking links | Configure stacking links between VC interconnects to ensure network reachability for any server blade to any network or uplink set within the logical interconnect regardless of the server location.
This plays a major role in the ability of the individual VC interconnects to sustain an outage during firmware upgrade.
Firmware activation | Activate firmware manually or script the activation using the REST APIs to minimize network outage. In this case, the order of module activation plays a crucial role in how network and storage connectivity will be interrupted or preserved during a firmware update. Hewlett Packard Enterprise recommends alternating the activation of VC interconnect firmware.
• If the server network and storage connectivity is redundant across horizontally adjacent VC interconnects, alternating the activation between the left and right (odd and even) side modules can minimize disruptions of network and storage connectivity.
• If the server network and storage connectivity is redundant across vertically adjacent VC interconnects, the activation order must be alternated so that a server does not lose connectivity to both adapter ports at the same time to minimize disruptions of network and storage connectivity.
A and B side connectivity | Create Ethernet and Fibre Channel networks with both A and B side connectivity to allow either all uplinks in the uplink set to be in an active state at all times or to provide for a controlled failover.
Redundant network connections | Configure NIC teaming and vSwitch configuration to ensure redundancy of the network connectivity, fast network path failure detection, and timely failover to a redundant path, if available. The following operating system settings allow faster link failure detection and failover initialization:
• Under normal operating conditions, the Smart Link setting will alter the individual NIC port state in the vSwitch, vDS (vNetwork Distributed Switch), or teaming software by turning off the corresponding server NIC port.
This causes the operating system to detect a failure and direct traffic to an alternate path. In order for the Smart Link functionality to operate as designed, valid DCC (Device Control Channel)-compatible NIC firmware and drivers must be installed on the server blade. However, during the firmware update process when VC interconnects are reset for activation, Smart Link and the DCC protocol will not be able to send a message to the NIC indicating that the link went down since the interconnect management processor is being restarted. Therefore, during firmware update operation it is the responsibility of the NIC and host OS to detect the link failures by configuring the vSwitch or vDS network failover detection option for Link Status Only in VMware ESXi Server network configuration.
• In vSphere environments, Hewlett Packard Enterprise recommends that you either turn OFF the high availability (HA) mode or increase the vSphere HA timeout from the default of 13 seconds to 30-60 seconds. When these options are configured, all guest operating systems will be able to survive the upgrade and the expected network outage due to the stacking link re-convergence and optimal network path recalculation.
• For environments where changing network failover detection options or HA settings is not possible, use the Stage firmware for later activation option of the firmware update. VC interconnects will be updated but not activated. You can then manually activate the firmware by rebooting VC modules with the OA or by navigating in the UI to Logical Interconnects→Actions→Update firmware and selecting Activate firmware.
• The Spanning Tree Edge Port feature of some switches allows a switch port to bypass the ‘listening’ and ‘learning’ stages of spanning tree and quickly transition to the ‘forwarding’ stage.
By enabling this feature, edge devices immediately begin communication on the network instead of having to wait on Spanning Tree to determine if it needs to block the port to prevent a loop – a process that can take over 30 seconds with default Spanning Tree timers. Since VC interconnects are edge devices, this feature allows server NICs to begin immediate communication on the network rather than waiting for the additional 30 seconds for the spanning tree algorithm to recalculate.

18.5 Best practices for managing firmware

Best practice | Description
Increase the size of the virtual disk for the SPP repository | Increase the firmware repository to 100GB by expanding the virtual disk size. See the HPE OneView Installation Guide.
Set the NIC Settings in OA | Before beginning a firmware update process on devices in the enclosure, perform these steps:
   1. In OA, select Enclosure Information→Enclosure Settings→Enclosure TCP/IP Settings.
   2. Select the NIC Options tab.
   3. Set the NIC Settings to Auto-negotiate.
Upload the latest current SPP. | Download the latest SPP from www.hpe.com/servers/spp/download and then upload the SPP to your appliance repository. Apply your favorite filter to download an environment specific SPP.
   NOTE: Each SPP deliverable contains the HPE Smart Update Manager and firmware smart components.
Set the same firmware baseline for all devices in an enclosure. | Hewlett Packard Enterprise recommends that you set the firmware baseline using the Update Firmware option on the Logical Enclosures screen. This action updates all of the devices in the enclosure to the specified SPP level.
If you choose to create custom SPPs, use SPP custom Download to create them. | Log in to the web portal of SPP custom download at https://spp.hpe.com/custom/ to create a custom SPP using environment specific filters. Apply server model filter or operating system filter to create a smaller sized SPP.
   TIP: Save the filter for convenience.
Update firmware in the proper sequence. | Although Hewlett Packard Enterprise recommends that you set the firmware baseline for all devices in an enclosure which will cause all firmware to be installed in the proper order, you can update firmware on specific components. If you choose to update component firmware independently, upgrade the firmware in the following order: OA, logical interconnect, and then the server profile. Hewlett Packard Enterprise recommends that you install the drivers from the same SPP that contains the firmware.
Update firmware and drivers using Smart Update Tools (SUT) when the server is powered on and running an OS | Firmware and drivers can be updated via the server profile when using Smart Update Tools. See the Smart Update Tools User Guide at www.hpe.com/info/sut-docs for installation instructions. Set SUT mode to AutoStage or AutoDeploy. Reboot in the maintenance window.
Verify the managed device setting before updating the firmware. | Do not update the firmware using SUM or another external tool on a managed device unless the firmware baseline is set to Manage manually.
Store SPPs in a separate location from the appliance. | HPE OneView does not back up the firmware repository, so store SPPs in a repository that is not on the appliance, such as in the SUM repository used to create the custom SPP.
Remove older SPPs from the firmware repository. | Have at least one SPP available at all times because an SPP is required when adding resources to the appliance that are below the minimum firmware versions for monitoring or managing. If you want to delete an older SPP, re-assign all resources using that SPP to a different SPP before removing the SPP.

More information
“Managing firmware for managed devices” (page 243)

18.6 Create a custom SPP

HPE sometimes releases component hotfixes between main SPP releases. Create a custom SPP in HPE OneView using the base SPP and the hotfix.
To apply the hotfix on the managed resources, create a customized SPP with the hotfix. Different mechanisms are available for applying a hotfix in OneView:
• Use SPP custom download to create a new SPP with the hotfix (Hewlett Packard Enterprise recommended approach).
• Use SUM to create a new SPP with the hotfix.
• Upload the hotfix and create a custom SPP using HPE OneView.

NOTE: For any custom SPP you create, you must include iLO, OA, and Virtual Connect firmware. For OA, VC and iLO hotfixes, ensure that you upload the .scexe version of the hotfix.

Prerequisites
• Required privileges: Infrastructure administrator, Network administrator, or Server administrator
• Software that enables you to mount an ISO (image) file

Option 1: Use SPP custom download to create a custom SPP

Hewlett Packard Enterprise recommends using the SPP custom download feature to upload a customized SPP into HPE OneView. For instructions and access, go to http://hpe.com/servers/spp.

Option 2: Use SUM to create a custom ISO SPP

1. Download SUM from http://www.hpe.com/servers/hpsum.
2. Unzip the SUM file to a directory.
3. Download the SPP ISO file from http://www.hpe.com/info/spp to a local directory.
4. Mount the SPP ISO file on a file system you can access, following your software instructions.
5. Start SUM by double-clicking hpsum.bat in the \hpsum directory.
6. From the SUM main menu, select Baseline Library→+Add Baselines.
   The hotfix is included in the custom baseline.
7. For Location Details, browse to the hpe\swpackages directory of the mounted SPP.
8. Click Add. Let the add operation complete before proceeding.
9. Add any other components (updates) you have downloaded from HPE to the baseline library that you want to include in the custom SPP.
10. Select the SPP and the components from the baseline library.
11. Select Actions→Create Custom.
12. Select any of the filters you want to use; however, the following filters are required:
   • Overview: Select Bootable ISO
   • OS Type: Select RHEL 5 and RHEL 6
13. Click Create ISO to create the new firmware bundle.
14. Add a firmware bundle to the appliance firmware repository. See the online help for more information.
15. Verify that the upload completed by viewing the firmware bundle contents in the details pane on the Firmware Bundles screen.

Option 3: Upload hotfix and create a custom SPP

Prerequisites
• Required privileges: Infrastructure administrator, Network administrator, or Server administrator
• Minimum one valid hotfix should be available in the repository

1. From the main menu, select Firmware Bundles.
2. Select Actions→Create Custom firmware bundle.
3. Enter a custom SPP name and select a base SPP.
4. Click Add Hotfix to add available hotfixes.
5. Click OK.
6. Verify that the upload completed by viewing the firmware bundle contents in the details pane on the Firmware Bundles screen.

You can also use REST APIs to upload a hotfix and create a custom SPP. See the REST API scripting help for more information.

NOTE: Uploading a hotfix to create a custom SPP is to be specifically used for applying hotfix(es) on a managed resource.

18.7 Update firmware on managed devices

Firmware bundles enable you to update firmware on managed servers, server blades, and infrastructure (enclosures and interconnects). You can choose to update all the resources within an enclosure, just the Onboard Administrator firmware, the firmware within a logical interconnect, or firmware for a specific server using a server profile. When you choose to update all resources within an enclosure, all servers are updated even if they are not associated with a server profile.

From the Logical Enclosures screen, you can initiate firmware updates for Onboard Administrators. See “Update firmware from a logical enclosure” (page 239) for more information.
You can also choose to update individual component firmware. As a best practice when updating component firmware independently, update the firmware in this order:
1. Onboard Administrator
2. Logical Interconnects
3. Server Profiles

18.7.1 Update firmware on the logical enclosure

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator (for enclosures)
• One or more SPPs are added to the appliance firmware repository.

Updating c7000 enclosure firmware on the logical enclosure

When you add an enclosure or update the firmware for an enclosure, the selection of the firmware baseline on the logical enclosure sets the baseline on the enclosure and each of the logical interconnects in the enclosure, as well as the OA.

1. From the main menu, select Logical Enclosures.
2. In the master pane, select the enclosure on which you want to update a firmware bundle.
3. Select Actions→Update firmware.
4. From Firmware baseline, select the firmware bundle to install. If you select Manage manually, you are using mechanisms outside of the appliance to manage the firmware on your devices.
   NOTE: To install an older firmware version than the version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware is known to cause a problem in your environment.
   CAUTION: Be aware that downgrading firmware can render a server unusable and might result in slower installation speeds. For example, if the iLO Firmware is downgraded to a previous version that does not use Rich Infrastructure Specification (RIS), the communication between HPE Smart Update Tools and HPE OneView will break.
5. From Update firmware for, select one of the following options:

   Option | Device updated
   Enclosure | OA, fan, and power supply firmware
      NOTE: If a firmware baseline has not been set for logical interconnects, the Baseline displays Not set. Logical interconnect baseline can be set during an add enclosure or during a logical interconnect firmware update.
   Enclosure + logical interconnect + server profiles | OA, all member interconnects, and server hardware firmware (including iLO) for servers with associated server profiles

6. Click OK.
   • The firmware updates occur in the following order: OA, logical interconnects, and then server hardware.
   • Hardware components that are running the same firmware version as the update are skipped from the firmware update operation.
   • The logical interconnect update operation initiates if all of the member interconnects can be updated.
   • If you are updating server profiles, the operation overwrites any SPP baseline that was previously assigned to individual server profiles.
7. Verify that the new firmware baseline is listed in the details pane of the Logical Enclosures screen.

18.7.2 Update firmware with a server profile

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator

Updating firmware with a server profile

To update the firmware for a specific server, edit the existing server profile or create a new server profile and specify the version of the SPP.

NOTE: The firmware baseline in the server profile will not be reapplied unless it has changed.

1. From the main menu, select Server Profiles, and then do one of the following:
   • Click Create profile in the master pane.
   • Select a server profile in the master pane, and then select Actions→Edit.
2. Select the firmware bundle for Firmware baseline. To install an older firmware version contained in the SPP, you must select the Force installation option to downgrade the firmware.
   You might want to install older firmware if the newer firmware already installed on the server is known to cause a problem in your environment, as noted in the Release Notes.
   CAUTION: Be aware that downgrading firmware can render an appliance unusable and might result in slower installation speeds. For example, if the iLO Firmware is downgraded to a previous version that does not use Rich Infrastructure Specification (RIS), the communication between HPE Smart Update Tools and HPE OneView will break.
3. To complete the update, do one of the following:
   • If this is a new profile, click Create to create the server profile.
   • If you are editing an existing profile, click OK to update the server profile.
4. Power on the server to activate the firmware.
   a. From the main menu, select Server Hardware.
   b. Select the server and then select Actions→Power on.
5. Verify that the new firmware baseline is listed in the details pane on the Server Profiles screen.

18.7.3 Update firmware with a server profile template

Prerequisites
• Required privileges: Infrastructure administrator or Server administrator

Updating firmware with a server profile template

To update the firmware for a specific server, edit the existing server profile template or create a new server profile template and specify the version of the SPP.

NOTE: The firmware baseline in the server profile template will not be reapplied unless it has changed.

1. From the main menu, select Server Profile Templates, and then do one of the following:
   • Click Create server profile template in the master pane.
   • Select a server profile template in the master pane, and then select Actions→Edit.
2. Select the firmware bundle for Firmware baseline. To install an older firmware version contained in the SPP, you must select the Force installation option to downgrade the firmware.
   You might want to install older firmware if the newer firmware already installed on the server is known to cause a problem in your environment, perhaps as noted in the Release Notes.
   CAUTION: Be aware that downgrading firmware can render an appliance unusable and might result in slower installation speeds. For example, if the iLO Firmware is downgraded to a previous version that does not use Rich Infrastructure Specification (RIS), the communication between HPE Smart Update Tools and HPE OneView will break.
3. To complete the update, do one of the following:
   • If this is a new template, click Create to create the server profile template.
   • If you are editing an existing template, click OK to update the server profile template.
4. Verify that the new firmware baseline is listed in the details pane on the Server Profile Templates screen.

18.8 Learning more

• “Troubleshooting firmware bundles” (page 393)
• “About enclosures” (page 218)
• “About firmware associated with a logical interconnect” (page 205)
• “About server profiles” (page 166)

19 Managing power, temperature, and the data center

You can use the appliance to manage the power and temperature of your IT hardware. To manage and monitor hardware temperature, add your server hardware to racks, position the server hardware in the racks, and then add the racks to one or more data centers.

19.1 Managing power

To manage power, you describe your power delivery devices to the appliance using the Power Delivery Devices screen or the REST APIs. The appliance discovers HPE Intelligent Power Delivery Devices (iPDUs) and their connections automatically.
UI screens and REST API resources

UI screen | REST API resource
Power Delivery Devices | power-devices, enclosures (power capacity), server-hardware (power capacity)

19.1.1 Roles

• Required privileges: Infrastructure administrator or Server administrator

19.1.2 Tasks for managing power

The appliance online help provides information about using the UI and REST APIs to:
• Add a power delivery device.
• Add a power connection.
• Filter power delivery devices.
• View last 5 minutes of power consumption for an iPDU.
• View last 24 hours of power consumption for an iPDU.
• Edit the properties of a power delivery device.
• Power on or off the locator light for a power delivery device.
• Power down a power delivery device.
• Remove a power delivery device.
• Resolve connectivity issues between an iPDU and the appliance.
• Add an iPDU currently being managed by another management system.
• View power utilization statistics.
• Update enclosure power capacity settings (REST API only).
• Update server hardware power capacity settings (REST API only).

19.1.3 About power delivery devices

Power delivery devices provide power to IT hardware. A typical power topology in a data center includes power delivery devices such as power feeds, breaker panels, branch circuits, and power distribution units (PDUs), as well as the load segments, outlet bars, and outlet components of these devices. Adding your power delivery devices to the appliance enables power management using thermal limits, rated capacity, and derated capacity.

The Power Delivery Devices screen describes the following classes of devices:
• Intelligent Power Distribution Units (iPDUs), which the appliance can automatically discover and control.
• Other power delivery devices that the appliance cannot discover. By manually adding these devices to the appliance, they become available for tracking, inventory, and power management purposes.
Regardless of how power delivery devices are added to the appliance, the appliance automatically generates the same types of analysis (capacity, redundancy, and configuration). For iPDUs, the appliance gathers statistical data and reports errors.

Connectivity and synchronization with the appliance

The appliance monitors the connectivity status of iPDUs. If the appliance loses connectivity with an iPDU, an alert displays until connectivity is restored. The appliance will try to resolve connectivity issues and clear the alert automatically, but if it cannot, you must resolve the issue and manually refresh the iPDU to bring it in synchronization with the appliance.

The appliance also monitors iPDUs to remain synchronized with changes to hardware and power connections. However, some changes to devices made outside of the control of the appliance (from iLO or the OA, for example) may cause them to become out of synchronization with the appliance. You may have to manually refresh devices that lose synchronization with the appliance.

NOTE: Hewlett Packard Enterprise recommends that you do not use iLO or the OA to make changes to a device. Making changes to a device from its iLO or OA could cause it to lose synchronization with the appliance.

You can manually refresh the connection between the appliance and an iPDU from the Power Delivery Devices screen. See the online help for the Power Delivery Devices screen to learn more.

19.2 Managing your data center

In the appliance, a data center represents a physically contiguous area in which racks containing IT equipment—such as servers, enclosures, and devices—are located. The data center describes a portion of a computer room and provides a useful grouping to summarize your environment and its power and thermal requirements.
UI screens and REST API resources

UI screen | REST API resource
Data Centers | datacenters

19.2.1 Roles

• Required privileges: Infrastructure administrator or Server administrator

19.2.2 Tasks for data centers

The appliance online help provides information about using the UI and REST APIs to:
• Add and edit a data center.
• Manipulate the view of a data center visualization.
• Monitor data center temperature.
• Remove a data center from management.

19.2.3 About data centers

A data center represents a physically contiguous area in which racks containing IT equipment are located. For example, you have IT equipment in two rooms or on separate floors. You could create a data center for each of these areas.

Each server, enclosure, or power distribution device in your data center can report its power requirements, but it can be difficult to understand the power and cooling requirements for your data center as a whole. The appliance enables you to bring power and cooling management of your servers, enclosures, and power delivery devices together in a single management system.

The Layout view of the data center is color-coded to depict the peak temperature recorded in the last 24 hours.

Default data center: Datacenter 1

When you initialize the appliance for the first time, it creates a data center named Datacenter 1. The appliance provides this data center as a place to visualize your racks. You can rename or edit this data center to match the values and layout of your data center, you can use it as the basis for a planned data center model, or you can delete this data center without adverse effects.

Default rack placement

When you add a rack to the appliance for management, the appliance displays the rack in all data centers even though its actual location is not known. If you view a data center that displays unpositioned racks, a warning appears to alert you that unpositioned racks are being displayed.
When you assign a rack to a data center, it is no longer displayed in other data centers.

19.3 Managing racks

Racks allow you to manage temperature, power, and depict the layout of enclosures.

UI screens and REST API resources

UI screen | REST API resource
Racks | racks

19.3.1 Roles

• Required privileges: Infrastructure administrator or Server administrator

19.3.2 Tasks for racks

• Add, edit, or remove a rack.
• Change layout of devices in a rack.
• Set the thermal limit of a rack.

19.3.3 About racks

A rack is a physical structure that contains IT equipment such as enclosures, servers, power delivery devices, and unmanaged devices (an unmanaged device uses slots in the rack and consumes power or exhausts heat, but it is not managed by the appliance). You can manage your racks and the equipment in them by adding them to the appliance. Having your racks managed by the appliance enables you to use the appliance for space and power planning. The appliance also gathers statistical data and monitors the power and temperature of the racks it manages.

When you add an enclosure to the appliance, it automatically creates a rack and places the enclosure in it. The appliance places into the rack all enclosures connected by management link cables. When enclosures are added, the appliance places them in the rack from top to bottom. When an enclosure is placed in an Intelligent Series Rack, the enclosure slots are automatically detected. For other racks, to accurately depict the layout of your enclosures within the rack you must edit the rack to place the enclosure in the proper slots.

You can use the appliance to view and manage your rack configuration and power delivery topology. You can specify the physical dimensions of the rack (width, height, and depth), the number of U slots, and the location of each piece of equipment in the rack. You can specify the rack PDUs that provide power to the rack, and their physical position in the rack or on either side.
You can also describe how the devices in the rack are connected to those PDUs.

The appliance automatically discovers the rack height and rack model for a ProLiant server with Location Discovery Services and updates the physical locations of devices when they are relocated within and between racks for c7000 enclosures.

NOTE: When the appliance discovers HPE Intelligent Series Racks, it sets the rack height automatically using the Intelligent Rack Location Discovery Services for c7000 enclosures. For non-intelligent racks or for empty racks, the default rack height is 42U.

After adding a rack to the appliance for management, you can add the rack to a data center to visualize the data center layout and to monitor device power and cooling data. After the rack is under management, you can configure the power delivery topology with redundant and uninterruptible power supplies to the devices in the rack.

Rack naming

The way a rack is named and how you change the name of a rack depends on how it was added to the appliance.

Table 11 Rack naming

Add method | Initial naming method | Name change method
Automatically added when the appliance discovers an enclosure the rack contains for c7000 enclosures | Defined by enclosure OA | Change rack name from enclosure OA
Automatically discovered from a ProLiant server with Location Discovery Services for c7000 enclosures | Assigned using rack serial number as rack name | Edit rack
Manually from the Racks screen | Defined by the user | Edit rack

19.4 Learning more

• “Monitoring power and temperature” (page 321)
• “About utilization graphs and meters” (page 323)

20 Managing storage

This chapter describes the storage resources and the tasks associated with those resources.
• Storage systems: hardware that contains multiple storage disks such as the HPE 3PAR StoreServ Storage system.
• Storage pools: groups of physical disks in a storage system.
• Volumes: logical storage spaces provisioned from storage pools that you can attach to server profiles.
• Volume templates: you can create multiple volumes with the same configuration.
• SAN managers: hardware or software systems that manage SANs.
• SANs: you can use SANs to automate fabric zoning.

Figure 19 Storage management overview

UI screens and REST API resources

UI screen | REST API resource
SAN Managers | fc-sans/device-managers, fc-sans/providers, fc-sans/managed-sans
Storage Systems | storage-systems
Storage Pools | storage-pools
Volumes | storage-volumes
Volume Templates | storage-volume-templates

20.1 Storage systems

A storage system is hardware that contains multiple storage disks such as the HPE 3PAR StoreServ Storage system.

20.1.1 Roles

• Minimum required privileges: Infrastructure administrator or Storage administrator

20.1.2 Tasks

The appliance online help provides information about using the UI and REST APIs to:
• Add, edit, edit credentials, refresh, and remove a storage system
• Add a volume

20.1.3 About storage systems

A storage system (or storage array) is a storage device from which logical disks (volumes) can be provisioned and mapped or masked to servers. Bringing SAN storage systems under management of the appliance enables you to add and create volumes. You can then attach volumes to server profiles through volume attachments. This enables the server hardware assigned to the server profiles to access the SAN storage system.

When adding a storage system, you must choose a domain on the storage system. You can then select storage pools from that domain on the storage system to add to the appliance. After you add storage pools, you can assign networks to the storage ports associated with the storage system.

See the HPE OneView Support Matrix for a list of supported storage systems.

20.1.3.1 About HPE 3PAR StoreServ Storage systems

You can connect supported HPE 3PAR StoreServ Storage systems to the appliance.
You must configure a 3PAR system using the 3PAR software to bring it under management of the appliance.

Partner port states

Port state | Definition | Equivalent 3PAR state
none | Normal state, not failed over. | none
failing over | The port is offline and is in the process of failing over to the partner port. | failover_pending
failed over | The port is offline and has failed over to the partner port. | failed_over
failed | The port is offline and cannot fail over to the partner port. | active_down
recovering | The port is online and in the process of returning to a normal state. | failback_pending
partner port failed over | The partner port has failed over and the port is the partner port traffic. | active
partner failed | The partner port has failed and the fail over operation was not successful. | active_down

20.2 Storage pools

Storage pools are groups of physical disks in a storage system that you can divide into logical volumes.

20.2.1 Roles

• Minimum required privileges: Infrastructure administrator or Storage administrator

20.2.2 Tasks

The appliance online help provides information about using the UI and REST APIs to:
• Add and remove a storage pool

20.2.3 About storage pools

A storage pool is an aggregation of physical storage resources (disks) in a storage system. Storage systems contain information about the storage ports through which they can be accessed. You can provision logical storage spaces, known as volumes, from storage pools.

You can choose one or more storage pools when adding a storage system to the appliance. Storage pools are created on a storage system using the management software for that system. You cannot create or delete storage pools from the appliance—you can only add or remove them from management. After you add storage pools, you can provision volumes on them.

20.3 Volumes

Volumes are logical storage spaces provisioned in storage pools. You can create multiple volumes with the same configuration using a volume template.
20.3.1 Roles

• Minimum required privileges: Infrastructure administrator, Storage administrator, or Network administrator

20.3.2 Tasks

The appliance online help provides information about using the UI and REST APIs to:
• Create, add, edit, delete, and increase the capacity of a volume
• Create a volume snapshot, create a volume from snapshot, and revert volume to snapshot

20.3.3 About volumes

A volume represents a logical disk provisioned from a storage pool on a storage system. You can attach volumes to one or more servers by configuring a volume attachment in the server profile. The volume attachment manages volume presentation on the storage system (StoreServ port selection, host and vlun creation) as well as SAN zoning on SANs (with automatic zoning enabled) that connect the server and storage system.

Using volume templates, you can create multiple volumes with the same configuration.

You can increase (grow) the capacity of a volume by editing it. You cannot decrease the capacity of a volume.

20.3.3.1 About snapshots

A snapshot is a virtual copy of an existing volume at a point in time. You can use a snapshot as a backup of a volume, and then use the snapshot to revert a volume to the backup, or to create new volumes from the snapshot.

A snapshot is a static copy of a volume at the point the snapshot is created. Snapshots are not updated to reflect changes in the volume since the snapshot was taken.

A new volume created from a snapshot will be the same size as the snapshot and will contain all of the data in the snapshot. The new volume has no relationship with the volume that was used to create the snapshot.

Reverting a volume to a snapshot will revert to the data the volume contained when the snapshot was taken. The size of the volume will remain the same as when it was reverted.
For example, if you take a snapshot of a 50 GiB volume, grow the volume to 100 GiB, and then revert to the snapshot, the volume will be 100 GiB with the data from the 50 GiB snapshot.

Reverting to a snapshot of a volume will cause all data created or changed since the snapshot was taken to be lost. Back up your data to prevent data loss.

20.4 Volume templates

You can use volume templates to create multiple volumes with the same configuration.

20.4.1 Roles

• Minimum required privileges: Infrastructure administrator or Storage administrator

20.4.2 Tasks

The appliance online help provides information about using the UI and REST APIs to:
• Add, edit and delete a volume template

20.4.3 About volume templates

A volume template is a logical resource that enables you to create a standard configuration from which multiple volumes can be created.

20.5 SAN Managers

A SAN manager is a hardware or software system that manages SANs. A SAN manager is not required to attach a volume to a server profile, but SAN managers enable automated fabric zoning.

20.5.1 Roles

• Minimum required privileges: Infrastructure administrator or Storage administrator

20.5.2 Tasks

The appliance online help provides information about using the UI or the REST APIs to:
• Add, edit, and remove a SAN manager

20.5.3 About SAN managers

SAN Managers are a resource in HPE OneView that represent a connection to an external entity through which SANs are discovered and managed. The external entity can be vendor-specific management software or a physical switch. SANs are created outside of HPE OneView in the SAN manager vendor’s management interface. Once created, SANs can be discovered and managed in HPE OneView using the SAN Manager resource.

When creating SAN managers, it is possible to have two SAN managers discovering the same SAN, causing it to show up twice in the SAN view.
When associating an HPE OneView network to the SAN, the choice of which SAN to associate determines which SAN manager will be used to manage the SAN, and the other will be removed (hidden) as HPE OneView does not permit a SAN to be managed through more than one SAN manager.

HPE OneView supports SAN managers from different vendors. See the HPE OneView Support Matrix for a list of supported SAN managers.

20.5.3.1 About zone sets

A zone set is a set of zones. You can configure all zones on a SAN manager by activating a zone set from the SAN manager. HPE OneView modifies the active zone set when performing zoning or alias configuration. Zone sets are not exposed in HPE OneView.

Active zone set: The zone set currently enforced by the fabric.
Inactive zone set: The inactive zone sets for the SAN. Only one zone set can be active at a time.

| SAN manager | Term for inactive zone set |
|---|---|
| HPE | Standby zone set |
| Cisco | Local zone set |
| Brocade (BNA) | Zone configurations |

20.5.3.2 Configuring SAN managers to be managed by HPE OneView

You must configure SAN managers using the management software provided by the SAN manager vendor to properly manage them in HPE OneView. After properly configuring the SAN manager, you can add it to HPE OneView.

CAUTION: Performing zone operations from multiple switches without executing a full zone set distribution might result in the loss of zoning data.

NOTE: Switch vendors support fabric world wide name (FWWN) or node port world wide name (PWWN) zone memberships. HPE OneView only uses PWWN for zone membership.

Best Practice: SAN managers
• Always use a single switch to perform all zoning operations, regardless of the management software you use to perform the zoning.
• Always use the full zone set distribution commands and settings when making zone changes. HPE OneView does this on the SAN manager and SAN through which it is managing by default.
Configuring HPE SAN managers
• You must have a valid SNMP v3 user with default read permissions. See “Quick Start: Configuring an HPE 5900 for management by HPE OneView” (page 148).
• HPE SANs must only be managed by a single HPE OneView appliance.

Configuring Cisco SAN manager
• You must have a valid SNMP v3 user with write permissions. See “Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView” (page 149).
• Cisco SANs must only be managed by a single HPE OneView appliance.

Configuring Brocade Network Advisor (BNA) SAN manager
• You must have a valid user account with SMIS running. See the documentation for your SAN manager for more information.
• To allow HPE OneView to see SAN fabric topology changes automatically, you must disable Track Fabric Changes on the BNA. Otherwise, you must perform an Accept Changes operation on the BNA whenever you make changes to the SAN fabric topology for HPE OneView to see them. See the BNA documentation for more information on disabling Track Fabric Changes.
• BNA based SANs can be managed by one or more HPE OneView appliances.

20.6 SANs

20.6.1 Tasks

The appliance online help provides information about using the UI or the REST APIs to:
• Associate a managed SAN with a network
• Turn automated zoning on or off for a managed SAN
• Edit a SAN
• Download SAN endpoints table
• Generate an Unexpected Zoning Report

20.6.2 About SANs

SANs are Fibre Channel (FC) or Fibre Channel over Ethernet (FCoE) storage area networks that connect servers to storage systems.

The possible states for SANs are:
Discovered: A SAN that is not associated with a network. SANs are automatically discovered when a SAN manager is added to HPE OneView.
Managed: A SAN that is associated with one or more networks in HPE OneView. Only managed SANs can be configured to be automatically zoned by HPE OneView.
Direct-attach SANs

HPE OneView creates a direct-attach SAN (flat SAN) automatically when you configure an enclosure with a logical interconnect that contains a direct-attach uplink set. HPE OneView names the direct-attach SAN using the format . The SAN that HPE OneView creates is a Fibre Channel (FC) direct-attach SAN that is not zoned, and cannot be edited.

NOTE: HPE OneView creates a SAN for each interconnect module that is connected to a direct-attach Fibre Channel network.

20.6.2.1 About SAN zoning

Zoning policy

A SAN zone enables communication between devices connected to the SAN. SAN zoning policies determine how zoning should be configured on a SAN. SAN zoning policies define whether or not zoning is automated as well as the naming format of zones and aliases.

In HPE OneView, you can specify the name format of the zones and aliases that will be created when you associate a storage volume to a server profile via a volume attachment. By specifying zone name and alias formats using text strings and server profile objects, you can create names that are meaningful and conform with your naming conventions.

NOTE: HPE OneView performs zoning only when you add a connection to a server profile and attach a SAN storage volume to it. When you do this, HPE OneView will determine if the current zoning allows connectivity. If current zoning does not allow connectivity, HPE OneView will create the necessary zoning based on the specified zoning policy.

Automate zoning

Automated zoning enables HPE OneView to automatically create, edit, and delete zones on a zoned SAN when you attach storage volumes to servers through a volume attachment in a server profile.

Yes: Zoning is automated. HPE OneView takes full control of the zone naming and contents based on the zoning policy for the SAN. Use automated zoning when you want HPE OneView to configure new zones for volume attachments to server profiles.
Existing zones are not modified unless the SAN storage attributes defined in a server profile change.

No: Zoning is not modified by HPE OneView. You must manually manage zoning.

20.7 Learning more

• “Understanding the resource model” (page 41)
• “Troubleshooting storage” (page 418)

21 Managing switches, logical switches, and logical switch groups

Top of rack switches enable network consolidation and management of server blades as they are added to your data center. A logical switch group serves as a structural reference when building a logical switch. A logical switch enables you to aggregate one or more physical switches having a common configuration.

UI screens and REST API resources

| UI screen | REST API resource |
|---|---|
| Switches | switches |
| Logical Switches | logical-switches |
| Logical Switch Groups | logical-switch-groups |

21.1 Managing switches

21.1.1 Roles

• Minimum required privileges: Infrastructure administrator or Network administrator

21.1.2 Tasks for switches

The appliance online help provides information about using the UI or the REST APIs to:
• Update the interconnect associations by refreshing a switch.

21.1.3 About top-of-rack switches

Top-of-rack switches provide a unified, converged fabric over Ethernet for LAN and SAN traffic. This unification enables network consolidation, reducing the number of adapters and cables required and eliminating redundant switches. A configuration of enclosures, server blades, and third-party devices—such as top-of-rack switches—provides scalability in managing server blades and higher demand for bandwidth from each server with access-layer redundancy. See the HPE OneView Support Matrix for the complete list of supported devices.

Modular data centers, deploying both individual server blades and racks of server blades, can use a top-of-rack switch deployment model as a solution for network consolidation.
You can increase data center flexibility by placing switching resources in each rack so that server connectivity can be aggregated.

Integration with top-of-rack switches provides the following benefits:
• A distributed modular system that creates a scalable server access environment
• One single point of management and policy enforcement
• Reduced operational expenses (less cabling, reduced power consumption for operation and cooling, effective bandwidth utilization)

Currently, HPE OneView support for these resources focuses on providing a monitored view of the environment with the ability for limited configuration changes on the interconnect facing ports. Firmware update is not supported. HPE OneView supports status and configuration monitoring and compliance monitoring of Cisco Nexus top-of-rack switches when they are operating as access switches and connected directly to a Cisco FEX (Cisco Fabric Extender for BladeSystem) in an enclosure. Within HPE OneView, you add and remove top-of-rack switches through logical switch group templates and associated logical switches.

With HPE OneView, you can:
• Express the expected and actual states of the switches and FEX interconnects with corresponding compliance monitoring.
• View physical switch information.
• View physical port information.
• View statistical information.
• View health events and port state changes as alerts, from the Cisco Nexus switches.
• Navigate to the Map view of the Cisco Nexus switches and FEX interconnects to view the relationship among these resources.
• Detect network availability and view inconsistency among networks defined within HPE OneView and those provisioned on the Cisco Nexus switches.
21.2 Managing logical switches

21.2.1 Roles

• Minimum required privileges: Infrastructure administrator or Network administrator

21.2.2 Tasks for logical switches

The appliance online help provides information about using the UI or the REST APIs to:
• Create, edit, refresh, or delete a logical switch.
• Move a logical switch from operational mode managed to monitored.
• Bring a logical switch into compliance with its associated logical switch group.

21.2.3 About logical switches

A logical switch is added into HPE OneView as a managed or monitored logical switch. The logical switch can consist of a maximum of two physical top-of-rack switches (external to the c7000 enclosure) configured in a single stacking domain.

There is a connectivity limitation of one logical interconnect to one logical switch. Interconnects within a logical interconnect cannot be connected to more than one logical switch.

A logical switch is based on a logical switch group configuration. If the logical switch transitions to an Inconsistent with group state (because of changes in either the logical switch or the logical switch group), to return to a consistent state.

About assigning Cisco Nexus switches to a logical switch

You can create a logical switch with a maximum of two Cisco Nexus switches. When there are two Cisco Nexus switches in a logical switch, they are expected to be in a virtual port channel (vPC) environment. vPC must be configured on both switches, and they should belong to the same vPC domain.

For information about supported switches, see the Hewlett Packard Enterprise Information Library for supportability information.
More information
“Managed logical switches” (page 269)
“Monitored logical switches” (page 269)
“Logical switch configuration guidelines” (page 270)
“About logical switch groups” (page 271)

21.2.3.1 Managed logical switches

Adding a logical switch for HPE OneView management enables you to apply configurations needed for the interconnect uplink ports to be provisioned at the switch internal (downlink) ports. Managed mode allows you to deploy server profile connections for interconnects, monitor operation status, collect statistics, and alert users to specific conditions and incompatibilities between the upstream switch and interconnect.

When adding a logical switch, any existing configuration for ports connected to HPE OneView interconnects is re-configured based on configuration specified for the HPE OneView interconnect uplinks. Any port that is actively managed by an external management system remains unchanged and is not brought into HPE OneView management.

When adding a logical switch in Managed operational mode for HPE OneView management, each switch’s Message of the Day (MOTD) banner is re-written with “This switch is being controlled by OneView Domain, Appliance ID: {}”. This message indicates that the switch is actively being managed by a specific instance of HPE OneView. This message is removed and replaced by the default Message of the Day banner message when the logical switch transitions from Managed to Monitor operational mode or when the logical switch is deleted.

Before adding a managed logical switch

Before you add a logical switch as managed, consider the following for Fabric Extender and Virtual Connect interconnects physically connected to the logical switch:
• When only IPv4 Ethernet networks are assigned to an uplink set at creation time, the uplink set can be physically connected to any upstream switch in the logical switch.
• When an FCoE network is assigned to an uplink set at creation time, the uplink set is limited to single-homed physical connectivity and all uplink ports must connect to the same upstream switch in the logical switch. If a port is subsequently added to the uplink set with an FCoE network or an existing port in the uplink set is connected to a second upstream switch, that port is not available for configuration and an alert is generated. If a new port added to the uplink set is connected to the same switch as the other ports, that port is available to carry traffic and an alert is not generated. To change an uplink set from single-homed connectivity to multi-homed connectivity or vice-versa, the uplink set configuration must be deleted and re-created with the appropriate network assignments and physical configuration.
• Make sure that LLDP is enabled on the top-of-rack switch internal (downlink) ports where Virtual Connect interconnects under HPE OneView management are connected.

More information
“About logical switches” (page 268)
“Logical switch configuration guidelines” (page 270)

21.2.3.2 Monitored logical switches

Adding a logical switch as monitored enables HPE OneView to monitor the logical switch for operation status, collect statistics, and alert users to specific conditions and incompatibilities between the switch and Fabric Extender or Virtual Connect interconnect. In the monitored mode, deployment of the server profile connections is supported for HPE Virtual Connect interconnects but not for Fabric Extender (FEX) interconnects.

More information
“About logical switches” (page 268)

21.2.3.3 Logical switch configuration guidelines

• When Virtual Connect interconnects are connected to a logical switch, an uplink set cannot span multiple interconnects. This limitation is similar to FEX interconnects. However, multiple uplink sets are supported on a single Virtual Connect interconnect.
• When you enable or disable a top-of-rack switch internal port, the associated port on a FEX interconnect also displays the updated port status.
• When retrieving MAC addresses for FEX interconnects, only the entries that are associated with the managed FEX interconnects are displayed.
• If an FCoE network is assigned to an uplink set that is configured as dual-homed (an invalid configuration), that FCoE network is not provisioned on the switch. Deployment of any server profile connection with this FCoE network will fail.
• When a logical switch is defined and configured with only a single physical switch, the uplink set associated with any FEX module connected to this logical switch is considered single-homed. Therefore, you can add an FCoE network to the uplink set even if the uplink set was initially created only with Ethernet networks. Deployment of any server profile connection with this FCoE network will succeed.
• For server profiles created for server ports connected to FEX interconnects, Ethernet networks are only supported on physical function a, and FCoE networks are only supported on physical function b at the server port. When both physical functions have connections defined, traffic is split evenly across both ports.
• If HPE OneView cannot log in to the switch, a critical alert is generated. Prevent any event on the switch that might trigger switch configuration; otherwise, the switch transitions to ConfigError state and you must reapply the configuration on the associated logical interconnects to recover.
• If HPE OneView is unable to claim a member switch of the logical switch when the operational mode of the logical switch is Managed, the operating state of the switch transitions to Added with Error. In this case, the Message of the Day (MOTD) banner on the switch indicates that the switch is currently claimed by another HPE OneView appliance and the message “This switch is being controlled by OneView Domain, Appliance ID: {}” displays.
You should remove the logical switch from that HPE OneView appliance, and then perform a refresh on the logical switch from the current HPE OneView appliance to re-initiate the claim operation.
• HPE OneView does not fully automate configuration of FCoE connectivity on the switch specified in the logical switch. For each FCoE network specified in the uplink set, HPE OneView only provisions the VLAN for that network on the switch. Network administrators must provision additional configuration for FCoE connectivity manually on the switch in addition to what HPE OneView provisions.
  ◦ To deploy server profile connections to a FEX interconnect, HPE OneView provisions the virtual Fibre Channel interface (VFC), VFC binding to FEX downlink port, and VSAN interface assignment on the switch.
  ◦ For the deployment of server profile connections for a Virtual Connect interconnect, the Network administrator must configure the virtual Fibre Channel interface (vFC), VFC binding to server port, and VSAN interface assignment binding manually.
• When a Nexus switch expansion module is removed, a warning alert is generated unless the module is powered off.
• HPE OneView can detect configuration changes that occur on the switches specified in the logical switch when it no longer matches the configuration that HPE OneView provisions. Warning alerts are generated. Administrators can correct the configuration manually or reapply the configuration on the associated logical interconnects to recover.

21.3 Managing logical switch groups

21.3.1 Roles

• Minimum required privileges: Infrastructure administrator or Network administrator

21.3.2 Tasks for logical switch groups

The appliance online help provides information about using the UI or the REST APIs to:
• Create, edit, or delete a logical switch group.

21.3.3 About logical switch groups

The logical switch group is a template for creating logical switches.
Logical switches are an aggregation of up to two physical top-of-rack switches. Once constructed from a logical switch group, a logical switch continues to be associated with its logical switch group. Any change in consistency between the logical switch group and its associated logical switches is monitored and made visible on the associated logical switch screen in HPE OneView.

21.4 Learning more

• “Understanding the resource model” (page 41)
• “Troubleshooting logical switches” (page 405)

22 Managing users and authentication

The appliance requires users to log in with a valid user name and password, and security is maintained through user authentication and role based authorization. User accounts can be local, where the credentials are stored on the appliance or can be on a company or organizational directory (Microsoft Active Directory, for example) hosted elsewhere, where the appliance contacts the defined directory server to verify user credentials.

UI screens and REST API resources

| UI screen | REST API resource |
|---|---|
| Users and Groups | users, roles, authz, logindomains, logindomains/global-settings, and logindomains/grouptorolemapping |

22.1 Roles

• Minimum required privileges: Infrastructure administrator

22.2 Tasks for managing users and groups

The appliance online help provides information about using the user interface or the REST APIs to:
• Add, edit (including updating a user password), or remove a user with local authentication.
• Add a user with directory-based authentication.
• Add a group with directory-based authentication.
• Designate user privileges.
• Reset the administrator password.
• Add an authentication directory service.
• Allow or disable local logins.
• Change the authentication directory service settings.
• Set an authentication directory service as the default directory.
• Remove an authentication directory service from the appliance.
22.3 About user accounts

Role-based access

The appliance provides default roles to separate responsibilities in an organization. A user role enables access to specific resources managed from the appliance. Role-based access control enforces permissions to perform operations that are assigned to specific roles. You assign specific roles to system users or processes, which gives them permission to perform certain system operations. Because a user is not assigned permissions directly, but instead acquires them through their role (or roles), individual user rights are managed by assigning the appropriate roles to the user.

At initial appliance startup, there is a default administrator account with full access (Infrastructure administrator) privileges. For more information about the actions each role can perform, see “Action privileges for user roles” (page 275).

Local authentication

You can add a user authorized to access all resources managed by the appliance (full access user) or add a user who has access based on their job responsibilities (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an authentication directory hosted locally on the appliance. The default administrator login for the appliance is automatically assigned with full access (Infrastructure administrator) privileges.

Directory-based authentication

You can add a user authorized by membership to access all resources managed by the appliance (full access user) or add a user authorized by membership who has access based on their job responsibilities (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an enterprise directory.

22.4 About user roles

User roles enable you to assign permissions and privileges to users based on their job responsibilities.
You can assign full privileges to a user, or you can assign a subset of permissions to view, create, edit, or remove resources managed by the appliance.

Table 12 User role permissions

| Role | Type of user | Permissions or privileges |
|---|---|---|
| Full | Infrastructure administrator | View, create, edit, or remove resources managed or monitored by the appliance, including management of the appliance, through the UI or using REST APIs. An Infrastructure administrator can also manage information provided by the appliance in the form of activities, notifications, and logs. Only an Infrastructure administrator can restore an appliance from a backup file. |
| Read only | Read only | View managed or monitored resource information. Cannot add, create, edit, remove, or delete resources. |
| Specialized | Backup administrator | Create and download backup files, view the appliance settings and activities. Has the authority to use scripts to log in to the appliance and run scripts to back up the appliance. Cannot restore the appliance from a backup file. NOTE: This role is specifically intended for scripts using REST APIs to log into the appliance to perform scripted backup creation and download so that you do not expose the Infrastructure administrator credentials for backup operations. Hewlett Packard Enterprise recommends that users with this role should not initiate interactive login sessions through the HPE OneView user interface. |
| Specialized | Network administrator | View, create, edit, or remove networks, network sets, connections, interconnects, uplink sets, and firmware bundles. View related activities, logs, and notifications. Cannot manage user accounts. |
| Specialized | Server administrator | View, create, edit, or remove server profiles and templates, network sets, enclosures, and firmware bundles. Access the Onboard Administrator and physical servers, and hypervisor registration. View connections, networks, racks, power, and related activities, logs, and notifications. Add volumes, but cannot add storage pools or storage systems. Cannot manage user accounts. |
| Specialized | Storage administrator | View, add, edit, or remove storage systems. View, add, or remove storage pools. View, create, edit, add, or delete volumes. View, create, edit, or delete volume templates. View, add, or edit SAN managers. View or edit SANs. |

22.5 Action privileges for user roles

The following table lists the user action privileges associated with each user role. The Use privilege is a special case that allows you to associate objects to objects that you own but you are not allowed to change. For example, in a logical interconnect group, a user assigned the role of Server administrator is not allowed to define logical interconnect groups, but can use them when adding an enclosure.

Table 13 Action privileges for user roles (C=Create, R=Read, U=Update, D=Delete, Use)

| Category | Infrastructure administrator | Server administrator | Network administrator | Backup administrator | Storage administrator | Read only | Hardware setup |
|---|---|---|---|---|---|---|---|
| activities | CRUD | CRU | CRU | R | CRU | R | CRU |
| alerts | RUD | RUD | RUD | — | RUD | R | RUD |
| appliance | CRUD | R | R | R | R | R | R |
| audit logs | CR | R | R | — | R | — | — |
| backups | CRUD | R | R | CRD | R | R | R |
| community string | RU | R | CRU | — | R | — | — |
| connections | CRUD | R | CR | R | R | R | — |
| connection templates | CRUD, Use | R, Use | CRUD | R | R | R | — |
| console users | CRUD | — | — | — | — | — | — |
| data centers | CRUD | CRUD | R | R | R | R | CRUD |
| debug logs | CRUD | CRU | CRU | — | R | R | — |
| device bays | CRUD | CRUD | R | R | R | R | CRUD |
| domains | CRUD | R | CRU | R | R | R | — |
| enclosures | CRUD | CRUD | R | R | R | R | CRUD |
| enclosure groups | CRUD, Use | CRUD, Use | R | R | R | R | — |
| Ethernet networks | CRUD | R | CRUD | R | R | R | — |
| events | CRU | CRU | CRU | — | R | R | CR |
| fabrics | CRUD | R | CRUD | R | R | R | — |
| FC aliases | CRUD | R | R | R | CRUD | R | — |
| FC device managers | CRUD | R | R | R | CRUD | R | — |
| FC endpoints | R | R | R | R | R | R | — |
| FC networks | CRUD | R | CRUD | R | R | R | — |
| FCOE networks | CRUD, Use | R | CRUD, Use | R | R | R | — |
| FC ports | R | R | R | R | R | R | — |
| FC providers | R | R | R | R | R | R | — |
| FC SANs | CRUD | R | R | R | CRUD | R | — |
| FC SAN services | CRUD | R | R | R | CRUD | R | — |
| FC switches | R | R | R | R | R | R | — |
| FC tasks | R | R | R | R | R | R | — |
| FC zones | CRUD | R | R | R | CRUD | R | — |
| firmware drivers | CRUD | CRUD | CRUD | R | R | R | R |
| global settings | CRUD | CRUD | CRUD | R | CRUD | R | CRUD |
| grouptorole mappings | CRUD | — | — | — | R | R | — |
| ID range vmacs (MAC addresses) | CRUD | R | CRU | R | R | R | — |
| ID range vsns (serial numbers) | CRUD | CRU | R | R | R | R | — |
| ID range vwwns (World Wide Names) | CRUD | R | CRU | R | R | R | — |
| integrated tools | CRUD | R | R | R | R | R | — |
| interconnects | CRUD | CR | CRUD | R | R | R | CRUD, Use |
| interconnect types | R, Use | R | CRUD | R | R | R | CRUD |
| labels | CRUD | CRUD | CRUD | R | CRUD | R | R |
| licenses | CRUD | CR | R | R | R | R | — |
| logical downlinks | R | R | R | R | R | R | — |
| logical interconnects | CRU, Use | R, Use | RU, Use | R | R | R | — |
| logical interconnects groups | CRUD, Use | R, Use | CRUD, Use | R | R | R | — |
| login domains | CRUD | — | — | — | R | R | — |
| login sessions | CRUD | RU | RU | RU | RU | RU | — |
| managed SANs | CRUD, Use | R | R, Use | R | CRUD, Use | R | — |
| migratable VC domains | CRUD, Use | — | — | — | — | — | — |
| networks | CRUD, Use | R, Use | CRUD, Use | R | R | R | — |
| network sets | CRUD, Use | CRUD | CRUD | R | R | R | — |
| notifications | CRUD | CRD | CRD | R | R | R | — |
| organizations | CRUD | — | — | — | R | R | — |
| ports | RU, Use | — | RU, Use | — | R | — | — |
| power devices | CRUD | CRUD | R | R | R | R | CRUD |
| racks | CRUD | CRUD | R | R | R | R | CRUD |
| reports | R | R | R | R | R | R | — |
| restores | CRUD | — | — | — | — | R | — |
| roles | CRUD | — | — | — | — | R | — |
| SANS | CRUD, Use | R | R | R | CRUD, Use | R | — |
| SAN manager | CRUD, Use | R | R | R | CRUD, Use | R | — |
| server hardware | CRUD, Use | CRUD, Use ¹ | R | R | R | R | CRUD, Use |
| server hardware types | CRUD, Use | CRUD, Use | R | R | R | R | CRUD, Use |
| server profiles | CRUD | CRUD | R | R | R | R | — |
| storage pools | CRD | R | R | R | CRUD | R | — |
| storage systems | CRUD | R | R | R | CRUD | R | — |
| storage target ports | CRUD | R | R | R | CRUD | R | — |
| storage volumes | CRUD | CRUD | R | R | CRUD | R | — |
| storage volume attachments | CRUD | CRUD | R | R | CRUD | R | — |
| storage volumes templates | CRUD | R | R | R | CRUD | R | — |
| switches | CRUD, Use | RU | CRUD | R | R | R | — |
| tasks | R | R | R | R | R | R | R |
| trap forwarding | RU | R | R | R | R | R | — |
| unmanaged devices | CRUD | CRUD | R | R | R | R | CRUD |
| uplink sets | CRUD | R | CRUD | R | R | R | — |
| users | CRUD | — | — | — | — | R | — |
| user preferences | CRUD | — | — | — | — | R | — |

¹ Server administrators cannot edit bandwidths.

22.6 About authentication settings

Security is maintained through user authentication and role-based authorization. User accounts can be local, where the user credentials are stored on the appliance, or they can be in a directory (Microsoft Active Directory, for example) hosted elsewhere, where the appliance contacts the designated directory server to verify the user credentials.

When logging in to the appliance, each user is authenticated by the authentication directory service, which confirms the user name and password. Use the Authentication settings panel to configure authentication settings on the appliance, which is populated with default values during first-time setup of the appliance.

To view or make changes to Authentication settings, log in with Infrastructure administrator privileges. No other users are permitted to change or view these settings.

View and access the Authentication settings by using the UI and selecting Settings→Security→Authentication or with the REST APIs.
22.7 About directory service authentication

You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same role (for example, Infrastructure administrator). An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol).

After the directory service is configured, any user in the group can log in to the appliance. On the login window, a user:
• Enters their user name (typically, the Common-Name attribute, CN). The format for the user name depends on the Directory type.
• Enters their password.
• Selects the authentication directory service.

In the Session control, the user is identified by their name preceded by the authentication directory service. For example:

CorpDir\pat

IMPORTANT: Unlike local users, if a user is deleted from an authentication directory, their active sessions remain active until that user logs out. If there is a change in the group-to-role assignment (including a deletion) for an authentication directory group while a user from that group is logged in, their current active session is not affected until they log out. Local users’ sessions are ended when such modifications are made.

Authenticating users

When you add an authentication directory service to the appliance, you provide location criteria so that the appliance can find the group.

Adding a directory server

If you replicate the authentication directory service for high availability or disaster tolerance, add the replicated directory service as a separate directory service. After configuring and adding a directory server, you can designate it as the default directory service.
After you add an authentication directory service and server

You can:
• Add a group, which had already been defined in the directory service, so that all its members can log in to the appliance.
• Allow local logins only, which is the default.
• Allow both local logins and logins for user accounts authenticated by the directory service.
• Disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in.

Considerations for configuring a Microsoft Active Directory directory service

• The following maps the Active Directory attribute to the LDAP property:

LDAP property | Active Directory attribute
cn | Common-Name
uid | UID
userPrincipalName | User-Principal-Name
sAMAccountName | SAM-Account-Name

If the user name does not contain either an @ character (to denote a UPN) or a \ character (to denote a domain\login), then these logins are attempted in this order:
1. The user name is treated as the sAMAccountName and directory-name gets prepended (directory-name\user-name)
2. The user name is treated as a UID.
3. The user name is treated as a CN.

• If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows. Specify the following components of the user’s name, displayed here with the corresponding attribute:

User name component | Attribute
First Name | givenName
Initials | initial
Last Name | sn

The field labeled Full Name defaults to this format and this string is assigned to the cn attribute (Common Name).

givenName.initials.givenName.initial.sn

In the New Object – user dialog box, you are also required to specify a User logon name. This, in combination with the DNS domain name, becomes the userPrincipalName. The userPrincipalName is an alternative name that the user can use for logging in.
It is in the form:

LogonName@DNSDomain

For example:

[email protected]

• Finally, as you enter the User logon name, the first twenty characters are automatically filled in in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.
• CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.

22.8 Managing user passwords

A user with Infrastructure administrator privileges can manage the passwords of all local users on the appliance using the UI or the REST APIs. Users without Infrastructure administrator privileges can manage only their own passwords.

As Infrastructure administrator, you can view all users logged in to the appliance with the Users and Groups screen or REST APIs. Select any user, and then edit their password or assigned role.

All other local users can edit their own passwords by using the UI or the REST APIs. In the UI, click the Session icon in the top banner, and then click the Edit icon to change their current password or contact information.

22.9 Reset the administrator password

If you lose or forget the administrator password, use the following operation to reset it. The operation allows you to set a single-use password for the local administrator account.

NOTE: This operation resets the password for a local administrator account on the appliance. It does not apply to administrator accounts authenticated by a directory service.

You will need to access the Maintenance console from the appliance console, access a unique request code, and telephone your authorized support representative, who will send an authorization code after verifying your information.

Prerequisites
• You have access to the appliance console.

Resetting the administrator password with the Maintenance console

1. Access the virtual appliance console.
2. Access the Maintenance console main menu.
3. Select Reset password.
   The Maintenance console displays a request code.
   IMPORTANT: The request code is valid only while you are on the Password reset screen of the Maintenance console. If you return to the main menu or end the Maintenance console session, the request code will be invalid. You will need to start this procedure over again to acquire a new request code.
4. Telephone your authorized support representative and provide that person with the following information:
   • The name of the person requesting the password to be reset.
   • The name of the company that owns the appliance.
   • The request code from the Maintenance console.
   The authorized support representative verifies the information and then sends a message to the authorized email address on file. This message contains the authorization code, also known as a response code. An ISO image, which is also the authorization code, is attached to the message.
   For information on how to contact Hewlett Packard Enterprise, see “Accessing Hewlett Packard Enterprise Support” (page 433).
5. Do one of the following to enter the authorization code in the response field.
   IMPORTANT: You must enter the authorization code within one hour or it becomes invalid.
   • If you are able to paste information into the Maintenance console, copy the authorization code from the email message and paste it into the response field of the Maintenance console.
   • Read the authorization code from the ISO image:
     1. Save the ISO image attached to the email message.
     2. Mount the ISO image as a virtual media mount (a virtual CD-ROM).
     3. Select Read from ISO in the Maintenance console.
     4. The Maintenance console reads the ISO image and, after a moment, automatically fills in the response field with the authorization code.
   • Type the authorization code into the response field.
6. Determine a single-use administrator password.
7. When prompted, enter and reenter the new password.
8. Select OK to set the single-use password.
9. Log into the UI with this account, using the single-use password.
10. Set a new password for this account in the screen provided.
11. Verify by logging out, then logging into this account with the new password.

See also
• “Accessing Hewlett Packard Enterprise Support” (page 433).
• “About the Maintenance console” (page 471)

22.10 Learning more
• “Controlling access for authorized users” (page 69)

23 Backing up an appliance

This chapter describes how to use the UI, REST APIs, or a custom-written PowerShell script to save your appliance resource configuration settings and management data to a backup file.

UI screens and REST API resources

UI screen | REST API resource
Settings→Actions | backups

23.1 Roles

Users with Infrastructure administrator and Backup administrator privileges can create and download backup files; however, only the Infrastructure administrator can restore an appliance from a backup file.

The Backup administrator has the authority to use scripts to log in to the appliance and run scripts to back up the appliance. This role is specifically intended for scripted backup creation and download. Hewlett Packard Enterprise recommends that users with this role should not initiate interactive login sessions through the HPE OneView user interface.

23.2 About backing up the appliance

HPE OneView provides the ability to save your configuration settings and management data to a backup file and enables you to use that backup to restore a corrupted appliance in the event of a catastrophic failure.

The backup process involves creating a backup file and then downloading that file so that you can store it to a safe and secure (off-appliance) location for future use. You can schedule automatic backup operations and designate a remote location for the backup file.
For advice on creating and archiving a backup file, see “Best practices for backing up an appliance” (page 285). For the procedure on creating a backup file from the UI, see “Back up an appliance manually” (page 285). To configure automatic backups stored remotely, see “Configure automatic remote backups” (page 287).

IMPORTANT: In the unlikely event you need to restore the appliance, Hewlett Packard Enterprise recommends backing up your appliance configuration on a regular basis, preferably daily and especially:
• After adding hardware
• After changing the appliance configuration
• Before and after updating the appliance firmware

To prevent a backup file from being overwritten or deleted, download it and save it to an off-appliance location before running the next backup process.

The appliance stores one backup file or one support dump file on the appliance at a time. Creating a backup file replaces the current backup file or support dump file. Likewise, creating a support dump file replaces the previous support dump or the backup file.

If you start a backup while a support dump is in progress, the backup operation does not proceed until the support dump operation completes. If you (as the Infrastructure administrator) start a support dump while a backup operation is in progress, you have the option of cancelling the backup and proceeding with the support dump.

HPE OneView provides a Backup administrator user role specifically for backing up the appliance by permitting access to other resource views without permitting actions on those resources, or other tasks. Only the Infrastructure administrator or the Backup administrator can create a backup file, either through the UI or REST APIs.
What the backup process backs up
• HPE OneView database
• System files:
  ◦ Non-database data
  ◦ Audit log
  ◦ License files

What the backup process does not back up
• Non-data files: Static files that are installed as part of the execution environment, and are not specific to the appliance or managed environment configuration
• Log files (except the Audit log file)
• Appliance network configuration
• First-time setup configuration files
• Firmware bundles
• Any server settings, such as the following, that HPE OneView has not set:
  ◦ Boot and BIOS configuration settings.
  ◦ SAN and Local storage configurations
  ◦ Network configurations
  Settings such as these are neither validated by nor persisted by HPE OneView

Use a backup file to do the following:
• Restore the appliance from which the backup file was created.
• Restore the settings to a different appliance. For example, if an appliance fails and cannot be repaired, you can use a backup file to restore the management configuration settings and management data to a replacement appliance created from the same version of the virtual machine image.

REST APIs let you:
• Schedule a backup process from outside the appliance.
• Collect backup files according to your site policies.
• Integrate with enterprise backup and restore products.

23.3 Best practices for backing up an appliance

Method | Description

Creating
Always use the HPE OneView backup feature to back up your appliance.
CAUTION: Do not use any hypervisor-provided capabilities or snapshots to back up HPE OneView appliances because doing so can cause synchronization errors and result in unpredictable and unwanted behavior.

Frequency
Hewlett Packard Enterprise recommends backing up your appliance configuration with the automatic remote backup feature regularly, preferably daily.
Hewlett Packard Enterprise also recommends backing up your appliance manually:
• After adding hardware
• After changing the appliance configuration
• Before and after updating the appliance firmware
You should always have a backup file with the same firmware version as the appliance. Otherwise, a restore operation will fail.
You can back up the appliance while it is in use and while normal activity is taking place. You do not need to wait for tasks to stop before creating a backup file.

Archiving
The backup file format is proprietary. Hewlett Packard Enterprise recommends that you:
1. Create and download the backup file.
2. Store the backup file in a safe, off-appliance location to protect your sensitive data.
Hewlett Packard Enterprise provides REST APIs for integration with enterprise backup products.

23.4 Determining your backup policy

A backup file is a snapshot of the appliance configuration and management data at the time the backup file was created. Hewlett Packard Enterprise recommends that you create regular backups, preferably once a day and after you make hardware or software configuration changes in the managed environment.

As an alternative to using Settings→Backup→Actions→Create backup from the appliance UI, you can write and run a script to automatically create and download an appliance backup file. You can schedule the backup script to run automatically in interactive or batch mode on a regular basis. Only a user with Backup administrator or Infrastructure administrator privileges can run the script interactively.

Hewlett Packard Enterprise provides and recommends a remote backup facility for storing backup files. After an initial configuration, backups are taken automatically on the specified day and time and sent to a user’s folder on an SSH or SFTP server.

23.5 Back up an appliance manually

A backup file saves the configuration settings and management data for your appliance.
You can recover from a catastrophic failure by restoring your appliance from the backup file. For more information, see “About backing up the appliance” (page 283).

NOTE: To reduce the size of the backup file and the time it takes to create it, the firmware bundles you have uploaded to the appliance are not included in the backup file.

Prerequisites
• Minimum required privileges: Infrastructure administrator, or Backup administrator
• You have completed all the best practices for backing up an appliance.

Backing up an appliance manually

1. From the main menu, select Settings and do one of the following:
   • Click Create backup in the Backup panel.
   • Click Backup on the Settings screen, and then select Actions→Create backup.
   While the backup file is being created, a progress bar appears in the Overview pane. Wait for the backup file creation to complete.
2. Optionally, click the Create backup notification banner for more information and the name of the backup file, which has the format:
   appliance-host-name_backup_yyyy-mm-dd_hhmmss.bkp
3. Verify that the backup file was created correctly. The backup file name should reflect the current date and time.
4. After the backup file is created, do one of the following to download the backup file from the appliance:
   • Click Download backup in the Backup panel.
   • Select Actions→Download backup.
5. Select the appropriate option in the dialog box to save the backup file for safekeeping:
   • Select Transfer backup to remote backup location to store the backup file in the specified remote backup location. For information on configuring the remote backup location and enabling that feature, see “Configure automatic remote backups” (page 287).
   • Select Download the backup to my computer to store the backup file on the local computer.
   Do not store the backup file on the appliance.
More information
• About backing up the appliance
• Best practices for backing up an appliance
• Configure automatic remote backups
• Troubleshooting: Backup file creation or download action fails

23.6 Using REST APIs to create and download an appliance backup file

After the backup is initiated, a TaskResource URI is created that you use to track the progress of the backup. When the backup is complete, you can use a GET REST API operation to download and change the backup file name. The latest backup is stored on the appliance and is replaced when a new backup is initiated.

Prerequisites
• Minimum required session ID privileges: Backup administrator

Creating and downloading an appliance backup file using REST APIs

1. Create the backup file.
   POST /rest/backups
2. Download the backup file.
   GET /rest/backups/archive/{backup URI}

NOTE: After the POST operation is complete, a TaskResource URI and backup URI are returned. You can use the TaskResource URI to monitor the progress of the backup. Use the backup URI to refer to a specific backup when downloading the backup file or performing another operation.

23.7 Creating a custom script to create and download an appliance backup file

If you prefer to write a customized script to create and download your appliance backup file, and to run that script on a schedule according to your IT policies, see “Sample backup script” (page 439) for a sample PowerShell script.

23.8 Configure automatic remote backups

Prerequisites
• Minimum required privileges: Infrastructure administrator, Backup administrator
• User account on a remote computer and the credentials for that account.

Configuring automatic remote backups

1. From the main menu, select Settings.
2. Do one of the following:
   • In the Backup panel, click .
   • Click Backup, and then select Actions→Edit backup.
3. Supply the data requested in the Edit Backup screen.
   NOTE: Some fields are hidden or revealed according to selections.
   When scheduling an automatic remote backup, enter the Time as two numeric values separated by a colon.
4. Click OK.
5. Verify the success of the configuration by monitoring the progress of the test backup file that is generated and transmitted.

More information
“About backing up the appliance” (page 283)

23.9 Disable automatic remote backups

Prerequisites
• Minimum required privileges: Infrastructure administrator

Disabling automatic remote backups

1. From the main menu, select Settings.
2. Do one of the following:
   • In the Backup panel, click .
   • Click Backup, and then select Actions→Edit backup.
3. In the Edit Backup screen, select Enable remote backup location to remove the check mark.
   The remainder of the screen is no longer displayed.
4. Click OK.
   The scheduling data is retained in case you want to enable automatic remote backups again.

More information
“About backing up the appliance” (page 283)

23.10 Learning more
• “Basic troubleshooting techniques ” (page 357)

24 Restoring an appliance from a backup file

This chapter describes how to use the UI, REST APIs, or a custom-written PowerShell script to restore a corrupted appliance from a backup file. A restore operation is required only to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways.

UI screens and REST API resources

UI screen | REST API resource
Settings→Actions | restores

For more information about restoring an appliance, see the online help for the Settings screen.

IMPORTANT: Do not use any hypervisor-provided capabilities or snapshots to restore an HPE OneView appliance because doing so can cause synchronization errors and result in unpredictable and unwanted behavior.
24.1 Roles

Users with Infrastructure administrator or Backup administrator privileges can create and download backup files; however, only an Infrastructure administrator can restore an appliance from a backup file.

24.2 About restoring the appliance

Restoring an appliance from a backup file replaces all management data and most configuration settings with the data and settings in the backup file, including user names, passwords, and audit logs, but not the appliance IP address settings.

The appliance is not operational during the restore operation and it can take several hours to perform; the more resources and devices to restore, the longer the restore operation takes. A restore operation cannot be canceled or undone after it has started. The appliance blocks login requests while a restore operation is in progress.

IMPORTANT: A restore operation is required to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways.

Therefore, after the restore operation is complete, you can restore an appliance from a backup file that was created on the same appliance or, if an appliance fails and cannot be repaired, from a backup file from a different appliance. In this case, the backup file must have been created from an appliance running the same version of HPE OneView.

Actions during the restore operation | Description

Validates the resource inventory
During a restore operation, the appliance firmware validates the resource inventory (enclosures, servers, interconnects) and reconciles the data in the backup file with the current state of the managed environment. The state of the managed environment is likely to be different from the state of that environment at the time the backup file was created. After the restore operation, the appliance uses alerts to report any discrepancies that it cannot resolve automatically.
Rediscovers enclosures to validate contents
During the restore operation, the appliance rediscovers each enclosure to validate its contents, especially to ensure that the appliance can still claim them and that the given instance of HPE OneView is the manager of the enclosure. Then the appliance rediscovers each server and clears the virtual IDs of any servers added to an enclosure since the last time the backup file was created. The appliance also refreshes all rack servers to ensure they are claimed.

Clears virtual IDs
The appliance clears virtual IDs for server hardware that does not have a profile assigned but does have virtual IDs configured. These servers most likely had a profile assigned after the last backup was made. See also “Post-restoration tasks” (page 294).

You can use the UI to upload a backup file and restore the appliance from it. You can also use REST APIs for this purpose.

24.3 Best practices for restoring an appliance

Topic | Best Practice

Before you begin
1. Note the passwords you use.
   Maintain a list of the current user accounts on the appliance. The restore operation resets the user names and passwords to those that were in effect when the backup file was created.
2. Create a support dump.
   Use the support dump to diagnose failures that occurred before the restore operation.
3. Download the existing audit logs, and store them for safekeeping.
   The restore operation restores the audit logs from the backup file, overwriting the existing logs.
4. Stop all automatically scheduled backups.
   If HPE OneView is configured for automatic backups, backups resume after the appliance is restored.
5. Make the backup file accessible to the appliance from which you plan to issue the upload request. If you are using an enterprise backup product to archive backup files, follow any steps required by your backup product to prepare for the restore operation.
   WARNING! The local backup file is removed during the restore process. Download the backup file and store it in a safe, off-appliance location for future restorations.
6. If you added hardware to the appliance after the backup file was created, that hardware is not in the appliance database when the restore process completes. Then, if you restore from the backup file, you must add that hardware to the appliance and then repeat any other configuration changes (such as assigning server profiles) that were made between the time the backup file was created and the restore process completed.

Inform users
• Make sure that all users logged in to the appliance log out. Users who are logged in when the restore operation begins are automatically logged out, losing whatever work was in progress. All users are blocked from logging in during the restore operation.

Use the right backup file
• Use the latest backup file to restore the appliance. The backup file will not include any changes made after the backup file was created.
• Make sure the appliance IP addresses are the ones you want the appliance to use after the restore operation. Appliance IP addresses are not restored from the backup file.
• Ensure that the appliance being restored and the appliance on which the backup file was created have the same firmware version; otherwise, the restore operation fails.
  The platform type, hardware model, and the major and minor numbers of the appliance firmware must match to restore a backup. The format of the appliance firmware version is as follows:
  majornumber.minornumber.revisionnumber-buildnumber
  The revision and build numbers do not need to match.
  If the backup file is incompatible with the firmware on the appliance, the upload returns an error and the restore operation stops. You will need to update the firmware or select a different backup file.
• If it is necessary to restore a backup to a new appliance and the old appliance is still functioning (the hardware has not failed), delete the old appliance. Deleting the appliance ensures that it no longer manages the devices it was managing when the backup file was created. Serious errors can occur if multiple appliances attempt to manage the same devices.

24.4 Restore an appliance from a backup file

Restoring an appliance from a backup file replaces all management data and most configuration settings on the appliance. You are directed to re-enter unresolved data, if applicable. For more information, see “About restoring the appliance” (page 289).

Prerequisites
• Minimum required privileges: Infrastructure administrator.
• You have completed all the best practices for restoring an appliance.

IMPORTANT: If you are using a backup file created on another appliance to restore a new or replacement appliance:
1. Install HPE OneView on the new or replacement appliance. For instructions, see the HPE OneView Installation Guide.
2. Configure the new appliance with the same network settings as the appliance on which the backup file was created. Thus, you can use the network to upload the backup file to the new appliance. For more information on the network configuration settings, see the online help for the add or edit appliance screen details.
   If the network configuration for the new appliance does not exactly match the network configuration in the backup file, the network configuration will not match the information in the network certificates in the backup file. As a result, the browser loses connection with the appliance and the appliance cannot be restored.
3. When the new appliance network is configured, continue the restore operation described in the following procedure.
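The backup file name format from section 23.5 and the major.minor firmware rule from section 24.3 can both be checked against an off-appliance archive before an upload is attempted. The following Python is an added example, not HPE code: because the backup format is proprietary, it assumes the operator keeps a catalogue pairing each file with the appliance firmware version recorded when the backup was taken, and the host names, versions and dates are constructed. It checks the firmware version only, not platform type or hardware model.

```python
"""Pre-restore checks for an off-appliance archive of HPE OneView backup files."""
import re
from datetime import datetime, timedelta

# File name format from the guide: appliance-host-name_backup_yyyy-mm-dd_hhmmss.bkp
NAME_RE = re.compile(r"^(?P<host>.+)_backup_(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})\.bkp$")
# Firmware format from the guide: majornumber.minornumber.revisionnumber-buildnumber
FW_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\S+)$")

# Constructed sample: (file name, firmware version noted when the backup was taken).
SAMPLE_CATALOGUE = [
    ("ov1.example.net_backup_2016-10-03_020000.bkp", "3.00.05-0270000"),
    ("ov1.example.net_backup_2016-10-05_020000.bkp", "3.00.07-0288219"),
    ("ov1.example.net_backup_2016-10-06_020000.bkp", "3.10.00-0300000"),
    ("ov1_backup_latest.bkp", "3.00.07-0288219"),  # renamed by hand, no timestamp
]


def parse_backup_name(filename):
    """Return (host, creation time); raise ValueError for a nonconforming name."""
    match = NAME_RE.match(filename)
    if not match:
        raise ValueError("name does not follow host_backup_yyyy-mm-dd_hhmmss.bkp")
    # strptime also rejects impossible values such as month 13.
    created = datetime.strptime(match.group("stamp"), "%Y-%m-%d_%H%M%S")
    return match.group("host"), created


def parse_firmware(version):
    """Return (major, minor, revision, build) from a firmware version string."""
    match = FW_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised firmware version {version!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3)), match.group(4)


def restore_compatible(backup_fw, appliance_fw):
    """Major and minor must match; revision and build numbers may differ."""
    return parse_firmware(backup_fw)[:2] == parse_firmware(appliance_fw)[:2]


def preflight(catalogue, appliance_fw, now, max_age=timedelta(days=1)):
    """Pick the newest restorable backup and list everything that was rejected.

    max_age reflects the guide's recommendation of daily backups.
    Returns (chosen file name or None, list of findings).
    """
    findings, usable = [], []
    for filename, backup_fw in catalogue:
        try:
            _host, created = parse_backup_name(filename)
            compatible = restore_compatible(backup_fw, appliance_fw)
        except ValueError as exc:
            findings.append(f"SKIP {filename}: {exc}")
            continue
        if created > now:
            findings.append(f"SKIP {filename}: timestamp is in the future")
        elif not compatible:
            findings.append(
                f"SKIP {filename}: firmware {backup_fw} differs from appliance "
                f"{appliance_fw} in major.minor, upload would be rejected"
            )
        else:
            usable.append((created, filename))
    if not usable:
        findings.append("FAIL: no restorable backup in the archive")
        return None, findings
    created, chosen = max(usable)
    if now - created > max_age:
        findings.append(
            f"WARN {chosen}: backup is {now - created} old, "
            "changes made after it was created will not be restored"
        )
    return chosen, findings


if __name__ == "__main__":
    chosen, findings = preflight(
        SAMPLE_CATALOGUE, "3.00.08-0290000", datetime(2016, 10, 6, 12, 0)
    )
    print("restore from:", chosen)
    for line in findings:
        print(line)
```
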
Restoring an appliance from a backup file

Follow the procedure for the scenario that applies to your environment and practices:
• “Scenario: Select a backup file and start the restoration immediately”
• “Scenario: Select a backup file and start the restoration later”

Scenario: Select a backup file and start the restoration immediately

1. From the main menu, select Settings, and then select Backup.
2. Select Actions→Restore from backup.
   A dialog box opens.
3. Read the on-screen notification, then select Select a backup file.
4. Do one of the following:
   • Drag the backup file and drop it into the indicated text box.
   • Click Browse, and then select the backup file to upload.
   NOTE: Not all browsers and browser versions offer the ability to drag and drop files onto applications.
5. Click Upload and restore.
   Wait until the restore process is complete. A status page indicates progress.
   When the restore process completes, you are returned to the login page where you can log in to the restored appliance.
6. Upload the firmware bundles used by your server profiles, enclosures, and logical interconnects. These were not saved as part of the backup file. Refer to each profile's Firmware baseline setting to determine the file name for the required baseline.
   If you used HPE OneView to create a custom SPP, use the CMDLET Restore-HPOVCustomBaseline to re-create the custom SPP after the base SPP and the hotfixes are uploaded to the repository. For more information, see https://github.com/HewlettPackard/POSH-HPOneView/wiki/Restore-HPOVCustomBaseline.
7. Verify that the restore operation was successful by logging in to the appliance and successfully resolving any discrepancies that the restore operation cannot resolve automatically. See “Post-restoration tasks” (page 294).

Scenario: Select a backup file and start the restoration later

1. From the main menu, select Settings, and then select Backup.
2. Select Actions→Restore from backup.
   A dialog box opens.
3. Read the on-screen notification, then select Select a backup file.
4. Do one of the following:
   • Drag the backup file and drop it into the indicated text box.
   • Click Browse, and then select the backup file to upload.
   NOTE: Not all browsers and browser versions offer the ability to drag and drop files onto applications.
5. Click Upload only.
   Wait until the file upload is complete. A progress bar appears. The file name, creation date, and version are displayed when the file upload is complete.
6. When you are ready to restore the appliance from the backup file, return to the dialog box and verify that the backup file is correct and uploaded.
7. Select Restore from a backup file.
8. Click Restore.
   Wait until the restore process is complete. A status page indicates progress. When the restore process completes, you are returned to the login page where you can log in to the restored appliance.
9. Upload the firmware bundles used by your server profiles, enclosures, and logical interconnects. These were not saved as part of the backup file. Refer to each profile's Firmware baseline setting to determine the file name for the required baseline. You do not need to upload the default baseline, Service Pack for ProLiant - Base Firmware, which is included in the appliance image.
   If you used HPE OneView to create a custom SPP, use the CMDLET Restore-HPOVCustomBaseline to re-create the custom SPP after the base SPP and the hotfixes are uploaded to the repository. For more information, see https://github.com/HewlettPackard/POSH-HPOneView/wiki/Restore-HPOVCustomBaseline.
10. Verify that the restore operation was successful by logging in to the appliance and successfully resolving any discrepancies that the restore operation cannot resolve automatically. See “Post-restoration tasks” (page 294).

24.5 Using REST APIs to restore an appliance from a backup file

Prerequisites
• Minimum required session ID privileges: Infrastructure administrator
• You have uploaded a backup file to the appliance.

Restoring the appliance from a backup file using REST APIs
1. Initiate the restore process.
      POST /rest/restores
   The {restore URI} is returned.
2. List the status of the restore process.
      GET /rest/restores

24.6 Creating a custom script to restore an appliance

If you prefer to write a script to restore an appliance from a backup file, see “Sample restore script” (page 450) for a sample PowerShell script that you can customize for your environment.

24.7 Post-restoration tasks

During a restore operation, the appliance reconciles the data in the backup file with the current state of the managed environment. There are some discrepancies that a restore operation cannot resolve automatically; for example, if servers were added after the backup file was created. The network configuration on these servers is unknown to the appliance after a restore and could result in duplicate MAC addresses and World Wide Names (WWNs).

After a restore operation completes, you must manually resolve any remaining alerts and add these servers back into the appliance to eliminate the risk of duplicate IDs. You must also perform manual cleanup of hardware (servers, interconnects, and enclosures) if server profiles are forcibly unassigned or the hardware is forcibly removed without first being unconfigured.

Preventing duplicate IDs on the network after a restore
1. After a restore operation is complete, re-add any enclosure or server hardware added since the selected backup.
   NOTE: For any enclosures added since the last backup that you decide not to re-add after the restore, avoid duplicate IDs by running the Onboard Administrator SSH command clear vcmode on these enclosures.
   Running this command ensures the virtual MACs and WWNs on the server blades in the enclosure have been cleared.
2. For any server profile alerts about the profile not matching the server hardware:
   a. Identify all server profiles with a mismatch-type of error message. Make a list of these server profiles and the assigned server hardware.
   b. Power off the server, and then unassign all of the server profiles individually. From the Server Profiles screen, select Actions→Edit, and then select Unassign from the server hardware drop down selector. Click OK.
   c. Select Actions→Edit again, and then reassign all of the documented profiles to the documented server hardware.
3. For any alerts about ID ranges, the Network administrator should examine the address and identifier ranges and edit them, if needed.
4. Re-create any profiles for the servers in any enclosures that were added in step 1.

25 Managing the appliance

25.1 Updating the appliance

You manage appliance updates from the Settings screen or by using the REST APIs.

UI screens and REST API resources
UI screen      REST API resource
Settings       appliance/firmware

25.1.1 Roles
• Minimum required privileges: Infrastructure administrator

25.1.2 Tasks

Updating the appliance requires a single user accessing the appliance and causes the appliance to restart. This does not disrupt the operation of the devices under management, but does result in an outage of the appliance.

The appliance online help provides information about using the UI or the REST APIs to:
• Determine if a newer appliance update is available. (Minimum required privileges: Read only, Network administrator, or Infrastructure administrator)
• Update the appliance. (Minimum required privileges: Infrastructure administrator)

25.1.3 About appliance updates

The appliance runs a combination of software and firmware.
Maintaining up-to-date appliance software and firmware fixes problems, improves performance, and adds new features to the appliance.

The appliance does not automatically notify you when an update is available; you must determine if an appliance update file has been released. To view the installed version of appliance firmware, use the Settings→Appliance view. Then, verify if a newer version of an appliance update file is available to download from the www.hpe.com/info/hpeoneview/updates website.

Before you update the appliance, examine the HPE OneView Release Notes to learn about supported upgrade paths, new features delivered in the update, best practices, limitations, troubleshooting hints and tips, and whether you must restart the appliance after it is updated.

NOTE: When you download the appliance update file, a link to the update HPE OneView Release Notes appears in the download dialog box. Hewlett Packard Enterprise recommends clicking that link to read and then save and print the information for future reference. Once the download starts, you cannot access that link again.

You manage appliance updates from the Settings→Appliance→Actions→Update appliance menu or by using the REST APIs.

An appliance update is installed from a single file during the update process. You can either download the file directly to the appliance or to another computer and then transfer the file to the appliance.

When you install an appliance update, the appliance restarts and goes offline. When the appliance is offline, it does not affect the managed resources; they continue to operate while the appliance is offline.

25.1.4 Learning more

For more information about obtaining software updates, see “Support and other resources” (page 433).

25.2 Managing appliance availability

Managing and maintaining appliance availability starts with configuring the appliance virtual machine for high availability as described in “Planning for high availability” (page 115), and following the best practices described in “Best practices for managing a VM appliance” (page 296).

In the event of an appliance shutdown, your managed resources continue to operate. For more information about how the appliance handles an unexpected shutdown, and what you can do to recover, see:
• “How the appliance handles an unexpected shutdown” (page 298)
• “What to do when an appliance restarts” (page 298)

The appliance online help provides information about using the UI or the REST APIs to shut down or restart the appliance.

UI screens and REST API resources
UI screen      REST API resource
Settings       appliance/shutdown

25.2.1 Roles
• Minimum required privileges: Infrastructure administrator

25.2.2 Tasks

The appliance online help provides information about using the UI or the REST APIs to:
• Shut down the appliance. (Minimum required privileges: Infrastructure administrator)
• Restart the appliance. (Minimum required privileges: Infrastructure administrator)

25.2.3 Best practices for managing a VM appliance

Hewlett Packard Enterprise recommends the following guidelines for managing your VM appliance from the virtual console:

Best practices for managing a VMware vSphere virtual machine

Do
• Use thick provisioning. (Required)
• Use shares and reservations to ensure adequate CPU performance.

Do not
• Use thin provisioning.
• Update the VMware tools.
  If VMware Tools show Out of Date or Unmanaged, they are running correctly. These status messages are not a problem, because the tools are available and running. VMware tools are updated with each HPE OneView software update.
• Revert to a VM snapshot (unless under specific circumstances, as instructed by your authorized support representative).
• Set the Synchronize guest time with host option in the vSphere client when the HPE OneView appliance is configured to use NTP.
  HPE OneView automatically sets the appropriate Synchronize guest time with host setting during network configuration. When HPE OneView is configured to use NTP servers, the Synchronize guest time with host option is disabled. If HPE OneView is not configured to use NTP servers, it synchronizes to the host VM clock and the Synchronize guest time with host option is enabled. In this case, configure the VM host to use NTP.
• Reduce the amount of memory assigned to the VM.

Best practices for managing a Microsoft Hyper-V virtual machine

Do
• Use fixed size.

Do not
• Update integration services.
• Revert to a VM checkpoint (unless under specific circumstances, as instructed by your authorized support representative).
• Reduce the amount of memory assigned to the VM.
• Enable Dynamic Memory. See https://technet.microsoft.com/en-us/library/hh831766(v=ws.11).aspx.

25.2.4 Shut down the appliance from the UI

Use this procedure to perform a graceful shutdown of the appliance from the UI.

Prerequisites
• Minimum required privileges: Infrastructure administrator.
• Ensure that all tasks have been completed or stopped, and that all other users are logged off.

Shutting down the appliance from the UI
1. From the main menu, select Settings and then click Appliance.
2. Select Actions→Shut down.
   A dialog box opens to inform you that all users will be logged out and ongoing tasks will be canceled.
3. Select Yes, shut down in the dialog box.
4. Verify by observing the shutdown.

25.2.5 Restart the appliance from the UI

Use this procedure to perform a graceful shutdown and restart of the appliance from the UI. You are returned to the login screen.

Prerequisites
• Minimum required privileges: Infrastructure administrator.
• Ensure that all tasks have been completed or stopped, and that all other users are logged off.
  Otherwise, restarting the appliance disconnects users and interrupts running tasks.

Restarting the appliance from the UI
1. From the main menu, select Settings and then click Appliance.
2. Select Actions→Restart.
   A dialog box opens to inform you that users will be logged out and running tasks will be interrupted.
3. Select Yes, restart in the dialog box.
4. Verify by logging in when the login screen reappears.

25.2.6 How the appliance handles an unexpected shutdown

The appliance has features, such as automatic backup and high availability, to enable it to automatically recover from an unexpected shutdown, and managed resources continue to operate while the appliance is offline. However, Hewlett Packard Enterprise recommends that you use the appliance high-availability and backup features to ensure that the appliance is backed up daily, and when you make significant configuration changes, such as adding or deleting a network.

Appliance recovery operations

When the appliance restarts, it performs the following operations:
• Detects tasks that were in progress and resumes those tasks, if it is safe to do so. If the appliance cannot complete a task, it notifies you that the task has been interrupted or is in some other error state.
• Attempts to detect differences between the current environment and the environment at the time the appliance shut down, and then refreshes its database with the detected changes.
  If you determine that the appliance data does not match the current environment, you can request that the appliance refresh the data for certain resources, such as enclosures.

Appliance recovery during a firmware update of a managed resource

If the appliance shuts down during a firmware update of a managed resource, when the appliance restarts, it detects the failed update and marks the firmware update tasks as being in an error state. To update the firmware for this resource, you must re-initiate the firmware update task.

What to do when an appliance restarts

The online help provides information about using the user interface or the REST APIs to:
• Check for critical alerts or failed tasks and follow the provided resolution instructions
• Manually refresh a resource if the resource information displayed appears to be incorrect or inconsistent
• Create a support dump (recommended for unexpected crashes to help support personnel to troubleshoot a problem)
• Update firmware for a resource, if a firmware update task was in progress when the appliance shut down.

25.3 Managing settings

On the Settings screen, appliance information is divided into panels where, at a glance, you see the current status of such categories as Scopes and Proxy settings.

UI screens and REST API resources
UI screen          REST API resource
Settings→Scopes    /rest/scopes
Settings→Proxy     /rest/proxy

25.3.1 Roles
• Required privileges: Infrastructure administrator

25.3.2 Tasks

The online help provides information on the following tasks:
• Create, delete, and edit a new scope.
• Assign a resource to a scope.
• Configure the appliance HTTPS proxy settings.

25.3.3 Reset the appliance to the original factory settings

A factory reset restores the appliance to the original factory settings. It does not change the installed firmware version. You have the option of preserving or erasing the appliance network settings.

You might need to reset the appliance either to decommission it (so that you can migrate the hardware) or to return the appliance to a known state for reuse (for example, to restore the appliance from a backup file).

CAUTION:
• This action erases appliance data including logs and managed device settings in HPE OneView. This action does not affect the configuration of managed devices in any way. Therefore, manual clean-up of devices might be required if HPE OneView will no longer manage them.
• REST API calls and GUI operations are not allowed during the reset action.

Prerequisites
• Minimum required privileges: Infrastructure administrator
• Ensure that all tasks have been completed or stopped, and that all other users are logged off.

Resetting the appliance to the original factory settings
1. If you are decommissioning the appliance and its managed environment, remove all hardware from HPE OneView management, for example:
   • Delete or un-assign all server profiles.
   • Delete all logical enclosures.
   • Delete any storage volumes allocated within HPE OneView.
   • Reset managed devices (configured through IP address pools) to default IP addressing.
2. From the main menu, select Settings and then click Appliance.
3. Select Actions→Factory Reset.
4. Optionally select Preserve appliance network settings to erase the appliance data without losing network connectivity, for example, to rebuild the appliance.
5. Select OK.
6. If you are decommissioning the appliance, ensure that all hardware managed by HPE OneView is removed from management.

This action displays a progress bar while it is running. Logins are disabled automatically. When the appliance reset is completed after several minutes, you can log in and set up your appliance as you did for the first time.

25.3.4 About appliance proxy settings

The Proxy panel allows you to set the HTTPS proxy, port number for client connections, and whether authentication requires a username and a password.

25.3.5 About scopes

A scope is a grouping of resources that can be used to restrict the range of an operation or action. For example, you can create scopes based on:
• Organization or department (Marketing, Research and Development, Finance)
• Usage (Production, Development, Testing)
• Skills (Linux, Windows)

When scopes are defined and resources assigned to them, you:
• Restrict the resources displayed in the user interface (UI) to those assigned to the scope.
• Can configure filtered email notifications for alerts based on previously-defined scopes.

“Scope-enabled resource categories” (page 300) lists the categories of resources that can be added to a scope. There are categories of resources that cannot be added to a scope.

More information: About email notification of alerts

25.3.5.1 Scope-enabled resource categories

Only the following resource types can be added to or removed from a scope:
• Enclosures
• Server Hardware
• Networks (Ethernet, FC, and FCoE)
• Network Sets
• Interconnects, excluding SAS resources
• Logical Interconnects, excluding SAS resources
• Logical Interconnect Groups, excluding SAS resources
• Switches
• Logical Switches
• Logical Switch Groups

IMPORTANT: For email notification of alerts, resources that are not categorized here are included in any scope. An email notification filter that specifies one or more scopes does not eliminate alerts generated by resources that are not currently categorized here; these alerts are sent. Inhibiting alerts from non-scope resources requires the use of associated resource categories, which is described in “Edit an email recipient and filter entry” in the online help.

25.4 Managing addresses and ID pools

A default set of virtual ID pools for MAC addresses, WWNs, and serial numbers is provided at startup. If you need additional addresses or identifiers, you can add autogenerated or custom ranges of ID pools.

You manage the ID pools from the UI Settings screen or by using the REST APIs.

UI screens and REST API resources
UI screen      REST API resource
Settings       id-pools

25.4.1 Roles
• Minimum required privileges: Infrastructure administrator

25.4.2 Tasks for addresses and identifiers

The appliance online help provides information about using the UI or the REST APIs to:
• View a list of active ID pools and their properties.
• Add an autogenerated ID pool for MAC addresses, WWNs, or serial numbers.
• Add a custom ID pool range for MAC addresses, WWNs, or serial numbers.

25.4.3 About ID pools

An ID pool is a collection of one or more ranges that you can randomly generate or specify to provide large address spaces. By default, one virtual ID pool each of contiguous MAC addresses, WWNs, and serial numbers is created automatically when you initialize the appliance. The pools are composed of address and ID ranges. You can individually enable or disable a range, or delete any unused ranges. ID pool ranges do not conflict with physical IDs, provided the virtual ranges you create exclude the physical ID ranges.

Supported ID pools

Virtual MAC addresses (vMAC)
• 6 byte quantity represented as 12 hexadecimal characters, bytes separated by a colon (:)
• Unicast address ranges only, multicast bit must not be set

Virtual World Wide Names (vWWN)
• 8 byte quantity represented as 16 hexadecimal characters, bytes separated by a colon (:)

Virtual Serial Numbers (vSN)
• 10 alphanumeric characters, uppercase

25.4.4 Add an IPv4 subnet and address range

An IPv4 subnet and address range can be added to support an iSCSI network.

Prerequisites
• Minimum required privileges: Network administrator, Infrastructure administrator

Adding an IPv4 subnet and address range
1. From the main menu, select Settings, and then do one of the following:
   • Click Addresses and Identifiers, and then click Actions→Edit.
   • Hover your pointer in the Addresses and Identifiers panel, and then click the Edit icon.
2. Click Add IPv4 subnet and address range and enter the requested subnet information.
3. Click Add address range and enter the requested address information.
4. Click Add, or Add + to add additional address ranges.
5. Click Add, or Add + to add additional subnets and address ranges.
6. Click OK to submit the changes.
7. Confirm that the new address range appears in the IPv4 Subnets and Address Ranges panel.
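
The formats in the Supported ID pools table (25.4.3), and the rule that virtual ranges must exclude physical IDs, can be checked before a custom range is entered. The following Python code is an added example, not part of the HPE guide or of HPE OneView; the function names and sample addresses are constructed for illustration, and it does not contact the appliance.

```python
import re

# Formats taken from the "Supported ID pools" table in section 25.4.3.
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
_VSN = re.compile(r"[A-Z0-9]{10}")  # 10 alphanumeric characters, uppercase


def parse_colon_hex(value, nbytes):
    """Convert 'aa:bb:...' (exactly nbytes colon-separated hex bytes) to an int."""
    parts = value.split(":")
    if len(parts) != nbytes or not all(_HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError(f"{value!r} is not {nbytes} colon-separated hex bytes")
    return int("".join(parts), 16)


def is_valid_vwwn(value):
    """vWWN: 8-byte quantity, 16 hex characters, bytes separated by colons."""
    try:
        parse_colon_hex(value, 8)
    except ValueError:
        return False
    return True


def is_valid_vsn(value):
    """vSN: exactly 10 uppercase alphanumeric characters."""
    return _VSN.fullmatch(value) is not None


def check_vmac_range(start, end, physical_macs=()):
    """Return a list of problems with a custom vMAC range (empty list = acceptable)."""
    try:
        lo, hi = parse_colon_hex(start, 6), parse_colon_hex(end, 6)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if lo > hi:
        problems.append("range start is greater than range end")
        lo, hi = hi, lo
    # The multicast bit is the least significant bit of the first byte.
    # A range that spans two different first bytes always contains an odd
    # first byte, so it always contains multicast addresses.
    first_lo, first_hi = lo >> 40, hi >> 40
    if first_lo != first_hi or first_lo & 1:
        problems.append("range includes addresses with the multicast bit set")
    # Virtual ranges must exclude the physical (burned-in) IDs in use.
    for mac in physical_macs:
        if lo <= parse_colon_hex(mac, 6) <= hi:
            problems.append(f"physical MAC {mac} falls inside the virtual range")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    physical = ["3C:A8:2A:10:20:30", "02:11:22:00:00:7F"]
    for rng in [("02:11:22:00:01:00", "02:11:22:00:01:FF"),
                ("02:11:22:00:00:00", "02:11:22:00:00:FF"),
                ("01:00:5E:00:00:00", "01:00:5E:00:00:FF")]:
        print(rng, check_vmac_range(*rng, physical_macs=physical) or "OK")
```
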

25.5 Managing the security features of the appliance

To learn about the security features of the appliance, see “Understanding the security features of the appliance” (page 65).

25.6 Enabling or disabling Hewlett Packard Enterprise support access to the appliance

HPE OneView contains a technical feature that will allow an on-site authorized support representative to access your system, through the system console, to assess problems that you have reported. This access will be controlled by a password generated by Hewlett Packard Enterprise that will only be provided to the authorized support representative. You can disable access at any time while the system is running.

UI screens and REST API resources
UI screen      REST API resource
Settings       appliance/settings

25.6.1 Roles
• Minimum required privileges: Infrastructure administrator

25.6.2 Tasks

The appliance online help provides information to enable or disable Hewlett Packard Enterprise support access from either the Settings screen or the REST APIs.

25.7 Managing TLS certificates

A Transport Layer Security (TLS) certificate certifies the identity of the appliance. The certificate is required by the underlying HTTP server to establish a secure (encrypted) communications channel with the client web browser.

You manage certificates from the Settings screen or by using the appliance settings REST APIs.

UI screens and REST API resources
UI screen      REST API resource
Settings       certificates

25.7.1 Roles
• Minimum required privileges for all tasks except as noted: Infrastructure administrator

25.7.2 Tasks

The appliance online help provides information about using the UI or the REST APIs to:
• Create a self-signed certificate.
• Create a certificate signing request.
• Import a certificate.
• View the TLS certificate settings (Minimum required privileges: Infrastructure administrator, Backup administrator, or Read only).

25.7.3 Learning more

See “Understanding the security features of the appliance” (page 65).

25.8 Managing the Hewlett Packard Enterprise public key

The Hewlett Packard Enterprise public key verifies that:
• Hewlett Packard Enterprise created its software packages (RPMs) and updates.
• The code was not modified after it was signed.

25.8.1 Roles
• Minimum required privileges: Infrastructure administrator

25.8.2 Tasks

The appliance online help provides information about managing public keys from the Settings screen or by using the REST APIs to:
• Acquire and install the Hewlett Packard Enterprise public key.
• View the Hewlett Packard Enterprise public key.

25.9 Downloading audit logs

The audit log helps the security administrator understand what security-related actions took place. You can gather log files and other information that your authorized support representative needs so that they can diagnose and troubleshoot an appliance.

UI screens and REST API resources
UI screen      REST API resource
Settings       audit-logs

25.9.1 Roles
• Minimum required privileges: Infrastructure administrator

25.9.2 Tasks

The appliance online help provides information about how to download the audit logs from the Settings screen or by using the REST APIs.

25.9.3 Download audit logs

The audit log shows the security administrator what security-related actions took place. You can download log files and other information for your authorized support representative to use to diagnose and troubleshoot an appliance.

Prerequisites
• Minimum required privileges: Infrastructure administrator

Downloading audit logs
1. From the main menu, select Settings.
2. Click Security.
3. Select Actions→Download audit logs.
4. The appliance generates a compressed file of the audit logs and downloads it to your local computer.
   The compressed file is named following this format:
      audit-logs-yyyy_mm_dd-hh_mm_ss
   yyyy_mm_dd indicates the date, and hh_mm_ss indicates the time the file was created.
   The name of the audit log file is displayed on the screen.
   The audit log file is downloaded to the default download folder. If no default download folder is configured in your browser, you are prompted to specify a destination file.
5. Verify the log was downloaded to the correct folder.

25.9.4 Learning more
• “Understanding the audit log” (page 71)
• “Choosing a policy for the audit log” (page 72)

Part V Monitoring

The chapters in this part describe using the appliance to monitor your data center. You use the information in this part after the appliance has been configured and the data center resources have been added to the appliance.

26 Monitoring data center status, health, and performance

This chapter describes the recommended best practices for monitoring data center status, health, and performance using HPE OneView.

26.1 Daily monitoring

As part of the daily monitoring of your data center, it is important to be able to quickly scan the appliance-managed resources to assess the overall health of your data center. By reviewing the UI screens, you are able to rapidly analyze the state and condition of your data center.

26.1.1 Initial check: the Dashboard

The Dashboard provides an at-a-glance visual health summary of the appliance resources you are authorized to view. The Dashboard can display a health summary of the following:
• Server Profiles
• Server Hardware
• Enclosures
• Logical Interconnects
• Storage Pools
• Volumes
• Appliance alerts

The status of each resource is indicated by an icon: OK, Warning, or Critical.

You can link to the resource screens in the UI for more information by clicking on the status icons displayed for each resource.

To learn more about the Dashboard screen, see “Using the Dashboard screen” (page 316).

26.1.2 Activities

The Activity screen provides a log of health and status notifications. The appliance verifies the current activity of resources in your environment, and posts alerts to the Activity screen and to the associated resource screens for you to review.

The Activity screen is also a database of all tasks that have been run, either synchronously or asynchronously, and initiated by the user or system. It is similar to an audit log, but provides more detail and is easily accessed from the UI.

26.1.3 Utilization graphs

For certain resources, the appliance collects CPU, power, and temperature utilization statistics from management processors (the iLO, Onboard Administrator, and iPDU). Utilization graphs enable you to understand recent utilization statistics relative to available capacity, see utilization trends over time, and see historical utilization over time. Hover over the utilization area in the UI to display tool tips.

The Enclosures screen
   View historical metrics of power consumption (average, peak, and power cap) and temperature.
The Server Hardware screen
   View historical metrics of CPU utilization/CPU frequency, power consumption (average, peak, and power cap), and temperature.
The Power Delivery Devices screen
   View historical metrics of power consumption (average and peak and previous 5 minutes, previous 24 hours).
The Racks screen
   View historical metrics of power consumption (average, peak, and power cap) and temperature.
The Interconnects screen
   View uplink port statistics of the bit transfer rates (transmitted and received).
The Storage systems screen
   View the amount of storage capacity in tebibytes (TiB).

To learn more about utilization graphs, see “Monitoring power and temperature” (page 321).

26.1.4 Monitor data center temperature

The appliance provides detailed monitoring data that you can use to determine the power and cooling capabilities of the devices in your data center.
The overall cooling in your data center might be sufficient; however, there might be areas that are insufficiently cooled due to conditions such as poor airflow, concentration of excessive heat output, or wrap-around airflow at the ends of aisles.

To easily identify temperature issues and look for thermal hotspots in all areas in your data center, use the 3D visualization features provided by the Data Centers UI screen.

To learn more about temperature, see “Monitoring power and temperature” (page 321).

26.2 Best practices for monitoring data centers

The following are recommended best practices for using the HPE OneView appliance to ensure the health of the managed components in your data center environment.

26.2.1 Best practices for monitoring health with the appliance UI

Hewlett Packard Enterprise recommends the following best practices to monitor the health of the resources in your environment.

General health monitoring steps

NOTE: You can view health and alerts on all managed servers and some monitored servers. See the HPE OneView Support Matrix for more information on monitored server hardware.

Monitoring steps
1. Navigate to the Activity screen and filter activities, using the filtering options that work best for the situation.
   You can also start from the Dashboard screen to see alerts for specific resources.
   Related information: “About Activity” (page 311), “Using the Dashboard screen” (page 316)
2. Navigate to a specific resource screen to view the specific activities for that resource. On the resource screen, verify the state of the resource instances via health status icons.
   Related information: “Icon descriptions” (page 87)
3. Investigate each resource instance with a warning or error status.
4. Expand critical and warning alerts to see their full descriptions, and click Event details to view additional information about the event(s) that caused the alert.
5. Follow the instructions in the recommended resolution (if any) or research the alert to correct the problem.
   NOTE: If an alert is Active and no action is required, you can clear the alert. If an alert is Locked, you cannot clear the alert without fixing the condition that caused it.

To monitor the current health of a network, navigate to the Interconnects and Logical Interconnects resources to view recent activity, alerts and notifications, and current health status.

26.2.2 Best practices for monitoring health using SCMB or REST APIs

To ensure the health of the components in your data center environment, use the State-Change Message Bus (SCMB) to receive health status messages. SCMB uses asynchronous messaging to notify subscribers of changes to managed resources, both logical and physical. For example, you can receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes.

To use REST APIs to monitor health, see the following:
• Overall health monitoring
• Server hardware health monitoring
• Network health monitoring

Overall health monitoring

NOTE: You can view health and alerts on all managed servers and some monitored servers. To see what servers can be monitored, see monitored server hardware in the HPE OneView Support Matrix.

Monitoring step
• Filter alerts based on severity or date to view current health issues.
     GET /rest/alerts?filter="severity='{UNKNOWN, OK, WARNING, CRITICAL}'"&filter="created='{YYYY-MM-DDThh:mm:ss.sssZ}'"
  NOTE: The DISABLED severity is not applicable to alerts.
  See the REST API scripting online help for more information about alerts.
• Get alerts for a specific physical resource type, such as server hardware.
     GET /rest/alerts?filter="physicalResourceType='{physical_server}'"
  See the REST API scripting online help for more information about server hardware.

View the originating event(s) that caused a specific alert.
1. Select an alert.
      GET /rest/alerts/
2. Get a specific alert using the alert ID.
    GET /rest/alerts/{id}

3. Get the associated event(s).

    GET /rest/events/{id}

• Fix the problem. Use the recommended fix (perform a GET operation on the specific alert resource and view the correctiveAction attribute), or research the alert.

Server hardware health monitoring

A server or servers turn to a warning or critical status when something is not correct within the appliance. If a server profile has been applied to a failed server, the server profile will also be in a failed status.

Monitoring step

• Use details from the alert to fix the problem. When available, attempt the recommended fix first. In some cases, additional research of the alert might be needed to best determine the fix.

    GET /rest/alerts?filter="physicalResourceType='{physical_servers}'"&filter="severity='{WARNING, CRITICAL}'"

  See the REST API scripting online help for more information on alerts.

• Make sure that server profiles are appropriately assigned to the server hardware. See the REST API scripting online help for more information on server profiles.

Network health monitoring

To determine the current health of a network or networks on the appliance, view alerts for interconnects and logical interconnects to verify the correct connections. To list alerts, you can perform a GET operation on alerts and filter for alerts related to interconnects. To list states, you can perform a GET operation on interconnects and logical interconnects and filter for an OK state.

Monitoring step

• View alerts for interconnects.

1. Select an interconnect alert.

    GET /rest/alerts?filter="physicalResourceType='{interconnect}'"&filter="severity='{WARNING, CRITICAL}'"

2. Get a specific alert using the alert ID.

    GET /rest/alerts/{id}

  See the REST API chapter in the online help for more information on interconnects.

• Filter for logical interconnects with unhealthy stacking.

1. Get unhealthy logical interconnect.
    GET /rest/logical-interconnects?filter="stackingHealth='{Unknown, Disconnected}'"

2. View specific unhealthy interconnect using the interconnect ID.

    GET /rest/logical-interconnects/{id}

  See the REST API chapter in the online help for more information on logical interconnects.

• Use information provided in the alert to fix the problem. Use the recommended fix if there is one, or research the alert. See the REST API scripting online help for more information on alerts.

26.3 Managing activities

The appliance online help provides information about using the UI or the REST APIs to:
• View activities for a resource.
• Filter activities by health, status, or date.
• Assign an owner to an alert.
• Add a note to an alert.
• Clear an alert.
• Restore a cleared activity to the active state.

26.3.1 About Activity

The Activity screen lists alerts and other notifications about appliance activity and events occurring in your data center. You can filter, sort, and expand areas of the screen to refine how information is displayed. Links within activity details also enable you to view additional information about specific resources, especially if the notification is reporting an event that requires immediate attention.

Activity screen components

The image shown here illustrates the important areas on the screen that you can use to monitor, resolve, and manage activity.

[Figure: Activity screen showing the filter bar, the Actions menu, and an expanded power alert for a power delivery device, with numbered callouts 1 through 7]

1. By default, the Activity screen shows All alerts, tasks, and events that have occurred. To quickly filter the default activity list to display the notifications that require your attention, click the icon to switch from All to Needs attention. Use the filters and date range selectors on the Filters menu bar to pinpoint the type of activity you want to see. To expand choices for any filtering selector on the filter banner, click the icon next to each filtering selector.
2. Use the Actions menu to assign, clear, or restore selected notifications.
3. To assign an alert or other notification to a specific user, select a name listed in the Owner column of each notification.
4. When a notification is expanded, click the Event details link to view more details about this notification, which is where you might find specific corrective action for an activity that requires your attention.
5. Start typing in the note box to add instructions or other information to a notification.
   TIP: You can click and drag the lower right corner of the note box to expand the box for better viewing or easier editing.
6. Click the icon to expand the view of a notification to see all information about it. Click the icon to collapse the notification into a single-line summary.
7. If a notification is reporting a status other than OK (green), click the link to view details about the resource that generated the notification.

26.3.2 Activity types: alerts and tasks

26.3.2.1 About alerts

The appliance uses alert messages to report issues with the resources it manages and monitors.
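The REST alert queries in section 26.2.2 can be scripted as shown in this added example, which is not HPE code: it builds the filter path in the guide's syntax, rejects values that could break out of the filter expression, and orders a returned alert list for investigation. The `alertState` and `uri` field names and all sample alerts are assumptions constructed for illustration; the curly braces in the guide are read as placeholders for a single value.

```python
from urllib.parse import quote

# Severities the guide lists for alert filters.
SEVERITIES = ("UNKNOWN", "OK", "WARNING", "CRITICAL")
# Only these two statuses call for investigation; lower rank sorts first.
RANK = {"CRITICAL": 0, "WARNING": 1}


def alerts_path(**filters):
    """Return /rest/alerts with one filter="name='value'" term per argument."""
    terms = []
    for name, value in filters.items():
        if not name.isalnum():
            raise ValueError(f"bad attribute name: {name!r}")
        if name == "severity" and value not in SEVERITIES:
            raise ValueError(f"unknown severity: {value!r}")
        # A quote inside the value would close the expression early and let
        # untrusted input append filter terms of its own, so refuse it.
        if "'" in value or '"' in value:
            raise ValueError(f"quote character in {name} value")
        expr = '"' + name + "='" + value + "'\""
        # Percent-encode the double quotes and any reserved characters.
        terms.append("filter=" + quote(expr, safe="='"))
    return "/rest/alerts?" + "&".join(terms)


def triage(alerts):
    """Return (severity, uri, clearable, correctiveAction), worst and oldest first."""
    open_alerts = [
        a for a in alerts
        # Cleared alerts no longer affect the displayed resource status.
        if a["alertState"] != "Cleared" and a["severity"] in RANK
    ]
    # ISO 8601 timestamps in one time zone sort correctly as strings.
    open_alerts.sort(key=lambda a: (RANK[a["severity"]], a["created"]))
    return [
        # A Locked alert cannot be cleared until its cause is fixed.
        (a["severity"], a["uri"], a["alertState"] == "Active",
         a.get("correctiveAction"))
        for a in open_alerts
    ]


# Constructed sample of a GET /rest/alerts result (field names assumed).
SAMPLE_ALERTS = [
    {"uri": "/rest/alerts/101", "severity": "WARNING", "alertState": "Active",
     "created": "2016-10-03T08:15:00.000Z",
     "correctiveAction": "Apply a power cap."},
    {"uri": "/rest/alerts/102", "severity": "CRITICAL", "alertState": "Locked",
     "created": "2016-10-04T11:02:00.000Z",
     "correctiveAction": "Replace the failed fan."},
    {"uri": "/rest/alerts/103", "severity": "CRITICAL", "alertState": "Cleared",
     "created": "2016-10-01T09:00:00.000Z", "correctiveAction": None},
    {"uri": "/rest/alerts/104", "severity": "OK", "alertState": "Active",
     "created": "2016-10-04T12:00:00.000Z", "correctiveAction": None},
    {"uri": "/rest/alerts/105", "severity": "CRITICAL", "alertState": "Active",
     "created": "2016-10-02T07:30:00.000Z", "correctiveAction": None},
]

if __name__ == "__main__":
    print(alerts_path(severity="CRITICAL"))
    for row in triage(SAMPLE_ALERTS):
        print(row)
```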
The resources generate alerts to notify you that some meaningful event occurred and that an action might be required. An event describes a single problem or change that occurred on a resource. For example, an event might be an SNMP trap received from a server's (iLO) management processor.

Each alert includes the following information about the event it reports: severity, state, description, and urgency. You can clear alerts, assign owners to alerts, and add notes to alerts.

While alerts have an active or locked state, they contribute to a resource’s overall displayed status. After you change their state to Cleared, they no longer affect the displayed status.

IMPORTANT: The appliance keeps a running count of incoming alerts. At intervals of 500 alert messages, the appliance determines if the number of alerts has reached 75,000. When it does, an auto-cleanup occurs, which deletes alert messages until the total number is fewer than 74,200. When the auto-cleanup runs, it first removes the oldest cleared alerts. Then it deletes the oldest alerts by severity starting with the least severe.

More information
“Service alerts” (page 315)

26.3.2.2 About tasks

All user- or system-initiated tasks are reported as activities:
• User-initiated tasks are created when a user adds, creates, removes, updates, or deletes resources.
• Other tasks are created by processes running on the appliance, such as gathering utilization data for a server.

The task log provides a valuable source of information that you can use to resolve an issue. You can determine the type of task performed, whether the task was completed, when the task was completed, and who initiated the task.
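The alert auto-cleanup rule described under “About alerts” above decides which alerts are still on the appliance when you come to investigate, so it is worth modelling before you rely on the appliance as the only copy. The following model is an added example, not HPE code; the severity ordering (the order in which this guide lists the values), the equal treatment of Active and Locked alerts, and the scaled-down thresholds used for the constructed sample are assumptions.

```python
from dataclasses import dataclass

# Assumption: least to most severe, in the order the guide lists the values.
SEVERITY_ORDER = ("UNKNOWN", "OK", "WARNING", "CRITICAL")


@dataclass(frozen=True)
class Alert:
    seq: int       # arrival order; a lower number is an older alert
    severity: str
    state: str     # "Active", "Locked" or "Cleared"


def eviction_key(alert):
    """Sort key: oldest cleared alerts first, then least severe, then oldest."""
    if alert.state == "Cleared":
        return (0, 0, alert.seq)
    return (1, SEVERITY_ORDER.index(alert.severity), alert.seq)


def auto_cleanup(store, limit=75_000, floor=74_200):
    """Run one cleanup check and return (kept, deleted)."""
    if len(store) < limit:
        return list(store), []
    # Delete until the total is fewer than `floor`, as the guide states.
    excess = len(store) - floor + 1
    deleted = sorted(store, key=eviction_key)[:excess]
    gone = {a.seq for a in deleted}
    return [a for a in store if a.seq not in gone], deleted


def ingest(stream, limit=75_000, floor=74_200, check_every=500):
    """Feed alerts in arrival order, checking the count every `check_every`."""
    store, purged = [], []
    for count, alert in enumerate(stream, start=1):
        store.append(alert)
        if count % check_every == 0:
            store, deleted = auto_cleanup(store, limit, floor)
            purged.extend(deleted)
    return store, purged


def constructed_stream():
    """Constructed sample: 20 alerts, the four oldest already cleared."""
    stream = []
    for seq in range(1, 21):
        if seq <= 4:
            stream.append(Alert(seq, "OK", "Cleared"))
        elif seq == 5:
            stream.append(Alert(seq, "CRITICAL", "Active"))
        elif seq == 10:
            stream.append(Alert(seq, "WARNING", "Locked"))
        else:
            stream.append(Alert(seq, "OK", "Active"))
    return stream


if __name__ == "__main__":
    # Thresholds scaled down from 75,000 / 74,200 / 500 to keep the sample small.
    kept, purged = ingest(constructed_stream(), limit=20, floor=15, check_every=5)
    print("purged:", [a.seq for a in purged])
    print("kept:  ", [a.seq for a in kept])
```

In the sample, the cleared alerts go first and the two oldest uncleared OK alerts follow, while the older Critical and Warning alerts survive; alerts you need for later review should be exported before they reach the front of that order.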
The types of tasks are:

Task type: Description
• User: A user-initiated task, such as creating, editing, or removing an enclosure group or a network set
• Appliance: An appliance-initiated task, such as updating utilization data
• Background: A task performed in the background. This type of task is not displayed in the log.

IMPORTANT: The appliance maintains a tasks database that holds information for approximately 6 months' worth of tasks or 50,000 tasks. If the tasks database exceeds 50,000 tasks, blocks of 500 tasks are deleted until the count is fewer than 50,000. Tasks older than 6 months are removed from the database. The tasks database and the stored alerts database are separate.

26.3.3 Activity states

Activity: Alert
• Active: The alert has not been cleared or resolved. A resource’s active alerts are considered in the resource’s overall health status. Active alerts contribute to the alert count summary.
• Locked: An Active alert that was set (locked) by an internal resource manager. You cannot manually clear a Locked alert. Examine the corrective action associated with an alert to determine how to fix the problem. After the problem is fixed, the resource manager moves the alert to the Active state. At that time, you can clear or delete the alert. A resource’s locked alerts contribute to its overall status.
• Cleared: The alert was addressed, noted, or resolved. You clear an activity when it no longer needs to be tracked. The appliance clears certain activities automatically. Cleared activities do not affect the resource’s health status and they are not counted in the displayed summaries.

Activity: Service alert
• Pending: The support case is pending submission to HPE.
• Submitted: The support case has been submitted to HPE.
• Received: HPE has received the support case.
• Open: The support case is open.
• Closed: The support case is closed.
  NOTE: A support case can be closed without any action:
  • If it is for a test event
  • If the device is not enabled for remote support
  • If the device is not covered under support contract or under warranty
• Error: The service request encountered an error during processing.
• None: There is no service alert. This is the default value.

Activity: Task
• Completed: The task started and ran to completion.
• Running: The task has started and is running, but has not yet completed.
• Pending: The task has not yet run.
• Interrupted: The task ran, but was interrupted. For example, it could be waiting for a resource.
• Error: A task failed or generated a Critical alert. Investigate Error states immediately.
• Terminated: A task was gracefully shut down or cancelled.
• Warning: An event occurred that might require your attention. A warning can mean that something is not correct within the appliance. Investigate Warning states immediately.

26.3.4 Activity statuses

The status represented for all HPE OneView resources represents the status for that single resource and does not represent the roll-up status of sub-components. For example, the status for an enclosure does not aggregate status for all server blades and servers, but rather just the status of the enclosure (Onboard Administrator, fans, and power supplies).

Status: Description
• Critical: A critical alert message was received, or a task failed or was interrupted. Investigate Critical status activities immediately.
• Warning: An event occurred that might require your attention. A warning can mean that something is not correct within the appliance and it needs your attention. Investigate Warning status activities immediately.
• OK: For an alert, OK indicates normal behavior or information from a resource. For a task, OK indicates that it completed successfully.
• Unknown: The status of the alert or task is unknown. The status of a task that is set to run at a later time is Unknown.
• Disabled: A task was prevented from continuing or completing.

26.3.5 Service alerts

A device (for example, an iLO) might generate a service alert associated with an alert. When it is displayed in the Activity screen, the service alert provides service information including a case identifier (Case ID) and primary contact information to facilitate a service call. The primary contact information was entered when Remote Support was configured.

For devices that are under warranty or actively covered under a support contract, Remote Support automatically closes and clears service alerts when conditions become normal; for example, after a faulty fan is replaced. Remote Support takes no action on devices that are not actively covered under a support contract.

More information
“Activity states” (page 314)

26.4 Managing email notifications

The appliance online help provides information about using the UI to:
• Configure the appliance for email notification of alerts.
• Add an email recipient and filter.
• Edit an email recipient and filter entry.
• Enable or disable an email recipient and filter.
• Clear an alert.
• Delete an email recipient and filter entry.

26.5 About email notification of alert messages

This feature notifies specified recipients when a certain alert occurs.

When this feature is configured and enabled, the appliance performs these steps in addition to posting the alert:
• The appliance compares the alert to configured search criteria.
• If the alert matches, it creates an email message containing the text of the alert.
• The appliance sends the email message to designated recipients in both plain text and HTML MIME types. Sending in both types allows the recipient’s mail application to determine the display.

You can enable or disable this email notification feature, or you can enable or disable individual filter notifications, as required.
The appliance provides for as many as 100 recipient and filter combinations, and allows as many as 50 recipients in a single email message. This flexibility lets you fine-tune which alert messages are sent and to whom. For example, you can configure the appliance to send Warning alerts to one recipient and Critical alerts to another. You can verify the configuration by sending test messages.

26.6 Configure the appliance for email notification of alerts

Use this procedure to configure the appliance for sending email messages of alerts. Later, you can add, edit, or delete entries for recipients or filters.

NOTE: Email notification filters can only be configured for alert messages.

Prerequisites
• Minimum required privileges: Infrastructure administrator

Configuring the appliance for email notification of alerts

1. From the main menu, navigate to the Settings screen.
2. Locate the Notifications panel and click .
3. Supply the data requested in the Email panel of the Edit Notifications screen:
   NOTE: The SMTP server is automatically determined from the domain name in the email address for the appliance. If you need to specify the SMTP settings, click SMTP options to supply them.
4. Proceed to add one or more entries.

26.7 Using the Dashboard screen

26.7.1 Learning about the Dashboard

The charts on the Dashboard provide a visual representation of the general health and status of the appliance and managed resources in your data center. From the Dashboard, you can immediately see resources that need your attention. For direct access to resources needing your attention, click the resource name.

Each time you log in to the appliance, the Dashboard is the first screen you see. Select Dashboard from the main menu any time you want to see the Dashboard charts.

The Dashboard displays status of the most relevant resources that are associated with assigned user roles.
If you are assigned multiple roles, such as Network and Storage roles, the default dashboard displays the combination of resources that each role would see on the dashboard.

You can customize your Dashboard display by adding, deleting, and moving resource panels.

26.7.2 Dashboard screen details

IMPORTANT: The Dashboard is blank the first time you log in to the appliance because you have not yet configured any resources. If this is the first time you are logging in to the appliance, see “Quick Start: Initial configuration of HPE OneView” (page 127) to define your data center environment and bring your infrastructure under appliance management.

Hover your pointer over a chart slice to view the count of resource instances being represented by that slice. If you hover over a different slice in the same chart, the text and count displayed in the center of the chart changes. Click on a slice to be taken to the resource page filtered by the status or value associated with the slice.

If you view the Dashboard on a narrow screen, the charts are arranged vertically for resources with multiple charts, and you can use the scroll bar to navigate to each chart.

The Dashboard displays the following chart types:

Chart type: Description
• Status: A Status chart summarizes health status. The number displayed next to the resource name indicates the total number of resource instances known to the appliance. To learn more, click the resource name to display the resource's main screen and view detailed health and status information. On a Status chart, a dark-gray chart slice indicates the number of resources that are not reporting information because they are either disabled or are not being managed by the appliance. To filter the view of a resource based on its status, click the status icon. To learn more about health status and severity icons, see “Icon descriptions” (page 87).
• Servers with profiles: The Servers with profiles chart reports the count of server hardware instances with server profiles assigned to them. If the chart is not solid blue, hover your pointer over the light-gray chart slice to see the count of servers without server profile assignments.
• Blade bays: The Blade bays chart reports the count of server hardware instances in all managed enclosure bays. If the chart is not solid blue, hover your pointer over the light-gray chart slice to see the count of empty enclosure bays.

26.7.3 How to interpret the Dashboard charts

Dashboard chart colors help you to quickly interpret the reported data.

Table 14 Dashboard chart colors

Color: Indication
• Green: A healthy status
• Yellow: An event has occurred that might require your attention
• Red: A critical condition requires your immediate attention
• Blue: For a status graph, the resource instances that match the data being measured (a solid blue chart indicates 100%). For custom graphs, there may be different shades of blue, each representing a different value for an attribute.
• Light gray: The resource instances that do not match the data being measured (used in combination with blue to total 100%)
• Dark gray: Resource instances reporting status other than OK, Warning, or Critical, that is, they are Disabled or Unknown

Status icons

To assist you in identifying resources that are not in a healthy state, status icons indicate the number of resources with a status of OK, Warning, or Critical. You can select a status icon to view the resource’s main screen, with resource instances filtered by that status, or click on the donut slice of the same color. If no resources are defined or if no resource instances are detected with a particular status (indicated by the number zero), the associated icon is nearly colorless (very pale gray).
To learn how to interpret the data displayed on the charts, see the numbered descriptions that appear after the figure.

Figure 20 Dashboard sample

1. Click a resource name to view the resource’s main screen for more information. The adjacent number identifies how many instances of that resource are being managed by the appliance. In this example, three enclosures have been added to the appliance, and one is in a healthy status.
2. When you hover your pointer over a dashboard panel, additional icons appear as shown on the Enclosures panel.
   • The remove or delete (x) icon removes the panel from the dashboard.
   • The move cursor allows you to move the panel to a different position on the dashboard.
   • For custom panels, the edit icon also appears, which allows you to edit a custom panel.
3. The sample chart for the Interconnects resource shows a total of seven interconnects of which four are in a Critical state and the other three are reporting a healthy status. Click the Critical status icon to open the Interconnects screen to begin investigating the cause.
4. On a Status chart, a dark-gray slice represents the count of resources that are not reporting status information because the resource is disabled or the status is not known. The sample chart for the Server Hardware resource shows a total of 30 instances of server hardware, of which 14 are either disabled or are unknown devices. Hover your pointer over the dark-gray chart slice to see a count of server hardware instances with a Disabled and Unknown status.
5. The icon enables you to customize your dashboard by adding custom or pre-defined panels. See “Customizing the dashboard” (page 319) to learn more about customizing panels.
6. The Ethernet Networks chart illustrates a customized panel where a user has defined the number of Ethernet networks assigned to that user. For more examples, see “Customizing the dashboard” (page 319).
7. The Storage Pools chart reports the state of storage pools that are being managed by the appliance, if any. See “About storage pools” (page 261) to learn more about storage pools.
8. The Appliance Alerts area summarizes important appliance-related alerts, typically about backup and licensing issues. Alerts related to other resources are not included here. If one appliance alert is detected, the alert text appears here. For multiple alerts, the number of alerts is shown, and you can click Appliance to go directly to the Activity screen for a filtered view of all appliance-related alerts. See “About Activity” (page 311) to learn more about alerts.

26.7.4 Customizing the dashboard

You can customize the dashboard to show panels that interest you.
• You can select from a set of pre-defined panels such as Unassigned Alerts or Server Profiles.
• You can create or edit your own custom panel by selecting the data you want to view through the use of dashboard queries.
• You can rearrange or move panels on the dashboard to suit your needs.
• You can remove panels that do not interest you.

NOTE: If you want to clear any dashboard customizations and restore the dashboard to the default, see the online help for information on resetting the dashboard.

26.8 Managing remote support

26.8.1 About remote support

Register with Hewlett Packard Enterprise to allow automatic case creation for hardware failures on servers and enclosures and to enable Proactive Care. Once enabled, all eligible devices added in the future will be automatically enabled for remote support.

Eligible devices are Gen8 and newer blades and rack servers and enclosures.

NOTE: Servers must be at iLO 2.1 firmware level or above to be enabled for remote support.

Hewlett Packard Enterprise will contact you to ship a replacement part or send an engineer for devices that are under warranty or support contract.
Remote support enables Proactive Care services including Proactive Scan reports and Firmware/Software Analysis reports with recommendations that are based on collected configuration data.

Remote support is secure. No business data is collected, only device-specific configuration and fault data. All communications are outbound only and use industry standard TLS encryption ensuring confidentiality and integrity of the information.

More information
Remote support doc

26.8.2 About channel partners

The Partner ID uniquely identifies a partner as an HPE Authorized Partner. Hewlett Packard Enterprise is the default channel partner if no other channel partner is assigned.

HPE Authorized Resellers
By enabling remote support, you enable the reseller to access configuration reports and contract warranty reports in Insight Online in the HPE Support Center, as well as configuration details and some contract and warranty details.

HPE Authorized Service Partners
In addition to the above information provided to Authorized Resellers, the Service Partner has access to service event status and reports, with links into the HPE Channel Services Network portal.

26.8.3 About data collection

Basic collection sends configuration information to Hewlett Packard Enterprise for analysis and proactive services in accordance with your warranty and service agreements. This data is transmitted every 30 days. Enclosures only support basic collection.

Active health sends information about the server’s health, configuration, and run-time telemetry to Hewlett Packard Enterprise. This information is used for troubleshooting issues and for closed-loop quality analysis. This data is transmitted every 7 days.

27 Monitoring power and temperature

HPE OneView enables you to monitor the power and temperature of your hardware environment.
Power and temperature monitoring feature overview

The appliance:
• Displays 3D color-coded hardware temperature visualization (UI only)
• Collects and reports power metric statistics
• Collects and reports temperature metric statistics
• Displays utilization statistics using customizable utilization graphs (UI only)

Power and temperature monitoring features by resource

• Data Centers
  ◦ Color-coded temperature visualization of racks and the server hardware in them
• Enclosures and Server Hardware
  ◦ Alerts for degraded and critical temperature and power
  ◦ Proactive analysis and alerting for power configuration errors
  ◦ Utilization graphs for power and temperature statistics
• Power Delivery Devices
  ◦ Alerts on power thresholds
  ◦ Proactive analysis and alerting for power configuration errors
  ◦ Utilization graphs for power and temperature statistics
• Racks
  ◦ Proactive analysis and alerting for power configuration errors
  ◦ Utilization graphs for power and temperature statistics

27.1 Monitoring power and temperature with the UI

The Data Centers screen provides a 3D visualization of your hardware environment, and uses a color-coded system to display temperature data for your hardware.

The Utilization panel and Utilization graphs display utilization power and temperature statistics via the Utilization view on the Enclosures, Interconnects (utilization graphs only), Power Delivery Devices, Racks, and Server Hardware screens.

27.1.1 Monitoring data center temperature

The Data Centers resource provides a visualization of the racks in your data center and displays their peak temperature using a color-coded system. To enable this, you must first specify the physical positions of your racks and the position of the components in them using the Data Centers resource.

You can use temperature visualization to identify over-cooled areas of your data center. You can close vent tiles in areas that have low peak temperatures to increase airflow to areas that have insufficient cooling. If the entire data center is over-cooled, you can raise the temperature to save on cooling costs.

Prerequisites
• Required privileges: Server administrator.
• You have created a data center and positioned your racks in it.
• The placement of racks in your data center accurately depicts their physical locations.
• You have specified a thermal limit for your rack using the Racks screen, if your policy dictates a limit (optional).

Temperature collection and visualization details
• The visualization displays peak rack temperature using a color-coded system. The rack is colored based on the highest peak temperature (over the last 24 hours) of the device in the rack with the highest peak temperature recorded (of devices which support ambient temperature history reporting).
• Temperatures are determined using the temperature utilization data collected from each device.
• Background data collection occurs at least once a day, so the reported peak temperature for a rack will be within the past 48 hours.
• Racks without an observed peak temperature within 48 hours are depicted without color coding (gray).

Figure 21 3D data center visualization

27.1.1.1 Manipulating the view of the data center visualization

You can zoom in or zoom out and adjust the viewing angle of the data center from the Overview view or Layout view of the Data Centers screen.

Prerequisites
• Required privileges: Server administrator

NOTE: The data center view controls do not appear in the Layout panel of the Overview view until you hover your pointer over the panel.

Manipulating the view of the data center visualization

To change the data center view, do one or more of the following:
• Move the horizontal slider left to zoom in and right to zoom out.
• Move the vertical slider up and down to change the vertical viewing angle.
• Click and drag the rotation dial to change the horizontal viewing angle.

27.1.2 Monitoring power and temperature utilization

Utilization statistics for power and temperature are displayed on:
• The Utilization panel
• Utilization graphs in the Utilization view

27.1.2.1 About the Utilization panel

The Enclosures, Power Delivery Devices, Racks, Server Hardware, and Storage Systems screens display a Utilization panel in the Overview for each resource.

The possible states of the Utilization panel are:

Panel contents, with the reason for each:
• Utilization meters display utilization data. Reason: The appliance has collected data and it is being displayed.
• A licensing message is displayed. Reason: Server hardware without an iLO Advanced license will not display utilization data.
• no data is displayed. Reason: The appliance has not collected data during the previous 24 hours.
• not set is displayed (a gray meter with hash marks). Reason: The meter might not be set for the following reasons:
  ◦ The page is loading and the data is not yet available.
  ◦ There is no utilization data prior to the most recent 5 minute collection period. There may be historic data in the utilization graphs.
  ◦ Enclosures will not display temperature data if none of the servers are powered on.
  ◦ Racks will not display data if there are no devices mounted on the rack and the rack thermal limit is not set.
• not supported is displayed. Reason: Utilization data gathering is not supported on the device.

See the online help for Utilization for more information.

27.1.2.2 About utilization graphs and meters

The appliance gathers and reports CPU, power consumption, temperature, and capacity data for certain resources via utilization graphs and utilization meters.

NOTE: The minimum data collection interval is 5 minutes (averaged) and the maximum is one hour (averaged).
Utilization graphs can display a range of data up to a maximum of three years.

Table 15 Utilization statistics gathered by resource

Utilization metric Resource Power Temperature Custom Enclosures ✓ ✓ ✓ Racks ✓ ✓ Power Delivery Devices ✓ Server Hardware CPU ✓ ✓ Storage Systems ✓ Capacity ✓ ✓

NOTE: You can use the Interconnects screen to view utilization graphs that display data transfer statistics for interconnect ports. See the online help for the Interconnects screen.

Utilization statistics and licensing

Utilization statistics and graphs are disabled for server hardware that does not have an iLO license assigned. See “About licensing” (page 179) to learn more.

If utilization is disabled, the Utilization panel displays a message stating the reason it is disabled in the details pane for the unlicensed resource.

Utilization graphs

1. Primary graph: The large primary utilization graph displays metric data (vertical axis) for your devices over an interval of time (horizontal axis) using a line to graph data points.
2. Horizontal axis: The horizontal axis on the primary utilization graph depicts the time interval for the data being displayed, with the most recent interval data on the right. The minimum time interval is two minutes and the maximum is five days.
3. Vertical axis: The vertical axis on the primary utilization graph depicts the interval for the metric displayed in the corresponding unit of measurement down the left side of the graph. The interval for each unit of measurement is fixed and cannot be changed. Graphs that display two metrics with different units of measurement have a second interval down the right side of the graph. The measurement value at the top of the graph represents the maximum utilization capacity for a given metric.
4. Navigation graph: The navigation graph below the primary graph displays the maximum time interval of available data.
Use the navigation graph to select the time interval you want to display in the primary graph by highlighting the interval with your pointing device.

See the online help for more information on creating a custom utilization graph and how to change the level of detail that the graph displays.

27.2 REST API power and temperature monitoring

27.2.1 Update enclosure power capacity settings

To update the enclosure capacity settings, perform a PUT operation that includes only the calibratedMaxPower attribute. View the enclosure capacity settings attributes by using a GET operation, edit the calibratedMaxPower attribute, and then perform a PUT operation that includes only the edited calibratedMaxPower attribute.

Prerequisites
• Minimum required session ID privileges: Server administrator

Updating enclosure capacity settings using REST APIs
1. Select an enclosure URI.
   GET /rest/enclosures
2. Get the enclosure capacity using the URI from step 1.
   GET {enclosure URI}/environmentalConfiguration
3. Edit the enclosure capacity.
   The only attribute to send in the request body is calibratedMaxPower. Do not send all attributes from the GET operation.
4. Update the enclosure capacity.
   PUT {enclosure URI}/environmentalConfiguration

27.2.2 Update server hardware power capacity settings

To update server hardware capacity settings, perform a PUT operation that includes only the calibratedMaxPower attribute. View server hardware capacity settings attributes by using a GET operation, edit the calibratedMaxPower attribute, and then perform a PUT operation that includes only the edited calibratedMaxPower attribute.

Prerequisites
• Minimum required session ID privileges: Server administrator

Updating server hardware capacity settings using REST APIs
1. Select a server hardware URI.
   GET /rest/server-hardware
2. Get the current server hardware capacity using the URI from step 1.
   GET {server hardware URI}/environmentalConfiguration
3. Edit the server hardware capacity.
   The only attribute to send in the request body is calibratedMaxPower. Do not send all attributes from the GET operation.
4. Update the server hardware capacity.
   PUT {server hardware URI}/environmentalConfiguration

28 Using a message bus to send data to subscribers

28.1 About accessing HPE OneView message buses

HPE OneView supports asynchronous messaging to notify subscribers of changes to managed resources, both logical and physical, and changes to metrics on managed resources. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes, and you can stream power, thermal and CPU metrics for managed resources.

Using HPE OneView REST APIs, you can obtain certificates to access the two message buses described in this chapter: the State-Change Message Bus and the Metric Streaming Message Bus. The message content is sent in JSON (JavaScript Object Notation) format and includes the resource model.

Before you can set up subscription to messages, you must create and download an AMQP (Advanced Message Queuing Protocol) certificate from the appliance using REST APIs. Next, you connect to the message bus using the EXTERNAL authentication mechanism with or without specifying a user name and password. This ensures that you use certificate-based authentication between the message bus and your client. After connecting to the message bus, you set up a queue with the queue name empty, and AMQP generates a unique queue name. You use this queue name to bind your client to exchanges and receive messages.

To connect to the message bus and set up a queue, you must use a client that supports AMQP.
28.2 Using the State-Change Message Bus (SCMB)

28.2.1 Connect to the SCMB

Prerequisites
• Minimum required session ID privileges: Infrastructure administrator

To use the SCMB, you must do the following tasks:
• Use REST APIs to create and download an Advanced Message Queuing Protocol (AMQP) certificate from the appliance.
• Connect to the SCMB using one or both of these methods:
  ◦ Use the “EXTERNAL” authentication mechanism
  ◦ Connect without sending a user name and password
  Using one of these methods ensures that certificate-based authentication is used.
• Set up a queue with an empty queue name. AMQP generates a unique queue name. You use this queue name to bind to exchanges and receive messages.

Create and download the AMQP client certificate

Creating and downloading the client certificate, private key, and root CA certificate
1. Create the certificate.
   POST /rest/certificates/client/rabbitmq
   Request body: {"type":"RabbitMqClientCertV2","commonName":"default"}
2. Download the certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
3. Download the root CA certificate.
   GET /rest/certificates/ca
4. After you connect the client to the SCMB, you can “Set up a queue to connect to the HPE OneView SCMB exchange” (page 328)

Figure 22 Connecting the client to the SCMB
1 The SCMB consumer requests a client certificate as part of the registration process.
2 The appliance manages the client certificates in a JKS (Java KeyStore) file.
3 The appliance issues a client certificate to the SCMB consumer.
4 The SCMB client provides an SSL client certificate to create a connection with the appliance.
5 The appliance can revoke the SCMB client certificate to deny access to the SCMB client. The client is managed into a CRL (Certificate Revocation List) file.
6 The appliance authenticates the SCMB client using the client certificate.
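The download steps above return the client certificate and private key as PEM text inside the REST response body, with line breaks encoded as \n. As an added example that is not part of the HPE guide, this Python helper pulls the two PEM blocks out of a saved response, restores the line breaks, and writes the private key readable by its owner only. The sample response, its field names and the helper names are constructed for illustration; client.pem and key.pem are the file names used by the Python instructions later in this guide.

```python
import base64
import binascii
import os
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def extract_pem_blocks(response_text):
    """Return {label: [pem_text, ...]} for every well-formed PEM block found."""
    # The response carries line breaks as the two characters backslash + n;
    # turn them into real line breaks before looking for blocks.
    text = response_text.replace("\\r\\n", "\n").replace("\\n", "\n")
    blocks = {}
    for found in PEM_BLOCK.finditer(text):
        label, body = found.group(1), found.group(2)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if not lines:
            raise ValueError("PEM block %r is empty" % label)
        try:
            base64.b64decode("".join(lines), validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("PEM block %r is not valid base64 (truncated paste?)" % label)
        pem = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
        blocks.setdefault(label, []).append(pem)
    return blocks


def _write(path, text, mode):
    # Create the file with its final permissions so the key is never
    # readable by other users, even briefly; tighten an existing file too.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    os.chmod(path, mode)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)


def save_keypair(response_text, directory):
    """Write client.pem and key.pem; refuse anything but one cert and one key."""
    blocks = extract_pem_blocks(response_text)
    certs = blocks.get("CERTIFICATE", [])
    keys = blocks.get("RSA PRIVATE KEY", [])
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError("expected one certificate and one private key, found %d and %d"
                         % (len(certs), len(keys)))
    paths = {"cert": os.path.join(directory, "client.pem"),
             "key": os.path.join(directory, "key.pem")}
    _write(paths["cert"], certs[0], 0o644)
    _write(paths["key"], keys[0], 0o600)
    return paths


def _constructed_pem(label, payload):
    # Builds a fake PEM block with literal backslash-n separators.
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\\n%s\\n-----END %s-----\\n" % (label, b64, label)


# Constructed sample, not a real appliance response; field names are made up.
SAMPLE_RESPONSE = '{"constructedCertField": "%s", "constructedKeyField": "%s"}' % (
    _constructed_pem("CERTIFICATE", b"constructed certificate bytes, not a real certificate"),
    _constructed_pem("RSA PRIVATE KEY", b"constructed key bytes, not a real key"),
)

if __name__ == "__main__":
    import tempfile
    written = save_keypair(SAMPLE_RESPONSE, tempfile.mkdtemp())
    for kind, path in sorted(written.items()):
        print("%s -> %s (mode %o)" % (kind, path, os.stat(path).st_mode & 0o777))
```

The check for exactly one certificate and one key catches a paste that dropped a BEGIN or END line before the files reach an AMQP client.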
28.2.2 Set up a queue to connect to the HPE OneView SCMB exchange

The state change messages are published to the HPE OneView SCMB exchange name. To subscribe to messages, you must create a queue or connect to an existing queue that receives messages from the SCMB exchange based on a routing key. When you create a queue, you define the routing key associated with the queue to receive specific messages.

NOTE: The routing key is case sensitive. The change-type requires an initial capital letter. The resource-category and resource-uri are lower-case. For example, if you set the change-type in the routing key to created instead of Created, you do not receive any messages.

The routing key syntax is:

    scmb.resource-category.change-type.resource-uri

where:
scmb: The HPE OneView exchange name.
resource-category: The category of resource. For a complete list of resources, see the HPE OneView REST API Reference chapter in the online help.
change-type: The type of change that is reported. Valid values are Created, Updated, and Deleted.
resource-uri: The URI of the specific resource associated with the state-change message.

NOTE: The task resources routing key syntax is scmb.resource-category and does not use change-type and resource-uri. To receive messages about all task resources:
• scmb.#
• scmb.tasks

Sample queues

Subscription | Example
Receive all SCMB messages for physical servers | scmb.server-hardware.#
Receive all messages for created connections | scmb.connections.Created.#
Receive all messages for the enclosure with the URI /rest/enclosures/Enc1234 | scmb.enclosures.*./rest/enclosures/Enc1234
Receive all created messages (for all resource categories and types) | scmb.*.Created.#

NOTE: To match everything after a specific point in the routing key, use the # character. This example uses # in place of resource-uri. The message queue receives all server-hardware resource URIs.

NOTE: To match everything for an individual field in the routing key, use the asterisk (*). This example uses * in place of change-type. The message queue receives all change types: Created, Updated, and Deleted.

28.2.3 JSON structure of message received from the SCMB

The following table lists the attributes included in the JSON payload of each message from the SCMB. The resource model for the HPE OneView resource is included in the resource attribute. To view all resource models, see the HPE OneView REST API Reference chapter in the online help.

Attribute | Data type | Description
resourceUri | String | The URI for the resource.
changeType | String | The state-change type: Created, Updated, or Deleted. For details, see “ChangeType values” (page 330).
newState | String | The new state of the resource.
eTag | String | The ETag for the resource when the state change occurred.
timestamp | String | The time the message was sent.
newSubState | String | If substate messages are required (for substate machines associated with a primary state), this is the resource-specific substate.
resource | Object | The resource model.
associatedTask | String | If a task is not associated with this message, the value is null.
userInitiatedTask | String | The value of the userInitiated attribute included in the associatedTask attribute.
changedAttributes | Array | A list of top-level attributes that have changed based on the POST or PUT call that caused the state-change message to be sent.
data | Object | Additional information about the resource state change.

ChangeType values

ChangeType value | Description
Created | The resource is created or is added to HPE OneView.
Updated | The resource state, attributes, or both are updated.
Deleted | The resource is permanently removed from HPE OneView.
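An added example (not part of the HPE guide): an offline check of the routing-key rules from section 28.2.2 and of the payload attributes tabulated above, useful for confirming that a narrow binding delivers only what a consumer needs before it replaces the catch-all scmb.#. It assumes standard AMQP topic semantics (* is exactly one dot-separated word, # is zero or more) and that a message's routing key agrees with its payload; the function names and the sample message are constructed.

```python
import json
from functools import lru_cache

CHANGE_TYPES = {"Created", "Updated", "Deleted"}  # values listed on this page


def topic_matches(binding, routing_key):
    """AMQP topic match of a binding pattern against a message routing key."""
    pattern = binding.split(".")
    words = routing_key.split(".")

    @lru_cache(maxsize=None)
    def match(i, j):
        if i == len(pattern):
            return j == len(words)
        if pattern[i] == "#":
            # '#' either consumes nothing, or consumes one word and stays put
            return match(i + 1, j) or (j < len(words) and match(i, j + 1))
        if j == len(words):
            return False
        if pattern[i] == "*" or pattern[i] == words[j]:  # case-sensitive compare
            return match(i + 1, j + 1)
        return False

    return match(0, 0)


def bindings_delivering(bindings, routing_key):
    """Return the subset of bindings that would deliver this routing key."""
    return [b for b in bindings if topic_matches(b, routing_key)]


def check_message(routing_key, body):
    """Return a list of problems in one delivered message (empty list = accept)."""
    try:
        msg = json.loads(body)
    except ValueError as exc:
        return ["payload is not valid JSON: %s" % exc]
    if not isinstance(msg, dict):
        return ["payload is not a JSON object"]
    problems = []
    for name in ("resourceUri", "changeType", "timestamp", "resource"):
        if name not in msg:
            problems.append("missing attribute %s" % name)
    change_type = msg.get("changeType")
    if not isinstance(change_type, str) or change_type not in CHANGE_TYPES:
        problems.append("unexpected changeType %r" % (change_type,))
    # Assumption: scmb.resource-category.change-type.resource-uri mirrors the payload.
    parts = routing_key.split(".", 3)
    if len(parts) == 4:
        _, _category, key_change, key_uri = parts
        if key_change != change_type:
            problems.append("routing key and payload disagree on changeType")
        if key_uri != msg.get("resourceUri"):
            problems.append("routing key and payload disagree on resourceUri")
    return problems


# Constructed sample message, modelled on the attribute table above.
SAMPLE_KEY = "scmb.enclosures.Created./rest/enclosures/123xyz"
SAMPLE_BODY = json.dumps({
    "resourceUri": "/rest/enclosures/123xyz",
    "changeType": "Created",
    "newState": "Managed",
    "timestamp": "2013-07-10T18:30:44Z",
    "resource": {"category": "enclosures"},
})

# Bindings from the sample-queue table, plus the lower-case mistake from the NOTE.
PAGE_BINDINGS = [
    "scmb.server-hardware.#",
    "scmb.connections.Created.#",
    "scmb.enclosures.*./rest/enclosures/Enc1234",
    "scmb.*.Created.#",
    "scmb.*.created.#",
    "scmb.#",
]

if __name__ == "__main__":
    print("delivered by:", bindings_delivering(PAGE_BINDINGS, SAMPLE_KEY))
    print("problems:", check_message(SAMPLE_KEY, SAMPLE_BODY))
```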
Example 2 JSON example

    {
        "resourceUri" : "/rest/enclosures/123xyz",
        "changeType" : "Created",
        "newState" : "Managed",
        "eTag" : "123456",
        "timestamp" : "2013-07-10T18:30:44Z",
        "newSubState" : "null",
        "resource" : {
            "category" : "enclosures",
            "created" : "2013-07-10T18:30:00Z",
            ...
        },
        "associatedTask" : "/rest/tasks/4321",
        "userInitiatedTask" : "true",
        "changedAttributes" : [],
        "data" : {}
    }

28.2.4 Example to connect and subscribe to SCMB using .NET C#

Prerequisites

In addition to completing the prerequisites, you must complete the example-specific prerequisites before using the .NET C# examples.

To use the .Net C# examples, add the following to the Windows certificate store:
• CA root certificate
• Client certificate
• Private key

To try the .Net C# examples, do the following:
1. Download the root CA certificate.
   GET /rest/certificates/ca
2. Save the contents in the response body into a text file named rootCA.crt. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes.
3. Import the rootCA.crt file into the Windows certificate store under Trusted Root Certification Authorities.
4. Download the client certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
5. Save the contents of the client certificate and private key in the response body into a text file named scmb.crt. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- for the client certificate. Next, copy and paste everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- for the private key. You must include the dashes, but do not include the quotes.

Example 3 Using .Net C# to directly reference client certificate

Convert the client certificate and private key to PKCS format for .Net.
    openssl.exe pkcs12 -passout pass:default -export -in scmb.crt -out scmb.p12

Example

    using RabbitMQ.Client;
    using RabbitMQ.Client.Events;
    using RabbitMQ.Client.MessagePatterns;

    public void Connect()
    {
        string exchangeName = "scmb";
        string hostName = "OneView.domain";
        string queueName = "";
        string routingKey = "scmb.#";

        ConnectionFactory factory = new ConnectionFactory();
        // EXTERNAL: the client is authenticated by its TLS certificate.
        factory.AuthMechanisms = new RabbitMQ.Client.AuthMechanismFactory[] { new ExternalMechanismFactory() };
        factory.HostName = hostName;
        factory.Port = 5671;
        factory.Ssl.CertPath = @".\scmb.p12";
        factory.Ssl.CertPassphrase = "default";
        factory.Ssl.ServerName = hostName;
        factory.Ssl.Enabled = true;

        IConnection connection = factory.CreateConnection();
        IModel model = connection.CreateModel();

        // An empty queue name makes AMQP generate a unique queue name.
        queueName = model.QueueDeclare(queueName, false, false, false, null);
        model.QueueBind(queueName, exchangeName, routingKey, null);

        using (Subscription sub = new Subscription(model, queueName))
        {
            foreach (BasicDeliverEventArgs ev in sub)
            {
                DoSomethingWithMessage(ev);
                sub.Ack();
            }
        }
    }

Example 4 Using .Net C# to import certificate to Microsoft Windows certificate store

Import the scmb.crt into your preferred Windows certificate store.
Example

    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using RabbitMQ.Client;
    using RabbitMQ.Client.Events;
    using RabbitMQ.Client.MessagePatterns;

    public void Connect()
    {
        string exchangeName = "scmb";
        string hostName = "OneView.domain";
        string queueName = "";
        string routingKey = "scmb.#";
        string userName = "rabbitmq_readonly";

        // Look up the client certificate by subject name in the Windows store.
        X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        X509Certificate cert = store.Certificates
            .Find(X509FindType.FindBySubjectName, userName, false)
            .OfType<X509Certificate>()
            .First();

        ConnectionFactory factory = new ConnectionFactory();
        // EXTERNAL: the client is authenticated by its TLS certificate.
        factory.AuthMechanisms = new RabbitMQ.Client.AuthMechanismFactory[] { new ExternalMechanismFactory() };
        factory.HostName = hostName;
        factory.Port = 5671;
        factory.Ssl.Certs = new X509CertificateCollection(new X509Certificate[] { cert });
        factory.Ssl.ServerName = hostName;
        factory.Ssl.Enabled = true;

        IConnection connection = factory.CreateConnection();
        IModel model = connection.CreateModel();

        // An empty queue name makes AMQP generate a unique queue name.
        queueName = model.QueueDeclare(queueName, false, false, false, null);
        model.QueueBind(queueName, exchangeName, routingKey, null);

        using (Subscription sub = new Subscription(model, queueName))
        {
            foreach (BasicDeliverEventArgs ev in sub)
            {
                DoSomethingWithMessage(ev);
                sub.Ack();
            }
        }
    }

NOTE: .Net C# code example 2 (Microsoft Windows certificate store) is referencing the Trusted Root Certificate Authorities store, located under Local Computer.
• StoreName.Root = Trusted Root Certificate Authorities
• StoreLocation.LocalMachine = Local Computer

28.2.5 Example to connect and subscribe to SCMB using Java

1. Download the client certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
2. Save the contents of the client certificate in the response body into a text file named default-client.crt. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes.
3. Save the contents of the private key in the response body into a text file named default-client.key.
   You must copy and paste everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, including the dashes, but not including the quotes.
4. Create a PKCS12 keystore from the private key and the public certificate.
   openssl pkcs12 -export -name myclientcert -in default-client.crt -inkey default-client.key -out myclient.p12
5. Convert the PKCS12 keystore into a JKS keystore.
   keytool -importkeystore -destkeystore c:\\MyKeyStore -srckeystore myclient.p12 -srcstoretype pkcs12 -alias myclient

Example 5 Example to connect and subscribe to SCMB using Java

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;
    import com.rabbitmq.client.AMQP.Queue.DeclareOk;
    import com.rabbitmq.client.Channel;
    import com.rabbitmq.client.Connection;
    import com.rabbitmq.client.ConnectionFactory;
    import com.rabbitmq.client.DefaultSaslConfig;
    import com.rabbitmq.client.GetResponse;

    // Wrapper class added so the fragment compiles; the class name is arbitrary.
    public class ScmbExample {
        public static void main(String[] args) throws Exception {
            //c://MyKeyStore contains client certificate and private key. Load it into Java Keystore
            final char[] keyPassphrase = "MyKeyStorePassword".toCharArray();
            final KeyStore ks = KeyStore.getInstance("jks");
            ks.load(new FileInputStream("c://MyKeyStore"), keyPassphrase);
            final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyPassphrase);

            //c://MyTrustStore contains CA certificate. Load it into Java Trust Store
            final char[] trustPassphrase = "MyTrustStorePassword".toCharArray();
            final KeyStore tks = KeyStore.getInstance("jks");
            tks.load(new FileInputStream("c:\\MyTrustStore"), trustPassphrase);
            final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(tks);

            //load SSLContext with keystore and truststore.
            final SSLContext c = SSLContext.getInstance("SSL");
            c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

            final ConnectionFactory factory = new ConnectionFactory();
            factory.setHost("192.168.2.144");
            //Set Auth mechanism to "EXTERNAL" so that commonName of the client certificate is
            //mapped to AMQP user name. Hence, no need to set userId/Password here.
            factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
            factory.setPort(5671);
            factory.useSslProtocol(c);

            final Connection conn = factory.newConnection();
            final Channel channel = conn.createChannel();

            //do not specify queue name. AMQP will create a queue with random name
            //starting with amq.gen* e.g. amq.gen-32sfQz95QJ85K_lMBhU6HA
            final DeclareOk queue = channel.queueDeclare("", true, false, true, null);

            //Now get the queue name from above call and bind it to required Exchange
            //with required routing key.
            channel.queueBind(queue.getQueue(), "scmb", "scmb.#");

            //Now you should be able to receive messages from queue
            final GetResponse chResponse = channel.basicGet(queue.getQueue(), false);
            if (chResponse == null) {
                System.out.println("No message retrieved");
            } else {
                final byte[] body = chResponse.getBody();
                System.out.println("Received: " + new String(body));
            }

            channel.close();
            conn.close();
        }
    }

28.2.6 Examples to connect and subscribe to SCMB using Python

The Python code examples show how to connect and subscribe to the SCMB. For more information about Python (Pika AMQP client library and AMQP client library), see http://pika.readthedocs.org/, http://www.python.org/, and https://pypi.python.org/pypi/amqplib/.

28.2.6.1 Installation

1. Install the pika and amqp libraries.
   a. Download and install the setuptools (Python setup.py install) at https://pypi.python.org/pypi/setuptools#downloads.
   b. Install the pika tools. When you install the pika or amqp libraries, run the same python setup.py install command from the downloaded pika or amqp directory.
2. Create the certificate.
   POST /rest/certificates/client/rabbitmq
   Request body: {"type":"RabbitMqClientCertV2","commonName":"default"}
3. Download the client certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
4. Save the contents of the client certificate in the response body into a text file named client.pem. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with CR/LF (carriage return / line feed).
5.
Save the contents of the private key in the response body into a text file named key.pem. You must copy and paste everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, including the dashes, but not including the quotes. You must replace all instances of \n with CR/LF (carriage return / line feed).
6. Download the root CA certificate.
   GET /rest/certificates/ca
7. Save the contents in the response body into a text file named caroot.pem. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with CR/LF (carriage return / line feed).

28.2.6.2 Pika

Example 6 Pika example

When you invoke the script, you must pass --host={hostname or IP}. See the following examples:
• --host=192.168.1.1
• --host=my-appliance.example.com

IMPORTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again.

    import pika, ssl
    from optparse import OptionParser
    from pika.credentials import ExternalCredentials
    import json
    import logging

    logging.basicConfig()

    ###############################################
    # Callback function that handles messages
    def callback(ch, method, properties, body):
        msg = json.loads(body)
        timestamp = msg['timestamp']
        resourceUri = msg['resourceUri']
        resource = msg['resource']
        changeType = msg['changeType']

        print ("")
        print ("%s: Message received:" %(timestamp))
        print ("Routing Key: %s" %(method.routing_key))
        print ("Change Type: %s" %(changeType))
        print ("Resource URI: %s" %(resourceUri))
        print ("Resource: %s" %(resource))

    # Pem Files needed, be sure to replace the \n returned from the APIs with CR/LF
    # caroot.pem - the CA Root certificate - GET /rest/certificates/ca
    # client.pem, first POST /rest/certificates/client/rabbitmq Request body: {"type":"RabbitMqClientCertV2","commonName":"default"}
    # GET /rest/certificates/client/rabbitmq/keypair/default
    # client.pem is the key with -----BEGIN CERTIFICATE-----
    # key.pem is the key with -----BEGIN RSA PRIVATE KEY-----

    # Setup our ssl options
    ssl_options = ({"ca_certs": "caroot.pem",
                    "certfile": "client.pem",
                    "keyfile": "key.pem",
                    "cert_reqs": ssl.CERT_REQUIRED,
                    "server_side": False})

    parser = OptionParser()
    parser.add_option('--host', dest='host',
                      help='Pika server to connect to (default: %default)',
                      default='localhost',
                      )
    options, args = parser.parse_args()

    # Connect to RabbitMQ
    host = options.host
    print ("Connecting to %s:5671, to change use --host hostName " %(host))
    connection = pika.BlockingConnection(
        pika.ConnectionParameters(
            host, 5671, credentials=ExternalCredentials(),
            ssl=True, ssl_options=ssl_options))

    # Create and bind to queue
    EXCHANGE_NAME = "scmb"
    ROUTING_KEY = "scmb.#"

    channel = connection.channel()
    result = channel.queue_declare()
    queue_name = result.method.queue
    channel.queue_bind(exchange=EXCHANGE_NAME, queue=queue_name, routing_key=ROUTING_KEY)
    channel.basic_consume(callback, queue=queue_name, no_ack=True)

    # Start listening for messages
    channel.start_consuming()

28.2.6.3 AMQP

Example 7 AMQP example

When you invoke the script, you must pass --host={hostname or IP}. See the following examples:
• --host=192.168.1.1
• --host=my-appliance.example.com

IMPORTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again.

    #!/usr/bin/env python
    from optparse import OptionParser
    from functools import partial
    from ssl import CERT_REQUIRED
    import amqplib.client_0_8 as amqp

    def callback(channel, msg):
        for key, val in msg.properties.items():
            print ('%s: %s' % (key, str(val)))
        for key, val in msg.delivery_info.items():
            print ('> %s: %s' % (key, str(val)))

        print ('')
        print (msg.body)
        print ('-------')
        print (msg.delivery_tag)
        channel.basic_ack(msg.delivery_tag)

        #
        # Cancel this callback
        #
        if msg.body == 'quit':
            channel.basic_cancel(msg.consumer_tag)

    def main():
        parser = OptionParser()
        parser.add_option('--host', dest='host',
                          help='AMQP server to connect to (default: %default)',
                          default='localhost',
                          )
        options, args = parser.parse_args()
        host = options.host+":5671"

        # Pem Files needed, be sure to replace the \n returned from the APIs with CR/LF
        # caroot.pem - the CA Root certificate - GET /rest/certificates/ca
        # client.pem, first POST /rest/certificates/client/rabbitmq Request body: {"type":"RabbitMqClientCertV2","commonName":"default"}
        # GET /rest/certificates/client/rabbitmq/keypair/default
        # client.pem is the key with -----BEGIN CERTIFICATE-----
        # key.pem is the key with -----BEGIN RSA PRIVATE KEY-----
        #
        ssl_options = ({"ca_certs": "caroot.pem",
                        "certfile": "client.pem",
                        "keyfile": "key.pem",
                        "cert_reqs": CERT_REQUIRED,
                        "server_side": False})

        print ('Connecting to host %s, to change use --host hostName ' %host)
        conn = amqp.Connection(host, login_method='EXTERNAL', ssl=ssl_options)

        print ('Successfully connected, creating and binding to queue')
        ch = conn.channel()
        qname, _, _ = ch.queue_declare()
        ch.queue_bind(qname, 'scmb', 'scmb.#')
        ch.basic_consume(qname, callback=partial(callback, ch))

        print ('Successfully bound to queue, waiting for messages')
        #pyamqp://
        #
        # Loop as long as the channel has callbacks registered
        #
        while ch.callbacks:
            ch.wait()

        ch.close()
        conn.close()

    if __name__ == '__main__':
        main()

28.2.7 Re-create the AMQP client certificate

If you change the appliance name, you must re-create the AMQP client certificate.

Prerequisites
• Minimum required session ID privileges: Infrastructure administrator

Re-creating and downloading the client certificate, private key, and root CA certificate
1. Revoke the certificate.
   DELETE /rest/certificates/ca/rabbitmq_readonly
   Request body is not required.
   NOTE: When you revoke the default client certificate, the appliance re-generates the CA certificate, AMQP server certificate, and the default client certificate.
2. Download the certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
3. Download the root CA certificate.
   GET /rest/certificates/ca

28.3 Using the Metric Streaming Message Bus (MSMB)

The Metric Streaming Message Bus (MSMB) is an interface that uses asynchronous messaging to notify subscribers about the most recent metrics of the managed resources. You can configure the interval and the metrics that you want to receive using the REST APIs.

28.3.1 Connect to the MSMB

Prerequisites

To use the MSMB, you must do the following tasks:
• Use REST APIs to create and download an Advanced Message Queuing Protocol (AMQP) certificate from the appliance.
• Connect to the MSMB using one or both of these methods:
  ◦ Use the “EXTERNAL” authentication mechanism
  ◦ Connect without sending a user name and password
  Using one of these methods ensures that certificate-based authentication is used.
• Set up a queue with an empty queue name. AMQP generates a unique queue name.
  You use this queue name to bind to exchanges and receive messages.

Create and download the AMQP client certificate

Creating and downloading the client certificate, private key, and root CA certificate
1. Create the certificate.
   POST /rest/certificates/client/rabbitmq
   Request body: {"type":"RabbitMqClientCertV2","commonName":"default"}
2. Download the certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
3. Download the root CA certificate.
   GET /rest/certificates/ca
4. After you connect the client to the MSMB, you can “Set up a queue to connect to the HPE OneView MSMB exchange” (page 339).

Figure 23 Connecting the client to the MSMB
1 The MSMB consumer requests a client certificate as part of the registration process.
2 The appliance manages the client certificates in a JKS (Java KeyStore) file.
3 The appliance issues a client certificate to the MSMB consumer.
4 The MSMB client provides an SSL client certificate to create a connection with the appliance.
5 The appliance can revoke the MSMB client certificate to deny access to the MSMB client. The client is managed into a CRL (Certificate Revocation List) file.
6 The appliance authenticates the MSMB client using the client certificate.

28.3.2 Set up a queue to connect to the HPE OneView MSMB exchange

The metric streaming messages are published to the HPE OneView MSMB exchange name. To subscribe to messages, you must create a queue or connect to an existing queue that receives messages from the MSMB exchange based on a routing key. When you create a queue, you define the routing key associated with the queue to receive specific messages.

Exchange Name: msmb
Routing Key: msmb.#

where:
msmb: The HPE OneView exchange name for metric streaming.
Sample queues

Subscription | Example
Receive all MSMB messages for physical servers, enclosures, and power devices | The exchange is msmb. The routing key is msmb.#

Configure metric relay using Metric Streaming configuration API.

28.3.3 JSON structure of message received from the MSMB

The following table lists the attributes included in the JSON payload of each message from the MSMB. The resource model for the HPE OneView resource is included in the resource attribute. To view all resource models, see the HPE OneView REST API Reference chapter in the online help.

Attribute | Data type | Description
resourceUri | String | The URI for the resource.
changeType | String | The state-change type: Created, Updated, or Deleted.
newState | String | The new state of the resource.
eTag | String | The ETag for the resource when the state change occurred.
timestamp | String | The time the message was sent.
newSubState | String | If substate messages are required (for substate machines associated with a primary state), this is the resource-specific substate.
resource | MetricData | The resource model.
associatedTask | String | If a task is not associated with this message, the value is null.
userInitiatedTask | String | The value of the userInitiated attribute included in the associatedTask attribute.
changedAttributes | Array | A list of top-level attributes that have changed based on the POST or PUT call that caused the state-change message to be sent.
data | Object | Additional information about the resource state change.

MetricData

Attribute | Data type | Description
startTime | String | The starting time of the metric collection.
sampleIntervalInSeconds | Integer | Interval between samples.
numberOfSamples | Integer | Number of samples in the list for each metric type.
resourceType | String | Identifies the category of resource. The supported devices are server-hardware, enclosures, and power-devices.
resourceDataList | List | Metric sample list.
uri | String | Canonical URI of the resource.
category | String | Identifies the category of resource. The supported devices are server-hardware, enclosures, and power-devices.
created | Timestamp | Date and time when the resource was created.
modified | Timestamp | Date and time when the resource was last modified.
eTag | String | Entity tag/version ID of the resource, the same value that is returned in the ETag header on a GET of the resource.
type | String | Uniquely identifies the type of the JSON object.

Example 8 Structure of message received from the MSMB

    {
        "eTag": null,
        "resourceUri": "/rest/enclosures/09SGH100X6J1",
        "changeType": "Updated",
        "newState": null,
        "newSubState": null,
        "associatedTask": null,
        "userInitiatedTask": false,
        "changedAttributes": null,
        "data": null,
        "resource": {
            "type": "MetricData",
            "resourceType": "enclosures",
            "resourceDataList": [
                {
                    "metricSampleList": [
                        { "valueArray": [ null ], "name": "RatedCapacity" },
                        { "valueArray": [ 523 ], "name": "AveragePower" },
                        { "valueArray": [ 573 ], "name": "PeakPower" },
                        { "valueArray": [ null ], "name": "PowerCap" },
                        { "valueArray": [ 23 ], "name": "AmbientTemperature" },
                        { "valueArray": [ null ], "name": "DeratedCapacity" }
                    ],
                    "resourceId": "09SGH100X6J1"
                }
            ],
            "numberOfSamples": 1,
            "sampleIntervalInSeconds": 300,
            "startTime": "2014-09-17T08:43:36.294Z",
            "eTag": null,
            "modified": null,
            "created": null,
            "category": "enclosures",
            "uri": "/rest/enclosures/09SGH100X6J1"
        },
        "timestamp": "2014-09-17T08:48:36.819Z"
    }

28.3.4 Example to connect and subscribe to MSMB using .NET C#

Prerequisites

In addition to completing the prerequisites, you must complete the example-specific prerequisites before using the .NET C# examples.

To use the .Net C# examples, add the following to the Windows certificate store:
• CA root certificate
• Client certificate
• Private key

To try the .Net C# examples, do the following:
1. Download the root CA certificate.
   GET /rest/certificates/ca
2. Save the contents in the response body into a text file named rootCA.crt. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes.
3. Import the rootCA.crt file into the Windows certificate store under Trusted Root Certification Authorities.
4. Download the client certificate and private key.
   GET /rest/certificates/client/rabbitmq/keypair/default
5. Save the contents of the client certificate and private key in the response body into a text file named msmb.crt. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- for the client certificate. Next, copy and paste everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- for the private key. You must include the dashes, but do not include the quotes.

Example 9 Using .Net C# to directly reference client certificate

Convert the client certificate and private key to PKCS format for .Net.
    openssl.exe pkcs12 -passout pass:default -export -in msmb.crt -out msmb.p12

Example

    using RabbitMQ.Client;
    using RabbitMQ.Client.Events;
    using RabbitMQ.Client.MessagePatterns;

    public void Connect()
    {
        string exchangeName = "msmb";
        string hostName = "OneView.domain";
        string queueName = "";
        string routingKey = "msmb.#";

        ConnectionFactory factory = new ConnectionFactory();
        // EXTERNAL: the broker authenticates the client by its TLS certificate
        factory.AuthMechanisms = new RabbitMQ.Client.AuthMechanismFactory[] { new ExternalMechanismFactory() };
        factory.HostName = hostName;
        factory.Port = 5671;
        // PKCS #12 file and passphrase produced by the openssl command above
        factory.Ssl.CertPath = @".\msmb.p12";
        factory.Ssl.CertPassphrase = "default";
        // Name the server certificate is checked against
        factory.Ssl.ServerName = hostName;
        factory.Ssl.Enabled = true;

        IConnection connection = factory.CreateConnection();
        IModel model = connection.CreateModel();

        // An empty queue name lets the broker generate one
        queueName = model.QueueDeclare(queueName, false, false, false, null);
        model.QueueBind(queueName, exchangeName, routingKey, null);

        using (Subscription sub = new Subscription(model, queueName))
        {
            foreach (BasicDeliverEventArgs ev in sub)
            {
                DoSomethingWithMessage(ev);
                sub.Ack();
            }
        }
    }

Example 10 Using .NET C# to import certificate to Microsoft Windows certificate store

Import the msmb.crt into your preferred Windows certificate store.
Example

    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using RabbitMQ.Client;
    using RabbitMQ.Client.Events;
    using RabbitMQ.Client.MessagePatterns;

    public void Connect()
    {
        string exchangeName = "msmb";
        string hostName = "OneView.domain";
        string queueName = "";
        string routingKey = "msmb.#";
        string userName = "rabbitmq_readonly";

        // Look up the client certificate by subject name in the Windows certificate store
        X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        X509Certificate cert = store.Certificates
            .Find(X509FindType.FindBySubjectName, userName, false)
            .OfType<X509Certificate>()
            .First();

        ConnectionFactory factory = new ConnectionFactory();
        // EXTERNAL: the broker authenticates the client by its TLS certificate
        factory.AuthMechanisms = new RabbitMQ.Client.AuthMechanismFactory[] { new ExternalMechanismFactory() };
        factory.HostName = hostName;
        factory.Port = 5671;
        factory.Ssl.Certs = new X509CertificateCollection(new X509Certificate[] { cert });
        // Name the server certificate is checked against
        factory.Ssl.ServerName = hostName;
        factory.Ssl.Enabled = true;

        IConnection connection = factory.CreateConnection();
        IModel model = connection.CreateModel();

        // An empty queue name lets the broker generate one
        queueName = model.QueueDeclare(queueName, false, false, false, null);
        model.QueueBind(queueName, exchangeName, routingKey, null);

        using (Subscription sub = new Subscription(model, queueName))
        {
            foreach (BasicDeliverEventArgs ev in sub)
            {
                DoSomethingWithMessage(ev);
                sub.Ack();
            }
        }
    }

NOTE: Using .NET C# to import certificate to Microsoft Windows certificate store references the Trusted Root Certificate Authorities store, located under Local Computer.
• StoreName.Root = Trusted Root Certificate Authorities
• StoreLocation.LocalMachine = Local Computer

28.3.5 Example to connect and subscribe to MSMB using Java

1. Download the client certificate and private key.
    GET /rest/certificates/client/rabbitmq/keypair/default
2. Save the contents of the client certificate in the response body into a text file named default-client.crt. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes.
3. Save the contents of the private key in the response body into a text file named default-client.key. You must copy and paste everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, including the dashes, but not including the quotes.
4. Create a PKCS12 keystore from the private key and the public certificate.
    openssl pkcs12 -export -name myclientcert -in default-client.crt -inkey default-client.key -out myclient.p12
5. Convert the PKCS12 keystore into a JKS keystore.
    keytool -importkeystore -destkeystore c:\\MyKeyStore -srckeystore myclient.p12 -srcstoretype pkcs12 -alias myclient

Example 11 Example to connect and subscribe to MSMB using Java

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;
    import com.rabbitmq.client.AMQP.Queue.DeclareOk;
    import com.rabbitmq.client.Channel;
    import com.rabbitmq.client.Connection;
    import com.rabbitmq.client.ConnectionFactory;
    import com.rabbitmq.client.DefaultSaslConfig;
    import com.rabbitmq.client.GetResponse;

    //c://MyKeyStore contains client certificate and private key. Load it into Java Keystore
    final char[] keyPassphrase = "MyKeyStorePassword".toCharArray();
    final KeyStore ks = KeyStore.getInstance("jks");
    ks.load(new FileInputStream("c://MyKeyStore"), keyPassphrase);
    final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, keyPassphrase);

    //c://MyTrustStore contains CA certificate. Load it into Java Trust Store
    final char[] trustPassphrase = "MyTrustStorePassword".toCharArray();
    final KeyStore tks = KeyStore.getInstance("jks");
    tks.load(new FileInputStream("c:\\MyTrustStore"), trustPassphrase);
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(tks);

    //load SSLContext with keystore and truststore.
    final SSLContext c = SSLContext.getInstance("SSL");
    c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

    final ConnectionFactory factory = new ConnectionFactory();
    factory.setHost("192.168.2.144");

    //Set Auth mechanism to "EXTERNAL" so that commonName of the client certificate is mapped to AMQP user name. Hence, No need to set userId/Password here.
    factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
    factory.setPort(5671);
    factory.useSslProtocol(c);

    final Connection conn = factory.newConnection();
    final Channel channel = conn.createChannel();

    //do not specify queue name. AMQP will create a queue with random name starting with amq.gen* e.g. amq.gen-32sfQz95QJ85K_lMBhU6HA
    final DeclareOk queue = channel.queueDeclare("", true, false, true, null);

    //Now get the queue name from above call and bind it to required Exchange with required routing key.
    channel.queueBind(queue.getQueue(), "msmb", "msmb.#");

    //Now you should be able to receive messages from queue
    final GetResponse chResponse = channel.basicGet(queue.getQueue(), false);
    if (chResponse == null) {
        System.out.println("No message retrieved");
    } else {
        final byte[] body = chResponse.getBody();
        System.out.println("Received: " + new String(body));
    }

    channel.close();
    conn.close();

28.3.6 Examples to connect and subscribe to MSMB using Python

The Python examples show how to connect and subscribe to the MSMB. For more information about Python (Pika AMQP client library and AMQP client library), see Introduction to Pika (http://pika.readthedocs.org/, http://www.python.org/), and AMQP Client Library (https://pypi.python.org/pypi/amqplib/).

28.3.6.1 Installation

1. Install the pika and amqp libraries.
    a. Download and install the setup tools (python setup.py install) at https://pypi.python.org/pypi/setuptools#downloads.
    b. Install the pika tools. When you install the pika or amqp libraries, run the same python setup.py install command from the downloaded pika or amqp directory.
2. Create the certificate.
    POST /rest/certificates/client/rabbitmq
    Request body: {"type":"RabbitMqClientCertV2","commonName":"default"}
3. Download the client certificate and private key.
    GET /rest/certificates/client/rabbitmq/keypair/default
4. Save the contents of the client certificate in the response body into a text file named client.pem. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with CR/LF (carriage return / line feed).
5. Save the contents of the private key in the response body into a text file named key.pem. You must copy and paste everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, including the dashes, but not including the quotes. You must replace all instances of \n with CR/LF (carriage return / line feed).
6. Download the root CA certificate.
    GET /rest/certificates/ca
7. Save the contents in the response body into a text file named caroot.pem. You must copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with CR/LF (carriage return / line feed).

28.3.6.2 Pika

Example 12 Pika example

When you invoke the script, you must pass --host:{hostname or IP}. See the following examples:
• --host:192.168.1.1
• --host:my-appliance.example.com

IMPORTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again.
    import pika, ssl
    from optparse import OptionParser
    from pika.credentials import ExternalCredentials
    import json
    import logging

    logging.basicConfig()

    ###############################################
    # Callback function that handles messages
    def callback(ch, method, properties, body):
        msg = json.loads(body)
        timestamp = msg['timestamp']
        resourceUri = msg['resourceUri']
        resource = msg['resource']
        changeType = msg['changeType']

        print ("")
        print ("%s: Message received:" %(timestamp))
        print ("Routing Key: %s" %(method.routing_key))
        print ("Change Type: %s" %(changeType))
        print ("Resource URI: %s" %(resourceUri))
        print ("Resource: %s" %(resource))

    # Pem Files needed, be sure to replace the \n returned from the APIs with CR/LF
    # caroot.pem - the CA Root certificate - GET /rest/certificates/ca
    # client.pem, first POST /rest/certificates/client/rabbitmq Request body: {"type":"RabbitMqClientCert","commonName":"default"}
    # GET /rest/certificates/client/rabbitmq/keypair/default
    # client.pem is the key with -----BEGIN CERTIFICATE-----
    # key.pem is the key with -----BEGIN RSA PRIVATE KEY-----

    # Setup our ssl options
    ssl_options = ({"ca_certs": "caroot.pem",
                    "certfile": "client.pem",
                    "keyfile": "key.pem",
                    "cert_reqs": ssl.CERT_REQUIRED,
                    "server_side": False})

    parser = OptionParser()
    parser.add_option('--host', dest='host',
                      help='Pika server to connect to (default: %default)',
                      default='localhost',
                      )
    options, args = parser.parse_args()

    # Connect to RabbitMQ
    host = options.host
    print ("Connecting to %s:5671, to change use --host hostName " %(host))
    connection = pika.BlockingConnection(
        pika.ConnectionParameters(
            host, 5671, credentials=ExternalCredentials(),
            ssl=True, ssl_options=ssl_options))

    # Create and bind to queue
    EXCHANGE_NAME = "msmb"
    ROUTING_KEY = "msmb.#"

    channel = connection.channel()
    result = channel.queue_declare()
    queue_name = result.method.queue

    channel.queue_bind(exchange=EXCHANGE_NAME, queue=queue_name, routing_key=ROUTING_KEY)
    channel.basic_consume(callback, queue=queue_name, no_ack=True)

    # Start listening for messages
    channel.start_consuming()

28.3.6.3 AMQP

Example 13 AMQP example

When you invoke the script, you must pass --host:{hostname or IP}. See the following examples:
• --host:192.168.1.1
• --host:my-appliance.example.com

IMPORTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again.

    #!/usr/bin/env python
    import ssl
    from optparse import OptionParser
    from functools import partial
    import amqplib.client_0_8 as amqp

    def callback(channel, msg):
        # Print the message properties, delivery information and body
        for key, val in msg.properties.items():
            print ('%s: %s' % (key, str(val)))
        for key, val in msg.delivery_info.items():
            print ('> %s: %s' % (key, str(val)))
        print ('')
        print (msg.body)
        print ('-------')
        print (msg.delivery_tag)
        channel.basic_ack(msg.delivery_tag)

        #
        # Cancel this callback
        #
        if msg.body == 'quit':
            channel.basic_cancel(msg.consumer_tag)

    def main():
        parser = OptionParser()
        parser.add_option('--host', dest='host',
                          help='AMQP server to connect to (default: %default)',
                          default='localhost',
                          )
        options, args = parser.parse_args()
        host = options.host+":5671"

        # Pem Files needed, be sure to replace the \n returned from the APIs with CR/LF
        # caroot.pem - the CA Root certificate - GET /rest/certificates/ca
        # client.pem, first POST /rest/certificates/client/rabbitmq Request body: {"type":"RabbitMqClientCert","commonName":"default"}
        # GET /rest/certificates/client/rabbitmq/keypair/default
        # client.pem is the key with -----BEGIN CERTIFICATE-----
        # key.pem is the key with -----BEGIN RSA PRIVATE KEY-----
        #
        ssl_options = ({"ca_certs": "caroot.pem",
                        "certfile": "client.pem",
                        "keyfile": "key.pem",
                        "cert_reqs": ssl.CERT_REQUIRED,
                        "server_side": False})

        print ('Connecting to host %s, to change use --host hostName ' %host)
        conn = amqp.Connection(host, login_method='EXTERNAL', ssl=ssl_options)

        print ('Successfully connected, creating and binding to queue')
        ch = conn.channel()
        qname, _, _ = ch.queue_declare()
        ch.queue_bind(qname, 'msmb', 'msmb.#')
        ch.basic_consume(qname, callback=partial(callback, ch))

        print ('Successfully bound to queue, waiting for messages')
        #pyamqp://
        #
        # Loop as long as the channel has callbacks registered
        #
        while ch.callbacks:
            ch.wait()

        ch.close()
        conn.close()

    if __name__ == '__main__':
        main()

28.3.7 Re-create the AMQP client certificate

If you change the appliance name, you must re-create the AMQP client certificate.

NOTE: If the certificates are already created, you can skip this step.

Prerequisites
• Minimum required session ID privileges: Infrastructure administrator

Re-creating and downloading the client certificate, private key, and root CA certificate

1. Revoke the certificate.
    DELETE /rest/certificates/ca/rabbitmq_readonly
    Request body is not required.
    NOTE: When you revoke the default client certificate, the appliance re-generates the CA certificate, AMQP server certificate, and the default client certificate.
2. Download the certificate and private key.
    GET /rest/certificates/client/rabbitmq/keypair/default
3. Download the root CA certificate.
    GET /rest/certificates/ca

29 Generating reports

HPE OneView offers predefined reports to help you manage your appliance and its environment. You can view the reports in the UI or generate them using REST API. You can also save the reports as a Microsoft Excel workbook (*.xlsx) or CSV MS-DOS (*.csv).

UI screens and REST API resources

UI screen | REST API resource
Reports | reports

29.1 Roles
• Minimum required privileges: Infrastructure administrator (for local users report)

29.2 Tasks for reports

The appliance online help provides information about using the UI or the REST APIs to:
• View a report.
• Save a report.
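
The copy-and-paste steps for client.pem, key.pem and caroot.pem in section 28.3.6.1 (which the metric streaming consumers described in the next chapter also rely on) can be scripted. The following Python code is an added example, not part of the HPE guide: it extracts the PEM blocks from the two REST response bodies, rejects anything that is not clean base64, and writes key.pem readable by its owner only. The response bodies and their JSON field names are constructed placeholders, and the function names are hypothetical; files are written with LF line endings, which OpenSSL-based loaders accept.

```python
import base64
import json
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.+?)-----END \1-----", re.S)


def _strings(node):
    """Yield every string found anywhere in a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def pem_blocks(body):
    """Return [(label, pem_text)] for each PEM block in a REST response body."""
    try:
        # JSON decoding removes the quotes and turns \n escapes into newlines.
        texts = list(_strings(json.loads(body)))
    except ValueError:
        # Not JSON: treat it as a manual paste that still holds literal \n.
        texts = [body.replace("\\r\\n", "\n").replace("\\n", "\n")]
    blocks = []
    for text in texts:
        for match in PEM_RE.finditer(text):
            label = match.group(1)
            payload = "".join(match.group(2).split())
            # Raises ValueError on stray quotes, leftover escapes or truncation.
            base64.b64decode(payload, validate=True)
            lines = [payload[i:i + 64] for i in range(0, len(payload), 64)]
            pem = "\n".join(["-----BEGIN %s-----" % label] + lines
                            + ["-----END %s-----" % label]) + "\n"
            blocks.append((label, pem))
    return blocks


def _one(blocks, label, source):
    """Return the single block with this label, or fail loudly."""
    found = [pem for lbl, pem in blocks if lbl == label]
    if len(found) != 1:
        raise ValueError("%s: expected exactly one %s block, found %d"
                         % (source, label, len(found)))
    return found[0]


def _write(path, text, mode):
    """Create the file with the given permission bits, then write the PEM."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", newline="\n") as handle:
        handle.write(text)
    os.chmod(path, mode)  # tightens a pre-existing file with looser bits
    return path


def save_msmb_credentials(keypair_body, ca_body, directory):
    """Write client.pem, key.pem and caroot.pem; return {name: path}."""
    keypair = pem_blocks(keypair_body)
    files = {
        "client.pem": (_one(keypair, "CERTIFICATE", "keypair response"), 0o644),
        # The private key must not be readable by other local users.
        "key.pem": (_one(keypair, "RSA PRIVATE KEY", "keypair response"), 0o600),
        "caroot.pem": (_one(pem_blocks(ca_body), "CERTIFICATE", "CA response"), 0o644),
    }
    return {name: _write(os.path.join(directory, name), text, mode)
            for name, (text, mode) in files.items()}


# Constructed sample input: placeholder bytes, not real certificates or keys.
# The field names "certificate" and "privateKey" are assumptions for the demo;
# pem_blocks() does not depend on them.
_FAKE = base64.b64encode(b"constructed placeholder bytes, not real key material " * 3).decode()


def _fake_pem(label):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, _FAKE, label)


SAMPLE_KEYPAIR_BODY = json.dumps({"certificate": _fake_pem("CERTIFICATE"),
                                  "privateKey": _fake_pem("RSA PRIVATE KEY")})
SAMPLE_CA_BODY = json.dumps(_fake_pem("CERTIFICATE"))

if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="msmb-")
    for name, path in save_msmb_credentials(SAMPLE_KEYPAIR_BODY, SAMPLE_CA_BODY, out_dir).items():
        print("%s -> %s" % (name, path))
```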
30 Using data services

Using REST APIs, you can collect metrics from devices managed by HPE OneView and preserve that data remotely from the HPE OneView appliance for viewing in other software tools. This gives you the flexibility to further analyze the data in meaningful ways.

30.1 About data services

Using data services, you can make data available for offline analysis and troubleshooting. For information on supported data types, see the following sections on metric streaming and log forwarding.

30.1.1 About metric streaming

The HPE OneView REST APIs allow you to configure the relay of enclosure, server-hardware, and power-devices performance metrics over MSMB. Following is the list of metrics supported.
• Enclosures:
    ◦ Rated Capacity: The limit of the enclosure’s peak power consumption, in watts.
    ◦ Derated Capacity: The limit of the enclosure’s average power consumption, in watts.
    ◦ Ambient Temperature: The temperature of the enclosure over the time interval in Celsius or Fahrenheit.
    ◦ Average Power: The average power consumption of the device over the time interval, in watts.
    ◦ Powercap: The power cap set for the enclosure, in watts.
    ◦ Peak Power: The peak power consumption of the enclosure over the time interval, in watts.
• Power-devices:
    ◦ Average Power: The average power consumption of the device over the time interval, in watts.
    ◦ Peak Power: The peak power consumption of the device over the time period, in watts.
• Server-hardware:
    ◦ CPU Utilization: The percentage of CPU utilized by the device over the time interval.
    ◦ CPU Average Frequency: The speed of the device CPU over the time interval, in GHz.
    ◦ Ambient Temperature: The temperature of the enclosure over the time interval in Celsius or Fahrenheit.
    ◦ Average Power: The average power consumption of the device over the time interval, in watts.
    ◦ Powercap: The user-defined power cap set for server-hardware.
    ◦ Peak Power: The peak power consumption of the device over the time period, in watts.

30.1.2 About log forwarding to a remote syslog server

REST APIs can be used to configure the remote syslog destination. Once configured, the logs are streamed directly from the device using rsyslog.

30.2 REST API to enable metric streaming

Metrics for managed resources can be streamed at a specified interval.
• /rest/metrics/capability
• /rest/metrics/configuration

Table 16 Recommended metric frequency of relay for a maximum number of devices by device type

Device type | Max devices | Frequency (sec) | Max devices | Frequency (sec) | Max devices | Frequency (sec) | Max devices | Frequency (sec) | Max devices | Frequency (sec)
Enclosure | 5 | 300 | 5 | 300 | 10 | 600 | 20 | 900 | 40 | 1800
Power-devices | 10 | 300 | 10 | 300 | 20 | 900 | 40 | 1800 | 80 | 3600
Server-hardware | 40 | 300 | 80 | 600 | 160 | 900 | 320 | 1800 | 640 | 3600

For example, the recommended configuration for 640 servers, 80 power devices, and 40 enclosures is as follows:

    {
      "sourceTypeList": [
        {
          "frequencyOfRelayInSeconds": 3600,
          "sampleIntervalInSeconds": 300,
          "sourceType": "/rest/server-hardware"
        },
        {
          "frequencyOfRelayInSeconds": 3600,
          "sampleIntervalInSeconds": 300,
          "sourceType": "/rest/power-devices"
        },
        {
          "frequencyOfRelayInSeconds": 1800,
          "sampleIntervalInSeconds": 300,
          "sourceType": "/rest/enclosures"
        }
      ]
    }

30.2.1 Roles
• Minimum required privileges: Infrastructure administrator

30.2.2 Tasks for metrics REST API

The appliance online help provides information about using the REST APIs to
• Fetch metric streaming capability
• Fetch metric streaming configuration
• Update metric streaming configuration

NOTE: When configured, metrics are streamed only for servers with HPE OneView Advanced license.

30.3 REST API to leverage remote system logs

The remoteSyslog REST API allows you to implement a remote system log server to receive and retain remote Syslog data and to configure the data relay.
This REST API allows you to configure a remote syslog destination server and port. Once configured, all servers with HPE OneView Advanced license and enclosures will forward the logs to this remote syslog server.
• /rest/logs/remoteSyslog

30.3.1 Roles
• Minimum required privileges: Infrastructure administrator

30.3.2 Tasks for remoteSyslog REST API

The appliance online help provides information about using the REST APIs to
• Fetch remoteSyslog configuration
• Update remoteSyslog configuration

Part VI Troubleshooting

The chapters in this part include information you can use when troubleshooting issues in your data center, and information about restoring the appliance from a backup file in the event of a catastrophic failure.

31 Troubleshooting

HPE OneView has a variety of troubleshooting tools you can use to resolve issues. By following a combined approach of examining screens and logs, you can obtain a history of activity and of the errors encountered along the way. For specific troubleshooting instructions, select a topic from the following list.

Category
• Activity
• Appliance
• Appliance network setup
• Enclosures and enclosure groups
• Firmware bundles
• Interconnects
• Licensing
• Logical interconnects
• Logical switches
• Networks
• Server hardware
• Server profiles
• Storage
• User accounts and groups

Learn more
• “Basic troubleshooting techniques” (page 357)
• “Create a support dump file” (page 359)
• “Create a support dump for authorized technical support using REST API scripting” (page 360)
• “Using the virtual appliance console” (page 437)
• “Troubleshooting locale issues” (page 403)

31.1 Basic troubleshooting techniques

HPE OneView has a variety of troubleshooting tools you can use to resolve issues. By following a combined approach of examining screens and logs, you can obtain a history of activity and the errors encountered.
• The Activity screen displays a log of all changes made on the appliance, whether user-initiated or appliance-initiated. It is similar to an audit log, but with finer detail and it is easier to access from the UI. The Activity screen also provides a log of health alerts and status notifications.
• Download an audit log to help an administrator understand what security relevant actions took place on the system.
• Create a support dump file to gather logs and other information required for debugging into an encrypted, compressed file that you can send to your authorized support representative for analysis.
• Review reports for interconnect, server, and enclosure status. Reports can also provide inventory information and help you see the types of server models and processors in your data center. They can also show you what firmware needs to be updated.

NOTE: If the UI is not available, you can use the Maintenance console for troubleshooting.

Recommendation | Details

Look for a message

About syntax errors:
• The user interface checks for syntax when you enter a value. If you make a syntax error, an instructional message appears next to the entry. The user interface or command line continues to display messages until you enter the correct value.

About network setup errors:
• Before applying them, the appliance verifies key network parameters like the IP address and the fully qualified domain name (FQDN), to ensure that they have the proper format.
• After network settings are applied, the appliance performs additional validation, such as reachability checks and host name to IP lookup. If a parameter is incorrect, the appliance generates an alert that describes validation errors for the Network Interface Card (NIC), and the connection between the browser and the appliance can be lost.

About reported serious errors:
• Check connectivity to the enclosure from the appliance.
• Create a support dump and contact your authorized support representative.

Examine the Activity screen

To find a message for an activity:
NOTE: You might need to perform these steps from the virtual console.
1. Locate recent activities with a Critical or Warning status.
2. Expand the activity to see recommendations on how to resolve the error.
3. Follow the instructions.

Examine the appliance virtual machine

When the VM host is down or nonresponsive:
1. From the local computer, use the ping command to determine if you can reach the appliance.
    • If the ping command is successful, determine that the browser settings, especially the proxy server, are correct. Consider bypassing the proxy server.
    • If the ping command did not reach the appliance, ensure that the appliance is connected to the network.
2. Log on to the hypervisor to verify that the hypervisor is running.
3. Verify that the virtual guest for the appliance is operational.
4. Ensure that the VM host configuration is valid. Verify the accuracy of the IP address and other network parameters for the VM host.
5. Examine the hypervisor performance data. If the appliance is running at 100% utilization, restart the hypervisor.

31.2 About the support dump file

Some error messages recommend that you create a support dump of the appliance and send it to an authorized support representative for analysis. The support dump process performs the following functions:
• Deletes any existing support dump file
• Gathers logs and other information required for debugging
• Creates a compressed file with a name in the following format:
    hostname-identifier-timestamp.sdmp
  Where, for support dump files created from the UI, identifier is either CI (indicating an appliance support dump) or LE (indicating a logical enclosure support dump).

The support dump contains data that might be considered customer sensitive such as hostnames, IP addresses, and the appliance audit log.
Unless you specify otherwise, all data in the support dump file is encrypted so that only an authorized support representative can access it.

You can choose not to encrypt the support dump file if you are an Infrastructure administrator. This can be useful if you have an onsite, authorized support representative or if your environment prohibits outside connections. You can also validate the contents of the support dump file and verify that it does not contain data considered sensitive in your environment.

IMPORTANT: If the appliance is in an error state, a special Oops screen is displayed. Anyone can create an encrypted support dump file from that screen without the need for logging in or other authentication.

The support dump file contains the following:
• Operating system logs
• Product logs
• The results of certain operating system and product-related commands

Items logged in the support dump file are recorded according to UTC time.

About logical enclosure support dumps

You can create a logical enclosure support dump, which, by default, includes the appliance support dump. The logical enclosure support dump file includes content from each member logical interconnect. After the logical enclosure support dump is created, it is incorporated into the appliance support dump and the entire bundle of files is compressed into a zip file and encrypted for downloading.

NOTE: To create a logical enclosure support dump that does not contain the appliance support dump, you must use the logical enclosure REST APIs. For more information, see the REST API scripting online help for logical enclosures.

See also
• “Create a support dump file” (page 359)

31.3 Create a support dump file

Use this procedure to create a support dump file for the appliance only or for the logical enclosure and the appliance.
Prerequisites
• Minimum required privileges: Network administrator, Server administrator, Infrastructure administrator, Backup administrator, Read only

NOTE: Only the Infrastructure administrator has the option of not encrypting a support dump file. When a user with a different role creates a support dump file, it is encrypted automatically.

Creating a support dump file

1. For an appliance support dump file, do one of the following:
    • From the main menu, click Settings, and then in the Appliance panel, click Create support dump.
    • From the main menu, click Settings, click Appliance, and then select Actions→Create support dump.
2. If you are an Infrastructure administrator, choose whether or not to encrypt the support dump file:
    a. To encrypt the support dump file, confirm that the Enable support dump encryption check box is selected.
    b. To turn off encryption, clear the Enable support dump encryption check box.
3. Click Yes, create. You can continue doing other tasks while the support dump file is created.
4. The support dump file is downloaded when this task is completed. If your browser settings specify a default download folder, the support dump file is placed in that folder. Otherwise, you are prompted to indicate where to download the file.
5. Verify that the support dump file was saved to the correct folder.
6. Contact your authorized support representative for instructions on how to transfer the support dump file to Hewlett Packard Enterprise. For information on contacting Hewlett Packard Enterprise, see “Accessing Hewlett Packard Enterprise Support” (page 433).

IMPORTANT: Unless you specify otherwise, the support dump file is encrypted so that only an authorized support representative can view its contents. The Hewlett Packard Enterprise data retention policy requires that all sent support dump files be deleted after use.
See also
• “About the support dump file” (page 358)
• Troubleshooting: Cannot create a support dump file

31.4 Create a support dump for authorized technical support using REST API scripting

Some error messages recommend that you create a support dump of the appliance to send to an authorized support representative for analysis. The support dump process:
• Deletes any existing support dump file
• Gathers logs and other information required for debugging
• Creates a compressed file

Unless you specify otherwise, all data in the support dump file is encrypted so that it is accessible only by an authorized support representative. You might choose not to encrypt the support dump file if you have an onsite, authorized support representative or if your environment prohibits outside connections. You can also validate the contents of the support dump file and verify that it does not contain sensitive data such as passwords.

IMPORTANT: If the appliance is in an error state, you can still create an encrypted support dump file without logging in or other authentication.

The support dump file contains the following:
• Operating system logs (from /var/log)
• Product logs (from /ci/logs)
• The results of certain operating system and product-related commands

Items logged in the support dump file are recorded in UTC (Coordinated Universal Time).

Prerequisites
• Minimum required session ID privileges: Infrastructure administrator

Creating a support dump using REST APIs

1. Create a support dump.
    POST /rest/appliance/support-dumps
2. Use the value of the uri element in the Response Body from the POST in step 1 to download the support dump.
    GET /rest/appliance/support-dumps/{file name}

IMPORTANT: Unless you specify otherwise, the support dump file is encrypted so that only authorized support personnel can view its contents.
In accordance with the Hewlett Packard Enterprise data retention policy, support dump files sent to Hewlett Packard Enterprise are deleted after use. 31.5 Troubleshooting activity Use the following information to troubleshoot alerts that appear on the Activity screen. 31.5.1 Alerts are not generated Symptom Alerts not generated. Cause The appliance is out of compliance. The server hardware exceeds the number of licenses. Action 1. 2. Apply a license to server hardware. Apply the licenses to unlicensed server hardware. 31.5.2 Alert is locked Symptom An alert is locked and cannot be cleared. Cause The locked alert was created by a resource. Action 1. 2. 3. Expand the alert and follow the recommended action described in Resolution. If you need more information, expand the Event details and see the details for correctiveAction. When the resource detects a change, it will automatically change the alert status to Cleared. 31.5.3 Alerts are not visible in the user interface Symptom You cannot access the Alerts screen or alerts are not posted there. 31.5 Troubleshooting activity 361 Cause Improper permission Action 1. 2. 3. If possible, log in as a privileged user. Otherwise, request that the Infrastructure administrator change your role so that you can see alerts for the physical resource type. Log in again. View the Activity screen. 31.5.4 Alert status is reported as blank or unexpected Symptom The status of the alert is other than: • Critical • Warning • OK • Unknown Cause Action 1. 2. Clear the alert. Restore the alert. 31.5.5 Alert state is unexpected Symptom The state of the alert is other than • Active • Locked • Cleared Cause A resource reported an unexpected alert state for an underlying problem. Action 1. 2. 3. Expand the alert and follow the recommended action described in Resolution. If you need more information, expand the Event details and see the details for correctiveAction. 
When the resource detects a change, it will automatically change the alert state to Cleared. 31.6 Troubleshooting the appliance Audit log: • “Audit log is absent ” (page 372) • “Audit log could not be downloaded ” (page 372) • “Audit entries are not logged ” (page 372) 362 Troubleshooting Backup/Restore: • “Cannot create or download a backup file ” (page 368) • “Restore action was unsuccessful ” (page 372) Restart/Shutdown: • “Appliance did not shut down” (page 374) • “Cannot restart the appliance after a shutdown” (page 375) • “Unexpected appliance shutdown” (page 364) Security/Authentication: • “Unable to import a certificate ” (page 370) • “Certificate was revoked ” (page 371) • “Invalid certificate chain prevents operations ” (page 371) • “Invalid certificate content prevents operations ” (page 371) • “You cannot log in ” (page 376) • “Cannot log in after a factory reset action” (page 376) Support dump: • “Support dump was not created ” (page 369) • “Support dump file not saved ” (page 370) • “Cannot create unencrypted support dump ” (page 370) Update: • “Cannot update appliance” (page 364) • “Appliance update file downloads, but update fails” (page 365) • “Appliance update is unsuccessful” (page 366) Other: • “Appliance performance is slow” (page 363) • “Browser does not display the HPE OneView user interface” (page 366) • “Icons are not visible on the appliance dashboard” (page 367) • “Could not retrieve the browser session ” (page 367) • “Reinstall the remote console ” (page 376) 31.6.1 Appliance performance is slow Symptom The appliance operates, but its performance is slow. Cause The appliance configuration is not set for optimum performance. 31.6 Troubleshooting the appliance 363 Action 1. 2. 3. 4. 5. 6. Ensure that the physical components satisfy the requirements described in the HPE OneView Support Matrix. 
   • VM host with ProLiant G7-class CPUs or later
   • VM with two 2 GHz or greater virtual CPUs
2. Ensure proper network connection between the appliance and managed devices.
3. Ensure power management is not enabled.
4. Ensure the hypervisor is not overloaded.
5. Ensure the available storage is acceptable.
6. Ensure the host is not overloaded. Examine the virtual machine’s performance data (performance counters). If the hypervisor host is running at 100% utilization, consider:
   • Restarting the VM host
   • Moving the appliance to a VM host with more resources, especially one that is not as busy
   • Using reservations or shares on the hypervisor host
7. From the local computer, use the ping command to determine if the round-trip time of the ping is acceptable. Long times can indicate browser problems.
8. Determine that the browser settings are correct.
9. Consider bypassing the proxy server.
10. Ensure the scale limits are not exceeded. See the HPE OneView Support Matrix.
11. Create a support dump and contact your authorized support representative.

31.6.2 Unexpected appliance shutdown

Symptom
Appliance crash

Cause
Unplanned shutdowns

Actions to take after a crash
• Unexpected shutdowns are rare. Check for critical alerts or failed tasks. Follow the resolution instructions, if provided.
• Manually refresh a resource (Actions→Refresh) if the resource information displayed appears to be incorrect or inconsistent.
• Create a support dump (Settings→Actions→Create support dump) for unexpected shutdowns to help your authorized support representative troubleshoot the problem.

31.6.3 Cannot update appliance

Symptom
The update appliance operation fails.

Solution 1

Cause
Improper permission

Action
Required privileges: Infrastructure administrator
1. Log in to the appliance as the Infrastructure administrator.
2. Perform the update operation again.

Solution 2

Cause
Appliance cannot access the network.
Action
See “Appliance cannot access the network” (page 379).

Solution 3

Cause
Appliance certificate is invalid, expired, or changed.

Action
1. Examine the certificate settings from the Security pane of the Settings screen.
2. Acquire a new appliance certificate if it is invalid or expired. Depending on the certificate type, see “Create a self-signed certificate” (page 74) or “Create a certificate signing request” (page 73).
3. Refresh the browser page.
4. Accept the new certificate.
5. Retry the update operation.

31.6.4 Appliance update file downloads, but update fails

Symptom
The update file was successfully downloaded but the update operation does not update the appliance.

Solution 1

Cause
The download file is too large for the browser.

Action
1. Verify that the download size is within the capabilities of the browser.
2. Use a different browser.

Solution 2

Cause
File was deleted from the appliance.

Action
1. Download the update file.
2. Retry the update operation. See the online help for details.

Solution 3

Cause
The version of the appliance is outside the range of versions that apply to the update.

Action
1. Download a supported version (based on the appliance version) of the update file.
2. Retry the update operation. For information, see the online help.

31.6.5 Appliance update is unsuccessful

Any blocking or warning conditions affecting the appliance update are displayed prior to the update operation.

Symptom
Update fails

Cause

Action
1. Confirm you are not upgrading to the same version already installed.
2. Verify that all status indicators for LAN, CPU, and memory in the Appliance panel in the Settings screen are green before retrying the update.
3. Create a support dump and contact your HPE support representative.

31.6.6 Browser does not display the HPE OneView user interface

Symptom
The browser does not display the HPE OneView user interface.

Solution 1

Cause
The browser is not supported.

Action
Use a supported browser.
Solution 2

Cause
The browser cache is full.

Action
1. Clear the browser cache and try again.
2. Refresh or reload the browser.

Solution 3

Cause
JavaScript is not enabled.

Action
Enable JavaScript on the browser.

Solution 4

Cause
There is a connectivity issue with the appliance.

Action
1. Verify that the browser proxy setting is accurate.
2. Refresh or reload the browser.
3. Verify that the appliance can access the network. See “Appliance cannot access the network” (page 379).

31.6.7 Icons are not visible on the appliance dashboard

Symptom
The dashboard is displayed without icons.

Cause
A timeout occurred before the browser could load the icons.

Action
1. Refresh or reload the browser.
2. Verify that the appliance can access the network. See “Appliance cannot access the network” (page 379).

31.6.8 Could not retrieve the browser session

Symptom
The browser does not display the session or the session appears frozen.

Solution 1

Cause
Session timed out

Action
1. Log out.
2. Log back in to start a new session.

Solution 2

Cause
You were logged out of the session.

Action
Log in to start a new session.

31.6.9 Cannot create or download a backup file

Symptom
A backup file could not be created or downloaded.

Solution 1

Cause
Other related operations are in progress. Only one backup file can be created at a time. A backup file cannot be created during the restore operation or while a previous backup file is being uploaded or downloaded.

Action
Required privileges: Infrastructure administrator
1. Log in as the Infrastructure administrator.
2. Verify that no other backup or restore operation is running. Look for a progress bar in the Settings screen or a completion noted in the Activity sidebar.
3. Wait until the operation is complete.
4. If an alert appears, follow its resolution to:
   a. Retry the backup operation.
   b. If the backup operation fails, restart the appliance.
   c. Run the backup operation again after restarting the appliance.

Solution 2

Cause
Network connectivity issues prevent the download.

Action
Ensure that the network is correctly configured and performing as expected.

Solution 3

Cause
A profile operation was running during the backup operation resulting in any of the following:
• Duplicate GUIDs in the network
• Server with settings from a previous profile
• Error message: The operation was interrupted
• Error message: The configuration is inconsistent

Action
1. Log in as the Infrastructure administrator.
2. Identify the server affected.
3. Unassign the profile from the server.
4. Reassign the profile to the server.
5. If either error message was reported, determine any factors (not related to HPE OneView) that contributed to this condition, such as:
   • Was the server moved?
   • Was the server power turned off?
6. Create a support dump file.
7. Report this issue to your authorized support representative.

Symptom
Cannot download the backup file because a related operation is in progress.

Cause
A backup file cannot be uploaded or downloaded while a backup file creation or restore operation is in progress.

Action
• Ensure that another backup or restore operation is not running. They are indicated with a progress bar in the Settings screen.

Symptom
The backup file does not appear to be downloading.

Cause
Downloading a large backup file can take several minutes or more, depending on the complexity of the appliance configuration.

Action
• Wait until the operation completes. Monitor the operation by observing the progress bar in the Settings screen.

31.6.10 Support dump was not created

Symptom
Cannot find the expected support dump

Solution 1

Cause
Insufficient time elapsed

Action
1. Wait. Creating a support dump file can take several minutes. If the log files are large or if the system is extensive, creating a support dump file can take even longer.
2. Retry the create support dump action.
Solution 2

Cause
Only the Infrastructure administrator can create a support dump file from the Oops screen.

Action
Provide the credentials for the Infrastructure administrator and try again.

31.6.11 Support dump file not saved

Symptom
The support dump file is absent on the appliance.

Solution 1

Cause
You can easily miss notifications of automatic downloads if the browser settings are not set correctly.

Action
1. Verify that the download has completed.
2. Verify the browser settings.
3. Retry the create support dump action and examine the download progress bar in the Activity sidebar.

Solution 2

Cause
Insufficient disk space for the support dump file on the client side.

Action
1. Ensure that the local computer has enough disk space to accommodate the support dump file.
2. Retry the create support dump action.

31.6.12 Cannot create unencrypted support dump

Symptom
You can create an encrypted support dump file, but not an unencrypted one.

Cause
You do not have proper authorization to create an unencrypted support dump file. Only the Infrastructure administrator can do so.

Action
1. Log into the appliance as the Infrastructure administrator.
2. Retry the create support dump action.
3. Specify the unencrypted support dump option.
4. Create the support dump.
5. Verify success by examining the progress bar.

31.6.13 Unable to import a certificate

Symptom
The appliance did not allow or accept the action of importing a certificate.

Solution 1

Cause
Your login account does not give you permission to import a certificate.

Action
Required privileges: Infrastructure administrator
1. Log in as the Infrastructure administrator.
2. Try the action again.

Solution 2

Cause
Appliance lost connection with browser.

Action
Required privileges: Infrastructure administrator
1. Verify that the network is working properly. See “Appliance cannot access the network” (page 379).
2. Wait for the web server to restart, and then try the action again.

31.6.14 Certificate was revoked

Symptom
The Certificate Authority no longer recognizes the certificate.

Cause
The certificate is no longer valid.

Action
1. As Infrastructure administrator, create or acquire a new certificate for the appliance.
2. Generate a new signing request.

31.6.15 Invalid certificate chain prevents operations

Symptom
The certificate chain in the remote appliance was corrupted.

Action
Required privileges: Infrastructure administrator
1. As Infrastructure administrator, create or acquire a new certificate for the appliance.
2. Generate a new signing request.

31.6.16 Invalid certificate content prevents operations

Symptom

Cause
The format of the certificate is invalid.

Action
Required privileges: Infrastructure administrator
1. As Infrastructure administrator, create or acquire a new appliance with a valid format. See “Create a certificate signing request” (page 73) or “Create a self-signed certificate” (page 74).
2. Import the new certificate.

31.6.17 Audit log could not be downloaded

Symptom
No action menu item for downloading the audit log is visible.

Cause
Improper authorization.

Action
1. Log in as the Infrastructure administrator.
2. Download the audit log.

31.6.18 Audit entries are not logged

Symptom
Entries in the audit log are missing.

Cause
The audit log was edited, which resulted in stopping the logging.

Action
Restart the appliance to resume logging.

31.6.19 Audit log is absent

Symptom
The audit log was deleted.

Action
Restart the appliance to create an audit log and resume logging.

31.6.20 Restore action was unsuccessful

Symptom
The restore and factory reset operations failed, and the appliance could not restart.

Solution 1

Cause
The backup file is incompatible.

Action
1. Log in as Infrastructure administrator.
2. Retry the restore operation with a recent backup file that fulfills this criteria:
   The appliance being restored has the same HPE OneView major and minor version numbers as the appliance on which the backup file was created. The Settings screen displays the version number in this format:
   Version major.minor.nn-nnnnn month—day—year
3. Reconcile any discrepancies that the restore operation could not resolve automatically.

Solution 2

Cause
A serious error occurred.

Action
1. Log in as Infrastructure administrator.
2. Create a support dump file, in case you might need to contact an authorized support representative.
3. If possible, reset the appliance to factory settings. Otherwise, create a new virtual machine appliance from the provided image file (OVF file template).
4. Retry the restore operation.

Cause
An unrecoverable error occurred during the restore operation.

Action
If an unrecoverable error occurs during the restore operation, you will have to re-create the appliance virtual machine from the virtual machine image supplied by Hewlett Packard Enterprise.

Cause
Restore operation failed.

Action
Required privileges: Infrastructure administrator
1. Log in as Infrastructure administrator.
2. Create a support dump file, in case you might need to contact an authorized support representative.
3. Create a new virtual machine appliance from the provided image file (OVF file template). For more information, see the HPE OneView Installation Guide.
4. Do one or both of the following:
   • Retry the restore operation, specifying the most recent backup file.
   • Try the restore operation with another backup file that is compatible with the appliance.
5. If the problem persists, contact your authorized support representative.

Cause
The status of the restore operation is IN PROGRESS, but the percentage of change does not change for 2.5 hours or more.

Action
1. Log in as Infrastructure administrator.
2. Restart the appliance.
3. Do one or both of the following:
   • Retry the restore operation, specifying the most recent backup file.
   • Try the restore operation with another backup file that is compatible with the appliance.

Symptom
Server hardware is booting from wrong device or incorrect BIOS settings

Cause
BIOS, firmware, and boot settings were changed after the backup and before the restore operation.

Action
1. Log in as the Infrastructure administrator.
2. Verify the BIOS, firmware, and boot settings.
3. Unassign the profiles.
4. Reassign each profile to its corresponding server.

Symptom
Restore operation does not restore server profile.

Cause
The restore operation timed out or failed.

Action
Required privilege: Infrastructure administrator
1. Log in as the Infrastructure administrator.
2. Create a support dump file.
3. Do one of the following:
   a. Retry the restore operation, specifying the most recent backup file.
   b. Try the restore operation with another backup file that is compatible with the appliance.
4. Verify that all the necessary actions were followed to put the profiles back in-line with the environment. If there is a profile still in an inconsistent state, there might be incorrect behavior in the data center.

31.6.21 Appliance did not shut down

Symptom
The appliance stayed up in spite of a shutdown operation.

Cause
An internal server error might have occurred.

Action
Required privileges: Infrastructure administrator
1. Log in as the Infrastructure administrator.
2. Retry the shutdown action.
3. Use the hypervisor to perform a graceful shut down.
4. If the problem persists, create a support dump.
5. Contact your authorized support representative and provide them with the support dump. See “Accessing Hewlett Packard Enterprise Support” (page 433).

31.6.22 Cannot restart the appliance after a shutdown

Symptom
The restart action resulted in a shutdown, but not a restart.

Cause
An internal server error might have occurred.
Action
Required privileges: Infrastructure administrator
1. Log in as the Infrastructure administrator.
2. Retry the restart action.
3. Retry the restart action from the hypervisor.
4. If the problem persists, create a support dump.
5. Contact your authorized support representative and provide them with the support dump. See “Accessing Hewlett Packard Enterprise Support” (page 433).

31.6.23 You cannot log in

Symptom
There is no login screen.

Possible cause and recommendation
Appliance not yet started or browser not behaving correctly
1. Wait for the appliance to start completely.
2. Refresh your browser and try again.
3. Open a new browser and try again.
4. As Infrastructure administrator, use the REST APIs to restart the appliance.

Symptom
There is a login screen, but the appliance rejects your login.

Possible cause and recommendation
Authentication for the local user account is invalid
1. Retype your login name and password in case you made an error.
2. Verify your login name and role settings with the Infrastructure administrator. If the appliance was reset to its original factory settings, the Infrastructure administrator might need to reinstate you.
3. As Infrastructure administrator, do the following:
   a. Verify the account name and ensure that a role is assigned to the user.
   b. Restart the appliance and try again.

Authentication for the Authentication directory service is invalid
1. Retype your login name and password, and choose the correct authentication directory in case you made an error.
2. Verify your login name and your group and role settings with the Infrastructure administrator. If the appliance was reset to its original factory settings, the Infrastructure administrator might need to reinstate you.
3. As Infrastructure administrator, do the following:
   a. Verify the account name and ensure that the user is a member of the group in the directory service.
   b. Verify that the authentication directory service is configured properly.
   c. Verify that the directory service server is operational. See “Directory service not available” (page 426).
   d. Verify that the directory service host certificate is valid. If not, reacquire a certificate and install it.
   e. Contact the directory service provider to ensure that the credentials are accurate.
   f. Restart the appliance and try again.

31.6.24 Cannot log in after a factory reset action

Symptom
Log in not accepted following a factory reset operation.

Cause
The authentication was deleted by the factory reset.

Action
Log in to the appliance with the default credentials that you used when you logged in for the first time.

31.6.25 Reinstall the remote console

When running Firefox or Chrome on a Windows client, the first-time installation of the iLO remote console prevents the installation dialog box from being displayed again. If you need to reinstall the console software, you must reset the installation dialog box.

Symptom
Installation dialog box is not displayed.

Cause
If you installed the iLO remote console software using one browser (Firefox or Chrome), but are using another browser, the dialog box that prompts you to install the software is displayed, even if the software is already installed.

Action
To reinstall the console, press the Shift key and select Actions→Launch console.

Reinstall the software
1. Click Install software and close all of the dialog boxes for installing the application.
2. Click My installation is complete — Launch console to launch the console after it is installed.

31.6.26 Appliance is offline, manual action is required

Symptom
The Maintenance console indicates that the appliance is offline and manual action is required to restore operation safely. Neither appliance in the appliance cluster is active. Constraints for data integrity prevent the automatic activation of the appliance.

Solution 1

Cause
Network issues or multiple disconnects might have caused the outage.

Action
1. Restore high availability by correcting the cause of the outage, if possible. Ensure that all network cables are properly connected.
2. Bring the enclosure back online. Use the Maintenance console View details command to identify the appliance for which the status cannot be confirmed. The appliance is identified in terms of its enclosure and appliance bay number. If the corresponding enclosure is offline, powering it on could correct the problem.
3. If the enclosure cannot be brought back online, move the appliance to an operational enclosure. Whenever possible, install clustered appliances in different enclosures to improve fault protection.

Solution 2

Cause
An appliance is nonfunctional and high availability cannot be restored.

Action
IMPORTANT: This procedure requires you to override data integrity protection. Use extreme care when following this procedure.

1. Determine the location of both appliances in the appliance cluster. The location is given in terms of the enclosure and appliance bay. The Maintenance console View details action, from either appliance, can provide this information for the other appliance.
   CAUTION: Misidentifying the appliance can result in unrecoverable data loss.
2. Determine whether each appliance:
   • Is present in the enclosure.
   • Is powered on.
   • Shows a warning in the Maintenance console Notification banner regarding changes that have not been synchronized between appliances.
3. Select the appliance to activate. Use the following criteria:
   • If one appliance shows an unsynchronized changes warning, select it.
   • Select the other appliance if an appliance:
     ◦ Is lost and cannot be recovered.
     ◦ Cannot be brought online.
   If the lost appliance contained unsynchronized changes, unrecoverable data loss could occur.
4. Ensure the unselected appliance:
   • Is powered off,
   • Is removed from the enclosure, or
   • Was just restarted.
   This step is critical to ensure that both appliances do not become active at the same time. Otherwise, it will be impossible to resynchronize them, and unrecoverable data loss will result.
5. In the Maintenance console of the selected appliance, select Activate and confirm the action. Refer to the appliance state to monitor progress.

31.6.27 Appliance is offline and unusable

Symptom
The Maintenance console indicates that an appliance is offline and unusable because of incomplete data. Neither appliance in the appliance cluster is active. Constraints for data integrity prevent the automatic activation of the appliance.

Cause
An appliance in an Offline / Unusable (incomplete data) state experienced an outage while its data was being synchronized or it encountered a disk write error. The appliance cannot be activated in this state.

Action
1. Reconnect the offline/unusable appliance with the other appliance in the cluster. The other appliance likely has the most up-to-date data. Reestablishing a connection between the appliances will allow data synchronization to complete.
2. Bring the up-to-date appliance enclosure back online. Use the View details command in the up-to-date appliance Maintenance console to locate its location (enclosure and appliance bay). If its enclosure is offline, powering it on could correct the problem.
3. If the enclosure cannot be brought back online, move the up-to-date appliance to an operational enclosure. Whenever possible, install clustered appliances in different enclosures to improve fault protection.
4. Ensure that all such cables are connected properly.
5. Restore from backup. If the up-to-date appliance is in an irrecoverable state, use a backup copy of the appliance data to restore operation:
   a. Factory reset or reimage both appliances.
   b. Restore one appliance from a recent compatible backup file.
   c. Allow the other (or another) appliance to join into a high availability cluster with the restored appliance.
If a replacement appliance is required, you can add it later to restore high availability.

31.7 Troubleshooting the appliance network setup

31.7.1 Appliance cannot access the network

Symptom
Operations that require network access do not function.

Cause
The appliance network was not properly configured.

Action
1. Log in as Infrastructure administrator.
2. Verify that the IP address assignment is correct.
3. Verify that the DNS IP address is correct.
4. Verify that the DNS server is not behind a firewall. If it is, modify the firewall settings.
5. Verify that the DNS server is operational.
6. Verify the gateway address for your network is correct.
7. Log in to the appliance as Infrastructure administrator and correct the network settings.

31.7.2 Appliance cannot retrieve DNS information from DHCP server

Symptom
The DHCP server does not provide access to IP addresses.

Cause
DNS or the DHCP server was not properly configured.

Action
1. Verify that each DNS IP address is correct.
2. Verify that the DNS server is not behind a firewall. If it is, you might need to modify the firewall settings.
3. Verify that the DNS server is operational.
4. Use the virtual appliance console to determine that the DHCP server is configured correctly.
5. If necessary, use static address assignment instead of DHCP.

31.7.3 DNS server is unreachable

Symptom
An alert message reports that an IP address is not responding as a DNS server.

Action
Required privileges: Infrastructure administrator
1. Verify that each DNS IP address is correct.
2. Verify that the DNS server is operational.
3. Verify that the DNS server is not behind a firewall. If it is, you might need to modify the firewall settings.
4. Change the network settings accordingly.

31.7.4 Gateway server is unreachable

Symptom
An alert message reports that an IP address is not a valid gateway.

Cause

Action
Required privileges: Infrastructure administrator
1. Verify the gateway address for your network.
2. Verify that the gateway server is operational.
3. Change the network settings accordingly.

31.7.5 Cannot change network settings

Symptom
You are unable to change network settings.

Cause
Improper permission

Action
1. If possible, log in as a privileged user. Otherwise, request that the Infrastructure administrator change your role so that you can change network settings.
2. Log in again.
3. Change the network setting.

31.7.6 NTP synchronization fails

Symptom
Appliance time and date settings do not match the NTP server.

Solution 1

Cause
Appliance is not properly configured for NTP. The configuration of the appliance contains an error.

Action
1. As an Infrastructure administrator, verify that the host name or IP address you specified is an NTP server.
2. Examine the Appliance panel of the Settings screen to confirm that the IP address of the NTP server is correct.
3. Verify that the NTP server is not behind a firewall. If it is, you might need to modify the firewall settings.
4. Verify that the NTP server is up and communicating.
5. Synchronize the appliance clock with the NTP server. For more information, see the online help.

Allow sufficient time for the appliance and the NTP server to synchronize. This could be as long as one hour for a global NTP server.

Solution 2

Cause
Appliance time differs from NTP server by more than 1000 seconds. The appliance cannot synchronize with the NTP server.

Action
1. Edit the appliance time and locale settings. For a virtual appliance, synchronize the appliance with the VM host to synchronize the appliance’s time to the current time according to the VM host. For a physical appliance, set the appliance’s time manually.
2. Verify that the time according to the appliance matches the NTP server’s time.
3. Synchronize the appliance with the NTP server. For more information, see the online help.
NOTE: HPE recommends using four NTP servers while synchronizing the appliance.

Allow sufficient time for the appliance and the NTP server to synchronize. This could be as long as ten minutes.

31.8 Troubleshooting email notifications

Use the following information to troubleshoot alerts that appear on the Notifications panel of the Settings screen.

31.8.1 Cannot configure email notification of alerts

Symptom
You cannot configure the email notification of alerts feature.

Cause
You do not have the necessary permissions to use this feature.

Action
1. Log in to the appliance as the Infrastructure administrator.
2. Add or edit an email recipient and filter entry.
3. Verify that you were able to add or edit the email recipient and filter entry successfully. The recipient will be listed in the panel.

31.8.2 Unable to connect through

Symptom
The appliance is not able to connect through the sending email host name. The appliance cannot send alert messages using the configured email address.

Solution 1

Cause
One or more parameters for configuring email notification is invalid, preventing the appliance from reaching the host used for sending email.

Action
1. As Infrastructure administrator, view the configuration parameters. See the online help for more information.
2. Correct any invalid configuration parameter.
3. Save the configuration.
4. Verify the configuration either by pinging the host or by sending a test message.

Solution 2

Cause
The appliance is experiencing network issues, which prevents the appliance from sending email messages.

Action
1. As Infrastructure administrator, verify that the host name for the sending email address is on the network by pinging the host.
2. See Appliance cannot access the network to resolve problems connecting with the network.

31.8.3 Host does not respond as an SMTP server

Symptom
The host name, which should send the email messages, is not responding as an SMTP server.
Solution 1

Cause
The host name was not configured correctly.

Action
1. As Infrastructure administrator, verify that the host name for the sending email address is on the network by pinging the host.
2. Verify the port number used is correct.
3. View the parameters for configuring email notification of alerts. For information, see the online help.
4. Update the Email parameters as needed.
5. Save the configuration.
6. Verify the configuration with the telnet command. For example:
   telnet mail.example.com 25
7. Verify also by monitoring email notifications.

Solution 2

Cause
The SMTP server used for sending email notification has TLS/SSL security protocols.

Action
1. Verify the connection to the SMTP server using the correct port with the telnet command. For example:
   telnet mail.example.com 587
2. View the parameters for configuring email notification of alerts. For information, see the online help.
3. Ensure that the SMTP server does not have TLS/SSL support. Update the Email parameters as needed.
4. Save the configuration.
5. Verify the configuration with the telnet command. For example:
   telnet mail.example.com 25
6. Verify also by monitoring email notifications.

Solution 3

Cause
The email notification configuration has an invalid password for the SMTP server. The email cannot be sent because it fails to provide the correct authentication.

Action
1. Use the telnet command to connect to the SMTP server to verify the password. For example:
   telnet mail.example.com
2. View the parameters for configuring email notification of alerts. For information, see the online help.
3. Ensure that the SMTP server password is correct. Update the Email parameters as needed.
4. Save the configuration.
5. Verify by monitoring email notifications.

31.8.4 Unable to deliver email messages to some email IDs

Symptom
Some users receive email messages regarding alerts but other users do not receive the same messages.
Solution 1

Cause
The recipient is either not configured or not configured correctly.

Action
1. As Infrastructure administrator, follow the procedure for editing an email recipient in the online help so that you can view the recipient and filter entries.
2. Verify that the recipient is specified. Correct the entry as needed.
3. Verify that the email address of each recipient is valid. Correct the entry as needed.
4. Verify by monitoring email notifications.

Solution 2

Cause
The email message is filtered and thus not delivered because it is considered junk mail or spam.

Action
1. If the host sending the email and the recipient are in the same domain, examine the email application of the recipient.
2. Ensure that the email application does not block the message and that it does not treat the message as spam or send it to a junk folder.
3. Verify by monitoring email notifications.

31.8.5 Designated recipients are not receiving email notifications of events

Symptom
No configured recipient is receiving email notification of alerts.

Solution 1

Cause
Email notification is currently disabled.

Action
1. As the Infrastructure administrator, view the configuration parameters.
2. Ensure that the email notification feature is enabled.
3. Ensure that each email recipient and filter entry is appropriately enabled or disabled.
4. Verify by monitoring email notifications.

Solution 2

Cause
Recipients cannot receive email messages because their parameters are not configured properly.

Action
1. As the Infrastructure administrator, view the configuration parameters.
2. Verify that the recipient is specified and that their email address is valid.
3. If the recipient is not specified, do one of the following, as appropriate:
   • Include the recipient in the list of email addresses for an existing filter by editing the recipient and filter entry.
   • Add the recipient to a new filter.
   For information on these procedures, see the online help.
4. Verify by monitoring email notifications.

Solution 3

Cause
The configuration for the email recipient contains an invalid filter specification that does not capture any alerts for notification.

Action
1. As Infrastructure administrator, follow the procedure for editing an email recipient in the online help to view the filter entries.
2. Examine the alerts reported in the Activity screen and note the alerts you believe should have been captured by the filter.
3. Review the filter entries. Ensure that the filter is defined precisely and accurately.
4. Save the email recipient and filter entry.
5. Verify the configuration by monitoring email notifications.

31.8.6 Frequent, irrelevant email messages

Symptom
Email messages that do not pertain to certain recipients are sent to them.

Cause
The configuration for the email recipient contains a filter specification that allows unwanted, irrelevant alerts.

Action
Required privileges: Infrastructure administrator
1. As Infrastructure administrator, follow the procedure for editing an email recipient in the online help to view the filter entries.
2. Review the filter entries:
   • Ensure that there are no empty filter entries. When the filter entry is empty, an email message is generated for any alert.
   • Ensure that filter entries are unique. Otherwise, at least twice as many messages are sent.
   • Be precise when specifying the filter criteria. Edit the filter entry so that it acts on only the alerts for which you want to be notified.
3. Save the email recipient and filter entry.
4. Verify the configuration by monitoring email notifications.

31.8.7 Test message could not be sent

Symptom
A test message was sent, but none of the recipients received it.

Solution 1

Cause
One or more parameters for configuring email notification is invalid, preventing the appliance from reaching the host used for sending email.

Action
1. As Infrastructure administrator, view the parameters for configuring email notification of alerts. For more information, see the online help.
2. Correct any invalid configuration parameter.
3. Save the configuration.
4. Verify the configuration either by pinging the host or by sending a test message again.

Solution 2

Cause
The appliance is experiencing network issues, which prevents the appliance from sending email messages.

Action
1. As Infrastructure administrator, verify that the host name for the sending email address is on the network by pinging the host.
2. See Appliance cannot access the network to resolve problems connecting with the network.

31.8.8 Some test messages were not received

Symptom
Some recipients receive the test message but other recipients do not receive the same message.

Solution 1

Cause
The recipient is either not configured or not configured correctly.

Action
1. As Infrastructure administrator, follow the procedure for editing an email recipient in the online help so that you can view the recipient and filter entries.
2. Verify that the recipient is specified. Correct the entry as needed.
3. Verify that the email address of each recipient is valid. Correct the entry as needed.
4. Verify by sending another test message.

Solution 2

Cause
The test message was filtered and thus not delivered because it is considered junk mail or spam.

Action
1. If the host sending the email and the recipient are in the same domain, examine the email application of the recipient.
2. Ensure that the email application does not block the message and that it does not treat the message as spam or send it to a junk folder.
3. Verify by sending another test message.
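The telnet checks earlier in section 31.8 (wrong host name or port, an SMTP server with TLS/SSL security protocols, an invalid SMTP password) come down to reading the reply codes the server prints. The following is an added example, not part of the HPE guide or HPE code: it parses a pasted telnet transcript and maps it to one of those three solutions. The transcripts, function names and cause labels are constructed, and the mapping of reply codes 530 and 535 to Solutions 2 and 3 is an assumption based on standard SMTP replies (RFC 3207, RFC 4954).

```python
"""Classify a pasted telnet SMTP session (added example; transcripts are constructed)."""
import re
from dataclasses import dataclass, field

# A server reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(r"^([2-5]\d\d)(?:([ -])(.*))?$")


@dataclass
class Reply:
    code: int
    lines: list = field(default_factory=list)


def parse_replies(transcript):
    """Group server lines into replies, honouring 'NNN-' continuation lines."""
    replies, current = [], None
    for raw in transcript.splitlines():
        m = REPLY_LINE.match(raw.strip())
        if not m:               # typed command or telnet chatter: no reply code
            continue
        code, sep, text = int(m.group(1)), m.group(2), (m.group(3) or "").strip()
        if current is None or current.code != code:
            current = Reply(code)
            replies.append(current)
        current.lines.append(text)
        if sep != "-":          # a space (or a bare code) closes the reply
            current = None
    return replies


def classify(transcript):
    """Map a transcript to Solution 1, 2 or 3 (cause labels are hypothetical)."""
    result = {"cause": "ok", "solution": None, "starttls_offered": False,
              "auth_mechanisms": [], "cleartext_password_risk": False}
    replies = parse_replies(transcript)
    if not replies or replies[0].code != 220:
        # No 220 greeting: wrong host name or port, or no network path.
        result.update(cause="no-smtp-greeting", solution=1)
        return result
    for reply in replies:
        if reply.code == 250 and len(reply.lines) > 1:   # multi-line EHLO answer
            for line in reply.lines[1:]:                 # line 0 is the server name
                keyword, _, params = line.partition(" ")
                if keyword.upper() == "STARTTLS":
                    result["starttls_offered"] = True
                elif keyword.upper() == "AUTH":
                    result["auth_mechanisms"] = params.upper().split()
    # telnet never encrypts: PLAIN and LOGIN only base64-encode the password.
    result["cleartext_password_risk"] = bool(
        {"PLAIN", "LOGIN"} & set(result["auth_mechanisms"]))
    for reply in replies:
        text = " ".join(reply.lines).upper()
        if reply.code == 530 and "STARTTLS" in text:
            result.update(cause="tls-required", solution=2)
        elif reply.code == 535:
            result.update(cause="bad-credentials", solution=3)
        elif reply.code >= 500:
            result.update(cause="rejected")
        else:
            continue
        break
    return result


# Constructed transcripts, as they would be pasted from a telnet window.
T_OK = """Trying 192.0.2.25...
220 mail.example.com ESMTP ready
EHLO oneview.example.com
250-mail.example.com
250-SIZE 35882577
250 HELP"""
T_DOWN = """Trying 192.0.2.25...
telnet: Unable to connect to remote host: Connection refused"""
T_TLS = """220 mail.example.com ESMTP
EHLO oneview.example.com
250-mail.example.com
250-STARTTLS
250 ENHANCEDSTATUSCODES
MAIL FROM:<oneview@example.com>
530 5.7.0 Must issue a STARTTLS command first"""
T_AUTH = """220 mail.example.com ESMTP
EHLO oneview.example.com
250-mail.example.com
250-AUTH PLAIN LOGIN
250 SIZE 35882577
AUTH LOGIN
334 VXNlcm5hbWU6
(base64 user name typed here)
334 UGFzc3dvcmQ6
(base64 password typed here)
535 5.7.8 Authentication credentials invalid"""

if __name__ == "__main__":
    for name, sample in [("ok", T_OK), ("down", T_DOWN), ("tls", T_TLS), ("auth", T_AUTH)]:
        print(name, classify(sample))
```

The `cleartext_password_risk` field is set when the server offers AUTH PLAIN or LOGIN on the unencrypted session: a password typed into telnet for the Solution 3 check is only base64-encoded on the wire.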
31.9 Troubleshooting enclosures and enclosure groups
• “Add or remove enclosure is unsuccessful” (page 387)
• “Migration is unsuccessful” (page 392)
• “Invalid OA certificate” (page 392)

31.9.1 Add or remove enclosure is unsuccessful

Symptom
Unable to add a c7000 enclosure

Cause / Action
If adding a c7000 enclosure is not successful, a notification panel provides the reason why and provides a solution to the problem. Often, the resolution is to click the add link embedded in the message; the add action rediscovers all components and updates its knowledge of the enclosure.

Enclosure is already being managed by some other management software and is claimed by that software.

1. If a first-time enclosure add does not succeed, verify that the enclosure prerequisites listed in the online help are met. Verify that the data you entered on the screen is correct, and try the action again.
2. Follow the guidance in the notification panel for the corrective action you need to take to successfully add the enclosure. Failures can occur during the add action if all information about an enclosure, its servers, or interconnect modules cannot be acquired. When this happens, an explanation of the problem and the component that caused the problem (the enclosure, a server, an interconnect) is provided in a notification panel.
3. To re-add an enclosure, click the add link in the notification message panel (if there is one), or start the add action again from the Add Enclosure screen, supplying the address and credentials for the enclosure's Onboard Administrator. To forcibly add the enclosure to the appliance, see the online help for enclosures.

Symptom
Unable to forcibly add a c7000 enclosure

Cause
You forcibly added a c7000 enclosure but received an error message. This happens in cases where there is a VCMode set and Virtual Connect (VC) is managing the enclosure.

Action
1. Manual clean-up of the configuration is needed. Investigate the following items:
   • The management URL might still point to the appliance. If so, it needs to be reset to point at the first interconnect in the enclosure. To fix this, use the following ssh commands to go into the Onboard Administrator (using administrator credentials) and change the management URL to point to the first active VC interconnect's IP address:
     clear vcmode
       Disassociates the enclosures from the appliance.
     restart interconnect N (where N is the bay number of a VC interconnect)
       Performing this step for every VC interconnect in the enclosure causes the interconnect to revert to a default configuration.
     restart oa N (where N is the bay number of the active Onboard Administrator)
       This causes the OA to obtain the management URL from the first VC interconnect.
2. After manual configuration, see the online help for adding enclosures.

Symptom
An existing enclosure is detected as being new after a midplane is replaced.

Cause
You replaced the enclosure midplane but did not follow the recommended procedure in the hardware documentation.

Action
Recommendation: Re-add the enclosure.

Symptom
Unable to remove a c7000 enclosure

Cause / Action
You might be unable to remove a c7000 enclosure for the following reasons:
• Lack of communication with the hardware during the remove action can prevent the appliance from being able to properly manage the interconnect, server hardware, and enclosure settings. To forcibly remove an enclosure from the appliance due to lack of communication, see the online help for enclosures.
• The enclosure is not removed from the appliance. This is typically a problem on the appliance itself, and the best resolution is to follow instructions in the notification panels.
• The enclosure is removed but due to a communication failure, the configuration requires manual intervention to correct.
If manual clean-up of the configuration is needed, investigate the following items:
• The management URL might still point to the appliance. If so, it needs to be reset to point at the first interconnect in the enclosure. To fix this, use the following ssh commands to go into the Onboard Administrator (using administrator credentials) and change the management URL to point to the first active VC interconnect's IP address:
  clear vcmode
    Disassociates the enclosures from the appliance.
  restart interconnect N (where N is the bay number of a VC interconnect)
    Performing this step for every VC interconnect in the enclosure causes the interconnect to revert to a default configuration.
  restart oa N (where N is the bay number of the active Onboard Administrator)
    This causes the OA to obtain the management URL from the first VC interconnect.
• The interconnects might still be claimed by the appliance. If this is the case, you have to remove the interconnects manually.

Symptom
Unable to unconfigure single sign-on (SSO) on the Onboard Administrator when adding or removing an enclosure

Cause / Action
Resolution: Remove all certificates and restart the OA (Onboard Administrator).
1. From the OA user interface, select Users/Authentication.
2. Select HPE SSO integration, in the right pane.
3. Verify that Settings, Trust mode is set to Trust by Certificate.
4. Select the Certification Information tab and remove all HPE SSO Certificates.
5. Reboot the OA.
6. Re-add the enclosure.

31.9.2 Unassigned server profile connections cannot be migrated

Symptom
The HPE OneView migration compatibility report shows a warning or blocking issue due to an unassigned server profile connection. How to resolve an unassigned server profile connection depends on the reason for the unassigned connection and the ramifications to the OS configuration if the connection is not migrated.
Review the following solutions to determine the cause of the issue and how to resolve it.

Resolve server profile connections associated with a specific adapter port

Cause
An unassigned server profile connection cannot be migrated. The connection was created in VCM to associate with a specific adapter port.

VCM associates Ethernet connections to server adapter ports with a round-robin algorithm. If a connection is needed to map to a mezzanine port instead of a LOM port, an unassigned connection is created in VCM to force the mapping. The first two connections are unassigned and the next two connections map to the mezzanine ports.

HPE OneView allows a server profile connection to be directly associated with a specific adapter port. During migration, HPE OneView maps the specific connections associated with the server in VCM to the specific adapter ports in HPE OneView. Because the unassigned connection is not migrated, the removal of the corresponding interface within the operating system might cause issues.

Action
In VCM, perform one of the following actions based on the type of connection.
• Fibre Channel — If an OS impact is not expected, proceed with the migration without the connection. If an OS impact is expected, resolve the issue after migration.
• FCoE — Assign a network with an uplink set containing an uplink port.
• FCoE FC SAN and native Fibre Channel — Assign a SAN fabric with an uplink port or proceed with the migration without the connection.
• iSCSI — Assign a network to the server profile connection or proceed with the migration without the connection.
• Ethernet — Do one or more of the following:
  ◦ If the downlink port status is irrelevant, assign an unused, private network to eliminate server-to-server traffic.
  ◦ If the downlink port must be disabled, associate a private network with an uplink set with an unused port. Enable Smart link on the network.
  ◦ If the connection is not necessary, delete the connection.
Assign a network for pre-allocated virtual MAC/WWNs

Cause
An unassigned server profile connection cannot be migrated. The connection was created in VCM as a placeholder for pre-allocation. Pre-allocation of virtual MAC/WWNs requires a network or fabric association with a profile connection.

Action
In VCM, perform one of the following actions based on the type of connection.
• FCoE — Assign a network with an uplink set containing an uplink port.
• FCoE FC SAN and native Fibre Channel — Assign a SAN fabric with an uplink port or proceed with the migration without the connection.
• iSCSI — Assign a network to the server profile connection or proceed with the migration without the connection.
• Ethernet — Do one or more of the following:
  ◦ If the downlink port status is irrelevant, assign an unused, private network to eliminate server-to-server traffic.
  ◦ If the downlink port must be disabled, associate a private network with an uplink set with an unused port. Enable Smart link on the network.
  ◦ If the connection is not necessary, delete the connection.

Plan for mitigation for place holders created for an absent interconnect

Cause
An unassigned server profile connection cannot be migrated. The connection was created in VCM as a redundant FC or FCoE connection between vertical interconnects.

If redundant FC or FCoE connections are created between vertical interconnects (for example, when using two adapters for redundancy) instead of horizontally-adjacent interconnects, VCM requires a connection placeholder for the adapter even though the adapter port is not associated with an interconnect. HPE OneView does not require a placeholder since connections can be directly associated with a specific adapter port.
For FC connections, the detection of a placeholder connection to an absent interconnect is a warning issue on the HPE OneView compatibility report, regardless of the server power status because the interface associated with the placeholder connection is present for the adapter port, even after server reboot. For FCoE connections, if the server power is on, the detection is a blocking issue on the compatibility report because the removal of the connection might result in the removal of the OS interface when the server is rebooted.

Action
• FC SAN — Proceed with the migration.
• FCoE and offline migration — Determine if there will be OS impact and plan for mitigation after the migration.
• FCoE and in-service migration — Power off the server and determine if there will be OS impact and plan for mitigation after the migration.

Remove FCoE, iSCSI, and FC connections created automatically by default

Cause
An unassigned server profile connection cannot be migrated. The connection was created in VCM because the VCM GUI automatically associates connections with FCoE, iSCSI, and FC interconnects.

Action
If they are not needed, delete the FCoE, iSCSI, and FC connections from the server profile.

More information
“About unassigned VCM server profile connections during migration” (page 227)
“About blocking issues during migration” (page 227)
“Migrate a c7000 enclosure currently managed by VCM” (page 233)

31.9.3 Migration is unsuccessful

Symptom
You see a message indicating HPE OneView is unable to migrate the VCM enclosure.

Cause
Failures can occur during the add action if all information about an enclosure, its servers, or interconnect modules cannot be acquired. When this happens, an explanation of the problem and the component that caused the problem (the enclosure, a server, an interconnect) is provided in the compatibility report.

Action
1. Review each issue listed in the compatibility report and perform the corrective action.
2. Retry the migration.
3. If the migration cannot be performed, revert back to Virtual Connect Manager by performing the following steps:
   a. Remove all server profiles that were created during the migration.
   b. Remove the enclosure from the appliance.
   c. From the OA UI, reset the lowest bay Virtual Connect interconnect.
   d. From the VC module, log in with the factory default credentials and then recover the VC configuration from the backup file.

Symptom
You see a message indicating the migration of the enclosure did not complete.

Cause
Migration has occurred but the migration task in HPE OneView does not show completed. This error can appear if an appliance restart occurred during the migration.

Action
1. View the migration tasks in the Activity view and follow any proposed resolutions.
2. If the problem persists, refresh the enclosure.
3. If the problem continues, reset the migrationsubstate by performing the following steps:
   a. Obtain the “auth:{token}”.
      GET /rest/login-sessions
   b. Enter the following command using the {AUTH} token obtained from step a. The -k option makes curl skip verification of the appliance's TLS certificate.
      curl -ik -X PATCH -H "Content-Type:application/json" -H "X-API-Version:300" -H "auth:${AUTH}" -d '{"op":"replace","path":"/migrationState","value":"NotApplicable"}

31.9.4 Invalid OA certificate

Symptom
Invalid certificate message is displayed

Cause
The OA single sign-on certificate can be corrupted when the OA firmware is downgraded to a lower version and then is upgraded to a higher version.

Action
Reset the OA:
1. From the OA UI, select security+HPESIM SSO.
2. Delete the corrupted certificate, which is shown in yellow.
3. To re-install the original certificate, refresh the enclosure.
31.10 Troubleshooting firmware bundles

31.10.1 Incorrect credentials

Symptom
The iLO user name or password is not valid

Cause
While attempting to update server firmware, the user name or password you supplied was not valid for an iLO management processor, or incorrect credentials were specified for a server.

Action
To resolve the issue, enter the correct credentials and add the enclosure again.

Symptom
Unable to get Onboard Administrator (OA) credentials

Cause
OA credentials are unavailable. While attempting to update firmware, the appliance was unable to get Onboard Administrator (OA) credentials for the enclosure.

Action
To resolve the issue, enter the correct credentials and add the enclosure again.

31.10.2 Lost iLO connectivity

Symptom
Connection error

Action
Recommendation
1. Reset the server to restore network connectivity to the server's management processor.
2. Update the firmware again.

31.10.3 SUM errors

Symptom
Unable to remove the firmware upgrade log files

Action
Recommendation
1. Restart the appliance.
2. Update the firmware again.

Symptom
Unable to initiate the firmware update request

Action
Update the firmware again.

31.10.4 Failed firmware update on enclosure add

NOTE: When adding an enclosure, the OA or iLO firmware might fail to update to the minimum version due to network or power outages, or other issues. The device is listed in an Unmanaged state.

Symptom
OA firmware failed to update

Action
Recommendation
1. From the main menu, select Enclosures.
2. In the master pane, select the unmanaged enclosure.
3. Select Actions→Update firmware.
4. Select an SPP for the Firmware baseline.
5. Select Enclosure for Update firmware for.
6. Click OK.
7. To verify that the activity is successful, check the activity for a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area.
Symptom
iLO firmware failed to update

Action
Recommendation
1. From the main menu, select Server Hardware.
2. In the master pane, select the unmanaged server hardware.
3. Select Actions→Update iLO firmware.
   NOTE: You will only see "Update iLO firmware" if the iLO firmware is below the minimum required and the server hardware is listed in an Unmanaged Unsupported Firmware state.
4. Click OK.
5. To verify that the activity is successful, check the activity for a green status in the Notifications area. If the activity is not successful, follow the instructions in the proposed resolution.

31.10.5 Failed firmware update on all devices in an enclosure

When attempting to update firmware on all devices in an enclosure, the update process may fail on some servers.

Symptom
Unable to get the results from HP SUM

Cause
TCP/IP Settings in the OA are not set to Auto-negotiate.

Action
1. In OA, select Enclosure Information→Enclosure Settings→Enclosure TCP/IP Settings.
2. Select the NIC Options tab.
3. Set the NIC Settings to Auto-negotiate.
4. In HPE OneView, retry the firmware update process.
   a. From the main menu, select Enclosures.
   b. In the master pane, select the enclosure.
   c. Select Actions→Update firmware.
   d. Select an SPP for the Firmware baseline.
   e. Select Enclosure + logical interconnect + server profiles for Update firmware for.
   f. Click OK.
   g. To verify that the activity is successful, check the activity for a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area.

31.11 Troubleshooting interconnects

31.11.1 Interconnect edit is unsuccessful

Symptom
A notification displays that modifying an interconnect was unsuccessful.

Cause
Interconnect edit is unsuccessful.

Action
1. Verify that the prerequisites listed in the online help are met.
2. Follow the instructions provided by any notification message.
NOTE: When the interconnect has been edited successfully, a notification will display in the banner at the top of the screen, and the desired port setting and port status will be displayed.

31.11.2 Interconnect modules are in an incorrect state

Symptom
Interconnect module is in an Inventory state.

Cause
The interconnect module is not part of a logical interconnect.

Action
To bring the interconnect module into a managed or monitored state:
1. Locate or create the logical interconnect group for the enclosure using the Logical Interconnect Groups screen.
2. From the main menu, select Enclosure Groups. Edit the enclosure group and add the logical interconnect group from step 1.
3. From the main menu, select Logical Enclosures and update the logical enclosure configuration from the enclosure group.

Symptom
Interconnect modules are in a Maintenance state.

Cause
There is an OA credential caching issue if interconnect modules report their state as Maintenance.

Action
If interconnect modules are in a Maintenance state, you have to re-add the enclosure.
1. From the main menu, select Enclosures→Add.
2. Provide the enclosure information (IP/FQDN, Administrator account and password), and click the Add button. This will initiate rediscovery of the enclosure and its components.

Symptom
Interconnect modules are in an Unmanaged state.

Solution 1

Cause
Interconnect bay has a mismatch with the expected type. The logical interconnect group is expecting a different interconnect than what is in the enclosure.

Action
1. Remove the unexpected interconnect from the enclosure.
2. Insert the expected interconnect into the enclosure.
3. Use the interconnect by updating the logical interconnect group.

Solution 2

Cause
Interconnect has firmware installed which is less than the minimum supported baseline version.
Action
• For a Virtual Connect Fibre Channel interconnect:
  ◦ The enclosure contains a Virtual Connect Fibre Channel interconnect with IPv6 addresses and the interconnect firmware version is less than 4.10, the minimum supported baseline version.
  ◦ The enclosure contains only a Virtual Connect Fibre Channel interconnect by itself or with other Virtual Connect Fibre Channel interconnects and the interconnect firmware version is less than 4.10, the minimum supported baseline version.

  Recommendation
  If the interconnect firmware version is at or above the minimum to import (v3.15), you can update to the supported version after adding the interconnect. If interconnect firmware is below version 3.15, then follow these steps:
  1. Remove the enclosure from the Enclosures screen.
  2. Update the interconnect firmware for Virtual Connect Fibre Channel interconnects as described in the online help.
  3. Add the enclosure on the Enclosures screen.
• For an interconnect that is not a Virtual Connect Fibre Channel, update the interconnect firmware for the logical interconnect as described in the online help.

See the HPE OneView Support Matrix for the complete list of supported firmware versions.

31.11.3 Replace a Virtual Connect interconnect in a managed enclosure

Symptom
Interconnect status is Missing or Incompatible.

Cause
Interconnect module was in use when it was removed from an enclosure. A Virtual Connect Fibre Channel module is in use if any of the following conditions exist:
• Interconnect module is in an interconnect bay using a Virtual Connect release earlier than the minimum supported version
• The networks associated with the uplink ports on the interconnect module are being used by a server profile

Action
If a Virtual Connect Fibre Channel module was in use and configured at the time it was physically removed, it must be replaced by a module of the same model and type.

Symptom
Interconnect failure

Cause
Interconnect failed and must be replaced.
Action
1. Unplug all interconnect cables and remove the interconnect from the enclosure.
2. Insert the replacement interconnect, and then re-plug in all interconnect cables.
3. Log into the appliance.
4. From the main menu, select Logical Interconnects, and then select the logical interconnect that contains the replaced interconnect.
5. From the view menu, select Activity. An activity for the added interconnect appears in the activity list.
   • If the interconnect firmware version is the same or greater than the supported minimum firmware version, the appliance automatically applies the logical interconnect group to the replaced interconnect and the interconnect is ready to use.
   • If the interconnect firmware is less than the supported minimum firmware baseline, an alert is generated and you must update the firmware as shown in step 6.
   NOTE: To view the installed firmware, select Firmware from the view selector.
6. Update the firmware on the interconnects. For Fibre Channel interconnects, see below. For FlexFabric interconnects, go to step 7.
   NOTE: Fibre Channel interconnects with a firmware version that is below the HPE OneView minimum version cannot be managed by HPE OneView. You must remove the enclosure to update or delete the firmware outside of HPE OneView. If the Fibre Channel interconnects are below the minimum version, remove the enclosure from HPE OneView and update the Fibre Channel interconnects to the minimum version. Alternatively, remove the interconnects from the HPE OneView managed enclosure and insert into an enclosure which is not managed by HPE OneView and update the firmware to the minimum version. The minimum version requirements are listed in the HPE OneView Support Matrix.
   a. Either remove the enclosure from HPE OneView or physically remove the Fibre Channel interconnects and place them into an enclosure that is not currently being managed by HPE OneView.
   b. Use the Onboard Administrator or the external DHCP server to assign an IPv4 address to the interconnect.
   c. Use HP SUM or the Virtual Connect Support Utility (VCSU) to update the firmware on the interconnect.
   d. Add the enclosure to HPE OneView or return the Fibre Channel interconnects to an HPE OneView-managed enclosure.
   e. Optional: If the Fibre Channel interconnects are intended to support an IPv6 address, use the Onboard Administrator or an external DHCP server to assign an IPv6 address to the interconnect.
7. See “Update a firmware bundle on managed devices” in the online help for firmware update information. Firmware update progress will be shown at the top of the Logical Interconnects screen. When the upgrade is finished, the appliance automatically applies the Logical interconnect group and the interconnect is ready to use.

31.12 Troubleshooting licenses

31.12.1 Restore a license key that has been erased from an enclosure Onboard Administrator

If you perform a factory reset on an enclosure, any license embedded on the Onboard Administrator (OA) is erased, and you must manually retrieve and re-add the license key.

NOTE: You need your entitlement certificate (physical or electronic document) to restore the license key.

Symptom
The license key embedded on the OA is not discovered when you add the enclosure.

Cause
The license key embedded on the OA has been erased.

Action
1. Go to the Hewlett Packard Enterprise Licensing for Software Portal at http://www.hpe.com/software/licensing-support to activate, register, and download your license key(s).
2. Add the keys to the appliance from the Settings screen.

31.12.2 The license assigned does not match the type specified

Symptom
Server hardware is assigned a license that is different from the one specified when it was added to the appliance.

Solution 1

Cause
The server hardware has an embedded license.
Action
Embedded licenses override the license policy or type specified when the enclosure or rack server was added. Server hardware with an existing, permanent iLO Advanced license will be assigned an HPE OneView Advanced w/o iLO license.

Solution 2

Cause
A server that was previously managed by the appliance has been added again.

Action
If a server was previously managed by the appliance and had an HPE OneView Advanced license applied, it will be assigned that same license when it is added, regardless of the license type specified.

31.12.3 Licensing numbers appear to be inaccurate

Symptom
Recently added or assigned licenses are not reported in the licensing graphs.

Cause
The license graphs are not up to date.

Action
• Refresh the Settings screen for the license graphs to display recent changes.

Symptom
The license graphs show a higher number of licensed server hardware than the current number of server hardware under management.

Cause
Server hardware that has been assigned an HPE OneView Advanced license has been removed from management. When server hardware that has been assigned an HPE OneView Advanced license is removed from management, the license remains assigned to it. This could cause the number of servers licensed to be higher than the number of licensed server hardware currently being managed.

Action
• Use the REST API to view the entire list of all servers assigned to licenses.

Symptom
Cannot find license count for HPE OneView Standard license.

Cause
The appliance does not display HPE OneView Standard license counts.

Action
To obtain a count of server hardware licensed with an HPE OneView Standard license:
1. From the Server Hardware screen, click in the Smart Search box and for Scope select Server Hardware.
2. In the Smart Search box, type state:Monitored and press Enter. The master pane will display all monitored server hardware. All monitored server hardware is assigned an HPE OneView Standard license.
31.12.4 Could not view license details

Symptom
License details are not available for the appliance.

Cause
There is no license assigned to the appliance.

Action
Required privileges: Infrastructure administrator
1. Log in as Infrastructure administrator.
2. Assign the license.
3. View the license details again.

Symptom
The filter criteria is blank or incorrect. The appliance could not return any results.

Cause
The filter criteria was not accurate and could not return any results.

Action
Required privileges: Infrastructure administrator
1. Log in as Infrastructure administrator.
2. Correct the filter criteria.
3. View the license details again.

31.12.5 Could not add license

Symptom
You are unable to add a license for the appliance.

Solution 1

Cause
License key is blank, incorrect, or invalid.

Action
1. Log in as Infrastructure administrator.
2. Verify the license key that you entered. Do not try to add a license key for a product that supports iLO to one that does not. Likewise, do not apply a license key for a product that does not support iLO to one that does.
3. Provide proper values and make sure that the license key format is valid.
4. Try again.
5. If the problem persists, contact your authorized support representative.

Solution 2

Cause
The license key expired.

Action
1. Log in as Infrastructure administrator.
2. Acquire a valid, current license key.
3. Try again with the new license key.

Solution 3

Cause
Invalid date and time setting for appliance. The license is not yet active. It is too early to add the license.

Action
1. Confirm the date and time setting of the appliance.
2. Inspect the date and time when the license becomes active.
3. If the problem persists, contact your authorized support representative.

31.12.6 Could not add license key

Symptom
You are unable to add a license key for the appliance.

Solution 1

Cause
The license key is blank, incorrect, or invalid.
Action
Required privileges: Infrastructure administrator
1. Log in as Infrastructure administrator.
2. Verify the license key that you entered. Do not try to add a license key for a product that supports iLO to one that does not. Likewise, do not apply a license key for a product that does not support iLO to one that does.
3. Provide proper values and make sure that the license key format is valid.
4. Try again.
5. If the problem persists, contact your authorized support representative.

Solution 2

Cause
License key has expired.

Action
1. Log in as Infrastructure administrator.
2. Acquire a valid, current license key.
3. Try again with the new license key.

Solution 3

Cause
Invalid date and time setting for appliance. The license is not yet active. It is too early to add the license.

Action
1. Confirm the date and time setting of the appliance.
2. Inspect the date and time when the license becomes active.
3. If the problem persists, contact your authorized support representative.

31.12.7 Could not apply license

Symptom
A license or license key could not be applied to an instance.

Solution 1

Cause
All the licenses in the license key are in use. The instance that you tried to license is recorded as unlicensed.

Action
1. Log in as Infrastructure administrator.
2. Acquire a new license key.
3. Try again with the new license key.

Solution 2

Cause
The license that you are trying to apply is already in use.

Action
1. If there are remaining unused licenses, try again with another license.
2. Otherwise, acquire a license key with unused licenses and try again with a license from the new license key.

Solution 3

Cause
The license was applied to an instance or a product that is already licensed.

Action
1. Verify the instance or product that you are trying to license.
2. If necessary, try again with the correct instance or product name.
31.13 Troubleshooting locale issues

Symptom
Messages returned from REST API calls specifying Chinese (zh) or Japanese (ja) in the Accept-Language header are not displayed correctly

Possible cause and recommendation
When using a Microsoft Windows Command Prompt window to invoke REST APIs (either directly or via scripts run in the Command Prompt window), messages returned from REST API calls specifying Chinese (zh) or Japanese (ja) in the Accept-Language header are not displayed correctly. HPE OneView returns messages using the UTF-8 encoding. This is not supported by current versions of the Command Prompt window.
1. When using a Command Prompt window, set the REST API accept-language header to a locale that is supported by Command Prompt such as en-us.
2. Redirect the output of the REST call to a text file and view the file using Windows tools such as Notepad, which supports UTF-8.
3. Use other third-party tools available for Windows that support UTF-8. For example, users have reported that the Cygwin environment for Windows supports UTF-8.

31.14 Troubleshooting logical interconnects

31.14.1 I/O bay occupancy errors

Symptom
Cause
Change in interconnect state

Action
Interconnect state errors can be caused by:
• Interconnect missing from an IO bay (Interconnect state is Absent)
• Unsupported interconnect model found in an IO bay (Interconnect state is Unsupported)
• Unable to manage interconnect in IO bay due to unsupported firmware (Interconnect state is Unmanaged)
• Mismatch between the interconnect type and the type specified by logical interconnect group
• Mismatch of horizontally adjacent interconnect modules

31.14.2 Uplink set warnings or errors

Symptom
Uplink set not operational

Cause
Uplink set not operational due to:
• One or more uplinks are not in operation due to a bad cable, no cable, lack of transceiver, or invalid transceiver
• No networks assigned
• DCBX information is missing for an FCoE network

Action
1. Verify that the following prerequisites are met:
   • At least one network is defined
   • You have Network administrator privileges or equivalent to manage networks.
   • DCBX information is required for FCoE networks
2. Verify that the data you entered on the Add Uplink Set screen is correct, and that the uplink set name is unique.
3. Retry the operation.

31.14.3 Physical interconnect warnings or errors

Symptom
Interconnect-level warnings or errors

Cause
Interconnect warnings or errors can be caused by:
• Downlink with a deployed connection is not operational
• Incorrect firmware version (different from firmware baseline version)
• Configuration error
• Hardware fault
• Lost communication
• Administratively disabled ports

Action

31.14.4 Firmware update errors

Symptom
Firmware update fail entries shown in the Activity log.

Cause
Interconnect firmware errors can be caused by:
• Restarting interconnect modules while a firmware update is in progress.
• Starting a firmware update while another firmware update is already in progress.
• An interconnect in the Logical Interconnect is not in a Configured state before starting the upgrade.
• HPE OneView cannot communicate with the Onboard Administrator for the enclosure.

Action
• Do not restart interconnect modules while a firmware update is in progress.
• Check the Activity Log for more information about the root cause.
  1. If staging firmware failed, check the Activity Log, correct the problem and restart the update.
  2. If activating firmware failed, check the Activity Log, and then manually activate the firmware. Then confirm the VC interconnect firmware versions in HPE OneView are the same versions shown in OA.
• Make sure that all interconnects in the Logical Interconnect are in the Configured state before starting the upgrade.
• If a firmware update persistently fails, see the online help to create a logical interconnect support dump file and contact your Hewlett Packard Enterprise support representative.
31.14.5 Pause flood condition detected on a Flex-10 physical port

Symptom
All Flex-10 logical ports associated with physical ports are disabled.

Cause
When pause flood protection is enabled, this feature detects pause flood conditions on server downlink ports and disables the port. The port remains disabled until an administrative action is taken.

Action
1. Resolve the issue with the NIC on the server causing the continuous pause generation. This might include updating the NIC firmware and device drivers. Rebooting the server might not clear the pause flood condition if the cause of the pause flood condition is in the NIC firmware. In this case, the server must be completely disconnected from the power source to reset the NIC firmware.
2. Re-enable the disabled ports by resetting the pause flood protection. You can reset pause flood protection from the Actions menu on the Interconnects screen.

31.15 Troubleshooting logical switches

31.15.1 Switch communications

Symptom
Unable to communicate with the switch

Cause
Incorrect switch type or invalid credentials

Action
Incorrect switch type
• Edit the logical switch group to specify the correct top-of-rack switch type and number of switches

Invalid credentials
The user name or password is not valid for the switch.
• Edit the logical switch and enter new credentials

31.16 Troubleshooting networks

31.16.1 Network create operation is unsuccessful

Symptom
Network creation is unsuccessful.

Cause
The network configuration is incorrect.

Action
1. Verify that:
   • The network name is unique. The VLAN ID is appended to the network name when creating multiple tagged networks using a bulk operation.
   • The number of networks does not exceed the maximum as indicated in the HPE OneView Support Matrix.
   • The number of private networks does not exceed the maximum as indicated in the HPE OneView Support Matrix.
2. Retry the create network operation.
31.17 Troubleshooting reports

31.17.1 Cannot view reports

Symptom
You cannot access any reports.

Cause
Improper authorization

Action
• Log out, then log in with a user role that allows you to review reports. For example:
  ◦ Infrastructure administrator
  ◦ Network administrator
  ◦ Server administrator
  ◦ Storage administrator
  ◦ Read only

31.18 Troubleshooting scopes

31.18.1 Cannot add scope

Symptom
Clicking Create or Create+ does not generate a scope.

Solution 1

Cause
The scope name was entered with invalid characters.

Action
Re-enter the scope name using only alphanumeric characters, the plus sign (+), and space characters for the scope name.

Solution 2

Cause
The name given for the scope is already in use.

Action
Supply a unique name for the scope.

31.18.2 Cannot edit or delete scope

Symptom
REST API call failed with Error 412, “Precondition Failed”.

Cause
The eTag passed in the “If-Match” request header does not match the current eTag of the scope being edited or deleted.

Action
Try the operation again with either a current eTag or the eTag set to “*”.

31.19 Troubleshooting server hardware

For information on specific server hardware issues, see the HPE OneView Release Notes.

31.19.1 Server add or remove is unsuccessful

If the add server action is not successful, a notification panel provides the reason why the action failed and provides a solution to the problem. Often, the resolution is to click the add link embedded in the message; the add action rediscovers all components and updates its knowledge of the server.

Symptom
Cannot add a server

Cause
Server is already being managed by some other management software and is claimed by that software.

Action
1. Follow the instructions in the notification panel. Failures can occur if all information about a server cannot be acquired. When this happens, an explanation of the problem and the component that caused the problem is provided in a notification panel.
2. To re-add a server, click the add retry or the refresh link in the notification message panel (if there is one), or start the add action again from the Add Server screen.

NOTE:
• If the server is in an unmanaged state and is claimed, the resolution is to refresh. If the server is not claimed, the resolution is to add.

Symptom
Add server failed

Solution 1

Cause
A server previously associated with this profile is re-inserted in a different place (different bay or enclosure).

Action
• The edit link within the expanded message causes the new server location to be pre-populated in the edit profile dialog box location field when it is displayed.

Same server, different bay
1. Manually move the server profile to a server in a different bay using the Edit Server Profile screen. If you come to this screen via the edit link in the error message, it is automatically populated for the server hardware value, with the appropriate change indications at the bottom of the dialog box. See “About moving a server profile” (page 168) for more information.
2. Click OK.

Solution 2

Cause
Different server, same bay

Action
Server profiles are associated by UUID to a specific server. If the wrong server is inserted in the bay, a message is displayed. The Server Hardware hyperlink points to the new server’s Server Hardware screen. Connections will still show a disabled status. The Server Hardware screen appears normal because it does not recognize it was ever associated with a server profile. See “About editing a server profile” (page 167) and “About migrating server profiles” (page 169) for more information.

Solution 3

Cause
A server does not have a valid serial number and product ID.

Action
When replacing the system board, set the serial number and product ID using the Advanced Options in the HPE ROM-Based Setup Utility (RBSU) before inserting the server into the bay.
Symptom
Cannot remove a server

Cause
Lack of connectivity with the server hardware can prevent the remove action from being successful.

Action
The server is not removed from the appliance. The likely cause is an internal problem on the appliance and the best resolution is to follow the instructions in the notification panel.

The server is removed but due to communication failure, the configuration requires manual intervention to correct. In the case where manual configuration is needed, investigate the following:
• The management URL might still point to the appliance; leave it alone. To manually clean up after removal, use the Force option to add the server back under a new appliance manager.
• Remove the _HPEOneViewAdmin administrative user from the list of iLO users through the iLO.
• Remove the SNMP trap destination, which is the IP address of the appliance, from the list of trap targets.
• Navigate to the HPE OneView page in the iLO web interface, and then click the Delete button in the Delete this remote manager configuration from this iLO dialog.

31.19.2 Cannot control power on server

Server hardware power control depends on both the HPE Integrated Lights-Out (iLO) on the target server hardware, and in the case of ProLiant servers, the Onboard Administrator module in the host enclosure. If you have difficulty with server power control, examine recent configuration and security changes which might affect this feature. Often the iLO event log can be a useful starting point to see these changes.

Another area to examine for ProLiant servers is the power management policies of the enclosure. Verify the Onboard Administrator to ensure sufficient power is available and the power operations policy is appropriate.

Hardware could have failed as well. Use the Integrated Management Log (IML) on the iLO for Power On Self Test (POST) errors to determine if a hardware failure has occurred.
If a power on or power off action fails, follow the instructions in the notification message.

31.19.3 Lost connectivity to server hardware after appliance restarts

When the appliance restarts after a crash, the server inventory is evaluated for any long-running activity that failed, such as applying server profile settings, that might have been in progress when the crash occurred. You can recover by performing the same action again, such as reapplying the server profile settings.

The appliance resynchronizes the servers. During resynchronization, each server hardware enters the resyncPending state. A full resynchronization of individual server hardware includes rediscovering the server hardware, verifying the server hardware power state and updating the resource state accordingly, and updating the health status. The appliance creates a task queue for each task during a resynchronization operation.

31.19.4 Replace a server with an assigned server profile

Symptom
Server Hardware failure

Cause
Server hardware failed and must be replaced.

Action
1. Gracefully shut down the server hardware.
2. Remove the original server and install the replacement server.
3. If the server hardware type of the replacement server matches the server hardware type of the original server then:
   a. If the Affinity defined in the profile is set to Device bay, the server profile will be automatically re-assigned to the new server. Proceed to step 5.
   b. If the Affinity is set to Device bay + server hardware, the server profile must be edited and re-saved to allow the appliance to reconfigure the profile for the new server. No changes to the server profile are required. Proceed to step 5.
4. If the server hardware type of the replacement server does not match the server hardware type of the original server a new profile must be created that matches the server hardware type of the replacement server. The original profile assigned to the server must be unassigned or deleted and the new profile assigned to the replacement server. Or, the server hardware type must be updated to match the inserted hardware.
5. If the iLO firmware version is greater than or equal to the minimum required firmware version, proceed to Step 6. The minimum iLO firmware version is available in the HPE OneView Support Matrix. If the replacement server has an iLO firmware version less than the minimum required firmware version, an alert on the Server Hardware screen is displayed and the server status is Unmanaged/Unsupported Firmware.
   a. Select Actions→Update iLO firmware.
   b. Click OK.
6. If the iLO firmware version is different from the baseline and the server profile is assigned to a Gen8 server or later, the iLO server firmware can be updated automatically with the re-assignment of the server profile.
   a. From the main menu, select Server Profiles, and then select the server profile to edit.
   b. Select Actions→Edit. If needed, select the proper server hardware.
   c. To manage the firmware update manually, from the Firmware baseline list, select managed manually.
   d. To automatically update the firmware, select the appropriate firmware baseline. To force install the firmware, select Force installation.
   e. Click OK.

If the firmware version is different from the baseline and the server profile is assigned to a G7 server, you must update the firmware outside of the appliance.

31.19.5 Replace a server adapter on server hardware with an assigned server profile

IMPORTANT: The replacement adapter must match the old adapter. If the replacement adapter does not match the old adapter, the server hardware type will change. If a server profile was assigned to that server hardware, a new server profile must be created to support the changed server hardware type.

Symptom
Server adapter failure

Cause
Server adapter failed and must be replaced.

Action
1. Gracefully shut down the server.
2. Replace the adapter on the server.
3. If the corresponding server profile is configured with virtual identifiers (MAC & WWN addresses) proceed to step 4. If the profile is configured with physical identifiers (MAC & WWN), consider the following:
   a. Due to change in the identifiers, any Ethernet network configurations may be lost on the OS and may require a reconfiguration.
   b. The server host WWN may need to be updated in your storage network zone and on the storage array.
4. Check the firmware version of the new adapter.
   a. From the main menu, select Server Hardware or Server Profiles, and then select the server hardware or server profile that contains the replaced adapter.
   b. From the Server Hardware screen or Server Profile screen, select Actions→Launch console. The iLO Remote Console is launched.
   c. Power on the server and check the firmware version of the new adapter during boot.
   NOTE: To check that the firmware version matches your firmware baseline, from the main menu, select Firmware Bundles, and select your firmware baseline. Scroll through the list of firmware to find what is offered in your baseline and compare it to your adapter firmware.
5. If the firmware version is different from the baseline and the server profile is assigned to a Gen8 server or later, the server firmware can be updated automatically with the re-assignment of the server profile.
   a. From the main menu, select Server Profiles, and then select the server profile to edit.
   b. Select Actions→Edit. If needed, select the proper server hardware.
   c. To manage the firmware update manually, from the Firmware baseline list, select managed manually.
   d. To automatically update the firmware, select the appropriate firmware baseline. To force install all of the firmware, even if it is the same or newer, select Force installation.
   e. Click OK.
NOTE: If the firmware version is different from the baseline and the server profile is assigned to a G7 server, you must update the firmware outside of the appliance.

31.20 Troubleshooting server profiles

31.20.1 Server profile is not created or updated correctly

When a server profile is not created or updated correctly, a notification appears at the top of the screen stating the profile operation was not successful; click the notification area to show more details. Also, the status icon next to the server profile name indicates it is in an Error condition. The profile remains on the appliance, but you must edit the profile to correct it. When you correct the server profile, the profile status changes to OK.

Symptom
Cause
Server profile is not created or updated correctly.

Action
Verify the following conditions:
1. Verify that the prerequisites listed in the online help have been met.
2. Verify that the following conditions are TRUE:
   • The latest SPP is installed and applied
   • A profile name has been entered and is unique
   • The selected server hardware is powered off
   • The server hardware is in the No Profile Applied state, has the correct firmware, the ports are mapped to the correct interconnect, and the device bay has no profile assigned to it
   • The server hardware is able to power cycle, and a user did not shut down the server hardware while the profile settings were being applied
   • You applied the correct iLO and system ROM firmware levels
   • You are using supported server hardware
   • The iLO has an IP address and network connectivity
   • Communication exists with the server hardware iLO, including but not limited to whether the iLO is functioning, network cabling is connected and functional, and there are no problems with switches or interconnects in the management network
   • The appliance and managed resources are not separated by a firewall
   • The add enclosure operation successfully completed.
   • The OA has network connectivity
   • The add server hardware operation successfully completed.
   • The specified network or network set is available on the server hardware port.
   • The interconnects are in the Configured state, and have the correct firmware.
   • The logical interconnect configuration matches its logical interconnect group.
   • There are no duplicate networks on a physical port.
   • If multiple adapters are installed, all adapters must have the same firmware version.
   • User-specified addresses are unique and have correct format
3. When the issues have been addressed, either edit the profile or delete the profile and create another profile.

If the server profile has duplicate networks on the same physical port:
• Change the connection to a different port
• Change the connection to use a different VLAN

Symptom
Cannot find a network when adding a connection

Cause

Action
Verify that the following condition is true:
• The logical interconnect group is set up with the networks configured into uplink sets.

Symptom
Cannot add a connection from the profile

Cause

Action
Verify that the following conditions are true:
• The interconnects in the logical interconnect group are in the Configured state and have the correct firmware.
• The servers are in the No Profile Applied state, have the correct firmware, and the ports are mapped to the correct interconnect.

Symptom
A profile operation timeout when applying BIOS settings.

Cause
The server hardware or its iLO are powered-off/reset or the appliance cannot collect progress information from the iLO.

Action
• In most cases, retrying the operation resolves the problem.

Symptom
Auto-assignment for FlexNIC fails while assigning or deploying connections.
Cause
Invalid configuration
• Auto-assignment for FlexNIC connections does not validate the following:
  ◦ Bandwidth oversubscription on the physical port
  ◦ Maximum networks (VLANs) on the physical port
  ◦ Duplicate networks (VLANs) on the physical port

Action
• Manual assignment is required.

31.20.2 Cannot apply the server profile

Symptom
Cannot apply the server profile

Cause

Action
If you received an error that Intelligent Provisioning failed to boot in the required period of time, perform these steps:
1. Attempt to boot into Intelligent Provisioning manually on the affected system by pressing F10 during POST. If manually booting to Intelligent Provisioning works, then retry the operation from HPE OneView.
2. If manual booting still fails, reboot the iLO and then retry step 1.
3. If the previous steps fail and the server is a BL465c with an active Smart Array Controller, disable the IOMMU on the server temporarily using RBSU.
   a. During system boot, press F9 to enter the RBSU.
   b. Select System Options.
   c. Select Processor Options.
   d. Select AMD-Vi (IOMMU).
   e. Select Disabled.
   f. Save and exit RBSU.
4. If booting still fails, install the latest version of Intelligent Provisioning found at http://hpe.com/info/intelligentprovisioning.

Symptom
Cannot verify the status of the server hardware

Cause

Action
To verify the operational status of the server hardware:
1. Click Cancel to exit from the Create Server Profile screen.
2. From the main menu, navigate to the Server Hardware screen.
3. Find, and then select the server hardware.

31.20.3 Profile operations are not successful

Symptom
Message indicates that the server is managed by another management system

Cause
The enclosure is no longer managed by HPE OneView.

Action
To prevent losing all allocated virtual IDs, perform the following steps before forcibly deleting the server profile.
1. Use REST APIs or PowerShell to get the server profile.
   GET /rest/server-profiles
2. Force delete the profile using the UI or REST APIs.
3. Recreate the IDs using the User Specified option in the UI, or use REST APIs to create the server profile:
   a. Get the server profile.
      GET /rest/server-profiles
   b. Edit the server profile.
      1) Remove uri, serverHardwareTypeUri, enclosureGroupUri, enclosureUri, and enclosureBay.
      2) Change the serverHardwareUri value to the server the profile is going to be associated to.
      3) Change serialNumberType from Virtual to UserDefined.
      4) In the connections property, change macType from Virtual to UserDefined.
      5) In the connections property, change wwpnType from Virtual to UserDefined.
      6) In the connections property, if applicable change networkUri with the correct networks.
   c. Create the server profile.
      POST /rest/server-profiles

31.20.4 Cannot update or delete profile

Symptom
Unable to update profile: MyProfile or make additional firmware changes

Cause
A firmware update is in progress.

Action
• Wait until the firmware install is complete.

Solution 1

Symptom
Unable to delete profile: MyProfile or cannot make additional firmware changes

Cause
A firmware update is in progress.

Action
Do one of the following:
1. Wait until the firmware installation is complete. It is highly recommended that you do not abort before the installation is completed.
2. Select the Force delete option.

Solution 2

Cause
Server is not powered off.

Action
To delete a profile:
• Power off the server.

NOTE: Momentary press is allowed at all times but Press and Hold is restricted as it might send the server to an inconsistent state.

Symptom
Unable to power off server profile

Cause
Press and hold operation is denied.

Action
Do one of the following:
• Momentarily press the power button and SUT will ensure none of the hardware goes to an inconsistent state.
• Try the Press and hold power operation after SUT has moved to a terminal state.
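The profile edit in step 3b of 31.20.3 above, written out as an added example (it is not code from the HPE guide). It operates on the JSON saved from GET /rest/server-profiles before the force delete; the value fields serialNumber, mac and wwpn, the helper names, and the sample profile are assumptions constructed for illustration.

```python
import copy
import json

# Keys that step 3b(1) says to remove before the profile is re-created.
REMOVED_KEYS = ("uri", "serverHardwareTypeUri", "enclosureGroupUri",
                "enclosureUri", "enclosureBay")

# Type field -> field assumed to hold the allocated ID (assumed names).
ID_FIELDS = {"macType": "mac", "wwpnType": "wwpn"}

# Constructed sample of one saved profile; every value here is made up.
SAMPLE_PROFILE = json.loads("""
{
  "name": "MyProfile",
  "uri": "/rest/server-profiles/EXAMPLE-OLD",
  "serverHardwareUri": "/rest/server-hardware/EXAMPLE-OLD",
  "serverHardwareTypeUri": "/rest/server-hardware-types/EXAMPLE",
  "enclosureGroupUri": "/rest/enclosure-groups/EXAMPLE",
  "enclosureUri": "/rest/enclosures/EXAMPLE",
  "enclosureBay": 3,
  "serialNumberType": "Virtual",
  "serialNumber": "EXAMPLE0001",
  "connections": [
    {"id": 1, "networkUri": "/rest/ethernet-networks/OLD-A",
     "macType": "Virtual", "mac": "02:00:00:00:00:01"},
    {"id": 2, "networkUri": "/rest/fcoe-networks/OLD-B",
     "macType": "Virtual", "mac": "02:00:00:00:00:02",
     "wwpnType": "Virtual", "wwpn": "10:00:02:00:00:00:00:02"},
    {"id": 3, "networkUri": "/rest/ethernet-networks/OLD-A",
     "macType": "Physical", "mac": "02:00:00:00:00:03"}
  ]
}
""")


def rebuild_profile(profile, new_server_hardware_uri, network_map=None):
    """Return a copy of a saved profile edited per steps 3b(1) to 3b(6).

    network_map is an optional {old networkUri: new networkUri} dict for
    step 6; connections whose network is not in the map are left alone.
    """
    network_map = network_map or {}
    body = copy.deepcopy(profile)          # keep the saved copy untouched

    for key in REMOVED_KEYS:               # step 1
        body.pop(key, None)
    body["serverHardwareUri"] = new_server_hardware_uri   # step 2

    if body.get("serialNumberType") == "Virtual":         # step 3
        body["serialNumberType"] = "UserDefined"

    for conn in body.get("connections") or []:
        for type_key in ID_FIELDS:                        # steps 4 and 5
            # Only Virtual is changed; Physical or absent stays as it is.
            if conn.get(type_key) == "Virtual":
                conn[type_key] = "UserDefined"
        old_network = conn.get("networkUri")              # step 6
        if old_network in network_map:
            conn["networkUri"] = network_map[old_network]
    return body


def missing_ids(body):
    """List UserDefined identifiers that have no value to carry over.

    A UserDefined type with an empty value means the saved copy did not
    contain the allocated ID, so the re-created profile would not keep it.
    """
    problems = []
    if body.get("serialNumberType") == "UserDefined" and not body.get("serialNumber"):
        problems.append("serialNumber")
    for index, conn in enumerate(body.get("connections") or []):
        for type_key, value_key in ID_FIELDS.items():
            if conn.get(type_key) == "UserDefined" and not conn.get(value_key):
                problems.append("connections[%d].%s" % (index, value_key))
    return problems


if __name__ == "__main__":
    new_body = rebuild_profile(
        SAMPLE_PROFILE,
        "/rest/server-hardware/EXAMPLE-NEW",
        {"/rest/ethernet-networks/OLD-A": "/rest/ethernet-networks/NEW-A"},
    )
    print(json.dumps(new_body, indent=2))
    print("missing IDs:", missing_ids(new_body))
```

Run missing_ids on the rebuilt body before the force delete in step 2, while the original profile can still be fetched again.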
NOTE:
• The Press and hold power operation is not allowed while HPE Smart Update Tools is updating firmware or drivers.
• It is highly recommended that you wait until the firmware installation is complete and that you do not abort the process.

Symptom
Cannot complete firmware installation

Cause
The firmware on {server} does not match the firmware baseline.

Action
• If you selected to update firmware using HPE SUT, you need to install HPE SUT to complete the firmware and driver update.

31.20.5 Inconsistent firmware versions

Symptom
Firmware installation not complete or does not match baseline.

Cause
Firmware does not match firmware baseline.

Action
Do one of the following:
• Install and run Smart Update Tools.
• Edit the server profile to use the “Firmware only” option for firmware baseline installation.

Symptom
Unable to update firmware

Solution 1

Cause
Baseline not supported with Smart Update Tools.

Action
Do one of the following:
• Select a baseline that has HP SUM 7.4 or above and iLO firmware version 2.30 or above. For information about HP SUM, see the HP SUM Best Practices Implementation Guide at: www.hpe.com/info/hpsum/documentation.
• Edit the affected server profiles to use Firmware only.

Solution 2

Cause
Server does not have required license for virtual media.

Action
Apply an iLO Advanced license on the server or apply an iLO hotfix for 2.30.

Symptom
Servers powered on, but not configured for SUT.

Cause
Servers are powered on but their server profiles are not configured to use Smart Update Tools.

Action
Edit the affected server profiles and select a firmware update option that uses Smart Update Tools.

NOTE: This symptom can also appear when attempting Logical Enclosure shared infrastructure and server profile firmware update.

Symptom
Any failure to update firmware and OS drivers.

Cause
Some components did not deploy.

Action
1. 2.
If a few components fail to deploy, log in to the target server OS and run gatherlogs bat/sh (use either bat or sh based on whether the OS is Windows or Linux, respectively). gatherlogs is located in the target server staging directory. To identify the staging directory, use the hpesut—status command from the staging directory and send the report to HPE for troubleshooting. See the Smart Update Tools User Guide at: http://www.hpe.com/info/hpsut/docs.

31.21 Troubleshooting storage

31.21.1 Brocade Network Advisor (BNA) SAN manager fails to add

Symptom
Adding the SAN manager fails with the error “No SAN manager can be found at the specified location.”

Solution 1

Cause
The BNA or the Standalone SMI Agent is not installed on a server

Action
• See the BNA software documentation.

Solution 2

Cause
A BNA administrator account with full access is not configured and available for use by the appliance.

Action
• See the BNA software documentation.

Solution 3

Cause
The Common Information Model Object Manager (CIMOM) is not installed and configured on the server.

Action
• See the BNA software documentation.

Solution 4

Cause
The BNA SSL setting and the SSL setting for the BNA on the appliance do not match.

Action
1. 2. 3. 4. Use the BNA software to verify whether or not SSL is enabled. See the BNA software documentation for more information. From the SAN Managers screen, verify that the Use SSL setting on the appliance for BNA matches the SSL setting in the BNA software. If the SSL setting does not match:
a. From the main menu, select SAN Managers, and do one of the following:
   • In the master pane, select the BNA and select Actions→Edit.
   • Hover your pointer device in the details pane and click the Edit icon.
For Use SSL, change the value so that it matches the SSL setting in the BNA software. Click OK to save your changes.
31.21.2 Unable to establish connection with Brocade Network Advisor (BNA) SAN manager

Symptom
Unable to establish a connection with the SAN manager

Possible cause and recommendation
The CIMOM is not bound to the NIC that is on the same subnet as the appliance
Binding the CIMOM to an NIC on the same subnet as the appliance is required for the appliance to connect and communicate with the BNA network management software.
• See the BNA software documentation.

31.21.3 Volume not available to server hardware

Symptom
Volume not accessible on the server.

Solution 1

Cause
A possible cause of a volume not being accessible on the server is that the SAN zone is improperly configured or missing.

Action
The following are recommended solutions:

Re-enable the attachment (Managed SAN case)
1. From the main menu, select Server Profiles.
2. In the master pane, select a server profile and select Actions→Edit.
3. Under SAN Storage locate the volume attachment and select Enable.
4. Click OK.

Create or configure the zone using the SAN management software (no managed SAN)
• See the SAN manager documentation.

Using managed SANs
1. Verify that the SAN manager and SAN is associated with the network.
2. Verify that Automate zoning is enabled.

Automated zoning is not enabled on the SAN
Verify that the zone has been manually configured.
1. See the SAN manager documentation.

Cause
A possible cause of a volume not being accessible on the server is that the Server initiators are not logged into the fabric because the interconnect port is disabled.

Action
The following are recommended solutions:

Enable the interconnect port on the appliance
1. From the main menu, select Interconnects.
2. In the master pane, select an interconnect and select Actions→Edit.
3. Locate the port you want to enable and select Enable.
4. Click OK.

You can also use the REST API to complete this task.
REST API: /rest/interconnects/{id}/ports
See the HPE OneView REST API Reference for more information.

Re-configure the logical interconnect group
1. From the main menu, select Logical Interconnect Groups.
2. In the master pane, select a logical interconnect group and select Actions→Edit.
3. Edit the uplink sets to connect the networks with the desired interconnect ports.
4. Click OK.
5. Verify that the logical interconnect group link comes online.
6. From the main menu, select Logical Interconnects.
7. In the master pane, select a logical interconnect and select Actions→Update from group.
You can also use the REST API to complete this task.
REST API: /rest/logical-interconnect-groups/{id} and /rest/logical-interconnects/{id}/compliance
See the HPE OneView REST API Reference for more information.

Verify the cabling
1. Verify the physical cabling is configured as intended.

Solution 2
Cause
A possible cause of a volume not being accessible on the server is that the connection has not been defined in the server profile.
Action
Add a connection to a network in the server profile
1. From the main menu, select Server Profiles.
2. In the master pane, select a server profile and select Actions→Edit.
3. Under Connections click Add Connection.
4. For Device type select Fibre Channel over Ethernet.
5. For Network select a network that is connected to the storage system and click Add.
6. Click OK.

31.21.4 Volume is visible from the storage system but not visible on the appliance

Symptom: Volume is not in a normal state
Possible cause and recommendation: A possible cause of a volume not being visible on the appliance is that the volume has been moved to a storage pool that is not managed by the appliance.

Move the volume to a pool that is managed by the appliance and refresh the volume using the storage system software
• See the storage system documentation.

Bring the storage pool in which the volume resides under management of the appliance
NOTE: If the volume was moved by Adaptive Optimization, Hewlett Packard Enterprise recommends bringing all pools that Adaptive Optimization might use under management of the appliance. This will ensure that the volume is still available to the appliance if it is moved by Adaptive Optimization.
1. From the main menu, select Storage Pools, and do one of the following:
   • Click + Add storage pool in the master pane.
   • Select Actions→Add.
2. For Storage System, select the storage system that contains the storage pools you want to add.
3. For Storage Pool, select the storage pool you want to add.
4. Click Add to add the storage pool, or click Add + to add another pool.
You can also use the REST API to complete this task.
REST API: /rest/storage-pools
See the HPE OneView REST API Reference for more information.

31.21.5 Target port failure

Symptom
Target port is in a failure state.

Solution 1
Cause
The target port failure occurs because the Actual and Expected networks are mismatched. The expected network needs to be updated on the appliance.
Action
To update the expected network on the appliance
1. From the main menu, select Storage Systems.
2. In the master pane, select the storage system and select Actions→Edit.
3. For the port, change the Expected Network so that it matches the Actual Network.
4. Click OK.
You can also use the REST API to complete this task.
REST API: /rest/storage-systems/{id}
See the HPE OneView REST API Reference for more information.

Solution 2
Cause
The physical cabling is improperly configured (Fabric attach).
Action
• Verify that the cabling between the storage system and the SAN switch is properly configured.

Solution 3
Cause
Port failed on device.
Action
• Examine your storage system hardware. Repair as necessary.

Solution 4
Cause
The enclosure that is physically connected to the storage system has not been added to the appliance (Direct attach).
Action
• Use the Enclosures screen to add the enclosure to the appliance.
You can also use the REST API to complete this task.
REST API: /rest/enclosures
See the HPE OneView REST API Reference for more information.

Solution 5
Cause
The physical cabling is improperly configured (Direct attach).
Action
• Verify that the cabling between the storage system and the enclosure interconnects is properly configured.

31.21.6 Zone operations fail on Cisco SAN manager

Symptom
Zone operations on Cisco SAN manager fail.
Cause
The snmpd service has crashed.
View the SAN manager log from the SAN manager software to verify that the snmpd service has crashed. One cause of the snmpd service crashing is out-of-date firmware on the SAN manager.
Action
Update the firmware on the SAN manager to the latest version
1. Follow the manufacturer’s instructions for updating the firmware on the SAN manager.
2. Re-try the zone operation on the appliance.

31.21.7 Storage system port is in an undesired state

Storage system port is in a failing over state
Cause
The port is offline and is in the process of failing over to the partner port.
Action
Wait for the state to change.

Storage system port is in a failed over state
Cause
The port is offline and has failed over to the partner port.
Action
Resolve the issue with the port on the storage system. Verify connectivity to the infrastructure.

Storage system port is in a failed state
Cause
The port is offline and cannot fail over to the partner port.
Action
Verify the status and configuration of both storage ports. Verify cabling or other infrastructure issues.

Storage system port is in a recovering state
Cause
The port is online and in the process of returning to a normal state.
Action
Wait for the state to change.

Storage system port is in a partner port failed over state
Cause
The partner port has failed over and the port is the partner port traffic.
Action
Resolve the issue with the partner port on the storage system. Verify port connectivity to the infrastructure.

Storage system port is in a partner failed state
Cause
The partner port has failed and the fail over operation was not successful.
Action
Verify the status and configuration of both storage ports. Check for cabling or other infrastructure issues.

31.22 Troubleshooting user accounts

31.22.1 Incorrect privileges

Users must have view privileges (at minimum) on a managed object to see that object in the user interface.

Symptom
Unable to see specific resource information or perform a resource task
Cause
Your assigned role does not have the correct privileges.
Action
Request a different role or an additional role from the Infrastructure administrator in order to do your work.

31.22.2 Cannot modify local user account

Symptom
You cannot add, edit, or delete a local user account.

Improper authorization
Cause
You do not have proper authorization or you entered invalid parameters.
Action
1. Log in to the appliance as the Infrastructure administrator.
2. Try to add, edit, or delete the user account again.

Network issues
Action
1. Log in to the appliance as the Infrastructure administrator.
2. See “Appliance cannot access the network” (page 379)
3. Try to add, edit, or delete the user account again.

Appliance certificate needs to be updated
Cause
The appliance certificate is invalid or it has expired.
Action
1. Log in to the appliance as the Infrastructure administrator.
2. Acquire a new appliance certificate.
3. Refresh the browser page.
4. Accept the new certificate.
5. Add the user account.
6. Try to add, edit, or delete the user account again.

31.22.3 Cannot delete local user account

Symptom
The deletion fails with error code 500.
Action
1. Perform the following REST API call to modify the user account to be deleted:
   PUT https://{appl}/rest/users
2. Try to delete the user account again.

31.22.4 Unauthenticated user or group

Each user is authenticated on login to the appliance by the authentication service that confirms the user name and password. The Edit Authentication screen enables you to configure authentication settings on the appliance; the default values are initially populated during first time setup of the appliance.

Symptom
Unable to configure a directory user or group
Cause
Authentication settings incorrect
Action
To configure authentication settings:
1. From the Users screen, click Add Directory User or Group.
2. Click add a directory.
3. From the Edit Authentication screen, click Add directory.
4. Provide the requested information.
5. Click OK.

31.22.5 User public key is not accepted

Symptom
User public key does not work or is not accepted.
Cause
Hidden characters introduced during a copy/paste operation change the key code.
Action
• Enter the key again, taking care to prevent special characters from being injected into the key when pasting it into the public key field.
• Only RSA keys are supported.

31.22.6 Directory service not available

Symptom
The directory service could not be accessed by the appliance.

Solution 1
The server for the directory service cannot be accessed.
Cause
Either the server for the directory service or the network is down.
Action
1. Run the ping command on the directory server IP address or host name to determine if it is online.
2. Verify that the appliance network is operating correctly.
3. Contact the directory service administrator to determine if the server is down.

Solution 2
Cause
Configuration errors prevent the directory service from being reached
Action
1. Verify that the name of the directory service is unique and entered correctly. Duplicate names are not accepted.
2. Verify that the Directory type is correct.
3. Ensure that the Base DN fields and, for OpenLDAP, the User naming attribute field, and Organizational unit fields are correct.
4. Verify that the credentials of the authentication directory service administrator are correct.
5. Verify that the group is configured in the directory service.
6. Ensure that the role assigned to the group is correct.

31.22.7 Cannot add directory service

Symptom
You cannot add a directory service to the appliance.

Solution 1
Cause
An external problem disconnected the directory server host.
Action
1. Log in as the Infrastructure administrator
2. Verify that the settings for the directory service host are accurate.
3. Locally run the ping command on the directory server’s IP address or host name to determine if it is on-line.
4. Verify that the port for LDAP communication with the directory service is port 636.
5. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See “Ports required for HPE OneView” (page 76).
6. Verify that the appliance network is operating correctly.
7. Determine that the appliance is functioning properly and that there are enough resources.

Solution 2
Cause
The directory server host is refusing to authenticate the appliance because the certificate has expired.
Action
1. Log in as the Infrastructure administrator
2. Verify the login name and password are accurate. Contact the directory service provider to ensure that the credentials are accurate.
3. Reacquire and install the directory service host certificate.

Solution 3
Cause
The certificate is not in valid x509 format.
Action
1. Log in as the Infrastructure administrator
2. Correct the configuration and try again.
3. Re-acquire and install the directory service host certificate, if necessary.
4. Contact the directory service provider to ensure that the credentials are accurate.

Solution 4
Cause
The certificate does not contain the x509v3 key usage extension.
Action
1. Log in as the Infrastructure administrator
2. Ensure that the certificate contains the key usage extension.
3. Re-acquire and install the directory service host certificate, if necessary.

Solution 5
Cause
The directory server host cannot authenticate the appliance because the credentials are invalid.
Action
1. Log in as the Infrastructure administrator
2. Verify the login name and password are accurate.
3. Verify the search context information is accurate; you might be trying to access a different account or group.
4. Re-acquire and install the directory service host certificate.
5. Contact the directory service provider to ensure that the credentials are accurate.

31.22.8 Cannot add server for a directory service

Symptom
You cannot configure a server for the directory service.

Solution 1
Cause
The appliance lost its connection with the directory service.
Action
1. Verify that the settings for the directory service host are accurate.
2. Verify that the correct port is used for the directory service.
3. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See “Ports required for HPE OneView” (page 76).
4. Locally run the ping command on the directory service host’s IP address or host name to determine if it is on-line.
5. Verify that the appliance network is operating correctly.
6. If the appliance is hosted on a virtual machine, determine that it is functioning properly and there are enough resources.

Solution 2
Cause
There is an authentication error when logging in to the server for the directory service.
Action
1. Verify that the login name and password are accurate.
2. Reacquire and install the directory service host certificate.
3. Contact the directory service provider to ensure that the credentials are accurate.

Solution 3
Cause
There are incorrect parameters when the directory service was configured.
Action
1. Verify that the name of the directory service is unique and entered correctly. Duplicate names are not accepted.
2. Verify that the Directory type is correct.
3. Ensure that the Base DN fields and, for OpenLDAP, the User naming attribute field, and Organizational unit fields are correct.
4. Verify that the credentials of the authentication directory service administrator are correct.
5. Verify that the group is configured in the directory service.

31.22.9 Cannot add directory group

Symptom
The directory group could not be added as a group on the appliance.

Solution 1
Cause
The specified authentication directory and group already exist. Groups must be unique.
Action
1. Log in as Infrastructure administrator.
2. Reassign the current group to another role, or otherwise make the group unique.

Solution 2
Cause
An external problem disconnected the directory server host.
Action
1. Log in as the Infrastructure administrator.
2. Verify that the settings for the directory service host are accurate.
3. Verify that the correct port is used for the directory service.
4. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See “Ports required for HPE OneView” (page 76).
5. Locally run the ping command on the directory service host IP address or host name to determine if it is online.
6. Verify that the appliance network is operating correctly.
7. If the appliance is hosted on a virtual machine, determine that the virtual machine is functioning properly and enough resources are allocated to it.

Solution 3
Cause
Authentication problems prevented the appliance from logging in to the directory service.
Action
1. Log in as the Infrastructure administrator.
2. Verify that the login name and password are accurate.
3. Reacquire and install the directory service host certificate.
4. Contact the directory service provider to ensure that the credentials are accurate.
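
The certificate and port checks named in sections 31.22.7 through 31.22.9 (LDAP port 636 reachable, host certificate not expired, x509v3 key usage extension present) can be scripted before re-adding the directory. The following PowerShell is an added example, not part of the HPE guide or its sample scripts; the function names, the host name ldap.example.test and the constructed self-signed test certificates are assumptions, and it needs PowerShell 5.1 with .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example (not from the HPE guide). All function names are hypothetical.

function Get-RemoteTlsCertificate {
    # Connects to the LDAP-over-SSL port and returns the certificate the server presents.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # A refused or timed-out connection points to a down host or a blocked port.
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connection to ${HostName}:${Port} timed out after $TimeoutMs ms"
        }
        # Accept any certificate here ONLY so that an expired or incomplete one can still
        # be retrieved and inspected. Nothing but the TLS handshake is sent on this stream.
        $acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptForInspection)
        try {
            $tls.AuthenticateAsClient($HostName)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        }
        finally { $tls.Dispose() }
    }
    finally { $client.Dispose() }
}

function Test-DirectoryCertificate {
    # Reports the certificate conditions the guide lists as causes: expiry and a
    # missing key usage extension (OID 2.5.29.15).
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date)
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Now -lt $Certificate.NotBefore) {
        $findings.Add("Not valid until $($Certificate.NotBefore.ToString('s'))")
    }
    if ($Now -gt $Certificate.NotAfter) {
        $findings.Add("Expired on $($Certificate.NotAfter.ToString('s'))")
    }
    $keyUsage = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $keyUsageText = $null
    if ($keyUsage) { $keyUsageText = $keyUsage.Format($false) }
    else { $findings.Add('x509v3 key usage extension is missing') }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        KeyUsage = $keyUsageText
        Findings = $findings.ToArray()
        Ok       = ($findings.Count -eq 0)
    }
}

function New-ConstructedTestCertificate {
    # Builds an in-memory self-signed certificate so the checks can be tried offline.
    param([datetime]$NotBefore, [datetime]$NotAfter, [switch]$WithKeyUsage)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        'CN=ldap.example.test', $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if ($WithKeyUsage) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
        $request.CertificateExtensions.Add(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($flags, $true))
    }
    $request.CreateSelfSigned([DateTimeOffset]$NotBefore, [DateTimeOffset]$NotAfter)
}

# Constructed sample input: one expired certificate without key usage, one healthy certificate.
$expired = New-ConstructedTestCertificate -NotBefore (Get-Date).AddDays(-30) -NotAfter (Get-Date).AddDays(-1)
$healthy = New-ConstructedTestCertificate -NotBefore (Get-Date).AddDays(-1) -NotAfter (Get-Date).AddDays(30) -WithKeyUsage
Test-DirectoryCertificate -Certificate $expired | Format-List
Test-DirectoryCertificate -Certificate $healthy | Format-List

# Against a real directory server (hypothetical host name):
# Test-DirectoryCertificate -Certificate (Get-RemoteTlsCertificate -HostName 'ldap.example.test')
```

A certificate that is not in valid X.509 format fails earlier, when the X509Certificate2 object is constructed, so a parsing exception from Get-RemoteTlsCertificate corresponds to Solution 3 in section 31.22.7.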

31.22.10 Cannot find directory group

Symptom
A specified group could not be found in the authentication directory service.

Solution 1
Cause
Either the group is not configured in the authentication directory service or the search parameters contained an error.
Action
1. Log in as the Infrastructure administrator
2. Verify the credentials for the authentication directory service.
3. Verify that the directory service is operational.
4. Verify the name of the group.
5. Contact the directory service administrator to verify that the group account is configured in the directory service.
6. Try to find the group again.
For more information, see “About directory service authentication” (page 279).

Solution 2
Cause
The directory type was incorrectly specified. For example, an Active Directory service might have been specified as OpenLDAP.
Action
1. Log in as the Infrastructure administrator
2. Verify that the settings for the directory service are accurate.

Solution 3
Cause
The specified search of the authentication directory service does not contain any groups.
Action
1. Log in as the Infrastructure administrator
2. Verify the directory server configuration.
3. For OpenLDAP, ensure that the directory server user has read privileges (rscdx) so that HPE OneView can read the search results.
4. For OpenLDAP, add all search contexts to retrieve the wanted group or groups. Use the Add button to generate additional multiple organizational units, with which to specify the UID or CN.

Solution 4
Cause
An error occurred while accessing directory groups. Directory service servers could not be reached.
Action
1. Log in as the Infrastructure administrator
2. Verify the directory server configuration.
3. Verify the connection to the directory server host.
4. For OpenLDAP, add all search contexts to retrieve the wanted group or groups.
   Use the Add button to generate additional multiple organizational units, with which to specify the UID or CN.

Solution 5
Cause
An external problem prevented the appliance from reaching the server configured for the directory service.
Action
1. Log in as the Infrastructure administrator
2. Verify the connection to the directory server host. See “Cannot add server for a directory service” (page 428).
3. Verify the directory server configuration.

32 Support and other resources

• Accessing Hewlett Packard Enterprise Support
• “Accessing updates” (page 433)
• “Websites” (page 434)
• Customer self repair
• Documentation feedback

32.1 Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect
• Technical support registration number (if applicable)
• Product name, model or version, and serial number
• Operating system name and version
• Firmware version
• Error messages
• Product-specific reports and logs
• Add-on products or components
• Third-party products or components

32.2 Accessing updates

• Some software products provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method.
• To download product updates, go to either of the following:
  ◦ Hewlett Packard Enterprise Support Center Get connected with updates page: www.hpe.com/support/e-updates
  ◦ Software Depot website: www.hpe.com/support/softwaredepot
• To view and update your entitlements, and to link your contracts and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials

IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.

32.3 Websites

Website | Link
Hewlett Packard Enterprise Information Library | www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center | www.hpe.com/support/hpesc
Contact Hewlett Packard Enterprise Worldwide | www.hpe.com/assistance
OneView Docs | www.hpe.com/info/oneview/docs
Subscription Service/Support Alerts | www.hpe.com/support/e-updates
Software Depot | www.hpe.com/support/softwaredepot
Customer Self Repair | www.hpe.com/support/selfrepair
Remote Support for HPE OneView FAQ document | Remote support doc
Single Point of Connectivity Knowledge (SPOCK) Storage compatibility matrix | www.hpe.com/storage/spock
HPE Virtual Connect user guides; HPE Virtual Connect command line references | http://www.hpe.com/info/virtualconnect
HPE 3PAR StoreServ Storage | http://www.hpe.com/info/storage
HPE Integrated Lights-Out | http://www.hpe.com/info/ilo
HPE BladeSystem enclosures | http://www.hpe.com/servers/bladesystem
HPE ProLiant server hardware websites | General information: www.hpe.com/info/servers; BL series server blades: http://www.hpe.com/info/blades; DL series rack mount servers: http://www.hpe.com/servers/dl
Storage white papers and analyst reports | www.hpe.com/storage/whitepapers

32.4 Remote support

Remote support is available with supported devices as part of your warranty or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product's service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support.

If your product includes additional remote support details, use search to locate that information.

Remote support and Proactive Care information
HPE Get Connected | www.hpe.com/services/getconnected
HPE Proactive Care services | www.hpe.com/services/proactivecare
HPE Proactive Care service: Supported products list | www.hpe.com/services/proactivecaresupportedproducts
HPE Proactive Care advanced service: Supported products list | www.hpe.com/services/proactivecareadvancedsupportedproducts

Proactive Care customer information
Proactive Care central | www.hpe.com/services/proactivecarecentral
Proactive Care service activation | www.hpe.com/services/proactivecarecentralgetstarted

32.5 Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.

For more information about CSR, contact your local service provider or go to the CSR website: www.hpe.com/support/selfrepair

32.6 Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document.
For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.

A Using the virtual appliance console

A.1 Using the virtual appliance console

The virtual appliance console has a restricted browser interface that supports the following:
• Appliance networking configuration in non-DHCP environments
• Password reset requests for the Administrator account
• Advanced diagnostics for authorized support representatives

Use the virtual appliance console to access the appliance and configure the appliance network for the first time. The virtual appliance console enables you to bootstrap an appliance onto the network in non-DHCP environments. The virtual appliance console is not intended to be a full-featured replacement for your browser.

The virtual appliance console starts a browser session; the browser takes up the full screen; you cannot add tabs. You cannot perform any operation that requires you to select a file from a dialog box, including uploading software updates and firmware bundles (SPPs). Only basic browsing, including forward and backward navigation, is enabled.

Table 17 Key combinations for the virtual appliance console
Key combination | Function
Alt-← (Alt and left arrow) | Browse backward
Alt-→ (Alt and right arrow) | Browse forward
Ctrl-+ (Ctrl and plus sign) | Zoom in
Ctrl-- (Ctrl and hyphen) | Zoom out
Ctrl-0 (Ctrl and zero) | Reset zoom
Ctrl-F | Search
Ctrl-R or F5 | Reload/Refresh
Ctrl-Alt-Backspace | Restart the browser interface

B Backup and restore script examples

B.1 Sample backup script

As an alternative to using Settings→Actions→Create backup from the appliance UI, you can write and run a script to automatically create and download an appliance backup file. Example 14 “Sample backup.ps1 script” provides a sample PowerShell script that uses REST calls to create and download an appliance backup file.
Cut and paste this sample script into a file on a Windows system that runs PowerShell version 3.0, and edit the script to customize it for your environment. See the REST API online help for more information about REST APIs.

You can schedule the backup script to run automatically in interactive or batch mode on a regular basis (Hewlett Packard Enterprise recommends daily backups). Only a user with Backup administrator or Infrastructure administrator privileges can run the script interactively.
• To run the script interactively, do not include any parameters. The script prompts you to enter the appliance host name, appliance user name and password, and the name of a file to store these parameters for batch mode executions. Enter the name and password of a user with the Backup administrator or Infrastructure administrator role. The user name and password are stored encrypted.
  Hewlett Packard Enterprise recommends that you run the script interactively the first time. Then, you can schedule the script to run automatically in the background using the parameter file created by the first run.
• To run the script in batch mode, specify the name of the file containing the parameters on the command line.

Hewlett Packard Enterprise recommends that you install cURL with the SSL option to improve performance. The sample script works without cURL, but it might take several hours to download a large backup file. To download cURL, see: http://curl.haxx.se/download.html

NOTE: You might also need to install Microsoft Visual C++ Redistributable, the MSVCR100.dll file, available here:
• 64 bit: http://www.microsoft.com/download/en/details.aspx?id=14632
• 32 bit: http://www.microsoft.com/download/en/details.aspx?id=5555
Make sure the path environment variable includes the path for cURL.

Sample script
The sample script makes the following calls to create and download a backup file:
1. Calls queryfor-credentials() to get the appliance host name, user name, and password by either prompting the user or reading the values from a file.
2. Calls login-appliance() to issue a REST request to obtain a session ID used to authorize backup REST calls.
3. Calls backup-appliance() to issue a REST request to start a backup.
4. Calls waitFor-completion() to issue REST requests to poll for backup status until the backup completes.
5. Calls get-backupResource() to issue a REST request to get the download URI.
6. Calls download-backup() to issue a REST request to download the backup.

Example 14 Sample backup.ps1 script

# (C) Copyright 2012-2014 Hewlett Packard Enterprise Development LP
###########################################################################################################################
# Name:      backup.ps1
# Usage:     {directory}\backup.ps1 or {directory}\backup.ps1 filepath
# Parameter: $filepath: optional, uses the file in that path as the login credentials. ie: host address, username,
#            password, and, optionally, the Active Directory domain name
# Purpose:   Runs the backup function on the appliance and downloads it onto your machine's drive
#            in current user's home directory
# Notes:     To improve performance, this script uses the curl command if it is installed. The curl command must
#            be installed with the SSL option.
#            Windows PowerShell 3.0 must be installed to run the script
###########################################################################################################################

# Accepts every server certificate without validation for all connections made from this session, so the
# appliance is treated as a trusted source whatever certificate it presents (brute force, could be refined)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$global:interactiveMode = 0

# The scriptApiVersion is the default Api version (if the appliance supports this level
# or higher). This variable may be changed if the appliance is at a lower Api level.
$global:scriptApiVersion = 3
# Using this Api version or greater requires a different interaction when creating a backup.
Set-Variable taskResourceV2ApiVersion -option Constant -value 3

try
{
    #this log must be added if not already on your computer
    New-EventLog -LogName Application -Source backup.ps1 -ErrorAction stop
}
catch [System.Exception]
{
    #this is just to keep the error "already a script" from showing up on the screen if it is already created
}

##### Querying user for login info #####
function queryfor-credentials ()
{
    <#
    .DESCRIPTION
    Gathers information from User if in manual entry mode (script ran with zero arguments) or
    runs silently and gathers info from specified path (script ran with 1 argument)
    .INPUTS
    None, this function does not take inputs.
    .OUTPUTS
    Returns an object that contains the login name, password, hostname and ActiveDirectory domain to connect to.
    .EXAMPLE
    $variable = queryfor-credentials #runs function, saves json object to variable.
    #>
    if ($args[0] -eq $null)
    {
        Write-Host "Enter appliance name (https://ipaddress)"
        $appliance = Read-Host
        # Correct some common errors
        $appliance = $appliance.Trim().ToLower()
        if (!$appliance.StartsWith("https://"))
        {
            if ($appliance.StartsWith("http://"))
            {
                $appliance = $appliance.Replace("http","https")
            }
            else
            {
                $appliance = "https://" + $appliance
            }
        }
        # ConvertFrom-SecureString without -Key protects the value with Windows DPAPI, so the
        # saved user name and password can only be decrypted by the same user on the same machine.
        Write-Host "Enter username"
        $username = Read-Host -AsSecureString | ConvertFrom-SecureString
        Write-Host "Enter password"
        $SecurePassword = Read-Host -AsSecureString | ConvertFrom-SecureString
        Write-Host "If using Active Directory, enter the Active Directory domain"
        Write-Host " (Leave this field blank if not using Active Directory.)"
        $ADName = Read-Host
        Write-Host "Would you like to save these credentials to a file? (username and password encrypted)"
        $saveQuery = Read-Host
        $loginVals = [pscustomobject]@{ userName = $username; password = $SecurePassword; hostname = $appliance; authLoginDomain = $ADName }
        $loginJson = $loginVals | convertTo-json
        $global:interactiveMode = 1
        if ($saveQuery[0] -eq "y") #enters into the mode to save the credentials
        {
            Write-Host "Enter file path and file name to save credentials (example: C:\users\bob\machine1.txt)"
            $storagepath = Read-Host
            try
            {
                $loginJson | Out-File $storagepath -NoClobber -ErrorAction stop
            }
            catch [System.Exception]
            {
                Write-Host $_.Exception.message
                if ($_.Exception.getType() -eq [System.IO.IOException]) # file already exists throws an IO exception
                {
                    do
                    {
                        Write-Host "Overwrite existing credentials for this machine?"
                        [string]$overwriteQuery = Read-Host
                        if ($overwriteQuery[0] -eq 'y')
                        {
                            $loginJson | Out-File $storagepath -ErrorAction stop
                            $exitquery = 1
                        }
                        elseif ($overwriteQuery[0] -eq 'n')
                        {
                            $exitquery = 1
                        }
                        else
                        {
                            Write-Host "Please respond with a y or n"
                            $exitquery = 0
                        }
                    } while ($exitquery -eq 0)
                }
                else
                {
                    Write-Host "Improper filepath or no permission to write to given directory"
                    # The message is built as one string so that the exception text is not bound to another parameter
                    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message ("Improper filepath, $storagepath " + $_.Exception.message)
                    return
                }
            }
            $savedLoginJson = Get-Content $storagepath
            Write-Host "Run backup?"
            $continue = 0
            do
            {
                $earlyExit = Read-Host
                if ($earlyExit[0] -eq 'n')
                {
                    return
                }
                elseif ($earlyExit[0] -ne 'y')
                {
                    Write-Host "Please respond with a y or n"
                }
                else
                {
                    $continue = 1
                }
            } while ($continue -eq 0)
        }
        else
        {
            return $loginJson
        }
    }
    elseif ($args.count -ne 1)
    {
        Write-Host "Incorrect number of arguments, use either filepath parameter or no parameters."
        return
    }
    else
    {
        foreach ($arg in $args)
        {
            $storagepath = $arg
        }
        try
        {
            $savedLoginJson = Get-Content $storagepath -ErrorAction stop
        }
        catch [System.Exception]
        {
            Write-Host "Login credential file not found. Please run script without arguments to access manual entry mode."
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Login credential file not found. Please run script without arguments to access manual entry mode."
            return
        }
    }
    return $savedloginJson
}

##### getApiVersion: Get X_API_Version #####
function getApiVersion ([int32] $currentApiVersion,[string]$hostname)
{
    <#
    .DESCRIPTION
    Sends a web request to the appliance to obtain the current Api version.
    Returns the lower of: Api version supported by the script and Api version supported by the appliance.
    .PARAMETER currentApiVersion
    Api version that the script is currently using
    .PARAMETER hostname
    The appliance address to send the request to (in https://{ipaddress} format)
    .INPUTS
    None, does not accept piping
    .OUTPUTS
    Outputs the new active Api version
    .EXAMPLE
    $global:scriptApiVersion = getApiVersion()
    #>
    # the particular Uri on the Appliance to request the Api Version
    $versionUri = "/rest/version"
    # append the Uri to the end of the IP address to obtain a full Uri
    $fullVersionUri = $hostname + $versionUri
    # use setup-request to issue the REST request api version and get the response
    try
    {
        $applianceVersionJson = setup-request -Uri $fullVersionUri -method "GET" -accept "application/json" -contentType "application/json"
        if ($applianceVersionJson -ne $null)
        {
            $applianceVersion = $applianceVersionJson | convertFrom-Json
            $currentApplianceVersion = $applianceVersion.currentVersion
            if ($currentApplianceVersion -lt $currentApiVersion)
            {
                return $currentApplianceVersion
            }
            return $currentApiVersion
        }
    }
    catch [System.Exception]
    {
        if ($global:interactiveMode -eq 1)
        {
            Write-Host $error[0].Exception.Message
        }
        else
        {
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].Exception.Message
        }
    }
}

##### Sending login info #####
function login-appliance ([string]$username,[string]$password,[string]$hostname,[string]$ADName)
{
    <#
    .DESCRIPTION
Attempts to send a web request to the appliance and obtain an authorized sessionID. .PARAMETER username The username to log into the remote appliance .PARAMETER password The correct password associated with username .PARAMETER hostname The appliance address to send the request to (in https://{ipaddress} format) .PARAMETER ADName The Active Directory name (optional) .INPUTS None, does not accept piping .OUTPUTS 442 Backup and restore script examples Outputs the response body containing the needed session ID. .EXAMPLE $authtoken = login-appliance $username $password $hostname $ADName #> # the particular Uri on the Appliance to reqest an "auth token" $loginUri = "/rest/login-sessions" # append the Uri to the end of the IP address to obtain a full Uri $fullLoginUri = $hostname + $loginUri # create the request body as a hash table, then convert it to json format if ($ADName) { $body = @{ userName = $username; password = $password; authLoginDomain = $ADName } | convertTo-json } else # null or empty { $body = @{ userName = $username; password = $password } | convertTo-json } # use setup-request to issue the REST request to login and get the response try { $loginResponse = setup-request -Uri $fullLoginUri -method "POST" -accept "application/json" -contentType "application/json" -Body $body if ($loginResponse -ne $null) { $loginResponse | convertFrom-Json } } catch [System.Exception] { if ($global:interactiveMode -eq 1) { Write-Host $error[0].Exception.Message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].Exception.Message } } } ##### Executing backup ###### function backup-Appliance ([string]$authValue,[string]$hostname) { <# .DESCRIPTION Gives the appliance the command to start creating a backup .PARAMETER authValue The authorized sessionID given by login-appliance .PARAMETER hostname The location of the appliance to connect to (in https://{ipaddress} format) .INPUTS None, does not accept piping .OUTPUTS The task Resource 
returned by the appliance, converted to a hashtable object .EXAMPLE $taskResource = backup-Appliance $sessionID $hostname #> # append the REST Uri for backup to the IP address of the Appliance $bkupUri = "/rest/backups/" $fullBackupUri = $hostname + $bkupUri # create a new webrequest and add the proper headers (new header, auth, is needed for authorization # in all functions from this point on) try { if ($global:scriptApiVersion -lt $taskResourceV2ApiVersion) { $taskResourceJson = setup-request -Uri $fullBackupUri -method "POST" -accept "application/json" -contentType "application/json" -authValue $authValue } else { $taskUri = setup-request -Uri $fullBackupUri -method "POST" -accept "application/json" -contentType "application/json" -authValue $authValue -returnLocation $true if ($taskUri -ne $null) { $taskResourceJson = setup-request -Uri $taskUri -method "GET" -accept "application/json" -contentType "application/json" -authValue $authValue } } if ($taskResourceJson -ne $null) { B.1 Sample backup script 443 return $taskResourceJson | ConvertFrom-Json } } catch [System.Exception] { if ($global:interactiveMode -eq 1) { Write-Host $error[0].Exception.Message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].Exception.Message } } } ##### Polling to see if backup is finished ###### function waitFor-completion ([object]$taskResource,[string]$authValue,[string]$hostname) { <# .DESCRIPTION Checks the status of the backup every twenty seconds, stops when status changes from running to a different status .PARAMETER taskResource The response object from the backup-appliance method .PARAMETER authValue The authorized session ID .PARAMETER hostname The appliance to connect to (in https://{ipaddress} format) .INPUTS None, does not accept piping .OUTPUTS The new task resource object, which contains the Uri to get the backup resource in the next function .EXAMPLE $taskResource = waitFor-Completion $taskResource $sessionID $hostname 
#> # extracts the Uri of the task Resource from itself, to poll repeatedly $taskResourceUri = $taskResource.uri if ($taskResourceUri -eq $null) { # Caller will provide the error message return } # appends the Uri to the hostname to create a fully-qualified Uri $fullTaskUri = $hostname + $taskResourceUri # retries if unable to get backup progress information $errorCount = 0 $errorMessage = "" if ($global:interactiveMode -eq 1) { Write-Host "Backup initiated." Write-Host "Checking for backup completion, this may take a while." } # a while loop to determine when the backup process is finished do { try { # creates a new webrequest with appropriate headers $taskResourceJson = setup-request -Uri $fullTaskUri -method "GET" -accept "application/json" -authValue $authValue -isSilent $true # converts the response from the Appliance into a hash table $taskResource = $taskResourceJson | convertFrom-Json # checks the status of the task manager $status = $taskResource.taskState } catch { $errorMessage = $error[0].Exception.Message $errorCount = $errorCount + 1 $status = "RequestFailed" Start-Sleep -s 15 continue } # Update progress bar if ($global:interactiveMode -eq 1) { $trimmedPercent = ($taskResource.completedSteps) / 5 444 Backup and restore script examples $progressBar = "[" + "=" * $trimmedPercent + " " * (20 - $trimmedPercent) + "]" Write-Host "`r Backup progress: $progressBar " $taskResource.completedSteps "%" -NoNewline } # Reset the error count since progress information was successfully retrieved $errorCount = 0 # If the backup is still running, wait a bit, and then check again if ($status -eq "Running") { Start-Sleep -s 20 } } while (($status -eq "Running" -or $status -eq "RequestFailed") -and $errorCount -lt 20); # if the backup reported an abnormal state, report the state and exit function if ($status -ne "Completed") { if ($global:interactiveMode -eq 1) { Write-Host "`n" Write-Host "Backup stopped abnormally" Write-Host $errorMessage } else { #log error message 
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Backup stopped abnormally"
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errorMessage
        }
        return $null
    } else {
        # upon successful completion of task, outputs a hash table which contains task resource
        Write-Host "`n"
        $taskResource
        return
    }
}

##### Gets the backup resource #####
function get-backupResource ([object]$taskResource,[string]$authValue,[string]$hostname) {
    <#
    .DESCRIPTION
        Gets the Uri for the backup resource from the task resource and gets the backup resource
    .PARAMETER taskResource
        The task resource object that we use to get the Uri for the backup resource
    .PARAMETER authValue
        The authorized sessionID
    .PARAMETER hostname
        the appliance to connect to (in https://{ipaddress} format)
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        The backup resource object
    .EXAMPLE
        $backupResource = get-BackupResource $taskResource $sessionID $applianceName
    #>
    # the backup Resource Uri is extracted from the task resource
    if ($global:scriptApiVersion -lt $taskResourceV2ApiVersion) {
        $backupUri = $taskResource.associatedResourceUri
    } else {
        $backupUri = $taskResource.associatedResource.resourceUri
    }
    if ($backupUri -eq $null) {
        # Caller will provide the error message
        return
    }
    # construct the full backup Resource Uri from the hostname and the backup resource uri
    $fullBackupUri = $hostname + $backupUri
    # get the backup resource that contains the Uri for downloading
    try {
        # creates a new webrequest with appropriate headers
        $backupResourceJson = setup-request -Uri $fullBackupUri -method "GET" -accept "application/json" -auth $authValue
        if ($backupResourceJson -ne $null) {
            $resource = $backupResourceJson | convertFrom-Json
            if ($global:interactiveMode -eq 1) {
                Write-Host "Obtained backup resource. Now downloading. This may take a while ..."
            }
            $resource
            return
        }
    } catch [System.Exception] {
        if ($global:interactiveMode -eq 1) {
            Write-Host $error[0].Exception.Message
        } else {
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].Exception.Message
        }
    }
}

##### Function to download the backup file #####
function download-Backup ([PSCustomObject]$backupResource,[string]$authValue,[string]$hostname) {
    <#
    .DESCRIPTION
        Downloads the backup file from the appliance to the local system. Tries to use the
        curl command. The curl command has significantly better performance especially for
        large backups. If curl isn't installed, invokes download-Backup-without-curl to
        download the backup.
    .PARAMETER backupResource
        Backup resource containing Uri for downloading
    .PARAMETER authValue
        The authorized sessionID
    .PARAMETER hostname
        The IP address of the appliance
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        The absolute path of the download file
    .EXAMPLE
        download-backup $backupResource $sessionID https://11.111.11.111
    #>
    $downloadUri = $hostname + $backupResource.downloadUri
    $fileDir = [environment]::GetFolderPath("Personal")
    $filePath = $fileDir + "\" + $backupResource.id + ".bkp"
    # note: -k tells curl to skip verification of the appliance certificate
    $curlDownloadCommand = "curl -o " + $filePath + " -s -f -L -k -X GET " +
        "-H 'accept: application/octet-stream' " +
        "-H 'auth: " + $authValue + "' " +
        "-H 'X-API-Version: $global:scriptApiVersion' " +
        $downloadUri
    $curlGetDownloadErrorCommand = "curl -s -k -X GET " +
        "-H 'accept: application/json' " +
        "-H 'auth: " + $authValue + "' " +
        "-H 'X-API-Version: $global:scriptApiVersion' " +
        $downloadUri
    try {
        $testCurlSslOption = curl -V
        if ($testCurlSslOption -match "SSL") {
            invoke-expression $curlDownloadCommand
        } else {
            if ($global:interactiveMode -eq 1) {
                Write-Host "Version of curl must support SSL to get improved download performance."
            } else {
                Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Version of curl must support SSL to get improved download performance"
            }
            return download-Backup-without-curl $backupResource $authValue $hostname
        }
        if ($LASTEXITCODE -ne 0) {
            $errorResponse = invoke-expression $curlGetDownloadErrorCommand
            if ($global:interactiveMode -eq 1) {
                Write-Host "Download using curl error: $errorResponse"
            } else {
                Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Download error: $errorResponse"
            }
            if (Test-Path $filePath) {
                Remove-Item $filePath
            }
            return
        }
        if ($global:interactiveMode -eq 1) {
            Write-Host "Backup download complete!"
        }
    } catch [System.Management.Automation.CommandNotFoundException] {
        return download-Backup-without-curl $backupResource $authValue $hostname
    } catch [System.Exception] {
        Write-Host "Not able to download backup"
        Write-Host $error[0].Exception
        return
    }
    return $filePath
}

##### Function to download the Backup file without using the curl command #####
function download-Backup-without-curl ([PSCustomObject]$backupResource,[string]$authValue,[string]$hostname) {
    <#
    .DESCRIPTION
        Downloads the backup file from the appliance to the local system (without using curl)
    .PARAMETER backupResource
        Backup resource containing Uri for downloading
    .PARAMETER authValue
        The authorized sessionID
    .PARAMETER hostname
        The IP address of the appliance
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        The absolute path of the download file
    .EXAMPLE
        download-backup-without-curl $backupResource $sessionID https://11.111.11.111
    #>
    # appends Uri ( obtained from previous function) to IP address
    $downloadUri = $hostname + $backupResource.downloadUri
    $downloadTimeout = 43200000 # 12 hours
    $bufferSize = 65536 # bytes
    # creates a new webrequest with appropriate headers
    [net.HttpWebRequest]$downloadRequest = [net.webRequest]::create($downloadUri)
    $downloadRequest.method = "GET"
    $downloadRequest.AllowAutoRedirect = $TRUE
    $downloadRequest.Timeout = $downloadTimeout
    $downloadRequest.ReadWriteTimeout = $downloadTimeout
    $downloadRequest.Headers.Add("auth", $authValue)
    $downloadRequest.Headers.Add("X-API-Version", $global:scriptApiVersion)
    # accept either octet-stream or json to allow the response body to contain either the backup or an exception
    $downloadRequest.accept = "application/octet-stream;q=0.8,application/json"
    # creates a variable that stores the path to the file location. Note: users may change this to other file paths.
    $fileDir = [environment]::GetFolderPath("Personal")
    try {
        # connects to the Appliance, creates a new file with the content of the response
        [net.HttpWebResponse]$response = $downloadRequest.getResponse()
        $responseStream = $response.getResponseStream()
        $responseStream.ReadTimeout = $downloadTimeout
        #saves file as the name given by the backup ID
        $filePath = $fileDir + "\" + $backupResource.id + ".bkp"
        $sr = New-Object System.IO.FileStream ($filePath,[System.IO.FileMode]::create)
        $responseStream.CopyTo($sr,$bufferSize)
        $response.close()
        $sr.close()
        if ($global:interactiveMode -eq 1) {
            Write-Host "Backup download complete!"
        }
    } catch [Net.WebException] {
        $errorMessage = $error[0].Exception.message
        #Try to get more information about the error
        try {
            $errorResponse = $error[0].Exception.InnerException.Response.getResponseStream()
            $sr = New-Object IO.StreamReader ($errorResponse)
            $rawErrorStream = $sr.readtoend()
            $error[0].Exception.InnerException.Response.close()
            $errorObject = $rawErrorStream | convertFrom-Json
            if (($errorObject.message.length -gt 0) -and ($errorObject.recommendedActions.length -gt 0)) {
                $errorMessage = $errorObject.message + " " + $errorObject.recommendedActions
            }
        } catch [System.Exception] {
            #Use exception message
        }
        if ($global:interactiveMode -eq 1) {
            Write-Host $errorMessage
        } else {
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errorMessage
        }
        return
    }
    return $filePath
}

function setup-request ([string]$uri,[string]$method,[string]$accept,[string]$contentType = "",[string]$authValue = "",[object]$body = $null,[bool]$isSilent=$false, [bool]$returnLocation=$false) {
    try {
        [net.HttpWebRequest]$request = [net.webRequest]::create($uri)
        $request.method = $method
        $request.accept = $accept
        $request.Headers.Add("Accept-Language: en-US")
        if ($contentType -ne "") {
            $request.ContentType = $contentType
        }
        if ($authValue -ne "") {
            $request.Headers.Item("auth") = $authValue
        }
        $request.Headers.Item("X-API-Version") = $global:scriptApiVersion
        if ($body -ne $null) {
            $requestBodyStream = New-Object IO.StreamWriter $request.getRequestStream()
            $requestBodyStream.WriteLine($body)
            $requestBodyStream.flush()
            $requestBodyStream.close()
        }
        # attempt to connect to the Appliance and get a response
        [net.HttpWebResponse]$response = $request.getResponse()
        if ($returnLocation) {
            $taskUri = $response.getResponseHeader("Location")
            $response.close()
            return $taskUri
        } else {
            # response stored in a stream
            $responseStream = $response.getResponseStream()
            $sr = New-Object IO.StreamReader ($responseStream)
            #the stream, which contains a json object, is read into the storage variable
            $rawResponseContent = $sr.readtoend()
            $response.close()
            return $rawResponseContent
        }
    } catch [Net.WebException] {
        $errorMessage = $error[0].Exception.message
        #Try to get more information about the error
        try {
            $errorResponse = $error[0].Exception.InnerException.Response.getResponseStream()
            $sr = New-Object IO.StreamReader ($errorResponse)
            $rawErrorStream = $sr.readtoend()
            $error[0].Exception.InnerException.Response.close()
            $errorObject = $rawErrorStream | convertFrom-Json
            if (($errorObject.message.length -gt 0) -and ($errorObject.recommendedActions.length -gt 0)) {
                $errorMessage = $errorObject.message + " " + $errorObject.recommendedActions
            }
        } catch [System.Exception] {
            #Use exception message
        }
        if ($isSilent) {
            throw $errorMessage
        } elseif ($global:interactiveMode -eq 1) {
            Write-Host $errorMessage
        } else {
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errorMessage
        }
        #No need to rethrow since already recorded error
        return
    }
}

##### Start of function calls #####
#gets the credentials from user, either manual entry or from file
$savedLoginJson = queryfor-credentials $args[0]
if ($savedLoginJson -eq $null) {
    #if an error occurs, it has already been logged in the queryfor-credentials function
    return
}
#extracts needed information from the credential json
try {
    $savedLoginJson = "[" + $savedLoginJson + "]"
    $savedloginVals = $savedLoginJson | convertFrom-Json
    $SecStrLoginname = $savedloginVals.userName | ConvertTo-SecureString -ErrorAction stop
    $loginname = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecStrLoginName))
    $hostname = $savedloginVals.hostname
    $SecStrPassword = $savedloginVals.password | ConvertTo-SecureString -ErrorAction stop
    $password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecStrpassword))
    $adname = $savedloginVals.authLoginDomain
} catch [System.Exception] {
    if ($global:interactiveMode -eq 1) {
        Write-Host ("Failed to get credentials: " + $error[0].Exception.Message)
    } else {
        Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message ("Failed to get credentials: " + $error[0].Exception.Message)
    }
}
#determines the active Api version
$global:scriptApiVersion = getApiVersion $global:scriptApiVersion $hostname
if ($global:scriptApiVersion -eq $null) {
    if ($global:interactiveMode -eq 1) {
        Write-Host "Could not determine appliance Api version"
    }
    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not determine appliance Api version"
    return
}
#sends the login request to the machine, gets an authorized session ID if successful
$authValue = login-appliance $loginname $password $hostname $adname
if ($authValue -eq $null) {
    if ($global:interactiveMode -eq 1) {
        Write-Host "Failed to receive login session ID."
    }
    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Failed to receive login session ID."
    return
}
#sends the request to start the backup process, returns the taskResource object
$taskResource = backup-Appliance $authValue.sessionID $hostname
if ($taskResource -eq $null) {
    if ($global:interactiveMode -eq 1) {
        Write-Host "Could not initialize backup"
    }
    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not initialize backup"
    return
}
#loops to keep checking how far the backup has gone
$taskResource = waitFor-completion $taskResource $authValue.sessionID $hostname
if ($taskResource -eq $null) {
    if ($global:interactiveMode -eq 1) {
        Write-Host "Could not fetch backup status"
    }
    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not fetch backup status"
    return
}
#gets the backup resource
$backupResource = get-backupResource $taskResource $authValue.sessionID $hostname
if ($backupResource -eq $null) {
    if ($global:interactiveMode -eq 1) {
        Write-Host "Could not get the Backup Resource"
    }
    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not get the Backup Resource"
    return
}
#downloads the backup file to the local drive
$filePath = download-Backup $backupResource $authValue.sessionID $hostname
if ($filePath -eq $null) {
    if ($global:interactiveMode -eq 1) {
        Write-Host "Could not download the backup"
    }
    Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not download the backup"
    return
}
if ($global:interactiveMode -eq 1) {
    Write-Host "Backup can be found at $filePath"
    Write-Host "If you wish to automate this script in the future and re-use login settings currently entered,"
    Write-Host "then provide the file path to the saved credentials file when running the script."
    Write-Host "ie: " $MyInvocation.MyCommand.Definition " filepath"
} else {
    Write-Host "Backup completed successfully."
    Write-Host "The backup can be found at $filePath."
}
Write-EventLog -EventId 0 -LogName Application -Source backup.ps1 -Message "script completed successfully"

B.2 Sample restore script

As an alternative to using Settings→Actions→Restore from backup from the appliance UI, you can write and run a script to automatically restore the appliance from a backup file.

NOTE: Only a user with Infrastructure administrator privileges can restore an appliance.

Example 15 “Sample restore.ps1 script” provides a sample script that restores the appliance from a backup file or obtains progress about an ongoing restore process.

Sample script

If you do not pass parameters to the script, the script uploads and restores a backup file.
1. Calls query-user() to get the appliance host name, user name and password, and backup file path.
2. Calls login-appliance() to issue a REST request to get a session ID used to authorize restore REST calls.
3. Calls uploadTo-appliance() to upload the backup to the appliance.
4. Calls start-restore() to start the restore.
5. Calls restore-status() to periodically check the restore status until the restore completes.

If you pass the -status option to the script, the script verifies and reports the status of the last or an ongoing restore until the restore process is complete:
1. Calls recover-restoreID() to get the URI to verify the status of the last or an ongoing restore.
2. Calls restore-status() to periodically verify the restore status until the restore completes.
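Both sample scripts in this appendix accept any server certificate (`ServerCertificateValidationCallback = { $true }` and `curl -k`) and run curl through `invoke-expression` on a string built from the session ID and values returned by the appliance. The following added example is not part of the HPE guide; it shows the weak certificate setting beside a pinned one and a curl download that passes an argument array instead of an evaluated string. `Get-CertSha256`, `Invoke-CurlDownload`, the fingerprint placeholder and the CA bundle path are assumptions.

```powershell
# Added example, not HPE code. Get-CertSha256, Invoke-CurlDownload, the fingerprint
# placeholder and the CA bundle path are assumptions for illustration.

# SHA-256 fingerprint (hex, no separators) of the appliance certificate, obtained out of band.
$script:ExpectedFingerprint = '<SHA256-FINGERPRINT-OF-APPLIANCE-CERTIFICATE>'

function Get-CertSha256 ([System.Security.Cryptography.X509Certificates.X509Certificate]$Certificate) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash($Certificate.GetRawCertData())
        return [System.BitConverter]::ToString($hash).Replace('-', '')
    } finally {
        $sha.Dispose()
    }
}

# Weak setting used by the samples: every certificate is accepted.
#   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
# Corrected setting: accept a chain that validates normally, otherwise only the pinned certificate.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($requestObject, $certificate, $chain, $sslPolicyErrors)
    if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }
    if ($certificate -eq $null) { return $false }
    return ((Get-CertSha256 $certificate) -eq $script:ExpectedFingerprint)
}

function Invoke-CurlDownload ([string]$DownloadUri, [string]$SessionId, [string]$BackupId, [string]$CaFile) {
    # Both values end up in a file path or a curl config line, so restrict them first.
    if ($BackupId -notmatch '^[A-Za-z0-9._-]+$') { throw "Unexpected characters in backup id" }
    if ($SessionId -match '["\\\r\n]') { throw "Unexpected characters in session id" }

    $filePath = Join-Path ([Environment]::GetFolderPath('Personal')) ($BackupId + '.bkp')

    # Each array element reaches curl as one argument; nothing is re-parsed by PowerShell.
    $curlArgs = @(
        '--silent', '--fail', '--location',
        '--cacert', $CaFile,              # verify against this CA bundle instead of -k
        '--output', $filePath,
        '--header', 'accept: application/octet-stream',
        '--header', "X-API-Version: $global:scriptApiVersion",
        '--config', '-',                  # read the auth header from stdin, not the command line
        $DownloadUri
    )

    # curl.exe by name: in Windows PowerShell, plain "curl" is an alias for Invoke-WebRequest.
    ('header = "auth: {0}"' -f $SessionId) | & curl.exe @curlArgs
    if ($LASTEXITCODE -ne 0) {
        if (Test-Path $filePath) { Remove-Item $filePath }
        throw "curl exited with code $LASTEXITCODE"
    }
    return $filePath
}
```

A pinned fingerprint has to be updated whenever the appliance certificate is replaced.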
Example 15 Sample restore.ps1 script

#(C) Copyright 2012-2014 Hewlett Packard Enterprise Development LP
###########################################################################################################################
# Name: restore.ps1
# Usage: {directory}\restore.ps1 or {directory}\restore.ps1 -status https://{ipaddress}
# Purpose: Uploads a backup file to the appliance and then restores the appliance using the backup data
# Notes: To improve performance, this script uses the curl command if it is installed. The curl command
# must be installed with the SSL option.
# Windows PowerShell 3.0 must be installed to run the script
###########################################################################################################################
# tells the computer that this is a trusted source we are connecting to (brute force, could be refined)
# note: this callback accepts any server certificate, so the appliance's identity is not verified
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
# The scriptApiVersion is the default Api version (if the appliance supports this level
# or higher). This variable may be changed if the appliance is at a lower Api level.
$global:scriptApiVersion = 3

##### Obtain information from user #####
function query-user () {
    <#
    .DESCRIPTION
        Obtains information needed to run the script by prompting the user for input.
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        Outputs an object containing the obtained information.
    .EXAMPLE
        $userVals = query-user
    #>
    Write-Host "Restoring from backup is a destructive process, continue anyway?"
    $continue = 0
    do {
        $earlyExit = Read-Host
        if ($earlyExit[0] -eq 'n') {
            return
        } elseif ($earlyExit[0] -ne 'y') {
            Write-Host "Please respond with a y or n"
        } else {
            $continue = 1
        }
    } while ($continue -eq 0)
    do {
        Write-Host "Enter directory backup is located in (ie: C:\users\joe\)"
        $backupDirectory = Read-Host
        # Add trailing slash if needed
        if (!$backupDirectory.EndsWith("\")) {
            $backupDirectory = $backupDirectory + "\"
        }
        Write-Host "Enter name of backup (ie: appliance_vm1_backup_2012-07-07_555555.bkp)"
        $backupFile = Read-Host
        # Check if file exists
        $fullFilePath = $backupDirectory + $backupFile
        if (! (Test-Path $fullFilePath)) {
            Write-Host "Sorry the backup file $fullFilePath doesn't exist."
        }
    } while (! (Test-Path $fullFilePath))
    Write-Host "Enter appliance IP address (ie: https://10.10.10.10)"
    $hostname = Read-Host
    # Correct some common errors
    $hostname = $hostname.Trim().ToLower()
    if (!$hostname.StartsWith("https://")) {
        if ($hostname.StartsWith("http://")) {
            $hostname = $hostname.Replace("http","https")
        } else {
            $hostname = "https://" + $hostname
        }
    }
    Write-Host "Enter username"
    $secUsername = Read-Host -AsSecureString
    $username = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($secUsername))
    Write-Host "Enter password"
    $secPassword = Read-Host -AsSecureString
    $password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($secPassword))
    $absolutePath = $backupDirectory + $backupFile
    Write-Host "If using Active Directory, enter the Active Directory domain"
    Write-Host " (Leave this field blank if not using Active Directory.)"
    $ADName = Read-Host
    $loginVals = @{ hostname = $hostname; userName = $username; password = $password; backupPath = $absolutePath; backupFile = $backupFile; authLoginDomain = $ADName; }
    return $loginVals
}

##### getApiVersion: Get X_API_Version #####
function getApiVersion ([int32] $currentApiVersion,[string]$hostname) {
    <#
    .DESCRIPTION
        Sends a web request to the appliance to obtain the current Api version.
        Returns the lower of: Api version supported by the script and Api version
        supported by the appliance.
    .PARAMETER currentApiVersion
        Api version that the script is currently using
    .PARAMETER hostname
        The appliance address to send the request to (in https://{ipaddress} format)
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        Outputs the new active Api version
    .EXAMPLE
        $global:scriptApiVersion = getApiVersion()
    #>
    # the particular Uri on the Appliance to request the Api Version
    $versionUri = "/rest/version"
    # append the Uri to the end of the IP address to obtain a full Uri
    $fullVersionUri = $hostname + $versionUri
    # use setup-request to issue the REST request api version and get the response
    try {
        $applianceVersionJson = setup-request -Uri $fullVersionUri -method "GET" -accept "application/json" -contentType "application/json"
        if ($applianceVersionJson -ne $null) {
            $applianceVersion = $applianceVersionJson | convertFrom-Json
            $currentApplianceVersion = $applianceVersion.currentVersion
            if ($currentApplianceVersion -lt $currentApiVersion) {
                return $currentApplianceVersion
            }
            return $currentApiVersion
        }
    } catch [System.Exception] {
        if ($global:interactiveMode -eq 1) {
            Write-Host $error[0].Exception.Message
        } else {
            Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].Exception.Message
        }
    }
}

##### Send the login request to the appliance #####
function login-appliance ([string]$username,[string]$password,[string]$hostname,[string]$ADName) {
    <#
    .DESCRIPTION
        Attempts to send a web request to the appliance and obtain an authorized sessionID.
    .PARAMETER username
        The username to log into the remote appliance
    .PARAMETER password
        The correct password associated with username
    .PARAMETER hostname
        The appliance address to send the request to (in https://{ipaddress} format)
    .PARAMETER ADName
        The Active Directory name (optional)
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        Outputs the response body containing the needed session ID.
    .EXAMPLE
        $authtoken = login-appliance $username $password $hostname $ADName
    #>
    # the particular URI on the Appliance to request an "auth token"
    $loginURI = "/rest/login-sessions"
    # append the URI to the end of the IP address to obtain a full URI
    $fullLoginURI = $hostname + $loginURI
    # create the request body as a hash table, then convert it to json format
    if ($ADName) {
        $body = @{ userName = $username; password = $password; authLoginDomain = $ADName } | convertTo-json
    } else {
        # null or empty
        $body = @{ userName = $username; password = $password } | convertTo-json
    }
    try {
        # create a new webrequest object and give it the header values that will be accepted by the Appliance, get response
        $loginRequest = setup-request -Uri $fullLoginURI -method "POST" -accept "application/json" -contentType "application/json" -Body $body
        Write-Host "Login completed successfully."
    } catch [System.Exception] {
        Write-Host $_.Exception.message
        Write-Host $error[0].Exception
        return
    }
    #the output for the function, a hash table which contains a single value, "sessionID"
    $loginRequest | convertFrom-Json
    return
}

##### Upload the backup file to the appliance #####
function uploadTo-appliance ([string]$filepath,[string]$authinfo,[string]$hostname,[string]$backupFile) {
    <#
    .DESCRIPTION
        Attempts to upload a backup file to the appliance. Tries to use the curl command.
        The curl command has significantly better performance especially for large backups.
        If curl isn't installed, invokes uploadTo-appliance-without-curl to upload the file.
    .PARAMETER filepath
        The absolute filepath to the backup file.
    .PARAMETER authinfo
        The authorized session ID returned by the login request
    .PARAMETER hostname
        The appliance to connect to
    .PARAMETER backupFile
        The name of the file to upload. Only used to tell the server what file is contained in the post request.
    .INPUTS
        None, does not accept piping
    .OUTPUTS
        The response body to the upload post request.
    .EXAMPLE
        $uploadResponse = uploadTo-appliance $filePath $sessionID $hostname $fileName
    #>
    $uploadUri = "/rest/backups/archive"
    $fullUploadUri = $hostname + $uploadUri
    # note: -k tells curl to skip verification of the appliance certificate
    $curlUploadCommand = "curl -s -k -X POST " +
        "-H 'content-type: multipart/form-data' " +
        "-H 'accept: application/json' " +
        "-H 'auth: " + $authinfo + "' " +
        "-H 'X-API-Version: $global:scriptApiVersion' " +
        "-F file=@" + $filepath + " " +
        $fullUploadUri
    Write-Host "Uploading backup file to appliance, this may take a few minutes..."
    try {
        $testCurlSslOption = curl -V
        if ($testCurlSslOption -match "SSL") {
            $rawUploadResponse = invoke-expression $curlUploadCommand
            if ($rawUploadResponse -eq $null) {
                return
            }
            $uploadResponse = $rawUploadResponse | convertFrom-Json
            if ($uploadResponse.status -eq "SUCCEEDED") {
                Write-Host "Upload complete."
                return $uploadResponse
            } else {
                Write-Host $uploadResponse
                return
            }
        } else {
            Write-Host "Version of curl must support SSL to get improved upload performance."
return uploadTo-appliance-without-curl $filepath $authinfo $hostname $backupFile } } catch [System.Management.Automation.CommandNotFoundException] { return uploadTo-appliance-without-curl $filepath $authinfo $hostname $backupFile } catch [System.Exception] { Write-Host "Not able to upload backup" Write-Host $error[0].Exception return } } ##### Upload the backup file to the appliance without using the curl command ##### function uploadTo-appliance-without-curl ([string]$filepath,[string]$authinfo,[string]$hostname,[string]$backupFile) { <# .DESCRIPTION Attempts to upload a backup to the appliance without using curl. .PARAMETER filepath The absolute filepath to the backup file. .PARAMETER authinfo The authorized session ID returned by the login request .PARAMETER hostname The appliance to connect to .PARAMETER backupFile The name of the file to upload. Only used to tell the server what file is contained in the post request. .INPUTS None, does not accept piping .OUTPUTS The response body to the upload post request. 
    .EXAMPLE
        $uploadResponse = uploadTo-appliance $filePath $sessionID $hostname $fileName
    #>

    $uploadUri = "/rest/backups/archive"
    $fullUploadUri = $hostname + $uploadUri
    $uploadTimeout = 43200000 # 12 hours
    $bufferSize = 65536 # bytes
    try
    {
        # [net.HttpWebRequest] is the .NET type that also handles https:// URIs
        [net.HttpWebRequest]$uploadRequest = [net.webRequest]::create($fullUploadUri)
        $uploadRequest.method = "POST"
        $uploadRequest.Timeout = $uploadTimeout
        $uploadRequest.ReadWriteTimeout = $uploadTimeout
        $uploadRequest.SendChunked = 1
        $uploadRequest.AllowWriteStreamBuffering = 0
        $uploadRequest.accept = "application/json"
        $boundary = "----------------------------bac8d687982e"
        $uploadRequest.ContentType = "multipart/form-data; boundary=----------------------------bac8d687982e"
        $uploadRequest.Headers.Add("auth", $authinfo)
        $uploadRequest.Headers.Add("X-API-Version", $global:scriptApiVersion)
        $fs = New-Object IO.FileStream ($filepath,[System.IO.FileMode]::Open)
        $rs = $uploadRequest.getRequestStream()
        $rs.WriteTimeout = $uploadTimeout
        $disposition = "Content-Disposition: form-data; name=""file""; filename=""encryptedBackup"""
        $conType = "Content-Type: application/octet-stream"

        # multipart body: opening boundary, part headers, file content, closing boundary
        [byte[]]$BoundaryBytes = [System.Text.Encoding]::UTF8.GetBytes("--" + $boundary + "`r`n")
        $rs.write($BoundaryBytes,0,$BoundaryBytes.Length)
        [byte[]]$contentDisp = [System.Text.Encoding]::UTF8.GetBytes($disposition + "`r`n")
        $rs.write($contentDisp,0,$contentDisp.Length)
        [byte[]]$contentType = [System.Text.Encoding]::UTF8.GetBytes($conType + "`r`n`r`n")
        $rs.write($contentType,0,$contentType.Length)
        $fs.CopyTo($rs,$bufferSize)
        $fs.close()
        [byte[]]$endBoundaryBytes = [System.Text.Encoding]::UTF8.GetBytes("`n`r`n--" + $boundary + "--`r`n")
        $rs.write($endBoundaryBytes,0,$endBoundaryBytes.Length)
        $rs.close()
    }
    catch [System.Exception]
    {
        Write-Host "Not able to send backup"
        Write-Host $error[0].Exception
    }
    try
    {
        [net.HttpWebResponse]$response = $uploadRequest.getResponse()
        $responseStream = $response.getResponseStream()
        $responseStream.ReadTimeout = $uploadTimeout
        $streamReader = New-Object IO.StreamReader ($responseStream)
        $rawUploadResponse = $streamReader.readtoend()
        $response.close()
        if ($rawUploadResponse -eq $null)
        {
            return
        }
        $uploadResponse = $rawUploadResponse | convertFrom-Json
        if ($uploadResponse.status -eq "SUCCEEDED")
        {
            Write-Host "Upload complete."
            return $uploadResponse
        }
        else
        {
            Write-Host $rawUploadResponse
            Write-Host $uploadResponse
            return
        }
    }
    catch [Net.WebException]
    {
        Write-Host $error[0]
        $errorResponse = $error[0].Exception.InnerException.Response.getResponseStream()
        $sr = New-Object IO.StreamReader ($errorResponse)
        $rawErrorStream = $sr.readtoend()
        $error[0].Exception.InnerException.Response.close()
        $errorObject = $rawErrorStream | convertFrom-Json
        Write-Host $errorObject.errorcode $errorObject.message $errorObject.resolution
        return
    }
}

##### Initiate the restore process #####
function start-restore ([string]$authinfo,[string]$hostname,[object]$uploadResponse)
{
    <#
    .DESCRIPTION
        Sends a POST request to the restore resource to initiate a restore.

    .PARAMETER authinfo
        The authorized sessionID obtained from login.

    .PARAMETER hostname
        The appliance to connect to.

    .PARAMETER uploadResponse
        The response body from the upload request. Contains the backup URI needed for restore call.

    .INPUTS
        None, does not accept piping

    .OUTPUTS
        Outputs the response body from the POST restore call.
    .EXAMPLE
        $restoreResponse = start-restore $sessionID $hostname $uploadResponse
    #>

    # append the appropriate URI to the IP address of the Appliance
    $backupUri = $uploadResponse.uri
    $restoreUri = "/rest/restores"
    $fullRestoreUri = $hostname + $restoreURI
    $body = @{ type = "RESTORE"; uriOfBackupToRestore = $backupUri } | convertTo-json

    # create a new webrequest and add the proper headers
    try
    {
        $rawRestoreResponse = setup-request -uri $fullRestoreUri -method "POST" -accept "application/json" -contentType "application/json" -authValue $authinfo -Body $body
        $restoreResponse = $rawRestoreResponse | convertFrom-Json
        return $restoreResponse
    }
    catch [Net.WebException]
    {
        Write-Host $_.Exception.message
    }
}

##### Check for the status of ongoing restore #####
function restore-status ([string]$authinfo = "foo",[string]$hostname,[object]$restoreResponse,[string]$recoveredUri = "")
{
    <#
    .DESCRIPTION
        Uses GET requests to check the status of the restore process.

    .PARAMETER authinfo
        **to be removed once no longer a required header**

    .PARAMETER hostname
        The appliance to connect to

    .PARAMETER restoreResponse
        The response body from the restore initiation request.

    .PARAMETER recoveredUri
        In case of a interruption in the script or connection, the Uri for status is instead obtained through this parameter.

    .INPUTS
        None, does not accept piping

    .OUTPUTS
        None, end of script upon completion or fail.
    .EXAMPLE
        restore-status *$authinfo* -hostname $hostname -restoreResponse $restoreResponse
        or
        restore-status -hostname $hostname -recoveredUri $recoveredUri
    #>

    $retryCount = 0
    $retryLimit = 5
    $retryMode = 0

    # append the appropriate URI to the IP address of the Appliance
    if ($recoveredUri -ne "")
    {
        $fullStatusUri = $hostname + $recoveredUri
        write-host $fullStatusUri
    }
    else
    {
        $fullStatusUri = $hostname + $restoreResponse.uri
    }
    do
    {
        try
        {
            # create a new webrequest and add the proper headers (new header, auth is needed for authorization)
            $rawStatusResp = setup-request -uri $fullStatusUri -method "GET" -accept "application/json" -contentType "application/json" -authValue $authinfo
            $statusResponse = $rawStatusResp | convertFrom-Json
            $trimmedPercent = ($statusResponse.percentComplete) / 5
            $progressBar = "[" + "=" * $trimmedPercent + " " * (20 - $trimmedPercent) + "]"
            Write-Host "`rRestore progress: $progressBar " $statusResponse.percentComplete "%" -NoNewline
        }
        catch [Net.WebException]
        {
            try
            {
                $errorResponse = $error[0].Exception.InnerException.Response.getResponseStream()
                $sr = New-Object IO.StreamReader ($errorResponse)
                $rawErrorStream = $sr.readtoend()
                $error[0].Exception.InnerException.Response.close()
                $errorObject = $rawErrorStream | convertFrom-Json
                Write-Host $errorObject.message $errorObject.recommendedActions
            }
            catch [System.Exception]
            {
                Write-Host "`r`n" $error[1].Exception
            }

            # The error may be transient; retry several times. If it still fails, return with an error.
            $retryCount++
            $retryMode = 1
            if ($retryCount -le $retryLimit)
            {
                Write-Host "In restore-status retrying GET on $fullStatusUri. retry count: $retryCount`r`n"
                sleep 5
                continue
            }
            else
            {
                Write-Host "`r`nRestore may have failed! Could not determine the status of the restore."
                return
            }
        }
        if ($statusResponse.status -eq "SUCCEEDED")
        {
            Write-Host "`r`nRestore complete!"
            return
        }
        if ($statusResponse.status -eq "FAILED")
        {
            Write-Host "`r`nRestore failed! System should now undergo a reset to factory defaults."
        }
        Start-Sleep 10
    } while (($statusResponse.status -eq "IN_PROGRESS") -or ($retryMode -eq 1))
    return
}

##### Recovers Uri to the restore resource if connection lost #####
function recover-restoreID ([string]$hostname)
{
    <#
    .DESCRIPTION
        Uses GET requests to check the status of the restore process.

    .PARAMETER hostname
        The appliance to send the request to.

    .INPUTS
        None, does not accept piping

    .OUTPUTS
        The Uri of the restore task in string form.

    .EXAMPLE
        $reacquiredUri = recover-restoreID $hostname
    #>

    $idUri = "/rest/restores/"
    $fullIdUri = $hostname + $idUri
    try
    {
        $rawIdResp = setup-request -uri $fullIdUri -method "GET" -contentType "application/json" -accept "application/json" -authValue "foo"
        $idResponse = $rawIdResp | convertFrom-Json
    }
    catch [Net.WebException]
    {
        $_.Exception.message
        return
    }
    return $idResponse.members[0].uri
}

function setup-request ([string]$uri,[string]$method,[string]$accept,[string]$contentType = "",[string]$authValue="0", [object]$body = $null)
{
    <#
    .DESCRIPTION
        A function to handle the more generic web requests to avoid repeated code in every function.

    .PARAMETER uri
        The full address to send the request to (required)

    .PARAMETER method
        The type of request, namely POST and GET (required)

    .PARAMETER accept
        The type of response the request accepts (required)

    .PARAMETER contentType
        The type of the request body

    .PARAMETER authValue
        The session ID used to authenticate the request

    .PARAMETER body
        The message to put in the request body

    .INPUTS
        None

    .OUTPUTS
        The response from the appliance, typically in Json form.
    .EXAMPLE
        $responseBody = setup-request -uri https://10.10.10.10/rest/doThis -method "GET" -accept "application/json"
    #>

    try
    {
        # [net.HttpWebRequest] is the .NET type that also handles https:// URIs
        [net.HttpWebRequest]$request = [net.webRequest]::create($uri)
        $request.method = $method
        $request.accept = $accept
        $request.Headers.Add("Accept-Language: en-US")
        if ($contentType -ne "")
        {
            $request.ContentType = $contentType
        }
        if ($authValue -ne "0")
        {
            $request.Headers.Item("auth") = $authValue
        }
        $request.Headers.Add("X-API-Version: $global:scriptApiVersion")
        if ($body -ne $null)
        {
            #write-host $body
            $requestBodyStream = New-Object IO.StreamWriter $request.getRequestStream()
            $requestBodyStream.WriteLine($body)
            $requestBodyStream.flush()
            $requestBodyStream.close()
        }

        # attempt to connect to the Appliance and get a response
        [net.HttpWebResponse]$response = $request.getResponse()

        # response stored in a stream
        $responseStream = $response.getResponseStream()
        $sr = New-Object IO.StreamReader ($responseStream)

        #the stream, which contains a json object is read into the storage variable
        $rawResponseContent = $sr.readtoend()
        $response.close()
        return $rawResponseContent
    }
    catch [Net.WebException]
    {
        try
        {
            $errorResponse = $error[0].Exception.InnerException.Response.getResponseStream()
            $sr = New-Object IO.StreamReader ($errorResponse)
            $rawErrorStream = $sr.readtoend()
            $error[0].Exception.InnerException.Response.close()
            $errorObject = $rawErrorStream | convertFrom-Json
            Write-Host "errorCode returned:" $errorObject.errorCode
            Write-Host "when requesting a $method on $uri`r`n"
            Write-Host $errorObject.message ";" $errorObject.recommendedActions
        }
        catch [System.Exception]
        {
            Write-Host $error[1].Exception.Message
        }
        throw
        return
    }
}

##### Begin main #####

#this checks to see if the user wants to just check a status of an existing restore
if ($args.count -eq 2)
{
    foreach ($item in $args)
    {
        if ($item -eq "-status")
        {
            [void]$foreach.movenext()
            $hostname = $foreach.current
            # Correct some common errors in hostname
            $hostname = $hostname.Trim().ToLower()
            if (!$hostname.StartsWith("https://"))
            {
                if ($hostname.StartsWith("http://"))
                {
                    $hostname = $hostname.Replace("http","https")
                }
                else
                {
                    $hostname = "https://" + $hostname
                }
            }
        }
        else
        {
            Write-Host "Invalid arguments."
            return
        }
    }
    $reacquiredUri = recover-restoreID -hostname $hostname
    if ($reacquiredUri -eq $null)
    {
        Write-Host "Error occurred when fetching active restore ID. No restore found."
        return
    }
    restore-status -recoveredUri $reacquiredUri -hostname $hostname
    return
}
elseif ($args.count -eq 0)
{
    $loginVals = query-user
    if ($loginVals -eq $null)
    {
        Write-Host "Error passing user login vals from function query-host, closing program."
        return
    }

    #determines the active Api version
    $global:scriptApiVersion = getApiVersion $global:scriptApiVersion $loginVals.hostname
    if ($global:scriptApiVersion -eq $null)
    {
        Write-Host "Could not determine appliance Api version"
        return
    }
    $authinfo = login-appliance $loginVals.userName $loginvals.password $loginVals.hostname $loginVals.authLoginDomain
    if ($authinfo -eq $null)
    {
        Write-Host "Error getting authorized session from appliance, closing program."
        return
    }
    $uploadResponse = uploadTo-appliance $loginVals.backupPath $authinfo.sessionID $loginVals.hostname $loginVals.backupFile
    if ($uploadResponse -eq $null)
    {
        Write-Host "Error attempting to upload, closing program."
        return
    }
    $restoreResponse = start-restore $authinfo.sessionID $loginVals.hostname $uploadResponse
    if ($restoreResponse -eq $null)
    {
        Write-Host "Error obtaining response from Restore request, closing program."
        return
    }
    restore-status -hostname $loginVals.hostname -restoreResponse $restoreResponse -authinfo $authinfo.sessionID
    return
}
else
{
    Write-Host "Usage: restore.ps1"
    Write-Host "or"
    Write-Host "restore.ps1 -status https://{ipaddress}"
    return
}

C Authentication directory service

This appendix provides additional information to help you correctly apply search context fields for adding an authentication directory service to the HPE OneView appliance.

C.1 Microsoft Active Directory configurations

C.1.1 Users and groups in same OU

The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the users and groups are organized under the same organizational unit, OU. For information on the Add Directory screen, see the online help.

Search context
    Field 1: CN
    Field 2: CN=Organizational_Unit
    Field 3: DC=domain,DC=domain

In this example, the domain is example.com, and users and groups are located under the Users container, the default organizational unit. The entries for the Search context fields that would authenticate the user named server_admin are:

Search context
    Field 1: CN
    Field 2: CN=Users
    Field 3: DC=example,DC=com

C.1.2 Users and groups in different OUs, under same parent

The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the users and groups are in separate OUs, but those OUs are both under another parent OU. For information on the Add Directory screen, see the online help.

Search context
    Field 1: CN
    Field 2: OU=Organizational_Unit
    Field 3: DC=domain,DC=domain

In this example, there is a parent OU named Accounts with two children, Users and Groups. The domain is example.com.
The entries for the Search context fields that would authenticate a user in the Users OU are:

Search context
    Field 1: CN
    Field 2: OU=Accounts
    Field 3: DC=example,DC=com

C.1.3 Users and groups in different OUs, under different parents

The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the user and group accounts are in separate OUs (shown as OU1 and OU2). For information on the Add Directory screen, see the online help.

Search context
    Field 1: CN
    Field 2: OU=child_OU,OU=parent_OU + ...
    Field 3: DC=domain,DC=domain

In this example, there are two separate OUs, User Accounts and Group Accounts, in the domain example.com.

Specifying the OU takes the form:

    OU=child_OU,OU=parent_OU

In the example, there are four different accounts that can be specified:

    OU=Admin Users,OU=User Accounts,DC=example,DC=com
    OU=Finance Users,OU=User Accounts,DC=example,DC=com
    OU=Admin,OU=Group Accounts,DC=example,DC=com
    OU=Others,OU=Group Accounts,DC=example,DC=com

You can combine search contexts, up to 10, by using the + character in Field 2. This construct is known as multiple Relative Distinguished Names (RDNs). For this example, the entries for the Search context fields to authenticate these users and groups are:

Search context
    Field 1: CN
    Field 2: OU=Admin Users,OU=User Accounts + OU=Finance Users,OU=User Accounts + OU=Admin,OU=Group Accounts + OU=Others,OU=Group Accounts
    Field 3: DC=example,DC=com

C.1.4 Built-in groups

Microsoft Active Directory features built-in groups, in which certain groups are automatically located in predefined containers. These built-in groups include:

• Domain Users
• Domain Admins
• Enterprise Admins

The Microsoft Active Directory Domain Users group contains all users that were created in the domain.
In this example, all the user accounts under Users are included in Domain Users.

However, user accounts in the Domain Users group will not be authenticated. You must specify the organizational unit or units. For more information on built-in groups and their behavior, see the Microsoft documentation.

C.2 OpenLDAP directory configuration

The following table provides the general mapping for the Search context fields in the Add Directory screen for an OpenLDAP configuration in which the users and groups are organized under different organizational units, OUs. For information on the Add Directory screen, see the online help.

Search context
    Field 1: CN
    Field 2: OU=Organizational_Unit
    Field 3: DC=domain,DC=domain

In this example, user accounts are located under the People OU and groups are located under the Groups OU.

For this example, the entries for the Search context fields to authenticate users, but not groups, are:

Search context
    Field 1: CN
    Field 2: OU=People
    Field 3: DC=example,DC=com

NOTE: The Groups OU is not valid for Search context field 2. By default, all groups are only searched under the Groups OU. For OpenLDAP, groups must always be created under the Groups OU.

C.3 Validate the directory server configuration

For information on these requirements, see Add Directory screen details and Add Directory Server screen details in the online help. In addition, there must be valid search contexts so that the group or groups can be identified and accessed. Use the following procedure to verify a proper directory server configuration.

Prerequisites

• Minimum required privileges: Infrastructure administrator.
• The server that hosts the authentication directory service must:
    ◦ Communicate through SSL.
    ◦ Agree on the SSL port for LDAP.
    ◦ Be accessible through a fully qualified domain name or IP address.
    ◦ Have an available SSL certificate, based on an RSA algorithm.
Validating the directory server configuration

1. Determine if there is a connection to the directory server with the ping command:

    ping directory_server_host_name

2. Verify that the public key for the directory server certificate is based on an RSA algorithm.

    If the directory server is actually a number of DNS servers that are running as a round robin DNS server, each server has a unique certificate. Use the nslookup command to list the servers and choose one.

    Connect to a server using the openssl s_client command. Specify the host name and port.

    Copy the server certificate to the Certificate field of the Add Directory Server screen.

    Verify that the certificate specifies the public key as RSA (n bits). The default option for Microsoft Active Directory is RSA 2048 bits.

3. Ensure that the certificate’s timestamp is older than the appliance time. This can be a concern if the appliance and the directory are synchronized to different time servers or if they are running in different time zones.

4. Validate the search contexts by running the ldapsearch command from the appliance console.

    Search context
        Field 1: CN
        Field 2: CN=Users
        Field 3: DC=example,DC=com
    Username: server_admin

    For this example, the ldapsearch command, using TLS/SSL, would resemble the following:

    LDAPTLS_CACERT=location_of_certificate ldapsearch -LLL -Z -H ldaps://host_name:port -b "base-DN" -D "bind-DN" -W [cn/uid/sAMAccountName/userPrincipalName]

    For this example, ldapsearch, not using TLS/SSL, would resemble the following:

    ldapsearch -LLL -H ldap://IP_address:389 -b "cn=users,dc=example,dc=com" -D "cn=server_admin,cn=users,dc=example,dc=com" -W CN

C.4 LDAP schema object classes

The following illustrates groups, by directory type, created with object classes. Such LDAP groups need to be added to HPE OneView and assigned roles. See the online help for information on assigning roles.
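The search-context mapping from C.1 and the ldapsearch check in C.3, as an added example that is not part of the HPE guide: it expands Field 1, Field 2 and Field 3 into the base DN and bind DN for each context and builds one ldapsearch argument list per context. The DN layout is inferred from the C.3 ldapsearch sample; the function names, the host dir.example.com and the per-user filter are assumptions.

```python
"""Added example (not HPE code). Mapping inferred from the guide's C.3 ldapsearch sample:
base DN = Field 2 + "," + Field 3; bind DN = Field 1 + "=" + user + "," + base DN.
All function names are hypothetical."""
import re
import shlex

MAX_CONTEXTS = 10          # the guide allows up to 10 contexts joined by "+" in Field 2
DN_SPECIALS = ',+"\\<>;='  # characters backslash-escaped inside a DN attribute value


def escape_dn_value(value):
    """Escape a user-supplied value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515 rules)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search_bases(field2, field3):
    """Split Field 2 on unescaped '+' and append Field 3 to each context."""
    contexts = [c.strip() for c in re.split(r"(?<!\\)\+", field2) if c.strip()]
    if not 1 <= len(contexts) <= MAX_CONTEXTS:
        raise ValueError("Field 2 must hold between 1 and %d contexts" % MAX_CONTEXTS)
    return ["%s,%s" % (c, field3.strip()) for c in contexts]


def ldapsearch_commands(field1, field2, field3, username, host, port=636):
    """Return one ldapsearch argv (a list, never a shell string) per search context."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", field1):
        raise ValueError("Field 1 must be a plain attribute name such as CN or uid")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):  # host names and IPv4 only
        raise ValueError("unexpected characters in host name")
    rdn = "%s=%s" % (field1, escape_dn_value(username))
    # Assumption: narrow the search to the user being tested with an explicit filter.
    user_filter = "(%s=%s)" % (field1, escape_filter_value(username))
    commands = []
    for base in search_bases(field2, field3):
        commands.append([
            "ldapsearch", "-LLL",
            "-H", "ldaps://%s:%d" % (host, port),
            "-b", base,
            "-D", "%s,%s" % (rdn, base),
            "-W",                  # prompt for the bind password
            user_filter, field1,   # filter, then the attribute to return
        ])
    return commands


if __name__ == "__main__":
    # Constructed sample input: the four combined contexts from section C.1.3.
    FIELD2 = ("OU=Admin Users,OU=User Accounts + OU=Finance Users,OU=User Accounts + "
              "OU=Admin,OU=Group Accounts + OU=Others,OU=Group Accounts")
    for argv in ldapsearch_commands("CN", FIELD2, "DC=example,DC=com",
                                    "server_admin", "dir.example.com"):
        # LDAPTLS_CACERT points ldapsearch at the directory server's CA certificate.
        print("LDAPTLS_CACERT=location_of_certificate", shlex.join(argv))
```

Because each command is an argument list and the user name is escaped separately for the DN and for the filter, a name such as "Doe, Jane" cannot add an extra RDN or widen the search.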
Active Directory

Under Active Directory, a group can be created with any of these LDAP schema object classes:

• groupofNames
• groups
• groupofUniqueNames

View group members by examining the properties of the group name.

OpenLDAP

Under OpenLDAP, a group can be created with either of these LDAP Schema object classes:

• groupofUniqueNames
• groupofNames

A group created with the objectClass as groupOfUniqueNames has its members under uniqueMember.

A group created with the objectClass as groupOfNames or groups has its members under member.

D HPE Smart Update Tools installation with HPE Insight Control server provisioning

See the Smart Update Tools User Guide at www.hpe.com/info/sut-docs for installation instructions.

Smart Update Tools (SUT) can be installed along with HPE Insight Control server provisioning on ProLiant servers. SUT is installed in Auto Deploy mode. In Auto Stage mode, SUT stages the components on the host server in a temporary location. After SUT is installed, any further action requires the OS administrator to run commands from the command line.

To change the deploy mode for SUT to On Demand, Manual or scripted mode, which allows you to control all requests as command-line arguments on the server, see the Smart Update Tools User Guide at www.hpe.com/info/sut-docs.

To perform scaled deployments across all servers in your data center, see the Smart Update Tools User Guide at www.hpe.com/info/sut-docs.

NOTE: When you set SUT to run in automatic mode, SUT runs in the background on the host server. HPE OneView and SUT communicate via the HPE iLO REST interface. The firmware install state displayed in HPE OneView is always kept up to date.
E Maintenance console

• “About the Maintenance console”
• “About the Maintenance console password”
• “About the factory reset operation”
• “Access the Maintenance console”
• “Log in to the Maintenance console”
• “Maintenance console main menu screen details”
• “Maintenance console Details screen details”
• “Maintenance console appliance states”
• “Perform a factory reset using the Maintenance console”
• “Reset the administrator password with the Maintenance console”
• “Reset the Maintenance console password”
• “Restart the appliance using the Maintenance console”
• “Shut down the appliance using the Maintenance console”
• “View the appliance details”

E.1 About the Maintenance console

The Maintenance console is an important tool for troubleshooting appliance issues when HPE OneView is not available. For information on accessing the Maintenance console, see Access the Maintenance console.

The Maintenance console, shown in Figure 24 (page 472), provides a limited set of administrative commands that might be required when you cannot access the appliance’s web user interface (UI).

Figure 24 Example of the Maintenance console main menu

In the upper left of most Maintenance console screens, the local appliance is identified by its host name.

The Maintenance console displays an icon and a message about the state of the appliance, which can indicate one of the following actions is occurring:

• Normal operation
• Appliance is offline
• Appliance is being updated
• Appliance is starting up, shutting down, restarting, or temporarily unavailable
• Appliance is being restored from a backup file
• Appliance is being reset to factory default settings

Commands

The body of the main menu contains commands that can be used:

• To view the appliance details.
• To restart the local appliance.
• To shut down the appliance.
• To reset the administrator password.
• To perform a factory reset of the appliance.
• To launch a service console, which an authorized support representative can use to diagnose or repair a problem.
• To log out of the Maintenance console.

NOTE: The commands displayed by the Maintenance console depend on the current state of the appliance.

Navigation

• Use the tab and arrow keys to navigate within the Maintenance console screen.
• Commands are displayed with corresponding hot keys. These keys are shown within brackets in Figure 24 (page 472). Pressing a hot key selects the command.
• You can use the Enter key to invoke a selection. That is, after you make a selection, pressing Enter runs the command.

See also

• Access the Maintenance console
• Log in to the Maintenance console
• View the appliance details
• Restart the appliance using the Maintenance console
• Shut down the appliance using the Maintenance console
• Reset the administrator password with the Maintenance console
• Perform a factory reset of the appliance using the Maintenance console

E.2 About the Maintenance console password

The Maintenance console has no initial password. To set it, see “Reset the Maintenance console password” (page 480).

Maintenance console passwords must meet the following minimum requirements:

• Fourteen (14) characters long
• One uppercase alpha character
• One lowercase alpha character
• One numeric character
• One special character

Backup operations do not back up the Maintenance console password. Ensure that you can remember or retrieve the Maintenance console password in some other way.

IMPORTANT: You can only reset the password by resetting the appliance to its original factory settings, which reverts the Maintenance console password to its initial setting, none.
More information

“About the Maintenance console” (page 471)
“Reset the Maintenance console password” (page 480)
“About the factory reset operation” (page 474)

E.3 About the factory reset operation

A factory reset restores the appliance to the original factory settings, but does not change the installed firmware version.

CAUTION: By default, the factory reset operation erases appliance data, including logs, network settings, and managed device settings in HPE OneView. You have the option of explicitly preserving network settings and logs. Preserving network settings is the safest option when trying to recover an appliance from an error because the appliance remains accessible from the network. Ensure that you have a recent backup file before performing this operation.

The factory reset operation can be performed from the UI or from the Maintenance console.

Use the factory reset operation for either of these reasons:

• To decommission the appliance so that you can migrate the hardware or
• To return the appliance to a known state for reuse (for example, to restore the appliance from a backup file).

More information

Reset the appliance to the original factory settings
Perform a factory reset operation using the Maintenance console
About backing up the appliance

E.4 Access the Maintenance console

Access the Maintenance console through the virtual console or through an SSH connection.

NOTE: Use the credentials for the local Infrastructure administrator when prompted. You can reset the administrator password from the Maintenance console.

Access the Maintenance console from an SSH connection

NOTE: Hewlett Packard Enterprise recommends the use of these tools for accessing the Maintenance console through an SSH connection:

• PuTTY
• MTPuTTY
• vSphere/vCenter Console

Accessing the Maintenance console using SSH

1. Invoke one of the recommended tools on your local computer.
2. Access the virtual appliance console by specifying its fully qualified domain name or its IP address.
3. Enter the user name maintenance at the login prompt.
4. Log into the Maintenance console.

Accessing the Maintenance console from the virtual console

1. Access the virtual appliance console.
2. Enter the user name maintenance at the login prompt.
3. Log into the Maintenance console.

More information

“About the Maintenance console” (page 471)

E.5 Log in to the Maintenance console

When you access the Maintenance console, you are presented with either a login screen or the Maintenance console main menu:

• Access through the appliance console presents the Maintenance console main menu immediately. After you enter your first command and before it runs, the login screen is presented. Two exceptions are the Reset password and Launch service console, which require a challenge/response authorization. For information on resetting the password, see “Reset the administrator password with the Maintenance console” (page 479).
• Access through SSH presents the login screen immediately.

To log in, enter the user name and password of a local Infrastructure administrator account on this appliance.

NOTE: You cannot log in using an Infrastructure administrator account that is authenticated by an authentication directory service.

The Maintenance console login remains valid for one hour. After one hour of inactivity, you must reenter the password. The Maintenance console session closes after 24 hours of inactivity.

More information

“About the Maintenance console” (page 471)
“Access the Maintenance console” (page 474)
“Maintenance console main menu screen details” (page 475)

E.6 Maintenance console main menu screen details

Screen component and description:

Title
    Identifies the HPE OneView Maintenance console.

Appliance identifier
    Identifies an appliance by its host name. Is located directly beneath the Title

Icon
    Indicates the general state of the appliance. The icon is located in the upper right of the console screen.

State text
    Displays one to three lines of additional text to elaborate on the state indicated by the icon. Example states include:
        Restoring from backup
        Starting

Notification banner
    Notifies or warns of a situation regarding the appliance. The Notification banner spans the width of the Maintenance console. The Notification banner is not displayed when no notification is pending.

Commands
    Lists the available commands that are appropriate to the state of the appliance. Examples include:
        View details
        Restart
        Shut down
        Reset password
        Factory reset
        Launch service console

See also

• “About the Maintenance console” (page 471)
• “Access the Maintenance console” (page 474)
• “Log in to the Maintenance console” (page 475)
• “View the appliance details” (page 481)
• “Restart the appliance using the Maintenance console” (page 480)
• “Shut down the appliance using the Maintenance console” (page 481)
• “Reset the administrator password with the Maintenance console” (page 479)

E.7 Maintenance console Details screen details

The View Details command displays this screen.

Screen component and description:

Title
    Identifies the HPE OneView Maintenance console.

Appliance identifier
    Identifies an appliance by its host name. Located directly beneath the Title

Icon
    Indicates the general status of the appliance in the upper right.

State text
    Displays one to three lines of additional text to elaborate on the icon state. State text examples include:
        Restoring from backup
        Starting
        Active

Notification banner
    Notifies or warns of a situation regarding the appliance or appliance cluster. The Notification banner spans the width of the Maintenance console. The Notification banner is hidden when no notification is pending.

Host name
    Displays the host name of the appliance.

IP address
    Displays the IP address of the appliance.

Model
    The model number of the appliance running HPE OneView.
Firmware
    The version number of the firmware running on the HPE OneView appliance and the date the firmware was last updated.

Serial number
    The serial number of the appliance.

E.8 Maintenance console appliance states

The Maintenance console displays an icon and a message in the upper right corner about the state of the appliance. The state might depend on the situation, especially for a highly available appliance cluster, and an action might also be required.

State: Active
Situation: The local appliance is the active appliance of the appliance cluster and is running normally.

State: Active, Disk has failed
Situation: Not an appliance cluster.
Action: Contact your authorized support representative to replace the failed disk
Situation: The disk of the active appliance has failed. The standby appliance assumes control as the single appliance.
Action: Contact your authorized support representative to replace the failed disk
Situation: The disk of the standby appliance has failed. The active appliance continues operating as a single appliance.
Action: Contact your authorized support representative to replace the failed disk

State: Active, Standby is synchronizing
Situation: The local appliance is running normally. The peer appliance is being synchronized. It cannot be activated if a failure occurs before the synchronization completes.

State: Active, Standby is unreachable, Unsynchronized changes
Situation: The local appliance is running normally but cannot reach the peer appliance. The peer appliance cannot become the active appliance in case of a failure.

State: Standby
Situation: The local appliance is the standby appliance in the appliance cluster and is running normally.

State: Standby, Disk has failed
Situation: The disk on the local appliance failed. The local appliance can no longer serve as the standby appliance in the appliance cluster.
Action: Contact your authorized support representative to replace the failed disk
Situation: The disk on the peer appliance failed. The local appliance is currently the standby appliance, but it will be activated automatically.
Action: See the alerts listed in the Activity screen for more details and a resolution. Contact your authorized support representative to replace the failed disk

State: Standby, Synchronizing
Situation: The local appliance is the standby appliance and it is being synchronized. It cannot be activated if a failure occurs before synchronization completes.

State: Offline, Manual action required
Situation: The local appliance cannot be activated automatically because it cannot confirm that the peer appliance is not running.
Action: For information on resolving this issue, see “Appliance is offline, manual action is required” (page 377)

State: Offline, Unrecoverable error
Situation: The appliance failed with an unrecoverable error.
Action: For information on resolving this issue, see “Oops” (page 86).

State: Offline, Unusable (incomplete data)
Situation: The local appliance cannot be activated because it lacks a complete copy of the appliance data.
Action: For information on resolving this issue, see “Appliance is offline, manual action is required” (page 377)

State: Resetting
Situation: The appliance is being reset to factory default settings. In an appliance cluster, this operation occurs before the standby appliance becomes the active appliance.

State: Restarting
Situation: The appliance is restarting and will be available shortly.

State: Restoring from backup
Situation: The appliance will be restarted after the restoration completes.

State: Starting
Situation: The local appliance is starting up and will be available shortly.

State: Starting, Recovering from failure
Situation: The peer appliance experienced a failure and the local appliance is becoming active.
Action: For information on determining the cause of the failure, see “Unexpected appliance shutdown” (page 364).

State: Shutting down
Situation: The local appliance is shutting down.

State: Temporarily unavailable
Situation: The local appliance is in a transition, and its state will change.

State: Updating
Situation: The local appliance is undergoing a firmware update.
E.9 Perform a factory reset using the Maintenance console

Prerequisites
• Ensure that all users are logged out and all ongoing work is completed.
• Back up all user files.
• Create a support dump file and save it to an external location for safekeeping.

Performing a factory reset using the Maintenance console
1. Access the Maintenance console main menu.
2. Select Factory reset in the main menu.
3. In the subsequent dialog box, do one of the following:
   a. Enter Y to continue the factory reset operation.
      CAUTION: This option erases the network settings and logs. Use this option to decommission an appliance.
   b. Enter P to continue with the factory reset operation, but preserve the network settings and logs. Use this option if you want to restore an appliance from a backup file or if you want to apply a new configuration.
   c. Enter N to cancel the factory reset operation and return to the main menu.
   Confirm that you want to perform the factory reset in the subsequent dialog boxes.
4. In the next dialog box, do one of the following:
   a. Enter Y to continue the factory reset operation.
   b. Enter N to cancel the factory reset operation and return to the main menu.
5. Verify by observing the operation.

More information
“About the factory reset operation” (page 474)

E.10 Reset the administrator password with the Maintenance console

If you lose or forget the local administrator password, use the following procedure to reset it. This operation provides a unique request code that you use when contacting your authorized support representative.

IMPORTANT: The request code is valid only while you are on the Password reset screen of the Maintenance console. If you return to the main menu or end the Maintenance console session, the request code will be invalid. You will need to start this procedure over again to acquire a new request code.
You will need to contact your authorized support representative, who will send an authorization code (also known as a response code) after verifying your information.

IMPORTANT: You must enter the authorization code within one hour or it becomes invalid.

NOTE:
• This capability is not available if you accessed the Maintenance console through SSH. If the password for another local Infrastructure administrator is known, use the User interface (UI) to reset the administrator password.
• This operation resets the password for a local administrator account on the appliance. It does not apply to administrator accounts authenticated by a directory service.
• This operation allows you to set a single-use password for the local administrator account. Use that single-use password the next time you log in to the UI with this account. You will be prompted to set a new password.

For information on how to contact Hewlett Packard Enterprise, see Accessing Hewlett Packard Enterprise Support.

Prerequisites
• You have access to the appliance console.

Resetting the administrator password with the Maintenance console
1. Access the virtual appliance console.
2. Access the Maintenance console main menu.
3. Select Reset password.
   The Maintenance console displays a request code.
4. Telephone your authorized support representative and provide that person with the following information:
   • The name of the person requesting the password to be reset.
   • The name of the company that owns the appliance.
   • The request code from the Maintenance console.
   The authorized support representative verifies the information and then sends a message to the authorized email address on file. This message contains the authorization code. An ISO image, which is also the authorization code, is attached to the message.
5. Do one of the following to enter the authorization code in the response field:
   • If you are able to paste information into the Maintenance console, copy the authorization code from the email message and paste it into the response field of the Maintenance console.
   • Read the authorization code from the ISO image:
     1. Save the ISO image attached to the email message.
     2. Mount the ISO image as a virtual media mount (a virtual CD-ROM).
     3. Select Read from ISO in the Maintenance console.
     4. The Maintenance console reads the ISO image and, after a moment, automatically fills in the response field with the authorization code.
   • Enter the authorization code into the response field manually.
6. Determine a single-use administrator password.
7. When prompted, enter and re-enter the new password.
8. Select OK to set the single-use password.
9. Log into the UI with this account, using the single-use password.
10. Set a new password for this account in the screen provided.
11. Verify by logging out, then logging into this account with the new password.

More information
• “About the Maintenance console” (page 471)
• “Access the Maintenance console” (page 474)
• “Log in to the Maintenance console” (page 475)
• Accessing Hewlett Packard Enterprise Support

E.11 Reset the Maintenance console password

Prerequisites
• Create a new password that fulfills the password requirements.
• If the current Maintenance console password is forgotten:
  1. Perform a backup.
  2. Back up all user data.
  3. Ensure that all users are logged off and that tasks are not running.
  4. Perform a factory reset on the appliance.
  The maintenance console password is not enabled after a factory reset.

Resetting the Maintenance console password
1. Access the virtual appliance console.
2. Log in with the user name maintenance and password (if set) at the login prompt.
3. Access the Maintenance console main menu.
4. Select Reset maintenance console password.
5. Enter the current password and the new password twice, once for verification.
6. Select OK.

E.12 Restart the appliance using the Maintenance console

This procedure describes how to use the Maintenance console to shut down and then restart the appliance.

Prerequisites
• Ensure that all users are logged out and all ongoing work is completed.

Restarting the appliance using the Maintenance console
1. Access the Maintenance console main menu.
2. Select Restart.
   Confirm that you want to restart the appliance.
3. Verify by observing the restart.

See also
• “Access the Maintenance console” (page 474)
• “Log in to the Maintenance console” (page 475)
• “Maintenance console main menu screen details” (page 475)
• “Shut down the appliance using the Maintenance console” (page 481)

E.13 Shut down the appliance using the Maintenance console

This procedure describes how to use the Maintenance console to perform a graceful shutdown of the appliance.

Prerequisites
• Ensure that all users are logged out and all ongoing work is completed.

Shutting down the appliance using the Maintenance console
1. Access the Maintenance console main menu.
2. Select Shut down in the main menu.
   Confirm that you want to shut down the appliance.
3. Verify by observing the shutdown.

See also
• “Access the Maintenance console” (page 474)
• “Log in to the Maintenance console” (page 475)
• “Maintenance console main menu screen details” (page 475)
• “Restart the appliance using the Maintenance console” (page 480)

E.14 View the appliance details

Use this procedure to display appliance details such as state, host name, IP address, model, and firmware.

Viewing the appliance details
1. Access the Maintenance console’s main menu.
2. Select View details.
   The Maintenance console details screen is displayed.
See also
• “Maintenance console Details screen details” (page 476)
• “Access the Maintenance console” (page 474)
• “Log in to the Maintenance console” (page 475)