AlterPath™ BladeManager: Console Management and Access Security Gateway for IBM® BladeCenter™
Background
The IBM® eServer™ BladeCenter™ is the IBM platform for blade server computing. It provides physical and logical server consolidation by reducing the
need for external cabling and external management components and allows for the management of a multi-blade configuration as a single system.
The BladeCenter includes two management modules (MM) per chassis that provide an alternate out-of-band path for remotely accessing and controlling the chassis subsystems.
The MM is the chassis focal point for remote administration. Each MM has a 100 Mbps Ethernet link for remote access. User authentication is accomplished via locally-defined
user records (within the MM) or through a remote LDAP server. Each user can be authorized to perform a subset of operations. For example, a user may be given access to chassis
and blade-level information but be restricted from changing or accessing storage or networking subsystems.
The AlterPath™ BladeManager, part of the Cyclades AlterPath family of products, is the first out-of-band infrastructure appliance specifically designed to complement the remote administration
features of IBM's BladeCenter. The AlterPath BladeManager serves as a management aggregation platform providing access to the BladeCenter's out-of-band features. It enhances manageability and works
together with the IBM Director as an out-of-band secure access manager, offering consolidated access to BIOS, serial consoles, KVM and power functions for each blade server.
Secure, Concurrent Access for Serial Console, Keyboard, Video, Mouse (KVM), Remote Power Control and Virtual Media
Customers evaluating IBM BladeCenters in the data center must consider out-of-band requirements traditionally addressed by external management solutions (console servers, KVM switches, intelligent
power distribution units [IPDUs], etc.). With its innovative architecture, the BladeCenter eliminates the need for many of the aforementioned external management components, resulting in reduced
costs and increased efficiency. A complete management solution compatible with an enterprise data center can rely on the built-in features of the BladeCenter architecture when used in combination
with the IBM Director and Cyclades AlterPath BladeManager.
Serial Console
All operating systems used in large-scale, high-density data centers (including UNIX®, Linux® and Windows® 2003) are designed to
interact with out-of-band systems through a text-based serial console. The most common implementation of this serial console is
through an RS-232 port. In addition to providing a low-level management interface to the operating systems in each blade server, a
serial console also provides access to hardware-level diagnostic and management interfaces such as the system BIOS where many hardware-related
issues can be detected and resolved. Unlike traditional servers that provide a dedicated serial console port in hardware, the BladeCenter
architecture utilizes a virtual serial console port using a technique known as Serial over LAN (SoL) that provides serial console access to
each blade server from the BladeCenter MM.
KVM
Administrators use the KVM ports of traditional servers to provide access to graphical management and user interfaces such as Microsoft Windows.
Remote KVM access is normally provided using a separate appliance called a KVM over IP switch, which connects the KVM interfaces of multiple servers
and provides remote access using a Web browser. The IBM BladeCenter provides built-in KVM access to each blade server in the chassis allowing operators
to remotely access system BIOS information and graphical user interfaces (GUIs). Unlike serial console access, the KVM interface provides a GUI that
requires a human operator to use and interpret all data. Therefore KVM is generally used to provide occasional access to systems for maintenance and emergency recovery.
Remote Power Control
In many cases such as in bare metal provisioning of servers, there is a requirement to reboot a server by turning the power off and on. Also in fault
conditions such as a Windows blue screen or a UNIX kernel panic, the only way to bring the server back online is to reboot or power cycle the unit. The
IBM BladeCenter provides built-in power control for each blade server to ensure full control in any situation.
Virtual Media
The IBM BladeCenter also provides a virtual media feature that allows an administrator to virtually insert a floppy disk image into the blade server.
This can be used for installing software and boot images.
Console Management Functionality
As server density and automation increase in data centers, the out-of-band infrastructure (OOBI) needs to become more intelligent. While technologies
such as IPMI and IBM BladeCenter provide integrated, out-of-band management features, a manager is needed to provide the software intelligence necessary
to collect operating system console data and hardware health-monitoring information, and to automate basic event processing before this information is
presented to the user or to the network or systems management application. This external manager will buffer and store hardware system messages, automatically
process the information and accept preprogrammed actions, minimizing the need for human intervention.
System administrators rely heavily on the console messages produced by the server hardware and operating systems to monitor the health of each server and to
notify administrators of potential problems. Large data centers require a consolidated solution for managing console information that enables operators to quickly
recognize, diagnose and fix problems through a secure manager.
In many data centers with centralized management, console traffic is transported across the enterprise network. This requires strong encryption and authentication
that is integrated with the enterprise directory services. Serial console access also enables advanced features such as console data logging, keystroke
logging and event detection/notification, which help provide audit trails in high-security applications or where compliance with FDA, Sarbanes-Oxley and HIPAA regulations
is a consideration.
These console management features are not available in the BladeCenter MM but are provided by the Cyclades AlterPath BladeManager. The following pages provide a detailed description
of the features and benefits of using AlterPath BladeManager in conjunction with IBM BladeCenter and IBM Director.
AlterPath BladeManager
The AlterPath BladeManager is used in combination with IBM BladeCenter and IBM Director to extend the capabilities and security of the OOBI components. It provides enhanced security and
manageability for all BladeCenter assets and centralizes remote access for SoL, KVM, power control and virtual media. The AlterPath BladeManager is built on the IBM xSeries® 306 platform
and connects through an Ethernet cross-cable to the Ethernet port in the BladeCenter MM to provide physical security (or through a management switch if managing multiple BladeCenters).
A second Ethernet port connects to the public network, where the systems management applications and other management tools that require access to the BladeCenter MM, such as
IBM Director, reside. Each AlterPath BladeManager can support 6 fully populated BladeCenter chassis, providing granular, controlled access to 84 blade servers, 24 switch modules and 12 MMs.
The AlterPath BladeManager can help customers overcome common management and access limitations in BladeCenters deployed in large data centers and remote sites. Examples of such obstacles are the following:
- Console management functionality — deployment of Linux blade servers requiring support for console access using SSH encryption for data and event logging for auditing and incident detection
- Administration and emergency access to Windows systems using KVM and serial console access (for Windows 2003 Emergency Management Server)
- Server-based authentication — security policies that may require centralized password databases and authentication based on RADIUS/TACACS/NIS/Kerberos
- Security gateway — security policies may require that access to the MM and other third-party modules in the BladeCenter be controlled by a single, secure, integrated authentication scheme where the management traffic is encrypted while in transit over the enterprise network
- Granular access control is required to restrict user access
- Automated event detection, notification and response — on-demand computing requirements dictate continuous and automated monitoring and processing of console information, independent of human supervision
- Integration into current data center environments — BladeCenters must be deployed under the same security and management models as existing equipment in a heterogeneous data center, where legacy servers are managed with console servers, KVM switches and IPDUs
- View consolidation — deployment of multiple BladeCenters that require view consolidation and centralized remote access
- Firewall — security policies that require enforcement of access policies based on network addresses or provision user access based on subnets or VLANs
Security
Before allowing access to any system, the AlterPath BladeManager enforces the user's security profile, which provides multiple layers of access control including the following:
- IP filtering
- VLAN/subnet filtering
- Time of day access control
- User authentication
- Authorization
- Access control
This provides maximum flexibility to ensure that only authorized users access the system from authorized workstations and networks.
Authentication
Local authentication, with user names and passwords stored at every point of access, is not only expensive and impractical for large data centers
but is also not secure. User authentication must be done against a centralized database stored in an authentication server using an industry standard
directory protocol. Standard protocols include LDAP, RADIUS (used in network-centric environments), TACACS (Cisco environments), NIS (Sun legacy), Kerberos
(UNIX-centric environments), etc. The AlterPath BladeManager supports all of these authentication protocols for access to BladeCenter out-of-band components
and can be deployed in any enterprise environment.
Access Control and Access Auditing
When planning a BladeCenter deployment, users are faced with the challenges of providing secure, remote access to individual blade servers in
an environment where chassis may be used by multiple customers, each with their own administrative privileges. Granular access control and
authorization is required for each user to specify which blade servers may be accessed and what actions are allowed once access is granted.
In addition to access control and authorization, a complete audit trail is needed to identify who has been accessing each blade server and
what actions were performed. In the case of a command line access to blade servers through the SoL interface, the AlterPath BladeManager
will also record all keystrokes and command responses.
Encryption of Data
Management data must be encrypted while traveling on the network. Web-based access must utilize secure connections, and terminal connections
must use the SSHv2 protocol. IP-based packet filtering, data and event logging, and enforcement of user and port access lists and policies are
some of the features often required to support security policies in large data centers.
Stringent security policies in large data centers will prevent the deployment of equipment that is unable to comply with requirements for
authentication, authorization and access logging capabilities.
The AlterPath BladeManager provides the flexibility and the tools necessary to ensure compliance with enterprise security policies and to
extend the security features of the IBM BladeCenter MM and is suitable for the most stringent environments.
Serial Console Access
Each blade server provides virtual serial console access via the MM
over the internal Ethernet network within the chassis. This scheme,
known as Serial over LAN (SoL), allows each blade server to provide
concurrent serial access through a telnet or SSH console session controlled
by the MM. As currently implemented, a user who is authenticated to
access the MM is also authorized to access the serial sessions for
all of the blade servers.
Cyclades Advantage
Providing direct user access to the MM presents a security challenge in environments where multiple users or customers are being served from
different blade servers within the chassis. The AlterPath BladeManager isolates each blade server console and applies a security profile along
with access control list to determine which blade servers a user may access and what actions they are authorized to take. The AlterPath BladeManager
also provides advanced console management features such as console data logging and event notification. These features allow the AlterPath BladeManager
to record all console data from the blade server including BIOS-level messages and to notify users of potential issues based on the console output.
A good example is a disk synchronization or memory parity error, which would be reported to the SoL console at boot time. The AlterPath BladeManager
will record this information and can also be programmed to send e-mail notifications to the administrators of that blade server when an error is detected.
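The layered checks listed under Security and the per-blade console isolation, audit logging and event notification described in this section, as an added illustrative example (not Cyclades' code); the user, subnet, blade names, rule patterns and console lines are constructed:

```python
"""Added illustrative model (not Cyclades' code) of the gateway decision the
paper describes: the MM grants an authenticated user every blade's SoL session,
so the proxy applies the layered security profile, audits, and scans console output."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re

# Constructed sample security profile; hypothetical user and blade names.
PROFILES = {
    "alice": {
        "nets": [ip_network("10.1.0.0/24")],          # subnet/VLAN filter
        "window": (time(8, 0), time(18, 0)),           # time-of-day window
        "acl": {"blade03": {"console", "power"},       # blade -> actions
                "blade04": {"console"}},
    },
}
AUDIT = []   # access log: who, from where, which blade, what action, result


def authorize(user, src_ip, at_iso, blade, action):
    """Check each layer in order, failing closed on the first miss; always audit."""
    prof = PROFILES.get(user)
    at = datetime.fromisoformat(at_iso)
    if prof is None:
        reason = "unknown user"
    elif not any(ip_address(src_ip) in net for net in prof["nets"]):
        reason = "source address outside permitted subnets"
    elif not (prof["window"][0] <= at.time() < prof["window"][1]):
        reason = "outside time-of-day window"
    elif action not in prof["acl"].get(blade, set()):
        reason = "blade/action not granted by ACL"
    else:
        reason = "ok"
    AUDIT.append({"user": user, "src": src_ip, "blade": blade,
                  "action": action, "at": at_iso, "result": reason})
    return reason == "ok"


# Event rules for BIOS-level messages that appear on the SoL console at boot
# (the paper's memory-parity example). Patterns are constructed.
EVENT_RULES = [
    ("memory_parity_error", re.compile(r"parity error", re.I)),
    ("disk_sync", re.compile(r"disk.*synchroni[sz]", re.I)),
]
# Constructed SoL console excerpt, as the gateway would buffer it.
SAMPLE_CONSOLE = [
    "BIOS POST: 4096MB memory detected",
    "BIOS POST: memory parity error at DIMM 2",
    "Booting Linux...",
]


def scan_console(blade, lines):
    """Return one notification event per rule match in the buffered lines."""
    return [{"blade": blade, "event": name, "line": n, "text": text}
            for n, text in enumerate(lines, 1)
            for name, pat in EVENT_RULES if pat.search(text)]
```

Every request leaves an AUDIT record whether or not it is granted, which is the audit trail the paper says the MM alone does not keep.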
KVM Access
The MM provides KVM access to one blade server at a time, either via its direct KVM ports or remotely via the 100 Mbps Ethernet link. A user must first be authenticated and logged
into the MM Web user interface, and may then select the blade server for which to activate the KVM session. The MM acts as a KVM switch and allows one KVM session to be
active to any one of the blade servers.
Cyclades Advantage
When accessed through the AlterPath BladeManager, the user will be presented with a filtered view based on the user's access control list and security profile.
This will allow access only to those blade servers that the user is responsible for. The AlterPath BladeManager provides advanced proxy functionality so that
the user does not have direct access to the MM but is presented with a filtered list of blade servers that are accessible through the KVM interface. The AlterPath
BladeManager also provides complete access logging and maintains a list of who accessed the blade servers and when. In addition to security, the AlterPath BladeManager
also provides arbitration services to ensure that the single KVM over IP session available in the MM is shared among the multiple users who may be managing the blade
servers within the chassis.
Power Control
IBM BladeCenter provides for power control of each blade server in the chassis through the MM Web interface. This allows administrators to power the blade servers
off and on for initial provisioning and subsequently for failure recovery or following system upgrades.
Cyclades Advantage
The AlterPath BladeManager extends this functionality to integrate power control with the console sessions and provides separation of the power function from a
security standpoint to allow access to the feature based on the user's security profile and access control list.
Native Web Interface
The BladeCenter MM provides other features to the user through its native Web interface. The AlterPath BladeManager leverages this functionality and provides a
complete proxy service for the Web interface. This allows for the security profile and access control to be implemented the same way as
for other OOBI components. In addition a complete audit trail is maintained to allow tracking of users who have accessed the systems. Another benefit of the proxy
approach is that the BladeCenter becomes hidden and the user does not have direct access to the MM and its features. Instead these features are only available once the
AlterPath BladeManager has completely authenticated and authorized the user to do so.
[Figure: BladeCenter internal management network. The serial stream from a blade server (1 of 14) is passed to the MM via the Ethernet switch modules (1 and 2); the user accesses the SoL stream via an SSH or telnet session to the MM (1 of 2). Internal management network connections: two 100 Mbps ports (1 per MM); blade Ethernet subsystem with dual Ethernet adapter and optional daughter card connected through the midplane to the switch fabric.]
Summary
As more and more IBM BladeCenters are deployed, the need for OOBI solutions increases. Management tools such as IBM Director perform systems and server management but do
not cover the entire spectrum of management requirements. Only by adding a secure, out-of-band blade manager can a complete management solution be realized. The AlterPath
BladeManager is the first blade-specific solution to address OOBI access.