Dell OpenManage Version 5.1 Installation and Security User's Guide
Dependencies and Prerequisites
Configuring a Supported Web Browser
Secure Port Server and Security Setup
The following sections describe the Dell OpenManage systems management software general requirements. Operating system-specific installation prerequisites are listed as part of the installation procedures.
Dell OpenManage systems management software runs, at a minimum, on each of the following operating systems:
NOTE: IT Assistant is not supported on systems running Microsoft Windows Server 2003 x64.
NOTE: Support for updated kernels released by Red Hat and for later versions of Red Hat Enterprise Linux may require the use of Dynamic Kernel Support (see "Dynamic Kernel Support (DKS)" for a description of this feature).
NOTE: Support for updated kernels released by Novell® and for later versions of SUSE Linux Enterprise Server may require the use of Dynamic Kernel Support (see "Dynamic Kernel Support (DKS)" for a description of this feature).
Dell OpenManage Server Administrator software must be installed on each system to be managed. You can then manage each system running Server Administrator locally or remotely through a supported Web browser.
NOTE: The RAC software is installed as part of the Express or Typical Setup and Custom Setup installation options when installing managed system software from the Dell PowerEdge Installation and Server Management CD provided that the managed system meets all of the RAC installation prerequisites. See "Remote Access Service" and the Dell Remote Access Controller Installation and Setup Guide or the Dell Embedded Remote Access/MC Controller User's Guide for complete software and hardware requirements.
A supported systems management protocol standard must be installed on the managed system before installing your management station or managed system software. On supported Windows operating systems, Dell OpenManage software supports these two systems management standards: Common Information Model/Windows Management Instrumentation (CIM/WMI) and Simple Network Management Protocol (SNMP). On supported Red Hat Enterprise Linux and SUSE Linux Enterprise Server operating systems, Dell OpenManage software supports the SNMP systems management standard.
NOTE: For information about installing a supported systems management protocol standard on your managed system, see your operating system documentation.
Table 3-1 shows the availability of the systems management standards for each supported operating system.
Table 3-1. Availability of Systems Management Protocol by Operating Systems
Upgrades from Dell OpenManage software versions 1.x, 2.x, and 3.x through 4.2 are not supported. You must manually uninstall Dell OpenManage software versions 1.x, 2.x, and 3.x through 4.2 before launching the Dell OpenManage software installation. The installer will notify you if it detects Dell OpenManage software versions 1.x through 4.2 on the system. Another way of upgrading from these versions is to upgrade to version 4.3 first, then upgrade to the current version. For Microsoft Windows, you can upgrade from version 4.3 to a later version through a full Microsoft Software Installer (MSI) installation only.
The following sections provide instructions for configuring the supported Web browsers. For a list of supported Web browsers, see "Minimum Supported Web Browser Requirements."
If you are connecting to a Web-based interface from a management station that connects to the Internet through a proxy server, you need to configure the Web browser to connect properly. If you are using Microsoft's Internet Explorer browser, follow these steps:
Configure other browsers for the same functionality.
When using Internet Explorer or Netscape Navigator on systems running Windows, to view localized versions of the Web-based interface, do the following:
To ensure critical system component security, you must properly assign user privileges to all Dell OpenManage software users before installing Dell OpenManage software.
The following sections provide step-by-step instructions for creating users and assigning user privileges for each supported operating system.
NOTICE: To protect access to your critical system components, you must assign a password to every user account that can access Dell OpenManage software.
NOTICE: You should disable guest accounts for supported Windows operating systems in order to protect access to your critical system components. See "Disabling Guest and Anonymous Accounts in Supported Windows Operating Systems" for instructions.
NOTE: You must be logged in with Administrator privileges to perform these procedures.
The following procedures create user accounts, assign user privileges, and add users to domains.
NOTE: For questions about creating users and assigning user group privileges, or for more detailed instructions, see your operating system documentation.
You must assign a password to every user account that can access Dell OpenManage software to protect access to your critical system components. Additionally, users who do not have an assigned password cannot log into Dell OpenManage software on a system running Windows Server 2003 due to operating system constraints.
New users can log into Dell OpenManage software with the user privileges for their assigned group.
NOTE: For questions about creating users and assigning user group privileges, or for more detailed instructions, see your operating system documentation.
New users can log into Dell OpenManage software with the user privileges for their assigned group.
NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions, see your operating system documentation.
NOTE: You must have Microsoft Active Directory® installed on your system to perform the following procedures. See "Microsoft Active Directory" for more information about using Active Directory.
You must assign a password to every user account that can access Dell OpenManage software to protect access to your critical system components. Additionally, users who do not have an assigned password cannot log into Dell OpenManage software on a system running Windows Server 2003 due to operating system constraints.
New users can log into Dell OpenManage software with the user privileges for their assigned group and domain.
NOTE: You must be logged in with Administrator privileges to perform this procedure.
If your system is running Windows 2000, right-click My Computer and point to Manage.
A red circle with an X appears over the user name. The account is disabled.
NOTE: Consider renaming the accounts so that remote scripts cannot enable the accounts using the name.
Administrator access privileges are assigned to the user logged in as root. To create users with User and Power User privileges, perform the following steps.
NOTE: You must be logged in as root to perform these procedures.
NOTE: You must have the useradd utility installed on your system to perform these procedures.
NOTE: For questions about creating users and assigning user group privileges, or for more detailed instructions, see your operating system documentation.
useradd -d home-directory -g group username
where group is not root.
NOTE: If group does not exist, you must create it by using the groupadd command.
You must assign a password to every user account that can access Dell OpenManage software to protect access to your critical system components.
The new user can now log in to Dell OpenManage software with User group privileges.
useradd -d home-directory -g root username
NOTE: You must set root as the primary group.
You must assign a password to every user account that can access Dell OpenManage software to protect access to your critical system components.
The new user can now log in to Dell OpenManage software with Power User group privileges.
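The rules above (root is Administrator, a primary group of root gives Power User, any other primary group gives User, and every account needs a password) can be checked against the account files. The following is an added example, not part of the Dell guide; the function names, the non-login shell list, the reading of "root" as UID 0, and the sample accounts are assumptions constructed for illustration.

```python
# Assumption: accounts with these shells cannot log in and are skipped.
NON_LOGIN_SHELLS = ("/sbin/nologin", "/bin/false")


def password_state(shadow_field):
    """Classify the second field of an /etc/shadow entry."""
    if shadow_field == "":
        return "empty"    # account is usable with no password at all
    if shadow_field[0] in "!*":
        return "locked"   # e.g. "!!" after useradd, before a password is assigned
    return "set"


def privilege_level(uid, gid):
    """Map an account to the privilege level described in this section."""
    if uid == 0:
        return "Administrator"   # the root user
    if gid == 0:
        return "Power User"      # primary group is root (useradd -g root)
    return "User"                # any other primary group


def audit_accounts(passwd_text, shadow_text):
    """Return {user: (privilege, password_state)} for accounts with a login shell."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]

    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[6] in NON_LOGIN_SHELLS:
            continue
        user, uid, gid = fields[0], int(fields[2]), int(fields[3])
        # A missing shadow entry is reported as locked (no usable password).
        state = password_state(shadow.get(user, "!"))
        report[user] = (privilege_level(uid, gid), state)
    return report


def needs_password(report):
    """Accounts that still need a password assigned."""
    return sorted(u for u, (_, state) in report.items() if state != "set")


# Constructed sample data; the hashes are placeholders, not real values.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
omuser:x:500:500::/home/omuser:/bin/bash
ompower:x:501:0::/home/ompower:/bin/bash
omnew:x:502:500::/home/omnew:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$constructed$placeholder:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
omuser:$1$constructed$placeholder:13000:0:99999:7:::
ompower::13000:0:99999:7:::
omnew:!!:13000:0:99999:7:::
"""

if __name__ == "__main__":
    result = audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for name, (level, state) in sorted(result.items()):
        print(f"{name:10s} {level:14s} password: {state}")
    print("needs a password:", needs_password(result))
```

On a live system the two arguments would be the contents of /etc/passwd and /etc/shadow, read as root.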
If you use Active Directory service software, you can configure it to control access to your network. Dell has modified the Active Directory database to support remote management authentication and authorization. IT Assistant and Server Administrator, as well as Dell remote access controllers, can now interface with Active Directory. With this tool, you can add and control users and privileges from one central database. If you use Active Directory to control user access to your network, see "Using Microsoft® Active Directory®."
Dell OpenManage software supports the SNMP systems management standard on all supported operating systems. The SNMP support may or may not be installed depending on your operating system and how the operating system was installed. An installed supported systems management protocol standard, such as SNMP, is required before installing Dell OpenManage software. See "Installation Requirements" for more information.
You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant, perform the procedures described in the following sections.
NOTE: For IT Assistant to retrieve management information from a system running Server Administrator, the community name used by IT Assistant must match a community name on the system running Server Administrator. For IT Assistant to modify information or perform actions on a system running Server Administrator, the community name used by IT Assistant must match a community name that allows Set operations on the system running Server Administrator. For IT Assistant to receive traps (asynchronous event notifications) from a system running Server Administrator, the system running Server Administrator must be configured to send traps to the system running IT Assistant. For more information, see the Dell OpenManage IT Assistant User's Guide.
The following sections provide step-by-step instructions for configuring the SNMP agent for each supported operating system:
Dell OpenManage software uses the SNMP services provided by the Windows SNMP agent. (SNMP is one of the two supported ways of connecting to a System Administrator session; the other is CIM/WMI.) You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant, perform the procedures described in the following sections.
NOTE: See your operating system documentation for additional details on SNMP configuration.
Windows Server 2003, by default, does not accept SNMP packets from remote hosts. For systems running Windows Server 2003, you must configure the SNMP service to accept SNMP packets from remote hosts if you plan to manage the system by using SNMP management applications from remote hosts. To enable remote shutdown of a system from IT Assistant, SNMP Set operations must be enabled.
NOTE: Rebooting your system for change management functionality does not require SNMP Set operations.
To enable a system running the Windows Server 2003 operating system to receive SNMP packets from a remote host, perform the following steps:
The Computer Management window appears.
The SNMP Service Properties window appears.
Configuring the SNMP community names determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Dell OpenManage software system so that the management applications can retrieve management information from Dell OpenManage software.
The Computer Management window appears.
The SNMP Service Properties window appears.
The SNMP Service Configuration window appears.
The SNMP Service Properties window appears.
The SNMP Service Configuration window appears.
The SNMP Service Properties window appears.
SNMP Set operations must be enabled on the Dell OpenManage software system to change Dell OpenManage software attributes using IT Assistant. To enable remote shutdown of a system from IT Assistant, SNMP Set operations must be enabled.
NOTE: Rebooting your system for change management functionality does not require SNMP Set operations.
The Computer Management window opens.
The SNMP Service Properties window appears.
The SNMP Service Configuration window opens.
The SNMP Service Properties window opens.
Dell OpenManage software generates SNMP traps in response to changes in the status of sensors and other monitored parameters. You must configure one or more trap destinations on the Dell OpenManage software system for SNMP traps to be sent to a management station.
The Computer Management window opens.
The SNMP Service Properties window opens.
The SNMP Service Configuration window opens.
The SNMP Service Properties window opens.
Server Administrator uses the SNMP services provided by the ucd-snmp or net-snmp agent. You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant, perform the procedures described in the following sections.
NOTE: See your operating system documentation for additional details about SNMP configuration.
The management information base (MIB) branch implemented by Server Administrator is identified by the 1.3.6.1.4.1.674 OID. Management applications must have access to this branch of the MIB tree to manage systems running Server Administrator.
For Red Hat Enterprise Linux operating systems, the default SNMP agent configuration gives read-only access for the "public" community only to the MIB-II "system" branch (identified by the 1.3.6.1.2.1.1 OID) of the MIB tree. This configuration does not allow management applications to retrieve or change Server Administrator or other systems management information outside of the MIB-II "system" branch.
If Server Administrator detects the default SNMP configuration during installation, it attempts to modify the SNMP agent configuration to give read-only access to the entire MIB tree for the "public" community. Server Administrator modifies the /etc/snmp/snmpd.conf SNMP agent configuration file in two ways.
The first change is to create a view to the entire MIB tree by adding the following line if it does not exist:
view all included .1
The second change is to modify the default "access" line to give read-only access to the entire MIB tree for the "public" community. Server Administrator looks for the following line:
access notConfigGroup "" any noauth exact systemview none none
If Server Administrator finds the line above, it modifies the line so that it reads:
access notConfigGroup "" any noauth exact all none none
These changes to the default SNMP agent configuration give read-only access to the entire MIB tree for the "public" community.
NOTE: To ensure that Server Administrator is able to modify the SNMP agent configuration to provide proper access to systems management data, it is recommended that any other SNMP agent configuration changes be made after installing Server Administrator.
Server Administrator SNMP communicates with the SNMP agent using the SNMP Multiplexing (SMUX) protocol. When Server Administrator SNMP connects to the SNMP agent, it sends an object identifier to the SNMP agent to identify itself as a SMUX peer. Because that object identifier must be configured with the SNMP agent, Server Administrator adds the following line to the SNMP agent configuration file, /etc/snmp/snmpd.conf, during installation if it does not exist:
smuxpeer .1.3.6.1.4.1.674.10892.1
Configuring the SNMP community names determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Server Administrator software system, so the management applications can retrieve management information from Server Administrator.
To change the SNMP community name used for retrieving management information from a system running Server Administrator, edit the SNMP agent configuration file, /etc/snmp/snmpd.conf, and perform the following steps:
com2sec publicsec default public
or
com2sec notConfigUser default public
com2sec publicsec default community_name
or
com2sec notConfigUser default community_name
service snmpd restart
SNMP Set operations must be enabled on the system running Server Administrator in order to change Server Administrator software attributes using IT Assistant. To enable remote shutdown of a system from IT Assistant, SNMP Set operations must be enabled.
NOTE: Rebooting your system for change management functionality does not require SNMP Set operations.
To enable SNMP Set operations on the system running Server Administrator, edit the /etc/snmp/snmpd.conf SNMP agent configuration file and perform the following steps:
access publicgroup "" any noauth exact all none none
or
access notConfigGroup "" any noauth exact all none none
access publicgroup "" any noauth exact all all none
or
access notConfigGroup "" any noauth exact all all none
service snmpd restart
Server Administrator generates SNMP traps in response to changes in the status of sensors and other monitored parameters. One or more trap destinations must be configured on the system running Server Administrator for SNMP traps to be sent to a management station.
To configure your system running Server Administrator to send traps to a management station, edit the /etc/snmp/snmpd.conf SNMP agent configuration file and perform the following steps:
trapsink IP_address community_name
where IP_address is the IP address of the management station and community_name is the SNMP community name.
service snmpd restart
If you enable firewall security when installing Red Hat Enterprise Linux, the SNMP port on all external network interfaces is closed by default. To enable SNMP management applications such as IT Assistant to discover and retrieve information from Server Administrator, the SNMP port on at least one external network interface must be open. If Server Administrator detects that the SNMP port is not open in the firewall for any external network interface, Server Administrator displays a warning message and logs a message to the system log. See "Ports" for additional information.
You can open the SNMP port by disabling the firewall, opening an entire external network interface in the firewall, or opening the SNMP port for at least one external network interface in the firewall. You can perform this action before or after Server Administrator is started.
To open the SNMP port using one of the previously described methods, perform the following steps:
NOTE: This command is available only if you have performed a default installation of the operating system.
The Choose a Tool menu opens.
The Firewall Configuration screen opens.
NOTE: Press <F1> for more information about the firewall security levels. The default SNMP port number is 161. If you are using the X Windows GUI, pressing <F1> might not provide information about firewall security levels on newer versions of the Red Hat Enterprise Linux operating system.
The Firewall Configuration - Customize screen opens.
The Firewall Configuration screen opens.
The Choose a Tool menu opens.
Server Administrator uses the SNMP services provided by the ucd-snmp or net-snmp agent. You can configure the SNMP agent to enable SNMP access from remote hosts, change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant, perform the procedures described in the following sections.
NOTE: On SUSE Linux Enterprise Server (version 9), the SNMP agent configuration file is located at /etc/snmpd.conf. On SUSE Linux Enterprise Server (version 10), the SNMP agent configuration file is located at /etc/snmp/snmpd.conf.
NOTE: See your operating system documentation for additional details about SNMP configuration.
Server Administrator SNMP communicates with the SNMP agent using the SNMP Multiplexing (SMUX) protocol. When Server Administrator SNMP connects to the SNMP agent, it sends an object identifier to the SNMP agent to identify itself as a SMUX peer. Because that object identifier must be configured with the SNMP agent, Server Administrator adds the following line to the SNMP agent configuration file, /etc/snmpd.conf or /etc/snmp/snmpd.conf, during installation if it does not exist:
smuxpeer .1.3.6.1.4.1.674.10892.1
The default SNMP agent configuration on SUSE Linux Enterprise Server operating systems gives read-only access to the entire MIB tree for the "public" community from the local host only. This configuration does not allow SNMP management applications such as IT Assistant running on other hosts to discover and manage Server Administrator systems properly. If Server Administrator detects this configuration during installation, it logs a message to the operating system log file, /var/log/messages, to indicate that SNMP access is restricted to the local host. You must configure the SNMP agent to enable SNMP access from remote hosts if you plan to manage the system by using SNMP management applications from remote hosts.
NOTE: For security reasons, it is advisable to restrict SNMP access to specific remote hosts if possible.
To enable SNMP access from a specific remote host to a system running Server Administrator, edit the SNMP agent configuration file, /etc/snmpd.conf or /etc/snmp/snmpd.conf, and perform the following steps:
rocommunity public 127.0.0.1
rocommunity public IP_address
NOTE: You can enable SNMP access from multiple specific remote hosts by adding a rocommunity directive for each remote host.
/etc/init.d/snmpd restart
To enable SNMP access from all remote hosts to a system running Server Administrator, edit the SNMP agent configuration file, /etc/snmpd.conf or /etc/snmp/snmpd.conf, and perform the following steps:
rocommunity public 127.0.0.1
rocommunity public
/etc/init.d/snmpd restart
Configuring the SNMP community name determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Server Administrator system, so the management applications can retrieve management information from Server Administrator.
To change the default SNMP community name used for retrieving management information from a system running Server Administrator, edit the SNMP agent configuration file, /etc/snmpd.conf or /etc/snmp/snmpd.conf, and perform the following steps:
rocommunity public 127.0.0.1
rocommunity community_name 127.0.0.1
/etc/init.d/snmpd restart
SNMP Set operations must be enabled on the system running Server Administrator in order to change Server Administrator attributes using IT Assistant. To enable remote shutdown of a system from IT Assistant, SNMP Set operations must be enabled.
NOTE: Rebooting your system for change management functionality does not require SNMP Set operations.
To enable SNMP Set operations on the system running Server Administrator, edit the SNMP agent configuration file, /etc/snmpd.conf or /etc/snmp/snmpd.conf, and perform the following steps:
rocommunity public 127.0.0.1
rwcommunity public 127.0.0.1
/etc/init.d/snmpd restart
Server Administrator generates SNMP traps in response to changes in the status of sensors and other monitored parameters. One or more trap destinations must be configured on the system running Server Administrator for SNMP traps to be sent to a management station.
To configure your system running Server Administrator to send traps to a management station, edit the SNMP agent configuration file, /etc/snmpd.conf or /etc/snmp/snmpd.conf, and perform the following steps:
trapsink IP_address community_name
where IP_address is the IP address of the management station and community_name is the SNMP community name.
/etc/init.d/snmpd restart
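The Red Hat Enterprise Linux and SUSE Linux Enterprise Server sections above both end with an snmpd.conf whose exposure depends on the community name, the accepted source hosts, the read view and whether Set operations are enabled. The following added example (not part of the Dell guide) audits a configuration for those four properties in both the com2sec/access style and the rocommunity/rwcommunity style; the function names, finding codes, sample community name and sample IP address are assumptions constructed for illustration.

```python
import shlex

DEFAULT_COMMUNITY = "public"   # community name used by the default configurations
ANY_HOST = "default"           # net-snmp keyword that matches every source address


def check_community(findings, line_no, community, source):
    if community == DEFAULT_COMMUNITY:
        findings.append((line_no, "DEFAULT_COMMUNITY",
                         f"community '{community}' is the well-known default"))
    if source == ANY_HOST:
        findings.append((line_no, "ANY_SOURCE",
                         f"community '{community}' is accepted from any host"))


def audit_snmpd_conf(text):
    """Return sorted (line_no, code, detail) findings for an snmpd.conf body."""
    findings = []
    whole_tree_views = set()   # view names that include the entire tree (.1)
    access_lines = []          # (line_no, read_view, write_view)

    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)   # keeps "" as a token, drops # comments
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]

        if directive == "view" and len(args) >= 3:
            name, mode, subtree = args[:3]
            if mode == "included" and subtree.lstrip(".") == "1":
                whole_tree_views.add(name)
        elif directive == "com2sec" and len(args) >= 3:
            # com2sec SECNAME SOURCE COMMUNITY (Red Hat style on this page)
            check_community(findings, line_no, args[2], args[1])
        elif directive in ("rocommunity", "rwcommunity") and args:
            # rocommunity COMMUNITY [SOURCE]; no SOURCE means any host
            source = args[1] if len(args) > 1 else ANY_HOST
            check_community(findings, line_no, args[0], source)
            if directive == "rwcommunity":
                findings.append((line_no, "SET_ENABLED",
                                 f"rwcommunity '{args[0]}' allows Set from {source}"))
        elif directive == "access" and len(args) >= 7:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            access_lines.append((line_no, args[5], args[6]))

    # Views may be defined after the access line, so resolve them last.
    for line_no, read_view, write_view in access_lines:
        if write_view != "none":
            findings.append((line_no, "SET_ENABLED",
                             f"write view '{write_view}' allows Set operations"))
        if read_view in whole_tree_views:
            findings.append((line_no, "WHOLE_TREE_READ",
                             f"read view '{read_view}' exposes the entire MIB tree"))
    return sorted(findings)


# Constructed samples (not taken from a real system).
REDHAT_SAMPLE = """\
# Red Hat style after installation, Set operations enabled
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
view systemview included .1.3.6.1.2.1.1
view all included .1
access notConfigGroup "" any noauth exact all all none
smuxpeer .1.3.6.1.4.1.674.10892.1
"""
SUSE_SAMPLE = """\
# SUSE style opened to all hosts, Set enabled locally
rocommunity public
rwcommunity public 127.0.0.1
"""
RESTRICTED_SAMPLE = """\
# One named management station, read-only, non-default community
rocommunity example-ro-name 192.0.2.10
smuxpeer .1.3.6.1.4.1.674.10892.1
"""

if __name__ == "__main__":
    for label, body in [("redhat", REDHAT_SAMPLE), ("suse", SUSE_SAMPLE),
                        ("restricted", RESTRICTED_SAMPLE)]:
        print(label)
        for finding in audit_snmpd_conf(body):
            print("  line %d: %s - %s" % finding)
```

Running the audit after installing Server Administrator, and again after any change to enable Set operations or remote hosts, shows which of the widened settings are actually in effect.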
This section contains the following topics:
You can set user and secure port server preferences for Server Administrator and IT Assistant from the respective Preferences Web page. Click General Settings and click either the User tab or Web Server tab.
NOTE: You must be logged in with Administrator privileges to set or reset user or server preferences.
Perform the following steps to set up your user preferences:
The Preferences home page appears.
NOTE: Clicking Email in any window sends an e-mail message with an attached HTML file of the window to the designated e-mail address.
Perform the following steps to set up your secure port server preferences:
The Preferences home page appears.
NOTE: Changing the port number to an invalid or in-use port number might prevent other applications or browsers from accessing Server Administrator on the managed system.
NOTE: A user with Administrator privileges cannot use Server Administrator when logged into the system remotely.
NOTE: Changing the IP Address to Bind to value to a value other than All may prevent other applications or browsers from remotely accessing Server Administrator on the managed system.
NOTE: For security reasons, your company or organization might not allow e-mails to be sent through the SMTP server to outside accounts.
Web certificates are necessary to ensure the identity of a remote system and ensure that information exchanged with the remote system cannot be viewed or changed by others. To ensure system security, it is strongly recommended that you either generate a new X.509 certificate, reuse an existing X.509 certificate, or import a root certificate or certificate chain from a Certification Authority (CA).
NOTE: You must be logged in with Administrator privileges to perform certificate management.
You can manage X.509 certificates for Server Administrator and IT Assistant from the respective Preferences Web page. Click General Settings, click the Web Server tab, and click X.509 Certificate.
Use the X.509 certificate tool to either generate a new X.509 certificate, reuse an existing X.509 certificate, or import a root certificate or certificate chain from a CA. Authorized CAs include Verisign, Entrust, and Thawte.