IBM Remote Supervisor Adapter
Remote supervisor adapter (RSA) is the out-of-band management interface card optional on most IBM x86-based server machines sold under the IBM System x brand.
Remote management is independent of the status of the managed server.
Features
- Remote control of hardware and operating systems
- Web-based management with standard Web browsers (no other software is required)
- Scriptable command-line interface and text-based serial console redirect
- System-independent graphical console redirection
- Remote diskette and CD-ROM drive support
Adapter Versions
Advanced Systems Management Adapter (ASMA)
This is a full-length ISA or PCI adapter. The ISA version is very rare, and was only ever supported in one or two servers. This adapter can be accessed either in-band through a device driver, or out-band over serial or 10Mbit Ethernet.
In addition, this adapter supports chaining of IBM Servers with Advanced Systems Management Processors (ASMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required. A total of 12 systems can be controlled this way using a single adapter.
The PCI version is supported under Linux through the ibmasm driver.
Supported servers:
- IBM Netfinity 4500R
- IBM Netfinity 5000, 5100, 5500, 5500 M10, 5500 M20, 5600
- IBM Netfinity 6000R
- IBM Netfinity 7000 M10, 7100, 7600
- IBM Netfinity 8500R
- IBM eServer xSeries 230, 240, 250
- IBM eServer xSeries 330 (8654), 340, 350, 370
Remote Supervisor Adapter (RSA) 59P2952
This is a half-length PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.
In addition, this adapter supports chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.
The adapter is supported under Linux through the ibmasm driver.
This is the first version to support remote KVM over Ethernet. But when chaining is used, only the server with the adapter installed supports the remote KVM function.
Supported servers:
- IBM eServer xSeries 205, 225 (8647), 232, 255
- IBM eServer xSeries 305, 330, 335, 342, 345, 360
- IBM eServer xSeries 440, 445, 450, 455
Remote Supervisor Adapter II (RSA-II) 73P9265
This is a half-length full-height PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.
In addition, this adapter supports chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.
This adapter (when properly cabled) can be accessed for in-band management through a USB driver.
This adapter has its own ATI video chip, and will cause the onboard video chip to get disabled. The reason for this was to resolve some of the problems with capturing the video for the remote KVM function that the original RSA experienced. Just like the original RSA, in the event of chaining the remote KVM function is only supported on the server with the adapter installed.
Supported servers:
- IBM eServer 326, 326m
- IBM eServer xSeries 206, 225 (8649), 226, 235, 255
- IBM eServer xSeries 305, 306, 306m, 335, 345, 365
- IBM eServer xSeries 445
Cable
The RSA-II requires a 20-pin cable to attach to the motherboard of the server. Without this cable the remote video facilities will still work, and if the external USB cable is connected, the remote keyboard and mouse will work—but nothing else (including power control) will function properly. Moreover, some servers will pause for 30–120 seconds after power-on if the RSA-II is installed but the cable is missing.
Different cables are required for different servers, and as of April 2008 it appears that the cards themselves are far more plentiful on the used market than certain cables—often the cables sell for more than the cards themselves!
Here is a table of known server/cablenumber combinations:
- eServer 326 uses cable 73P9312
- x345 uses cable 02R1661
Older servers use what is known as the "planar cable". Newer servers use the cable shown in the image to the right:
Remote Supervisor Adapter II Slimline (RSA-II Slimline)
This is a special version of the RSA-II that does not need a PCI slot. Instead it is plugged into a dedicated slot on the systemboard, like a mini-pci adapter. This version also does not have a video controller anymore like the RSA-II.
Out-band management is provided by a dedicated Ethernet port on the server, which is not connected if the RSA-II Slimline is not installed. In-Band management is provided by the same USB driver as the RSA-II.
Supported servers:
- IBM eServer xSeries 236, 260
- IBM eServer xSeries 336, 346, 366
- IBM eServer xSeries 460, MXE-460
- IBM System x 3200, 3250, 3350, 3400, 3500, 3550, 3650, 3655, 3755, 3800, 3850, 3950
Peculiarities
Maximum Password Length
A password can only be 15 characters max. If more characters are typed at the changing password form, there will be no error message but they won't be memorized.
Java 1.6 Incompatibility Bug
The RSA remote control is now broken IBM has issued a fix that only works some of the time (see here & ). Most users are advised to use Java JRE 1.60 U07 or earlier also works around IBM's bug, which is impossible if the user does not have administrative access to the client machine. IBM has been unresponsive. jre-1_5_0_21-windows-i586-p.exe generally gives good results on windows clients.
The Remote console works with the OpenJDK JRE and the IcedTea browser plugin. Tested on OpenJDK6 build 18 and IcedTea 1.1.
Passwords Sent in Clear Text
SSL is disabled by default, meaning that administrator passwords are sent in clear text.
Invisible to Traceroute
The network stack used by the RSAII does not respond to UDP packets sent to a closed port; therefore, it appears to be "invisible" to traceroutes based on UDP (the default for non-Windows systems).
Reliability Problems
A defect in the design of the RSA can cause it to go into a state in which the remote video capabilities are disabled. Unfortunately, once in this state the only way to correct the situation is to physically remove power from the RSA and the server; no amount of remote restarting will correct the problem. Because the point of the RSA is to eliminate the need for this sort of physical intervention to clear errors, this flaw calls into question the usefulness of the device.
This flaw is documented on IBM's website at [1]
Requires UDP
The remote control feature of the service processor requires that it be possible to exchange packets on UDP port 2000 between the adapter and the client.
No Video through NAT
The adapter does not cope well with modern NATs. The symptoms generally experienced are a lack of video when attempting to access remote control. If in doubt, ensure that the client (web browser) has its own public internet IP and is not behind any sort of NAT.
No Video when using a Cisco router or switch with Network Address Translation (NAT)
Problem: When using a Cisco router or switch with Network Address Translation (NAT) enabled, connection to the Remote Supervisor Adapter (RSA) II web UI is operational. When starting the remote control session, the user receives a blank screen.
Solution:
The remote console port should be changed from 2000 to 5090 or any other value.
Log in to the RSA II web UI pages. In the RSA II web UI, go to Port Assignments in the left panel. Go to remote console and change the value to 5090. Save and restart the ASM. Port 2000 is being used by Cisco Skinny Client Control Protocol (SCCP). Since the default value for RSA II console port (remote video) is 2000, it needs be changed to another value such as 5090.
Network Port Disabled By Default
The default state for the RSAII is to have the network port disabled.[2] This will also be the case if the card has been reset to factory defaults. To enable the network port, one must install an OS on the server (Linux or Windows) and use a software utility to enable the network port.
Difficult to Reset
Procedures for resetting the RSAII to factory defaults may be challenging for some users. The IBM forums list a procedure [3] for resetting an RSAII to factory defaults which appears to be simpler; it involves removing the card from the server and operating it from a non-PCI power supply.
LDAP authentication generally unusable
LDAP authentication fails if a user is a member of more than one posixGroup, which is usually the case in non-trivial directories. IBM privately acknowledged the problem has existed for over four years, but still has not published a fix. The problem is that it considers only first posixGroup in resultset, so if you manage to reorganize directory to return your matching group first, you can succeed on the auth (with openldap ldif dump, delete and restore tends to keep results ordered).
Host OS tools
Like almost all IBM-provided management tools, software tools do not respect long established OS conventions for packaging, file paths and naming.
Firmware updates are incompatible with a non-executable /tmp directory, a commonly employed security setting.
Command line tools have many undocumented behaviors. "asu," the executable used to query or set parameters on the board, writes logs to the current directory with a hardcoded name, without warning and without basic sanity checks. It will thus silently overwrite the target of a symbolic link with that name.
Related
BladeCenter Management Module (BCMM)
This is the first management module of the IBM BladeCenter.
Its function is very similar to that of the RSA-II
The BCMM provides an external 10/100Mbit Ethernet connection (used for out-of-band management) and shared VGA, PS/2 Keyboard and PS/2 Mouse ports. Internally the VGA and PS/2 ports are switchable between blades. The PS/2 ports are internally seen to the blades as USB.
This has since been phased out and replaced by the BCAMM. It is no longer supported by IBM.
BladeCenter Advanced Management Module (BCAMM)
This is a hardware refresh of the management module for the IBM BladeCenter. The PS/2 ports for keyboard and mouse were replaced with two USB ports. The BCAMM is currently under active development and its firmware offers more capabilities than the original BCMM.
Advanced Systems Management Processor (ASMP)
This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the ISMP. Out-of-band management is possible using a serial port (shared with the OS), or by adding the Advanced Systems Management Adapter (ASMA).
These servers have ASMP functionality:
- IBM Netfinity 4500R
- IBM Netfinity 5000, 5100, 5500, 5600
- IBM Netfinity 6000R
- IBM Netfinity 7100, 7600
- IBM xSeries 130 (8654), 135 (8654), 150
- IBM xSeries 230, 240, 250
- IBM xSeries 330, 340, 350
Integrated Systems Management Processor (ISMP)
This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the BMC. Out-of-band management is possible by adding the RSA or RSA-II.
These servers have ISMP functionality:
- IBM xSeries 232, 235, 236, 255
- IBM xSeries 335, 342, 345
Baseboard Management Controller (BMC)
On the latest IBM Intel-based servers a BMC is standard, and optionally the RSA-II Slimline can be added.
Integrated Management Module (IMM)
IBM Integrated Management Module (IMM) comprises the legacy BMC (baseboard management processor) and RSA (Remote Supervisor Adapter) function in IBM uEFI machines. Also, it consolidates Super I/O controller, Video controller. It also incorporates most of the bugs present in RSA and BMC, as well as providing many of its own, unique problems. This works with System firmware (Unified Extensible Firmware Interface) to provide system management functions. some of its greatly improved features over BMC and RSA are:
- Advanced Predictive Failure Analysis (PFA)
- Option to choose dedicated or shared Ethernet connection
- Virtual light path diagnostic
- Email alerts
- Remote firmware updating
- Remote power control, remote control of hardware and Operating system
- OS failure screen shot capture
- Remote disk which enables to use CD/DVD drive, USB flash drives, image and diskette drive
See also
Default Password
The default login is "USERID" and the default password is "PASSW0RD" (note the zero rather than an "O").