
UCS Technology Labs UCS B-Series Components and Management

UCS System Management Communications
Last updated: April 11, 2013

Task
Configure the UCS Manager to allow management communications via HTTPS, SSH, Telnet,
SNMPv3, and Read-Only SMASH CLP.
Redirect all port 80 web requests to port 443. Limit to 6 web sessions per user, and a maximum
of 32 sessions for the entire system.
Create an SNMP user named SNMP-MONITOR.
Make any password for this user, for example C1sc0123.
Ensure that the user uses a 160-bit hashing algorithm and 128-bit encryption method whenever
authenticating and whenever sending any sort of data.
Utilize this user for all inbound SNMP queries sent to the UCS system and all outbound
trap/inform notifications.
Send all traps or informs to the IPv4 address of 192.168.0.199.
When creating an SNMP Trap or Inform, use the one that is more reliable. The system contact for
SNMP should be UCS.Admin@ine.com and the location should be set to "INE DC1, Reno, NV,
US, Earth".

Configuration
Begin by limiting the scope of view to only what is needed at the current time, to simplify
configuration. In this case, filter to Communications Management. Then click the
Communications Services sub-group.


Next, limit the number of web sessions to those specified: 6 per user and 32 overall. Notice that
HTTP port 80 already redirects to HTTPS/SSL port 443, so nothing more is needed there. Also
note that the default Key Ring is used, with a self-signed SSL certificate. If a PKI/CA were to be
used instead, this would require changing the view filter to Key Management, adding a CA
Trustpoint and a CA Signing Request, then importing the resulting certificate. (If using a CA/PKI
Trustpoint, this should be done before any other configuration is performed on the system.)
Also note in this graphic that we have enabled Telnet communications, which are disabled by
default.

SNMP Communications are now configured by first enabling them and specifying the username
that will be used in all outbound trap/inform notifications. The System Contact and System
Location fields have also been filled out. Note the red highlighted plus symbols on the right side
of each SNMP box below. These will be used to create the necessary traps and users required
by the task in the next two graphics.

Click + to create the SNMP Trap. Enter the IP address and username. Use V3 to ensure the
ability to both authenticate and encrypt, and enforce both of those by choosing the v3Privilege of
Priv (Auth authenticates but doesn't encrypt, and Noauth doesn't do either, as you might
expect). Choosing Informs as the Type is necessary because SNMP Traps give the sender no
indication that the receiving side actually received anything at all, whereas Informs require, per
the RFC, that the receiver send an SNMP response protocol data unit (PDU). This method will be
used for outbound SNMP Informs from the UCS system.

For inbound queries, we need to set up a user to be authenticated. We also want to make sure
we select 160-bit authentication (96 of which are used in the HMAC-SHA-96 spec per RFC
2404) and the AES-128 encryption mechanism.
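
The 160-bit, 96-bit and 128-bit sizes mentioned above, worked through in code. This is an added example, not part of the original lab or of UCS Manager: it follows the SNMPv3 USM key derivation in RFC 3414 and RFC 3826 and checks itself against the sample password "maplesyrup" published in RFC 3414. The engine ID paired with the lab password is a constructed placeholder.

```python
import hashlib
import hmac

def password_to_key_sha1(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over 1,048,576 octets of the repeated password."""
    if len(password) < 8:
        raise ValueError("USM requires a password of at least 8 octets")
    reps, rem = divmod(1048576, len(password))
    return hashlib.sha1(password * reps + password[:rem]).digest()  # 160 bits

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Tie the key to one SNMP engine: SHA-1(Ku || snmpEngineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def hmac_sha_96(auth_key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-1 produces 160 bits; the message carries only the first 96."""
    return hmac.new(auth_key, whole_msg, hashlib.sha1).digest()[:12]

def aes128_priv_key(localized_key: bytes) -> bytes:
    """RFC 3826: the AES-128 key is the first 128 bits of the localized key."""
    return localized_key[:16]

# Sample values published in RFC 3414 A.3.2
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_KUL = "6695febc9288e36282235fc7151f128497b38f3f"

if __name__ == "__main__":
    kul = localize_key(password_to_key_sha1(b"maplesyrup"), RFC_ENGINE_ID)
    assert kul.hex() == RFC_KUL
    # Lab password from the task; the engine ID is a constructed placeholder
    lab_engine_id = bytes.fromhex("80000009030000000000000001")
    lab_key = localize_key(password_to_key_sha1(b"C1sc0123"), lab_engine_id)
    msg = b"constructed SNMPv3 message with 12 zero octets in the auth field"
    print("auth key bits:", len(lab_key) * 8)
    print("MAC bits sent:", len(hmac_sha_96(lab_key, msg)) * 8)
    print("AES key bits: ", len(aes128_priv_key(lab_key)) * 8)
```

Because the key is localized to the engine ID, the same password yields a different key on every SNMP engine, so a key recovered from one device does not authenticate to another.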

In the screen shot below, we can see that both are enabled. SMASH CLP (read-only) and SSH
are both enabled by default and cannot be disabled. Remember to click Save at the bottom of
the screen before moving on.

Note that SNMP in UCSM is read-only: it is used simply for monitoring, not for writes or
management. Management of the system is performed via SOAP calls to the well-defined and
well-documented XML-API.

2013 INE Inc., All Rights Reserved
