Provided by: freeipmi-tools_0.8.12-3ubuntu1_amd64


       bmc-config - BMC configuration file format and details


       Before  many  IPMI  tools  can  be  used  over a network, a machine's Baseboard Management
       Controller (BMC) must be configured. The configuration of a BMC can be quite daunting  for
       those who do not know much about IPMI. This manpage hopes to provide enough information on
       BMC configuration so that you can configure the BMC for your  system.   When  appropriate,
       typical BMC configurations will be suggested.

       The  following  is  an  example  BMC  configuration file partially generated from the bmc-
       config(1) command. This example configuration should be sufficient for  most  users  after
       the  appropriate  local  IP and MAC addresses are input.  Following this example, separate
       sections of this manpage will discuss the different sections of the BMC configuration file
       in  more  detail  with  explanations  of  how  the  BMC  can  be  configured for different

       Note that many options may or may  not  be  available  on  your  particular  machine.  For
       example,  Serial-Over-Lan  (SOL) is available only on IPMI 2.0 machines. Therefore, if you
       are looking to configure an IPMI 1.5 machine, many of the SOL or IPMI 2.0 related  options
       will be unavailable to you. The number of configurable users may also vary for your
       particular machine.

       The below configuration file and most of this manpage assume the  user  is  interested  in
       configuring  a  BMC  for  use with IPMI over LAN.  Various configuration options from bmc-
       config(1) have been left out or skipped because they are considered unnecessary. Future
       versions of this manpage will try to include more information.

            Section User1
             ## Give username
             ## Username NULL
             ## Give password or leave it blank to clear password
             Password mypassword
             ## Possible values: Yes/No or blank to not set
             Enable_User Yes
             ## Possible values: Yes/No
             Lan_Enable_Ipmi_Msgs Yes
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Lan_Privilege_Limit Administrator
             ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
             ## Lan_Session_Limit
             ## Possible values: Yes/No
             SOL_Payload_Access Yes
            Section User2
             ## Give username
             Username user2
             ## Give password or leave it blank to clear password
             Password userpass
             ## Possible values: Yes/No or blank to not set
             Enable_User No
             ## Possible values: Yes/No
             Lan_Enable_Ipmi_Msgs No
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Lan_Privilege_Limit No_Access
             ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
             ## Lan_Session_Limit
             ## Possible values: Yes/No
             SOL_Payload_Access No
            Section Lan_Channel
             ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
             Volatile_Access_Mode Always_Available
             ## Possible values: Yes/No
             Volatile_Enable_User_Level_Auth Yes
             ## Possible values: Yes/No
             Volatile_Enable_Per_Message_Auth Yes
             ## Possible values: Yes/No
             Volatile_Enable_Pef_Alerting No
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Volatile_Channel_Privilege_Limit Administrator
             ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
             Non_Volatile_Access_Mode Always_Available
             ## Possible values: Yes/No
             Non_Volatile_Enable_User_Level_Auth Yes
             ## Possible values: Yes/No
             Non_Volatile_Enable_Per_Message_Auth Yes
             ## Possible values: Yes/No
             Non_Volatile_Enable_Pef_Alerting No
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Non_Volatile_Channel_Privilege_Limit Administrator
            Section Lan_Conf
             ## Possible values: Unspecified/Static/Use_DHCP/Use_BIOS/Use_Others
             Ip_Address_Source Static
             ## Give valid IP Address
             ## Give valid MAC Address
             Mac_Address 00:0E:0E:FF:AA:12
             ## Give valid Subnet mask
             ## Give valid IP Address
             ## Give valid MAC Address
             Default_Gateway_Mac_Address 00:0E:0E:FF:AA:18
             ## Give valid IP Address
             ## Give valid MAC Address
             Backup_Gateway_Mac_Address 00:0E:0E:FF:AA:15
            Section Lan_Conf_Auth
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Md2 No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Md5 No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             User_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Md2 Yes
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Md5 Yes
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Md2 Yes
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Md5 Yes
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Md2 Yes
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Md5 Yes
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Md2 No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Md5 No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Oem_Proprietary No
            Section Lan_Conf_Security_Keys
               ## Give string or blank to clear. Max 20 chars
            Section Lan_Conf_Misc
             ## Possible values: Yes/No
             Enable_Gratuitous_Arps Yes
             ## Possible values: Yes/No
             Enable_Arp_Response No
             ## Give valid number. Intervals are 500 ms.
             Gratuitous_Arp_Interval 4
            Section Rmcpplus_Conf_Privilege
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_0 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_1 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_2 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_3 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_4 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_5 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_6 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_7 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_8 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_9 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_10 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_11 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_12 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_13 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_14 Administrator
            Section SOL_Conf
             ## Possible values: Yes/No
             Enable_SOL Yes
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
             SOL_Privilege_Level Administrator
             ## Possible values: Yes/No
             Force_SOL_Payload_Authentication Yes
             ## Possible values: Yes/No
             Force_SOL_Payload_Encryption Yes
             ## Give a valid integer. Each unit is 5ms
             Character_Accumulate_Interval 50
             ## Give a valid number
             Character_Send_Threshold 100
             ## Give a valid integer
             SOL_Retry_Count 5
             ## Give a valid integer. Interval unit is 10ms
             SOL_Retry_Interval 50
             ## Possible values: Serial/9600/19200/38400/57600/115200
             Non_Volatile_Bit_Rate 115200
             ## Possible values: Serial/9600/19200/38400/57600/115200
             Volatile_Bit_Rate 115200
            Section Misc
             ## Possible Values: Off_State_AC_Apply/Restore_State_AC_Apply/On_State_AC_Apply
             Power_Restore_Policy Restore_State_AC_Apply

Section User1, User2, ...

       The  User  sections  of the BMC configuration file are for username configuration for IPMI
       over LAN communication. The number of users available to be configured on your system will
       vary  by  manufacturer.   With  the  exception of the Username for User1, all sections are

       The username(s) you wish to configure the BMC with are defined with  Username.  The  first
       username  under  Section  User1 is typically the NULL username and cannot be modified. The
       password for the username can be specified with Password. It can be left empty to define a
       NULL  password.  Each  user  you  wish  to  enable must be enabled through the Enable_User
       configuration option. It is recommended that all usernames have non-NULL passwords  or  be
       disabled for security reasons.

       Lan_Enable_Ipmi_Msgs  is used to enable or disable IPMI over LAN access for the user. This
       should be set to "Yes" to allow IPMI over LAN tools to work.

       Lan_Privilege_Limit specifies the maximum privilege  level  limit  the  user  is  allowed.
       Different  IPMI  commands  have different privilege restrictions. For example, determining
       the power status of a machine only requires the "User"  privilege  level.  However,  power
       cycling requires the "Operator" privilege. Typically, you will want to assign at least one
       user with a privilege limit of "Administrator" so that all system functions are available
       to at least one user via IPMI over LAN.

       Lan_Session_Limit specifies the number of simultaneous IPMI sessions allowed for the user.
       Most users will wish to set this to "0" to allow  unlimited  simultaneous  IPMI  sessions.
       This  field  is  considered  optional  by  IPMI  standards,  and may result in errors when
       attempting to configure it to a non-zero value. If errors do occur, setting the value back
       to 0 should resolve problems.

       SOL_Payload_Access  specifies if a particular user is allowed to connect with Serial-Over-
       LAN (SOL). This should be set to "Yes" to allow this username to use SOL.

       The example configuration above disables "User2" but  enables  the  default  "NULL"  (i.e.
       anonymous)  user.  Many  IPMI tools (both open-source and vendor) do not allow the user to
       input a username and assume the NULL username by default. If the tools you are  interested
       in  using  allow  usernames  to  be input, then it is recommended that one of the non-NULL
       usernames be  enabled  and  the  NULL  username  disabled  for  security  reasons.  It  is
       recommended that you disable the NULL username in section User1, so that users are
       required to specify a username for IPMI over LAN communication.

       Some motherboards may require a Username to be configured  prior  to  other  fields  being
       read/written. If this is the case, those fields will be set to <username-not-set-yet>.

Section Lan_Channel

       The  Lan_Channel  section  configures a variety of IPMI over LAN configuration parameters.
       Both Volatile and Non_Volatile configurations can  be  set.  Volatile  configurations  are
       immediately  configured  onto  the  BMC  and  will  have  immediate  effect on the system.
       Non_Volatile configurations are only available after the  next  system  reset.  Generally,
       both the Volatile and Non_Volatile should be configured identically.

       The  Access_Mode  parameter  configures  the  availability of IPMI over LAN on the system.
       Typically this should be set to "Always_Available" to enable IPMI over LAN.

       The Privilege_Limit sets the maximum privilege any  user  of  the  system  can  have  when
       performing  IPMI over LAN. This should be set to the maximum privilege level configured to
       a username. Typically, this should be set to "Administrator".

       Typically User_Level_Auth and Per_Message_Auth should  be  set  to  "Yes"  for  additional
       security.  Disabling User_Level_Auth allows "User" privileged IPMI commands to be executed
       without authentication. Disabling Per_Message_Auth allows fewer individual  IPMI  messages
       to require authentication.

Section Lan_Conf

       Those  familiar  with  setting  up networks should find most of the fields in this section
       self explanatory. The example BMC configuration above illustrates the setup of a static IP
       address.  The  field IP_Address_Source is configured with "Static". The IP address, subnet
       mask, and gateway IP addresses of the machine are respectively configured with the
       IP_Address, Subnet_Mask, Default_Gateway_Ip_Address, and Backup_Gateway_Ip_Address fields.
       The respective MAC addresses for  the  IP  addresses  are  configured  under  Mac_Address,
       Default_Gateway_Mac_Address, and Backup_Gateway_Mac_Address.

       It is not required to set up the BMC IP_Address to be the same IP_Address used by your
       operating system for that network interface. However, if you choose to use a different
       address, an alternate ARP configuration may need to be set up.

       To instead setup your BMC network information via DHCP, the field IP_Address_Source should
       be configured with "Use_DHCP".

       It is recommended that static IP addresses be configured for address  resolution  reasons.
       See Lan_Conf_Misc below for a more detailed explanation.

Section Lan_Conf_Auth

       This  section  determines what types of password authentication mechanisms are allowed for
       users at different privilege levels under the IPMI 1.5 protocol. The  currently  supported
       authentication   methods   for   IPMI   1.5  are  None  (no  username/password  required),
       Straight_Password (passwords are sent in the clear), MD2 (passwords are MD2  hashed),  and
       MD5  (passwords are MD5 hashed).  Different usernames at different privilege levels may be
       allowed to authenticate differently through this configuration. For  example,  a  username
       with  "User"  privileges  may  be  allowed to authenticate with a straight password, but a
       username with "Administrator" privileges may be allowed to authenticate only with MD5.

       The above example configuration supports MD2 and MD5 authentication for all users  at  the
       "User",  "Operator",  and  "Administrator" privilege levels. All authentication mechanisms
       have been disabled for the "Callback" privilege level.

       Generally speaking, you do not want to  allow  any  user  to  authenticate  with  None  or
       Straight_Password for security reasons.  MD2 and MD5 are digital signature algorithms that
       can minimally encrypt passwords. If you have chosen to support the NULL username  (enabled
       User1)  and  NULL  passwords  (NULL  password for User1), you will have to enable the None
       authentication fields above to allow users to connect via None.

Section Lan_Conf_Security_Keys

       This section supports configuration of the IPMI 2.0 (including Serial-over-LAN)  K_g  key.
       If your machine does not support IPMI 2.0, this field will not be configurable.

       The  key  is  used  for two-key authentication in IPMI 2.0. In most tools, when doing IPMI
       2.0, the K_g can be optionally specified. It is not required for IPMI 2.0 operation.

       In the above example, we have elected to leave this field blank so  the  K_g  key  is  not

Section Lan_Conf_Misc

       This  section lists miscellaneous IPMI over LAN configuration options.  These are optional
       IPMI configuration options that are not implemented on all BMCs.

       Normally, a client cannot resolve the ethernet MAC address without  the  remote  operating
       system  running. However, IPMI over LAN would not work when a machine is powered off or if
       the IP address used by the operating system for that network interface  differs  from  the
       BMC  IP  Address. One way to work around this is through gratuitous ARPs.  Gratuitous ARPs
       are ARP packets generated by the BMC and sent out  to  advertise  the  BMC's  IP  and  MAC
       address.   Other  machines  on  the  network can store this information in their local ARP
       cache for later IP/hostname resolution. This would allow IPMI over LAN to  work  when  the
       remote  machine  is powered off. The Enable_Gratuitous_Arps option allows you to enable or
       disable this feature. The Gratuitous_Arp_Interval  option  allows  you  to  configure  the
       frequency at which gratuitous ARPs are sent onto the network.

       Instead of gratuitous ARPs, some BMCs are able to respond to ARP requests, even when
       powered off. If offered, this feature can be enabled through the Enable_Arp_Response

       Generally  speaking,  turning on gratuitous ARPs is acceptable.  However, it will increase
       traffic on your network.  If you are using IPMI on a large cluster,  the  gratuitous  ARPs
       may  easily flood your network. They should be tuned to occur less frequently or disabled.
       If disabled, the remote machine's MAC address should be permanently stored  in  the  local
       ARP cache through arp(8).

       See  bmc-watchdog(8)  for  a  method  which allows gratuitous ARPs to be disabled when the
       operating system is running, but enabled when the system is down.

Section Rmcpplus_Conf_Privilege

       This section supports configuration of the IPMI  2.0  (including  Serial-over-LAN)  cipher
       suite IDs. If your machine does not support IPMI 2.0, the fields will not be configurable.

       Each  cipher  suite  ID  describes a combination of an authentication algorithm, integrity
       algorithm, and encryption algorithm for IPMI 2.0.  The authentication  algorithm  is  used
       for  user  authentication  with  the  BMC.  The integrity algorithm is used for generating
       signatures on IPMI packets. The confidentiality algorithm is used for encrypting data. The
       configuration  in this section enables certain cipher suite IDs to be enabled or disabled,
       and the maximum privilege level a username can authenticate with.

       The following table shows the cipher suite ID to algorithms mapping:

       0 - Authentication Algorithm = None; Integrity Algorithm = None; Confidentiality Algorithm
       = None

       1  -  Authentication  Algorithm  =  HMAC-SHA1; Integrity Algorithm = None; Confidentiality
       Algorithm = None

       2  -  Authentication  Algorithm  =  HMAC-SHA1;   Integrity   Algorithm   =   HMAC-SHA1-96;
       Confidentiality Algorithm = None

       3   -   Authentication   Algorithm   =  HMAC-SHA1;  Integrity  Algorithm  =  HMAC-SHA1-96;
       Confidentiality Algorithm = AES-CBC-128

       4  -  Authentication  Algorithm  =  HMAC-SHA1;   Integrity   Algorithm   =   HMAC-SHA1-96;
       Confidentiality Algorithm = xRC4-128

       5   -   Authentication   Algorithm   =  HMAC-SHA1;  Integrity  Algorithm  =  HMAC-SHA1-96;
       Confidentiality Algorithm = xRC4-40

       6 - Authentication Algorithm =  HMAC-MD5;  Integrity  Algorithm  =  None;  Confidentiality
       Algorithm = None

       7   -   Authentication   Algorithm   =   HMAC-MD5;  Integrity  Algorithm  =  HMAC-MD5-128;
       Confidentiality Algorithm = None

       8  -  Authentication  Algorithm  =   HMAC-MD5;   Integrity   Algorithm   =   HMAC-MD5-128;
       Confidentiality Algorithm = AES-CBC-128

       9   -   Authentication   Algorithm   =   HMAC-MD5;  Integrity  Algorithm  =  HMAC-MD5-128;
       Confidentiality Algorithm = xRC4-128

       10  -  Authentication  Algorithm  =  HMAC-MD5;   Integrity   Algorithm   =   HMAC-MD5-128;
       Confidentiality Algorithm = xRC4-40

       11  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality
       Algorithm = None

       12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =  MD5-128;  Confidentiality
       Algorithm = AES-CBC-128

       13  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality
       Algorithm = xRC4-128

       14 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =  MD5-128;  Confidentiality
       Algorithm = xRC4-40

       Generally  speaking,  HMAC-SHA1  based  algorithms  are  stronger than HMAC-MD5, which are
       better than MD5-128 algorithms. AES-CBC-128 confidentiality algorithms are  stronger  than
       xRC4-128  algorithms,  which  are  better  than  xRC4-40  algorithms. Cipher suite ID 3 is
       therefore typically considered the most secure. Some users may wish to set cipher suite ID
       3 to a privilege level and disable all remaining cipher suite IDs.

       The above example configuration allows any user with "Administrator" privileges to use
       any cipher suite that requires an authentication, integrity, and confidentiality
       algorithm. Typically, the maximum privilege level configured to a username should be set
       for at least one cipher suite ID. Typically, this is the "Administrator" privilege.

       A number of cipher suite IDs are optionally implemented, so the cipher suite IDs
       available on your system may vary.

Section SOL_Conf

       This section is for setting up Serial-Over-Lan  (SOL)  and  will  only  be  available  for
       configuration on those machines. SOL can be enabled with the Enable_SOL field. The minimum
       privilege level required for connecting with  SOL  is  specified  by  SOL_Privilege_Level.
       This  should  be  set to the maximum privilege level configured to a username that has SOL
       enabled. Typically, this is the "Administrator" privilege. Authentication  and  Encryption
       can   be   forced   or   not   using   the   fields  Force_SOL_Payload_Authentication  and
       Force_SOL_Payload_Encryption respectively.  It  is  recommended  that  these  be  set  on.
       However,  forced  authentication  and/or encryption support depend on the cipher suite IDs

       The Character_Accumulate_Interval, Character_Send_Threshold, SOL_Retry_Count, and
       SOL_Retry_Interval options are used to set SOL character output speeds.
       Character_Accumulate_Interval determines how often serial data should be regularly sent
       and Character_Send_Threshold indicates the character count that, if passed, will force
       serial data to be sent. SOL_Retry_Count indicates how many times packets must be
       retransmitted  if  acknowledgements  are  not  received.  SOL_Retry_Interval indicates the
       timeout interval. Generally, the manufacturer  recommended  numbers  will  be  sufficient.
       However, you may wish to experiment with these values for faster SOL throughput.

       The Non_Volatile_Bit_Rate and Volatile_Bit_Rate determine the baudrate the BMC should use.
       This should match the baudrate set in the BIOS and operating system,  such  as  agetty(8).
       Generally speaking, both the Volatile and Non_Volatile options should be set identically.

       In addition to enabling SOL in this section, individual users must also be capable of
       connecting with SOL. See the section Section User1, User2, ... above for details.
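
       The recommendations in the User, Lan_Channel, Lan_Conf_Auth, Rmcpplus_Conf_Privilege
       and SOL_Conf sections above can be checked mechanically. The following is an added
       example, not part of freeipmi or of the original manpage. It assumes that a User1
       section without a Username line is the NULL user (as in the example configuration)
       and that EndSection lines, if present, can be ignored; the sample input is constructed.

```python
# Cipher suite IDs whose integrity or confidentiality algorithm is "None" in the table
# above; the page's example configuration sets exactly these IDs to "Unused".
UNPROTECTED_SUITES = {0, 1, 2, 6, 7, 11}
SUITE_KEY = "Maximum_Privilege_Cipher_Suite_Id_"

# Constructed sample input (not taken from a real BMC).
SAMPLE = """\
Section User1
 ## Username NULL
 Password
 Enable_User Yes
 Lan_Enable_Ipmi_Msgs Yes
Section Lan_Channel
 Volatile_Enable_Per_Message_Auth Yes
 Non_Volatile_Enable_Per_Message_Auth No
Section Lan_Conf_Auth
 Admin_Enable_Auth_Type_None Yes
 Admin_Enable_Auth_Type_Md5 Yes
Section Rmcpplus_Conf_Privilege
 Maximum_Privilege_Cipher_Suite_Id_0 Administrator
 Maximum_Privilege_Cipher_Suite_Id_3 Administrator
Section SOL_Conf
 Enable_SOL Yes
 Force_SOL_Payload_Authentication Yes
 Force_SOL_Payload_Encryption No
"""


def parse(text):
    """Return {section: {key: value}}; comment lines and EndSection are skipped."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "EndSection":
            continue
        key, _, value = line.partition(" ")
        if key == "Section":
            cur = conf.setdefault(value.strip(), {})
        elif cur is not None:
            cur[key] = value.strip()
    return conf


def audit(text):
    """Return (section, key, reason) for each setting the manpage advises against."""
    conf, out = parse(text), []
    on = lambda sec, key, want="yes": sec.get(key, "").lower() == want
    for name, sec in conf.items():
        if name.startswith("User") and on(sec, "Enable_User") and on(sec, "Lan_Enable_Ipmi_Msgs"):
            # Assumption: User1 without a Username line is the NULL user, as in the example.
            if name == "User1" and sec.get("Username", "NULL") in ("", "NULL"):
                out.append((name, "Username", "NULL (anonymous) username is enabled"))
            if sec.get("Password") == "":
                out.append((name, "Password", "enabled user has a NULL password"))
    auth = conf.get("Lan_Conf_Auth", {})
    for key in auth:
        if key.endswith(("_Auth_Type_None", "_Auth_Type_Straight_Password")) and on(auth, key):
            out.append(("Lan_Conf_Auth", key, "None/Straight_Password authentication allowed"))
    chan = conf.get("Lan_Channel", {})
    for key, val in chan.items():
        if key.endswith(("_User_Level_Auth", "_Per_Message_Auth")) and on(chan, key, "no"):
            out.append(("Lan_Channel", key, "authentication requirement disabled"))
        if key.startswith("Volatile_") and chan.get("Non_" + key, val) != val:
            out.append(("Lan_Channel", key, "differs from the Non_Volatile setting"))
    rmcp = conf.get("Rmcpplus_Conf_Privilege", {})
    for key in rmcp:
        weak = key.startswith(SUITE_KEY) and int(key[len(SUITE_KEY):]) in UNPROTECTED_SUITES
        if weak and not on(rmcp, key, "unused"):
            out.append(("Rmcpplus_Conf_Privilege", key, "suite lacks integrity or confidentiality"))
    sol = conf.get("SOL_Conf", {})
    for key in ("Force_SOL_Payload_Authentication", "Force_SOL_Payload_Encryption"):
        if on(sol, "Enable_SOL") and on(sol, key, "no"):
            out.append(("SOL_Conf", key, "SOL enabled without forcing this protection"))
    return out


if __name__ == "__main__":
    for section, key, reason in audit(SAMPLE):
        print(f"{section}.{key}: {reason}")
```

       Keys that are absent or commented out are treated as not set by the file and are not
       reported.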

Section Misc

       The Power_Restore_Policy determines the behavior of the  machine  when  AC  power  returns
       after   a   power  loss.  The  behavior  can  be  set  to  always  power  on  the  machine
       ("On_State_AC_Apply"), power off the machine ("Off_State_AC_Apply"), or return  the  power
       to the state that existed before the power loss ("Restore_State_AC_Apply").


       Report bugs to <> or <>.


       freeipmi(7), bmc-config(8), bmc-watchdog(8), agetty(8)