Provided by: freeipmi-tools_1.4.11-1.1ubuntu4.1~0.16.04_amd64 bug

NAME

       ipmi-config - IPMI configuration file details

DESCRIPTION

       Before  many  IPMI  tools  can  be  used  over a network, a machine's Baseboard Management
       Controller (BMC) must be configured. The configuration can be quite daunting for those who
       do  not  know  much  about  IPMI.  This manpage hopes to provide enough information on BMC
       configuration so that you can configure the BMC for your system. When appropriate, typical
       BMC configurations will be suggested.

       The  following  is  an  example  configuration  file  partially  generated  by running the
       --checkout option with the ipmi-config(8) command. This configuration comes from the  core
       category  of  configuration  values  (the  default).  This example configuration should be
       sufficient for most users after the appropriate local IP  and  MAC  addresses  are  input.
       Following  this  example,  separate  sections  of  this manpage will discuss the different
       sections of the configuration file in more detail with explanations of how the BMC can  be
       configured for different environments.

       Note  that  many  options  may  or  may  not  be available on your particular machine. For
       example, Serial-Over-Lan (SOL) is available only on IPMI 2.0 machines. Therefore,  if  you
       are  looking to configure an IPMI 1.5 machine, many of the SOL or IPMI 2.0 related options
       will be be unavailable to you. The number of configurable users may  also  vary  for  your
       particular machine.

       The  below  configuration  file  and most of this manpage assume the user is interested in
       configuring a BMC for use with IPMI over LAN.  Various configuration  options  from  ipmi-
       config(8)  have  been  left  out  or skipped because it is considered unnecessary.  Future
       versions of this manpage will try to include more information.

            Section User1
             ## Give username
             ## Username NULL
             ## Give password or leave it blank to clear password
             Password mypassword
             ## Possible values: Yes/No or blank to not set
             Enable_User Yes
             ## Possible values: Yes/No
             Lan_Enable_Ipmi_Msgs Yes
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Lan_Privilege_Limit Administrator
               ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
               ## Lan_Session_Limit
             ## Possible values: Yes/No
             SOL_Payload_Access Yes
            EndSection
            Section User2
             ## Give username
             Username user2
             ## Give password or leave it blank to clear password
             Password userpass
             ## Possible values: Yes/No or blank to not set
             Enable_User No
             ## Possible values: Yes/No
             Lan_Enable_Ipmi_Msgs No
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Lan_Privilege_Limit No_Access
               ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
               ## Lan_Session_Limit
               ## Possible values: Yes/No
               SOL_Payload_Access No
            EndSection
            Section Lan_Channel
             ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
             Volatile_Access_Mode Always_Available
             ## Possible values: Yes/No
             Volatile_Enable_User_Level_Auth Yes
             ## Possible values: Yes/No
             Volatile_Enable_Per_Message_Auth Yes
             ## Possible values: Yes/No
             Volatile_Enable_Pef_Alerting No
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Volatile_Channel_Privilege_Limit Administrator
             ## Possible values: Disabled/Pre_Boot_Only/Always_Available/Shared
             Non_Volatile_Access_Mode Always_Available
             ## Possible values: Yes/No
             Non_Volatile_Enable_User_Level_Auth Yes
             ## Possible values: Yes/No
             Non_Volatile_Enable_Per_Message_Auth Yes
             ## Possible values: Yes/No
             Non_Volatile_Enable_Pef_Alerting No
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
             Non_Volatile_Channel_Privilege_Limit Administrator
            EndSection
            Section Lan_Conf
             ## Possible values: Unspecified/Static/Use_DHCP/Use_BIOS/Use_Others
             Ip_Address_Source Static
             ## Give valid IP Address
             Ip_Address 192.168.1.100
             ## Give valid MAC Address
             Mac_Address 00:0E:0E:FF:AA:12
             ## Give valid Subnet mask
             Subnet_Mask 255.255.255.0
             ## Give valid IP Address
             Default_Gateway_Ip_Address 192.168.1.1
             ## Give valid MAC Address
             Default_Gateway_Mac_Address 00:0E:0E:FF:AA:18
             ## Give valid IP Address
             Backup_Gateway_Ip_Address 192.168.1.2
             ## Give valid MAC Address
             Backup_Gateway_Mac_Address 00:0E:0E:FF:AA:15
            EndSection
            Section Lan_Conf_Auth
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Md2 No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Md5 No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Callback_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             User_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Md2 Yes
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Md5 Yes
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             User_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Md2 Yes
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Md5 Yes
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Operator_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Md2 Yes
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Md5 Yes
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Admin_Enable_Auth_Type_Oem_Proprietary No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_None No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Md2 No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Md5 No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Straight_Password No
             ## Possible values: Yes/No
             Oem_Enable_Auth_Type_Oem_Proprietary No
            EndSection
            Section Lan_Conf_Security_Keys
               ## Give string or blank to clear. Max 20 chars
               K_G
            EndSection
            Section Lan_Conf_Misc
             ## Possible values: Yes/No
             Enable_Gratuitous_Arps Yes
             ## Possible values: Yes/No
             Enable_Arp_Response No
             ## Give valid number. Intervals are 500 ms.
             Gratuitous_Arp_Interval 4
            EndSection
            Section Rmcpplus_Conf_Privilege
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_0 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_1 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_2 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_3 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_4 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_5 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_6 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_7 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_8 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_9 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_10 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_11 Unused
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_12 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_13 Administrator
             ## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
             Maximum_Privilege_Cipher_Suite_Id_14 Administrator
            EndSection
            Section SOL_Conf
             ## Possible values: Yes/No
             Enable_SOL Yes
             ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary
             SOL_Privilege_Level Administrator
             ## Possible values: Yes/No
             Force_SOL_Payload_Authentication Yes
             ## Possible values: Yes/No
             Force_SOL_Payload_Encryption Yes
             ## Give a valid integer. Each unit is 5ms
             Character_Accumulate_Interval 50
             ## Give a valid number
             Character_Send_Threshold 100
             ## Give a valid integer
             SOL_Retry_Count 5
             ## Give a valid integer. Interval unit is 10ms
             SOL_Retry_Interval 50
             ## Possible values: Serial/9600/19200/38400/57600/115200
             Non_Volatile_Bit_Rate 115200
             ## Possible values: Serial/9600/19200/38400/57600/115200
             Volatile_Bit_Rate 115200
            EndSection

Section User1, User2, ...

       The User sections of the BMC configuration file are for username  configuration  for  IPMI
       over LAN communication. The number of users available to be configured on your system will
       vary by manufacturer.  With the exception of the Username  for  User1,  all  sections  are
       identical.

       The  username(s)  you  wish to configure the BMC with are defined with Username. The first
       username under Section User1 is typically the NULL username and cannot  be  modified.  The
       password for the username can be specified with Password. It can be left empty to define a
       NULL password. Each user you wish to  enable  must  be  enabled  through  the  Enable_User
       configuration  option.  It is recommended that all usernames have non-NULL passwords or be
       disabled for security reasons.

       Lan_Enable_Ipmi_Msgs is used to enable or disable IPMI over LAN access for the user.  This
       should be set to "Yes" to allow IPMI over LAN tools to work.

       Lan_Privilege_Limit  specifies  the  maximum  privilege  level  limit the user is allowed.
       Different IPMI commands have different privilege restrictions.  For  example,  determining
       the  power  status  of  a machine only requires the "User" privilege level. However, power
       cycling requires the "Operator" privilege. Typically, you will want to assign atleast  one
       user  with a privilege limit of "Administrator" so that all system functions are available
       to atleast one user via IPMI over LAN.

       Lan_Session_Limit specifies the number of simultaneous IPMI sessions allowed for the user.
       Most  users  will  wish  to set this to "0" to allow unlimited simultaneous IPMI sessions.
       This field is considered optional by  IPMI  standards,  and  may  result  in  errors  when
       attempting to configure it to a non-zero value. If errors to occur, setting the value back
       to 0 should resolve problems.

       SOL_Payload_Access specifies if a particular user is allowed to connect with  Serial-Over-
       LAN (SOL). This should be set to "Yes" to allow this username to use SOL.

       The  example  configuration  above  disables  "User2" but enables the default "NULL" (i.e.
       anonymous) user. Many IPMI tools (both open-source and vendor) do not allow  the  user  to
       input  a username and assume the NULL username by default. If the tools you are interested
       in using allow usernames to be input, then it is recommended  that  one  of  the  non-NULL
       usernames  be  enabled  and  the  NULL  username  disabled  for  security  reasons.  It is
       recommeneded that you disable the NULL username  in  section  User1,  so  that  users  are
       required to specify a username for IPMI over LAN communication.

       Some  motherboards  may  require  a  Username to be configured prior to other fields being
       read/written. If this is the case, those fields will be set to <username-not-set-yet>.

Section Lan_Channel

       The Lan_Channel section configures a variety of IPMI over  LAN  configuration  parameters.
       Both  Volatile  and  Non_Volatile  configurations  can be set. Volatile configurations are
       immediately configured onto the  BMC  and  will  have  immediate  effect  on  the  system.
       Non_Volatile  configurations  are  only  available after the next system reset. Generally,
       both the Volatile and Non_Volatile should be configured identically.

       The Access_Mode parameter configures the availability of IPMI  over  LAN  on  the  system.
       Typically this should be set to "Always_Available" to enable IPMI over LAN.

       The  Privilege_Limit  sets  the  maximum  privilege  any  user of the system can have when
       performing IPMI over LAN. This should be set to the maximum privilege level configured  to
       a username. Typically, this should be set to "Administrator".

       Typically  User_Level_Auth  and  Per_Message_Auth  should  be  set to "Yes" for additional
       security. Disabling User_Level_Auth allows "User" privileged IPMI commands to be  executed
       without  authentication.  Disabling Per_Message_Auth allows fewer individual IPMI messages
       to require authentication.

Section Lan_Conf

       Those familiar with setting up networks should find most of the  fields  in  this  section
       self explanatory. The example BMC configuration above illustrates the setup of a static IP
       address. The field IP_Address_Source is configured with "Static". The IP  address,  subnet
       mask,  and  gateway  IP  addresses  of  the  machine  are respecitvely configured with the
       IP_Address, Subnet_Mask, Default_Gateway_Ip_Address, and Backup_Gateway_Ip_Address fields.
       The  respective  MAC  addresses  for  the  IP  addresses are configured under Mac_Address,
       Default_Gateway_Mac_Address, and Backup_Gateway_Mac_Address.

       It is not required to setup the BMC IP_Address to be  the  same  P_Address  used  by  your
       operating  system  for  that  network interface. However, if you choose to use a different
       address, an alternate ARP configuration may need to be setup.

       To instead setup your BMC network information via DHCP, the field IP_Address_Source should
       be configured with "Use_DHCP".

       It  is  recommended that static IP addresses be configured for address resolution reasons.
       See Lan_Conf_Misc below for a more detailed explanation.

Section Lan_Conf_Auth

       This section determines what types of password authentication mechanisms are  allowed  for
       users  at  different privilege levels under the IPMI 1.5 protocol. The currently supported
       authentication  methods  for  IPMI  1.5  are   None   (no   username/password   required),
       Straight_Password  (passwords  are sent in the clear), MD2 (passwords are MD2 hashed), and
       MD5 (passwords are MD5 hashed).  Different usernames at different privilege levels may  be
       allowed  to  authenticate  differently through this configuration. For example, a username
       with "User" privileges may be allowed to authenticate with  a  straight  password,  but  a
       username with "Administrator" privileges may be allowed only authenticate with MD5.

       The  above  example configuration supports MD2 and MD5 authentication for all users at the
       "User", "Operator", and "Administrator" privilege levels.  All  authentication  mechanisms
       have been disabled for the "Callback" privilege level.

       Generally  speaking,  you  do  not  want  to  allow  any user to authenticate with None or
       Straight_Password for security reasons.  MD2 and MD5 are digital signature algorithms that
       can  minimally encrypt passwords. If you have chosen to support the NULL username (enabled
       User1) and NULL passwords (NULL password for User1), you will  have  to  enable  the  None
       authentication fields above to allow users to connect via None.

Section Lan_Conf_Security_Keys

       This  section  supports configuration of the IPMI 2.0 (including Serial-over-LAN) K_g key.
       If your machine does not support IPMI 2.0, this field will not be configurable.

       The key is used for two-key authentication in IPMI 2.0. In most  tools,  when  doing  IPMI
       2.0, the K_g can be optionally specified. It is not required for IPMI 2.0 operation.

       In  the  above  example,  we  have elected to leave this field blank so the K_g key is not
       used.

Section Lan_Conf_Misc

       This section lists miscellaneous IPMI over LAN configuration options.  These are  optional
       IPMI configuration options that are not implemented on all BMCs.

       Normally,  a  client  cannot resolve the ethernet MAC address without the remote operating
       system running. However, IPMI over LAN would not work when a machine is powered off or  if
       the  IP  address  used by the operating system for that network interface differs from the
       BMC IP Address. One way to work around this is through gratuitous ARPs.   Gratuitous  ARPs
       are  ARP  packets  generated  by  the  BMC  and sent out to advertise the BMC's IP and MAC
       address.  Other machines on the network can store this  information  in  their  local  ARP
       cache  for  later  IP/hostname resolution. This would allow IPMI over LAN to work when the
       remote machine is powered off. The Enable_Gratuitous_Arps option allows you to  enable  or
       disable  this  feature.  The  Gratuitous_Arp_Interval  option  allows you to configure the
       frequency at which gratuitous ARPs are sent onto the network.

       Instead of gratuitous ARPs some BMCs are able  to  respond  to  ARP  requests,  even  when
       powered  off.  If  offerred,  this  feature can be enabled through the Enable_Arp_Response
       option.

       Generally speaking, turning on gratuitous ARPs is acceptable.  However, it  will  increase
       traffic  on  your  network.  If you are using IPMI on a large cluster, the gratuitous ARPs
       may easily flood your network. They should be tuned to occur less frequently or  disabled.
       If  disabled,  the  remote machine's MAC address should be permanently stored in the local
       ARP cache through arp(8).

       See bmc-watchdog(8) for a method which allows gratuitous ARPs  to  be  disabled  when  the
       operating system is running, but enabled when the system is down.

Section Rmcpplus_Conf_Privilege

       This  section  supports  configuration  of the IPMI 2.0 (including Serial-over-LAN) cipher
       suite IDs. If your machine does not support IPMI 2.0, the fields will not be configurable.

       Each cipher suite ID describes a combination of  an  authentication  algorithm,  integrity
       algorithm,  and  encryption  algorithm for IPMI 2.0.  The authentication algorithm is used
       for user authentication with the BMC. The  integrity  algorithm  is  used  for  generating
       signatures on IPMI packets. The confidentiality algorithm is used for encrypting data. The
       configuration in this section enables certain cipher suite IDs to be enabled or  disabled,
       and the maximum privilege level a username can authenticate with.

       The following table shows the cipher suite ID to algorithms mapping:

       0 - Authentication Algorithm = None; Integrity Algorithm = None; Confidentiality Algorithm
       = None

       1 - Authentication Algorithm = HMAC-SHA1;  Integrity  Algorithm  =  None;  Confidentiality
       Algorithm = None

       2   -   Authentication   Algorithm   =  HMAC-SHA1;  Integrity  Algorithm  =  HMAC-SHA1-96;
       Confidentiality Algorithm = None

       3  -  Authentication  Algorithm  =  HMAC-SHA1;   Integrity   Algorithm   =   HMAC-SHA1-96;
       Confidentiality Algorithm = AES-CBC-128

       4   -   Authentication   Algorithm   =  HMAC-SHA1;  Integrity  Algorithm  =  HMAC-SHA1-96;
       Confidentiality Algorithm = xRC4-128

       5  -  Authentication  Algorithm  =  HMAC-SHA1;   Integrity   Algorithm   =   HMAC-SHA1-96;
       Confidentiality Algorithm = xRC4-40

       6  -  Authentication  Algorithm  =  HMAC-MD5;  Integrity Algorithm = None; Confidentiality
       Algorithm = None

       7  -  Authentication  Algorithm  =   HMAC-MD5;   Integrity   Algorithm   =   HMAC-MD5-128;
       Confidentiality Algorithm = None

       8   -   Authentication   Algorithm   =   HMAC-MD5;  Integrity  Algorithm  =  HMAC-MD5-128;
       Confidentiality Algorithm = AES-CBC-128

       9  -  Authentication  Algorithm  =   HMAC-MD5;   Integrity   Algorithm   =   HMAC-MD5-128;
       Confidentiality Algorithm = xRC4-128

       10   -   Authentication   Algorithm   =  HMAC-MD5;  Integrity  Algorithm  =  HMAC-MD5-128;
       Confidentiality Algorithm = xRC4-40

       11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =  MD5-128;  Confidentiality
       Algorithm = None

       12  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality
       Algorithm = AES-CBC-128

       13 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =  MD5-128;  Confidentiality
       Algorithm = xRC4-128

       14  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm = MD5-128; Confidentiality
       Algorithm = xRC4-40

       Generally speaking, HMAC-SHA1 based algorithms  are  stronger  than  HMAC-MD5,  which  are
       better  than  MD5-128 algorithms. AES-CBC-128 confidentiality algorithms are stronger than
       xRC4-128 algorithms, which are better than  xRC4-40  algorithms.  Cipher  suite  ID  3  is
       therefore typically considered the most secure. Some users may wish to set cipher suite ID
       3 to a privilege level and disable all remaining cipher suite IDs.

       The above example configuration  has  decided  to  allow  any  user  with  "Administrator"
       privileges  use  any  Cipher  Suite  algorithm  suite  which  requires  an authentication,
       integrity,  and  confidentiality  algorithm.   Typically,  the  maximum  privilege   level
       configured to a username should be set for atleast one cipher suite ID. Typically, this is
       the "Administrator" privilege.

       A number of cipher suite IDs are optionally implemented, so the available cipher suite IDs
       available your system may vary.

Section SOL_Conf

       This  section  is  for  setting  up  Serial-Over-Lan  (SOL) and will only be available for
       configuration on those machines. SOL can be enabled with the Enable_SOL field. The minimum
       privilege  level  required  for  connecting  with SOL is specified by SOL_Privilege_Level.
       This should be set to the maximum privilege level configured to a username  that  has  SOL
       enabled.  Typically,  this is the "Administrator" privilege. Authentication and Encryption
       can  be  forced   or   not   using   the   fields   Force_SOL_Payload_Authentication   and
       Force_SOL_Payload_Encryption  respectively.  It  is  recommended  that  these  be  set on.
       However, forced authentication and/or encryption support depend on the  cipher  suite  IDs
       supported.

       The   Character_Accumulate_Interval,  Character_Send_Threshold  ,  SOL_Retry_Count  and  ,
       SOL_Retry_Interval   options   are   used   to   set   SOL   character   output    speeds.
       Character_Accumulate_Interval  determines  how  often serial data should be regularly sent
       and Character_Send_Threshold indicates the character count  that  if  passed,  will  force
       serial  data  to  be  sent.  SOL_Retry_Count  indicates  how  many  times  packets must be
       retransmitted if acknowledgements  are  not  received.  SOL_Retry_Interval  indicates  the
       timeout  interval.  Generally,  the  manufacturer  recommended numbers will be sufficient.
       However, you may wish to experiment with these values for faster SOL throughput.

       The Non_Volatile_Bit_Rate and Volatile_Bit_Rate determine the baudrate the BMC should use.
       This  should  match  the baudrate set in the BIOS and operating system, such as agetty(8).
       Generally speaking, both the Volatile and Non_Volatile options should be set identically.

       In addition to enabling SOL in this section, individual users  most  also  be  capable  of
       connecting with SOL. See the section Section User1, User2, ...  above for details.

REPORTING BUGS

       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.

SEE ALSO

       freeipmi(7), bmc-watchdog(8), ipmi-config(8), agetty(8)

       http://www.gnu.org/software/freeipmi/