Triple Data Encryption Standard, an encrypting algorithm (cipher) that encrypts data three times, using a unique key each time, to prevent unauthorized viewers from viewing or changing the data. 3DES encryption is one of the security features provided by Cyclades products to enable customers to enforce their data center security policies. See also authentication, authorization, and encryption.
AH (authentication header)
One of the two main protocols used by IPSec. (ESP is the other.) AH authenticates data flowing over the connection. AH is not compatible with NAT, so it must be employed only when the source and destination networks can be reached without NAT. Does not define the authentication method that must be used.
An easy-to-remember, usually-short, usually-descriptive name used instead of a full name or IP address. For example, on some Cyclades products, port names contain numbers by default (as in Port_1) but the administrator can assign an alias (such as SunBladeFremont) that describes which server is connected to the port. Aliases make it easier for users to understand which devices are connected.
The process by which a user’s identity is checked (usually by checking a user-supplied username and password) before the user is allowed to access requested resources. Authentication may be done locally (on the Cyclades device) or on a configured authentication server running one of the widely-used authentication protocols (LDAP, RADIUS, TACACS+, NIS, SMB, and Kerberos) that are supported by Cyclades products. Authentication is one of the security features provided on Cyclades products to enable customers to enforce their data center security policies. See also authorization and encryption.
Permission to access a controlled resource, which must be granted by administrative action. A user’s authorizations are checked after a user logs into a system and has been authenticated. Each user is restricted to using only the features the user is authorized to access. Checking a user’s authorizations is one of the security features provided on Cyclades products to enable customers to enforce their data center security policies. A user who is authorized to access a device or software function is referred to as an authorized user. See also authentication and encryption.
On Cyclades products, specifies where to save compressed configuration files for possible later restoration. Some Cyclades products save configuration changes in the affected configuration files while maintaining a backed-up compressed set of configuration files in a separate directory. The backup directory’s contents are available for restoration until the administrator takes a specific action to overwrite the backed-up files.
Pronounced “bye-ose.” Instructions in the onboard flash memory that start up (boot) a computer without the need to access programs from a disk. Sometimes used for the name of the memory chip where the start-up instructions reside. BIOS access is available even during disk failures. Administrators often need to access the BIOS while troubleshooting, for example, to temporarily change the location from which the system boots in case of a corrupted operating system kernel. How to access the BIOS varies from one manufacturer to another.
An internal processor on some servers that is separate from the main system and that operates even if the main processor is not operable. Sits on the server’s baseboard (motherboard), on an internal circuit board, or on the chassis of a blade server. Monitors on-board instrumentation. Provides remote reset or power-cycle capabilities. Enables remote access to BIOS configuration or operating system console information. In some cases provides KVM control of the server. Includes a communication protocol that delivers the information and control to administrators.
A security feature used to authenticate users who are calling into a device. The software authenticates the user, hangs up, and then returns the call to the user before allowing access.
Software posted at the Cyclades download site is accompanied by a checksum (*.md5) file generated using the MD5 algorithm. The checksum of a downloaded file must be the same as the checksum in the .md5 file. The checksum is compared automatically when the download is performed through the Web Manager or can be compared manually if the download is performed using ftp or http. If the checksums do not match, the software file is damaged and should not be used.
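The manual check described above, as an added example (not Cyclades' own tooling): it parses an md5sum-style .md5 file, hashes the downloaded file in chunks, and refuses the file when the digests differ or the file is not listed at all. The file name and contents in the demo are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def parse_md5_file(text: str) -> dict:
    """Parse md5sum-style lines ('<32 hex digits>  <filename>', with an
    optional '*' before the name for binary mode) into {filename: hexdigest}.
    Malformed lines are skipped rather than trusted."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 32 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            continue
        expected[name.lstrip("*")] = digest.lower()
    return expected


def md5_of_file(path: str) -> str:
    """Hash the file in chunks so a large firmware image need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, md5_text: str) -> bool:
    """True only if the .md5 text lists this file and the digests agree.
    A missing entry counts as a failure, not as 'nothing to check'.
    Note: this detects a damaged or truncated transfer; MD5 alone does not
    protect against a deliberately substituted file, which needs a signature."""
    expected = parse_md5_file(md5_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(md5_of_file(path), expected[name])


def demo() -> tuple:
    """Constructed sample: a 'download' whose content is b'abc' with a matching
    .md5 file, then the same check after the download has been corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "onboard-firmware.bin")  # constructed name
        with open(image, "wb") as f:
            f.write(b"abc")
        # MD5("abc") as md5sum would write it into onboard-firmware.bin.md5
        md5_text = "900150983cd24fb0d6963f7d28e17f72  onboard-firmware.bin\n"
        intact = verify_download(image, md5_text)
        with open(image, "ab") as f:
            f.write(b"\x00")  # simulate a damaged download
        damaged = verify_download(image, md5_text)
        unlisted = verify_download(os.path.join(tmp, "other.bin"), md5_text)
    return intact, damaged, unlisted


if __name__ == "__main__":
    print(demo())
```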
Allows users to use text commands to tell computers to perform actions (in contrast to using a GUI). The user types a text command at an on-screen prompt and presses the Enter or Return key. The computer processes the command, displays output when appropriate, and displays another prompt. Users can save a series of frequently-used commands in a script. Being able to create and run scripts to automate repetitive tasks is one of the reasons many administrators prefer using a CLI.
Cyclades products run the Linux operating system, and most Cyclades products allow access to the command line of the Linux shell. Command line access is achieved through several different means. For one example, a remote administrator can use Telnet or SSH to access an AlterPath OnBoard and then can enter commands on the Linux shell's command line.
Some Cyclades products offer a management utility called the CLI. Administrators type “CLI” or “cli” at the prompt in the Linux shell. Products that provide similar utilities with different names, such as the cycli, provide an alias for users who are familiar with the CLI name. The Cyclades CLI tool provides many commands and nested parameters in a format called the CLI parameter tree.
Each version of the Cyclades CLI utility has a set of commands and parameters nested in the form of a tree. The CLI for the AlterPath OnBoard and other products uses the Cyclades Application Configuration Protocol (CACP) daemon (cacpd). The cacpd uses the param.conf file, which defines a different CLI parameter tree for each product.
A string used as a type of shared password by SNMP v1 and v2 to authenticate messages. Hosts that share the same community name usually are physically near each other. The administrator must supply a community name when configuring SNMP on the Cyclades device, and the same community name must be also configured on the SNMP server. For security reasons, the default community name public should not be used.
A computer mode that gives access to a computer’s command line (see command line interface). The console also displays error messages generated by the computer’s operating system or BIOS. Console access is essential when a device (such as some special-purpose servers, routers, service processors, and other embedded devices) has no window system. Console access is also essential when the window system is not available on a device that has one, either because the system is damaged or it is offline. Access to the console allows remote administrators to control and repair damaged or otherwise-unavailable systems. See also device console and service processor console.
A service that can automatically assign an IP address to a device on a network, which saves administrators’ time and reduces the number of IP addresses needed. Other configuration parameters may also be managed. A DHCP server assigns a dynamic address to a device based on the MAC address of the device’s Ethernet card. Many Cyclades devices are shipped with DHCP client software, and with DHCP enabled by default.
A method of connecting to a remote computer using communications software, such as PPP, along with a modem, and a telephone line, which is supported on many Cyclades products. After the administrator of the Cyclades product has connected a modem from the Cyclades product to a live telephone line and made the phone number available, a remote authorized user can use the phone number to dial into the Cyclades product and access connected devices.
A service that translates domain names (such as cyclades.com) to network IP addresses (192.168.00.0) and that translates host names (such as “onboard”) to host IP addresses (192.168.44.11). To enable the use of this service, administrators need to configure one or more DNS servers when configuring AlterPath devices.
Service processors on certain Dell servers may include an independent DRAC system controller. Several incompatible version types exist (DRAC II, DRAC III, DRAC III/XT, DRAC IV) along with several incompatible firmware versions. All controller types have a battery and can have an optional PCMCIA modem installed. All types provide remote monitoring, logging, alerting, diagnostics, and basic control of the server. Some types have a native web interface and a native application, “Dell OpenManage Server Administrator,” that runs on the remote administrator’s computer. Dell OpenManage IT Assistant software on the administrator’s computer can be used to configure and launch access.
Translation of data into a secret format using a series of mathematical functions so that only the recipient can decode it. Designed to protect against unauthorized viewing or modification of data, even when the encrypted data is travelling over unsecure media (such as the Internet). See 3DES and SSH. As an example, a remote terminal session using secure shell (SSH) usually encrypts data using 3DES or better algorithms. Encryption is one of the security features provided on Cyclades products to enable customers to enforce their data center security policies. See also authentication and authorization.
One of the two main protocols used by IPSec (AH is the other). ESP encrypts and authenticates data flowing over the connection. Does not define the authentication method that must be used. DES, 3DES, AES, and Blowfish are commonly used with ESP.
Synonymous with Ethernet failover. A way of configuring two Ethernet ports on a single device with the same IP address so that if the primary Ethernet port becomes unavailable, the secondary Ethernet port is used. When bonding is enabled, the active IP address is assigned to bond0 instead of eth0. When the primary Ethernet port returns to active status, the software returns it to operation.
See Ethernet bonding. See also failover.
A script written using expect, a scripting language based on Tcl, the Tool Command Language. Can be written to perform automation and testing operations that are not possible with other scripting languages. Cyclades uses expect scripts in some of its AlterPath products, and users can customize some of the default expect scripts. For example, administrators of the AlterPath OnBoard can customize the Expect scripts that handle conversations with service processors and other supported devices.
A high-availability feature that relies on two redundant components in a system or a network, with the second component available to automatically take over the work of the primary component if the primary component becomes unavailable for any reason. When the primary component becomes available, it takes over the work again. Automatically and transparently redirects requests from the unavailable component to the backup component. Used to make systems more fault-tolerant. See Ethernet bonding.
Main standards organization for the Internet. Working groups create Internet Drafts that may become RFCs. RFCs that are approved by the Internet Engineering Steering Group (IESG) may become standards. RFCs (Requests for Comments) are the official technical specifications of the Internet protocol suite. For example, the format of SNMP MIBs was defined by the IETF, which assigns MIB numbers to organizations.
Hewlett Packard’s proprietary service processor (pronounced EYE-loh). Even though HP is a major supporter of IPMI, the company also provides iLO because it provides many more functions than IPMI. The iLO processor resides on the baseboard. Even if the server is off, iLO is active. When the dedicated Ethernet port is plugged into the network, iLO uses DHCP. iLO has a web interface and a Telnet interface. Advanced iLO provides remote KVM and virtual media access.
Provides controlled access to basic management features on multiple Ethernet-based servers that have embedded service processors, using only one Internet address. When managed separately, each service processor needs its own IP address. Managing multiple servers with multiple IP addresses is both expensive and time consuming without consolidation.
An open standards vendor-independent service processor currently adopted by many major server platform vendors. Its main benefit over other service processor types is that it is installed on servers from many vendors, providing one interface and protocol for all servers. Its main disadvantage is that it does not always provide as much functionality as the proprietary service processors. For this reason, IBM’s series e325 and e326 servers use IPMI to manage their BMCs but the top-of-the-line xSeries servers use RSA II. IPMI works by interacting with the BMC, and since it usually has standby power, it can function even if the operating system is unavailable or if the system is powered down. The OnSite supports IPMI version 1.5. OnSite administrators can create custom Expect scripts to support IPMI 2.0.
A command line utility that interfaces with any BMC that supports either IPMI 1.5 or 2.0 specifications. Reads the sensor data repository (SDR) and prints sensor values, displays the contents of the System Event Log (SEL), prints Field Replaceable Unit (FRU) inventory information, reads and sets LAN configuration parameters, and performs remote chassis power control. Described at SourceForge at: http://ipmitool.sourceforge.net. The command options are described on the ipmitool(1) man page at SourceForge: http://ipmitool.sourceforge.net/manpage.html.
ipmitool commands can be added to customized scripts on the OnSite to access unsupported features on a connected service processor.
A suite of protocols used for establishing private, secure connections over IP networks. Only the sending and receiving computers need to be running IPSec. Each computer handles security at its end and assumes that the intermediary nodes between the source and destination computers are not secure. Supported on many AlterPath products. In tunnel mode, IPSec is used to form a VPN connection, creating a secure tunnel between either an individual host or a subnet on one end and the AlterPath device on the other end. Has two modes, transport mode and tunnel mode. Tunnel mode encrypts the entire packet. Transport mode encrypts application headers, TCP or UDP headers, and packet data, but not the IP header. The method that encrypts the entire packet cannot be used where NAT is required.
Network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.
A KVM switch that requires a local user connection before a user can gain access to any servers that are connected to the switch. Cyclades AlterPath KVM analog switches are one component of the out-of-band infrastructure.
A KVM switch that supports remote access over a LAN or WAN or telephone line to servers connected to the switch, using the TCP/IP protocols and a web browser. Enables operations over long distances. Cyclades AlterPath KVM/IP switches are one component of the out-of-band infrastructure.
Enables use of only one keyboard, video monitor, and mouse to run multiple servers from a remote location. Reduces expenses by eliminating the cost of acquiring, powering, cabling, cooling, managing, and finding data-center space for one keyboard, monitor, and mouse for every server. Servers are connected to KVM ports on Cyclades AlterPath KVM switches using AlterPath KVM terminators on the server end and up to 500 feet of CAT5 or greater cable. AlterPath KVM switches provide authentication and other security features and allow only authorized users to access a restricted set of connected servers. See also KVM analog switch and KVM over IP switch. Cyclades AlterPath KVM analog switches are one component of the out-of-band infrastructure.
A network separated from the production network that provides remote out-of-band access for management of IT assets, including access for returning disconnected IT assets to service without the need for a site visit.
Each server company that offers a service processor produces its own client-side software to access the servers’ management features through the service processor. In some cases, management software is embedded in the service processor and is presented either as a web interface or as a command line interface accessed using SSH or Telnet, or as both a web interface and command line interface. In other cases, the management software is installed in a client workstation and accesses the management features of the service processor using an IP-based protocol, such as IPMI. Most of these types of software only manage one server, do not scale, and do not address the need for consolidated access control, multi-user access, data logging, event detection, encryption, and other needs. The OnSite addresses these needs and provides a single interface to access basic features of multiple vendors’ service processors.
Each SNMP device has one or more MIBs (management information bases), which describe the device’s manageable objects and attributes. The MIB name tree for Cyclades starts at 1.3.6.1.4.1.4413.
Network address translation, an Internet standard that enables the use of one set of IP addresses for internal traffic and another set of IP addresses for traffic over the public network. The AlterPath OnBoard uses NAT to allow access to service processors and managed devices while not revealing their Ethernet addresses. Users can use administratively-assigned virtual IP addresses to access the service processor or device through the OnBoard.
A management option that gives the user the ability to run service processor-specific native applications and access the application’s management features from the user's remote computer through the OnBoard. For example, the IBM service processor provides the IBM Director native application.
native command interface (See NCI)
A management option that the OnBoard administrator can enable when configuring a service processor. Because this option provides full access to all features supported by the service processor, the user must be a trusted user who is specifically authorized to use the option. A VPN connection must be made before the user is allowed to access the native IP option. When the OnSite user activates Native IP for a service processor, the OnSite routes packets between that user’s IP address and the service processor through a secure tunnel. The VPN connection must remain active for the duration of the Native IP session. Authorizing a user for native IP gives the user access to a native application or a native web interface that may be provided by the service processor and that may provide additional management functions beyond those provided by the OnBoard, including KVM over IP access to the server.
A service processor feature that allows direct access to the console of the service processor. Access may be provided to features such as power control, hardware auditing, event logs, sensor readings, and service processor configuration, usually by means of a Telnet or SSH server running on the service processor.
Means that equipment has been tested and proven to meet the NEBS requirements for central office equipment that is adhered to in common by several telecommunications carriers. The requirements are in place to ensure that telecommunications equipment poses no risk or safety hazard to people, nearby equipment, or to the physical location where the equipment operates, and that equipment is reliable and dependable during both normal and abnormal conditions. Tests address heat release, surface temperature, fire resistance, electromagnetic capability, electrical safety, and manufacturing component characteristics, among other attributes.
A unique identifier for each object in an SNMP MIB. The OID naming scheme is in the form of an inverted tree with branches pointing downward. The OID naming scheme is governed by the IETF, which grants authority for parts of the OID name space to individual organizations. Cyclades has the authority to assign OIDs that can be derived by branching downward from the node in the MIB name tree that starts at 1.3.6.1.4.1.4413.
The OnBoard shell, /usr/bin/onbdshell, which displays a menu of devices an authorized user can access. Accessed by authorized users through selecting the “Access Devices” option from the user shell menu, rmenush. Selecting a server name from the menu brings up the list of actions the user is authorized to perform on that server’s service processor. Accessed by administrators by typing /usr/bin/onbdshell on the OnSite’s command line; the administrators’ version of the menu lists all configured devices.
An integrated systems approach to remote administration. Consists of components that provide secure, out-of-band access to connect to and manage an organization’s production network. Components can include console servers, KVM and KVM over IP switches, power control appliances, centralized management devices (to control the entire out-of-band infrastructure), and service-processor managers to manage access to multiple vendors’ service processors. Allows administrators to remotely connect to disconnected IT assets and to quickly return them to normal operation. Cyclades AlterPath products are designed as building blocks for an OOBI, including AlterPath ACS console servers, AlterPath KVM and KVM over IP switches, AlterPath OnSite with consolidated console and KVM ports, AlterPath PM IPDUs, the AlterPath OnBoard service-processor manager, and the AlterPath Manager for centralized control of and access through multiple AlterPath devices to up to 5000 connected devices, and for access to servers that have IPMI controllers.
An authentication system that requires the user to generate and use a new password for every connection. The OTP can only be used once, which ensures that a discovered password is useless. Originally developed at Bellcore (now Telcordia), it started as a freely available program called S/Key that was trademarked. A newer freeware OTP program is OPIE (one-time passwords in everything).
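The one-time password scheme described above, as an added example (not Cyclades' or OPIE's code): a simplified S/Key-style hash chain in which the server stores only the last accepted hash, the client presents the previous chain element, and a captured password cannot be replayed. The MD5 folding step is the one S/Key uses; the RFC 2289 six-word encoding is omitted, and the passphrase and seed are constructed values.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One hash step: MD5 the input and fold the 16-byte digest to 8 bytes by
    XORing its two halves (illustrative; no RFC 2289 word encoding)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_at(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: the n-th one-time password, i.e. the step function applied
    n times to seed+passphrase. The passphrase itself never leaves the client."""
    h = fold_md5((seed + passphrase).encode())
    for _ in range(n):
        h = fold_md5(h)
    return h


class OtpVerifier:
    """Server side: stores the seed, a sequence number and the last accepted
    hash (initially the enrollment value), never the passphrase."""

    def __init__(self, seed: str, count: int, enrollment_hash: bytes):
        self.seed = seed
        self.count = count            # index of the stored hash in the chain
        self.last = enrollment_hash   # equals otp_at(passphrase, seed, count)

    def challenge(self) -> tuple:
        """Tell the client which chain element to present next."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain exhausted; the user must re-enroll
        # Hashing the presented value once must reproduce the stored value.
        if not hmac.compare_digest(fold_md5(response), self.last):
            return False
        self.count -= 1
        self.last = response  # move one step down the chain; old value is now useless
        return True


def demo() -> tuple:
    """Constructed walk-through: a valid login, a replay of the same password
    (rejected), then the next login in sequence."""
    passphrase, seed = "correct horse battery", "on1234"  # constructed values
    server = OtpVerifier(seed, 100, otp_at(passphrase, seed, 100))
    n, s = server.challenge()
    first = otp_at(passphrase, s, n)
    ok_first = server.verify(first)
    replayed = server.verify(first)     # a discovered password is useless
    n, s = server.challenge()
    ok_next = server.verify(otp_at(passphrase, s, n))
    return ok_first, replayed, ok_next


if __name__ == "__main__":
    print(demo())
```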
Access to IT assets that is either separate from or independent of the normal production network. A term that originated in the telecommunications industry to refer to communications used to control a phone call that are made on a dedicated channel, which is separate from the channel over which the call is made. Allows remote monitoring and control even when a managed IT asset loses connection to the production network. Typically, out-of-band access is through a console or management port (typically an RS-232 or Ethernet port), an intelligent power management device (IPDU), a KVM port, or a service processor.
A VPN method developed by Microsoft along with other technology companies, it is the most widely supported VPN method among Windows clients and the only VPN protocol built into Windows 9x and NT operating systems. Uses the same types of authentication as PPP.
The network on which the primary computing work of an organization is done. Users on a production network expect 24/7/365 availability with access to data and resources as reliable as access to telephone service. Development and testing of new applications are often performed on separate networks to avoid burdening or compromising the production network. Organizations often set up separate management networks to provide remote out-of-band access to disconnected IT assets.
A widely-supported authentication protocol for centralized user administration. Used by many Internet Service Providers (ISPs) and by devices such as routers and switches that do not have much storage. Combines authentication and authorization in a user profile. Relies on the UDP protocol. One of many standard authentication protocols supported on Cyclades devices.
The default login shell for users (/usr/bin/rmenush), which allows users only a limited set of menu options, including: access to management actions on devices for which they are authorized; the ability to change the user’s password; and the ability to logout. The OnSite administrator may modify the menu options and commands.
Service processor technology on certain IBM servers that includes a service processor PCI card used to manage the BMC that is located on the motherboard. Enables the remote administrator to receive notifications and alerts, to view event logs and the last screen before a failure, to use virtual media (also called “remote media”), to control power, and to manage the console through a web browser using a built-in Web server. Provides more options than the IPMI service processor that is available on IBM xSeries e325 and e326 servers.
Service processor technology on certain Sun servers that includes a service processor RSC card. Enables the remote administrator to run diagnostic tests, view diagnostic and error messages, reboot the server, and display environmental status information from a remote console even if the server’s operating system goes offline. The RSC firmware runs independently of the host server, and uses standby power drawn from the server. The RSC card on some servers includes a battery that provides approximately 30 minutes of power to RSC in case of a power failure.
Cyclades products provide security features, including encryption, authentication, and authorization, to enable customers to enforce their data center security policies while providing out-of-band access to managed systems. Also provided in most Cyclades products are security profiles.
Most Cyclades products require the administrator to select a security profile during initial configuration, which helps enforce the security policies of the organization where the unit is being used. The security profiles are configurable and control which network services are turned on, whether a default authentication method is specified for all subsequently-configured devices, and whether authorizations are checked. (Bypassing authorizations is not available in any of the default security profiles but can be selected in a custom security profile.) The security profile chosen during initial configuration can be changed later. Services can also be turned on and off independently from the security profile.
An OOBI component that provides to users and groups secure, controlled access to basic features required for out-of-band management of servers that have embedded management controllers (also called BMCs or service processors). Also provides access to the console of servers and other devices without service processors but that have Ethernet ports that allow console access. Provides a single point of access through a single Ethernet address (see IP address consolidation) to services that are provided by service processors from several different vendors and to the console of certain servers and other devices. Its administrators are able to use a single interface to manage multiple servers without having to learn multiple management interfaces. The AlterPath OnBoard is the Cyclades service processor manager.
A command interpreter on UNIX-based operating systems (like the Linux operating system that controls most Cyclades products). A shell typically is accessed in a terminal window where the shell presents a prompt. For example: [admin@OnSite admin]# is the prompt that appears when a user logs into an OnSite as admin and is in the /home/admin directory. Users tell the operating system to perform actions by typing commands in the shell, which interprets the commands and performs the specified actions. See also command line interface. The AlterPath OnSite has two user shells: onbdshell and rmenush.
A set of network management protocols for TCP/IP and IPX (Internet Packet Exchange) networks, which are part of the TCP/IP protocol suite. Supports management of devices running SNMP agent software by remote administrators using SNMP manager software, such as HP OpenView, Novell NMS, IBM NetView, or Sun Net Manager, on remote computers. Devices running SNMP agent software send data from management information bases (MIBs) to the SNMP manager software.
On certain Cyclades devices, administrators can enable SNMP to allow a remote administrator to manage the device and can configure the device to send alerts about events of interest. Before enabling SNMP, the administrator needs the following information: the contact person (administrator) of the AlterPath device; the physical location; the community name (for SNMP v1, v2c only); and the IP address or DNS hostname of the SNMP manager. The OnBoard supports SNMP v1, v2c, and v3. The SNMP configuration file is located at /etc/snmp/snmpd.conf. See also OID and traps.
Access to the console of a server or other device that supports redirection of serial server data to a dedicated Ethernet port. Permits access to and control of the BIOS and operating system console over the LAN or Internet. Eliminates the need for the device to have a serial port and the need for serial cabling to enable console access. On the OnSite, once a device’s SoL Ethernet port is connected to one of the OnSite’s private Ethernet ports, an authorized user can access the server or device’s console either through the “Device console” or “devconsole” option (available on the Web Manager, rmenush, or onbdshell) or by entering the devconsole command with ssh on the command line.
Ethernet-based management controller on a server, which provides out-of-band management through an interface between the server’s administrator and an internal baseboard management controller (BMC) that enables the management features. Management features can include serial console emulation (using Telnet or IPMI), KVM over IP, power control, sensor and log information from the server hardware, and virtual media.
An out-of-band infrastructure (OOBI) capability delivered by the AlterPath OnSite that isolates the management ports (emergency service ports) of servers that have service processors from the production network. Physically consolidates and logically secures the Ethernet connections between the AlterPath OnSite and the connected service processors. By providing IP consolidation, SRM substantially lowers the cost and complexity of deploying service processors. SRM also lowers the security risks of using service processors by providing centralized authentication and user access control, isolating vulnerable service processor protocols from the production network and communicating with authenticated and authorized users over the public network using higher-end secure protocols (such as SSH, SSL, and HTTPS).
Secure shell, developed by SSH Communications Security, Ltd., is a UNIX-based shell and protocol that provides strong authentication and secure communications over unsecured channels. Unlike telnet, ftp, and the rcp/rsh/remsh programs, SSH encrypts everything it sends over the network. Many Cyclades products support SSH version 1 and SSH version 2. Since SSH1 and SSH2 are entirely different, incompatible protocols, it is important when given a choice between enabling one or the other of the two SSH versions to enable the version that is available on the computer being used to access the Cyclades equipment. The OpenSSH (www.openssh.org) package is used on the AlterPath OnSite. The OnSite uses the OpenSSH version that is certified by the Cryptographic Module Validation (CMV) program run by the U.S. National Institute of Standards (NIST) and the Canadian government’s Communications Security Establishment (CSE). Authorized users on the AlterPath OnSite can enter an OnSite-specific set of commands such as poweron, poweroff, and powercycle when using ssh on the command line to perform service processor management actions.
TACACS+ (Terminal Access Controller Access Control System)
An authentication protocol (pronounced tak-ak_plus) that provides separate authentication, authorization, and accounting services. Based on TACACS, but completely incompatible with it. Uses the TCP protocol, which is seen by some administrators as a more-reliable protocol than the UDP protocol used by RADIUS. One of many standard authentication protocols supported on Cyclades devices.