PTF MH01097 HMC V7R3.3.0 Recovery media

This package represents the Recovery image that can be used to upgrade your HMC from HMC V7R3.1.0 or HMC V7R3.2.0 to HMC V7R3.3.0. This package can also be used to install a clean version of HMC V7R3.3.0. You can also reference this package by APAR MB02269.

Package information and notes

Notes

  1. After you install V7R3.3.0, you must install PTF MH01102. You must perform an additional reboot of the HMC after the mandatory reboot required by installing MH01102.
  2. For HMCs managing POWER5 servers: If your HMC is at HMC V6 R1.2 or V6 R1.3, upgrading your HMC to HMC V7 R3.3.0 is a two-step process. You must first upgrade the HMC to HMC V7 R3.1.0, and then upgrade to HMC V7 R3.3.0.

| Package Name | Size | Checksum | APAR# | PTF# |
|---|---|---|---|---|
| HMC_Recovery_V7R330_1.iso | 1594570752 | 56682 | MB02269 | MH01097 |
| HMC_Recovery_V7R330_2.iso | 1375275008 | 50911 | MB02269 | MH01097 |

Splash Panel information (or lshmc -V output)

Version: 7
Release: 3.3.0
Service Pack: 0
HMC Build level 20080408.1
","base_version=V7R3.3.0

Enhancements and Fixes

This package provides the following enhancements and fixes:

Server and Partition Management

  • On the Integrated Virtual Ethernet (Host Ethernet Adapter) panels, you can no longer toggle between HEAs. Instead, all physical ports across all HEAs are displayed together. In addition, the profile panels no longer allow LHEA (Logical Host Ethernet Adapter) capabilities to be changed. This is now a command-line only option.
  • A new user authentication type "ldap" is supported along with the existing types "local" and "kerberos". If the HMC is configured to use an LDAP server, a user with the ldap authentication type is authenticated by the LDAP server at login.
  • The maximum number of LPARs that Host Channel Adapter (HCA) adapters can support ranges from 1 to 16. By default, the maximum is 1; it can be changed manually using the chsyscfg command. The setting applies to all HCA adapters installed on the system. New HCA 2 adapters can be installed along with HCA 1 adapters on the same system, and the setting applies to both HCA adapter types.
  • POWER5 systems now display their SRC codes as clickable links to the full description of the code.
  • The HMC now supports Internet Protocol Version 6 (IPv6) on the "internet" connections. IPv6 is not supported on network connections to servers.
  • New user login control mechanism. When adding, modifying, or copying a user in the "Manage User Profiles and Access" window, the "User Properties" button opens another window to set the following timeout and remote access properties for the user:

Session timeout minutes

Specifies how many minutes a session should last for this user.

    • For GUI login, when the session reaches the timeout (whether the user is actively executing tasks or the session is idle), the GUI displays an authentication window asking the user to re-authenticate. If re-authentication succeeds, the session timeout count starts again. If authentication fails three times, or the password is not re-entered within the Verification timeout minutes, the session is forcibly disconnected.
    • For ssh login, when the session time reaches the limit, the ssh session is closed.

Idle timeout minutes

Indicates how long a user session can be idle. When the idle time reaches the set value, the login session is forcibly disconnected.

Allow remote access via the web

Selecting or clearing this item enables or disables remote GUI login to this HMC for this user.

Note: A value of zero for Session timeout minutes, Verification timeout minutes, or Idle timeout minutes means no timeout limit.


Platform Management

  • Creation of a new "View VLAN Network Data" GUI task to display additional detailed data returned from the Collect Network Data command (SPCN).
  • Add support for the 5767 dual port ethernet adapter for HMC model 7042-CR4. Also added support for an internal modem if there is no additional ethernet card or there is one additional card of type 5767.
  • Support for the new HMC deskside model 7042-C07.
  • Ability to initiate a Node Controller Dump from the GUI.
  • Provide ability to launch the full set of HMC UI tasks from a higher level management console including IBM Director.
  • Support for the new IBM Power 595 model 9119-FHA and IBM Power 570 model 9117-MMA servers.
  • A toolbar has been added to the navigation pane which provides back and forward navigation, go to and set a home page, as well as the ability to expand and collapse all navigation nodes.
  • A new "Tree" view of resources is available in the Systems Management, Servers, and Custom Groups work panes.
  • Breadcrumbs are now displayed in the work pane to further enhance navigation between views.
  • The tasks pad is enhanced to include expanding and collapsing of the task groups.
  • The tasks pad now displays a settings button which allows users to update the number of columns used to display available tasks for selected objects.
  • Users may now create their own customized column views with the "Manage Views" task in the work pane table toolbar Views menu.
  • Miscellaneous updates to the Guided Setup Wizard.
  • Improvements were made to the "Add Enclosure" and "Add FRU" Pending Actions list to enable the Launch Procedure button only when the location code is selected.
  • Fixed a dialog resizing issue when closing corrective service task.
  • Fixed a problem to ensure resource locking on DVD-RAM media.
  • Additional user entry field checking is now done when entering NTP server information.
  • Support for additional virtual network switches added. A new "Virtual Network Management" task under the Managed System's Configuration tasks allows for the creation and management of virtual network switches.

Command Line

  • A new command, lsfru, has been added to list selected service processor field-replaceable unit (FRU) information for a managed system (POWER6 servers only).
  • The following commands have been added to support LDAP configuration on the HMC:
    • chhmcldap: Changes the HMC LDAP configuration
    • lshmcldap: Lists LDAP user information and HMC LDAP configuration data

  • The following commands have been enhanced to support HMC LDAP configuration and remote LDAP authentication: chhmcusr, lshmcusr, mkhmcusr, getfile, and rmfile.
  • The following commands have been enhanced to support virtual switches (POWER6 servers only): chsyscfg, lssyscfg, mksyscfg, chhwres, and lshwres.
  • The chhmc command has been enhanced to configure the HMC for IPv6 support, and the lshmc command has been enhanced to display the HMC IPv6 configuration settings.
  • The chhmc and lshmc commands have been enhanced to support changing and displaying the network settings for the sl0 interface.
  • The lshmc command has been enhanced to display the SSH protocol version(s) the HMC can use.
  • The chsyscfg and lssyscfg commands have been enhanced to support setting and displaying the address broadcast performance policy for a managed system (POWER6 servers only).
  • The chsyscfg and lssyscfg commands have been enhanced to support setting and displaying the maximum number of partitions that can use a Host Channel Adapter (HCA) (POWER6 servers only). You must set this value if you want more than one partition to use an HCA.
  • The chlparutil and lslparutil commands have been enhanced to support new utilization data sampling rates of 30 seconds, 60 seconds, 5 minutes, and 30 minutes.
  • A new option has been added to the lpar_netboot command to enable or disable firmware spanning tree discovery.
  • A new option has been added to the lssysconn command to list IP addresses that cannot be automatically discovered by the HMC when using DHCP, and a new option has been added to the rmsysconn command to remove an IP address from that list.
  • A new option has been added to the lshwinfo command to allow the user to specify the side of the managed frame's bulk power assembly for which to list environmental information. For POWER6 frames with 2 line cords per side, the lshwinfo command will have two output values per attribute; the first value will be for line cord 1, and the second for line cord 2.
  • The startdump command has been enhanced to support initiation of node service processor dumps (POWER6 servers only).
  • The -l option on the updlic command now accepts a comma-separated list of firmware levels in the format <stream>_<level>, to allow specific levels to be specified for a mixed POWER5 and POWER6 environment.
  • Expanded updlic command so that bulk power levels for environments with both POWER5 and POWER6 frames can be specified.

Licensed Internal Code (LIC) update

  • For POWER6 servers, the HMC will validate that the current version of HMC code is compatible with the managed server firmware image:
    • At each connection of the HMC to the FSP
    • At the beginning of each managed server/power update
    • It will also verify that the Power code is compatible with the managed system firmware.
  • Corrected a problem where "accept" or "reject fix" operations initiated from the HMC GUI do not update BPC-B.
  • Corrected a problem updating I/O microcode due to changed RPM packaging.
  • Corrected a problem in the "synchronize redundant components" operation that caused BPC firmware synchronization to fail with error code E302F831.
  • Corrected a problem in R/V BPC firmware synchronize flow that caused a lock management error.
  • Enhanced code update to make "Remove and Activate" disruptive after the platform has been IPLed on a firmware level.
  • Corrected a problem where the HMC was attempting to refresh a lock after FSP failover, causing error code B181303B to be logged.
  • Enhanced HMC error checking to ensure that FSP state is stable before attempting to activate new firmware.
  • Corrected a problem where "-1" was displayed for the firmware level on the confirmation panel.
  • Corrected a problem where code update was unable to obtain a lock, resulting in error code E302F973.
  • Corrected a problem where performing licensed internal code update on several managed systems simultaneously may fail to update some systems. E302F830 is reported.

Scheduled Operations

  • Fix for E3550046 error called home when a scheduled operation occurs for a managed system that is not present.
  • Improved problem reporting and call home data to include additional component logging for processor related recoverable errors.
  • Added domain analysis functionality to improve the dump retrieval process in a multi-system environment.

Problem Analysis

Improved problem reporting and call home data to include additional component logging for processor related recoverable errors.


Service Agent

  • Corrected a problem with Call-Home logs that could result in a E2FF1801 serviceable event being created.
  • Creation of a Task oriented HMC guided setup wizard for call home. This function will make the set-up wizard more user friendly for setting up call home and customer notify functions.

Help

Enhancements and updates were made to the help documentation.


Repair and Verify

  • From the R&V panels, inform the user how to find the procedures translated into a language other than English.
  • Support for I/O Drawer Feature Code 5720. Since this drawer is connected via SAS cables from the I/O adapters in the server, the HMC will not be able to detect its presence in a configuration. The Repair and Verify procedures will be written to instruct the user to manually interact with the drawer. The procedures for each FRU will be displayed within a browser in HTML format.
  • HMC Serviceability support for 24" Infiniband drawer and FRUs.
  • HMC Serviceability support for POWER6 MMA including concurrent add of a new CEC node to increase the system hardware capacity for POWER6 MMA models.
  • HMC Serviceability support for POWER6 MMA including concurrent node repair for defective processor, memory, or I/O planar.
  • Updates and additions were made to the MMA isolation procedures.
  • Corrected a problem with adding an enclosure to an iSeries 9406-MMA server. The correct install instructions are now launching.
  • Corrected a problem when performing a GX+ card Add on a MMA server.
  • Update to the HMC Support link (located on the HMC Welcome page) in the Online Information subsection.
  • Fixed R&V user interface panels to display correct model description for 9124-720.
  • Clarified the "Add Enclosure" instructions directing the user to use the Next or Launch Procedure button to add an Enclosure Type to the Pending Actions list.
  • Corrected the instructions that tell the SSR to plug the cables in during a GX+ add service procedure.
  • Updated the address types that are displayed when Repair & Verify encounters a situation where a Remote HMC session should be launched from the primary HMC.
  • Updated Resource Constraint detected message with additional detail.
  • Clarified and/or corrected External Cable and HSL Cable procedures for IO Enclosures 0595 and 5294.
  • Updated the System Processor Node repair instructions for a MMA server.
  • Enhanced instructions for SPCN repair for Node 3 or Node 4 for a model POWER6 MMA.
  • Corrected the panel flow for the Model POWER6 MMA.
  • Enhanced safety instructions for Node Concurrent Maintenance procedure.
  • Corrected ASM instructions in a Node Add procedure for the 9406-MMA server.
  • Enhanced Repair & Verify implementation to properly detect the network drop and execute the accurate error message in the Concurrent Maintenance operation for the 9406-MMA server.
  • Updated System Processor Assembly exchange graphics for the MMA server.
  • Repair & Verify documentation that was previously supported in Resource Link will now be supported in the IBM Systems Information Center.

System Plan

  • Improved usability/manageability of VIOS install into LPAR.
  • Additional Manage Install Resource task.
  • Additional ability to install AIX into LPAR: as stand alone and with NIM.
  • Additional ability to install RHEL & SLES into LPAR.
  • Additional provisioning of group capped partition attributes.
  • Improved System Plan Viewer user controls and details.
  • Fixed a problem that can result in create system plan failing for some managed systems with an inventory gathering error.

National Language Support in HMC V7R3.3.0

The NLS support remains the same but there are these known issues:

  • Mnemonics are no longer supported in the new UI. However, mnemonics are still being shown in certain language environments.
  • Number format issues with decimal point in certain locales. For example, sometimes period (.) is used instead of comma (,) for decimal point.
  • To have the entire UI displayed in English during remote management, users must have only English, or no language, in the language list of their browser settings.
  • Due to a limitation of groff, some characters in the output of the "man" command might be corrupted in traditional Chinese, simplified Chinese and Korean when the window is too narrow. Widen the window and retry the command.
  • User ID, User information, HMC User password, Partition name, managed system name, profile name and system profile name are in English only.
  • The gifs displayed are in English in Help for the Main User Interface.
  • The first page (top-level entries) in each chapter of three Help books ("Base Tasks and Console", "System" and "User Interface") is blank.
  • The order of the address fields is for US but this address will not be used as mailing address.
  • The text and flyovers on the Help window will be displayed in English.

Security Fixes

| Fix | Description |
|---|---|
| CVE-2007-5612 | Security Vulnerability in L1 agent (Pegasus CIM object manager) |
| CVE-2007-5707, CVE-2007-5708 | SECURITY: openldap2 remote denial of service |
| FIX_BY_IBM | SECURITY: Pegasus CIM object manager - CVE-2008-0003 PAM Callback stack buff... |
| CVE-2007-4135 | SECURITY: nfsidmap name - uid translation flaw |
| CVE-2007-4752 | SECURITY: openssh X11 cookie and SIGALRM fixes |
| CVE-2007-2445 | SECURITY: libpng DOS |
| CVE-2007-2442, CVE-2007-2443, CVE-2007-2798 | SECURITY: krb5 remote code execution |
| CVE-2007-2754 | SECURITY: freetype remote code execution |
| CVE-2007-2926 | SECURITY: bind DNS cache poisoning |
| CVE-2007-3387, CVE-2007-3798 | SECURITY: findutils local vulnerability |
| CVE-2007-3798 | SECURITY: tcpdump BGP packet handler overflow |

HMC ports

| Ports | Protocol | Application name | Description | Enabled by default |
|---|---|---|---|---|
| 22 | TCP | ssh.name | Allows remote secure shell access | No |
| 443, 9960 | TCP | SecureRemoteAccess.name | Allow access to the HMC via remote web browser | No |
| 5989 | TCP | pegasus.name | Allows access to OpenPegasus Server | Yes |
| 5988, 9197 | TCP | CSM_SNIA.name | SNIA CIM for Cluster System Management | No |
| 657 | TCP/UDP | RMC.name | Allows access between HMC and partitions | Yes |
| 9920, 9900 | TCP/UDP | FCS.name | Allow HMC to HMC communication | Yes |
| 9735 | TCP | vtty.name | Allows remote virtual terminal access | Yes |
| 2302 | TCP | vtty_proxy.name | Allows remote virtual terminal access | Yes |
| 2300, 2301 | TCP | i5250.name | 5250 terminal access | Yes |
| 123 | UDP | ntp.name | Network Time Protocol | No |
| 1701 | UDP | l2tp.name | Allows the HMC to share its modem with an i5 OS partition | Yes |
| 427 | UDP | SLP.name | Allows the HMC to receive and respond to Service Location Protocol service | Yes |
| 12347, 12348 | UDP | RPD.name | Allow group communication and aliveness UDP packets produced by RSCT subsystems. This is required when forming an RSCT Peer Domain across multiple HMCs. | Yes |
| 8899 | TCP | hwserver.name | Allow hardware servers between CSM and HMC, or between HMCs to communicate. This is required for FNM to log errors and report to the ELA master on HMC. RSCT Peer Domains must also be enabled for this to work properly | Yes |
| 162 | TCP/UDP | snmptrap.name | Receive Simple Network Management Protocol (SNMP) Trap messages. | No |
| Incoming ping | Echo-request:icmp | ping.name | Allow the HMC to respond to the ping network utility. | Yes |

The chhmc command can be used to change the firewall settings for each of the applications in the preceding table.

Examples:

To disable access to port 5989 for OpenPegasus on network interface eth0:
chhmc -c pegasus.name -s remove -a 0.0.0.0 -nm 0.0.0.0 -i eth0

To enable access to port 123 for NTP on network interface eth0:
chhmc -c ntp.name -s add -a 0.0.0.0 -nm 0.0.0.0 -i eth0
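
The two examples above generalize to a review of the whole port table. The following script is an added example, not IBM's code: it embeds the table from this page, takes the applications a site actually needs, and prints the chhmc commands that close default-open applications and open required ones. It assumes the HMC is still at the defaults in the table, that default rules use 0.0.0.0/0.0.0.0 as in the examples above, and that -a and -nm accept a source network and mask; the function names and the 192.0.2.0 network are constructed.

```sh
#!/bin/sh
# Added example: plan chhmc firewall changes from the HMC ports table.
# It only prints commands for review; it never contacts an HMC.

# application|ports|enabled by default, copied from the table on this page.
hmc_ports() {
cat <<'EOF'
ssh.name|22/tcp|No
SecureRemoteAccess.name|443,9960/tcp|No
pegasus.name|5989/tcp|Yes
CSM_SNIA.name|5988,9197/tcp|No
RMC.name|657/tcp+udp|Yes
FCS.name|9920,9900/tcp+udp|Yes
vtty.name|9735/tcp|Yes
vtty_proxy.name|2302/tcp|Yes
i5250.name|2300,2301/tcp|Yes
ntp.name|123/udp|No
l2tp.name|1701/udp|Yes
SLP.name|427/udp|Yes
RPD.name|12347,12348/udp|Yes
hwserver.name|8899/tcp|Yes
snmptrap.name|162/tcp+udp|No
ping.name|icmp-echo-request|Yes
EOF
}

# plan_firewall IFACE NET MASK "app1 app2 ..."
#   IFACE     network interface, e.g. eth0
#   NET MASK  source network for applications that get opened (assumption:
#             -a/-nm take a network and mask, like 0.0.0.0 in the page's examples)
#   last arg  space-separated application names this site needs
plan_firewall() {
    iface=$1 net=$2 mask=$3 needed=" $4 "
    # Reject names that are not in the table so a typo cannot silently
    # cause a required service to be closed.
    for app in $4; do
        hmc_ports | cut -d'|' -f1 | grep -qxF -- "$app" ||
            { echo "unknown application: $app" >&2; return 2; }
    done
    hmc_ports | while IFS='|' read -r app ports default; do
        case "$needed" in
            *" $app "*) wanted=Yes ;;
            *)          wanted=No ;;
        esac
        if [ "$default" = Yes ] && [ "$wanted" = No ]; then
            # Assumed default rule is open to all sources (0.0.0.0/0.0.0.0).
            echo "chhmc -c $app -s remove -a 0.0.0.0 -nm 0.0.0.0 -i $iface   # closes $ports"
        elif [ "$default" = No ] && [ "$wanted" = Yes ]; then
            echo "chhmc -c $app -s add -a $net -nm $mask -i $iface   # opens $ports"
        fi
    done
}

# Constructed scenario: ssh and NTP are needed in addition to partition (RMC),
# HMC-to-HMC (FCS) and ping traffic; every other default-open service is closed.
plan_firewall eth0 192.0.2.0 255.255.255.0 "ssh.name ntp.name RMC.name FCS.name ping.name"
```

Compare the printed plan with the HMC's current firewall settings before running any of it, since an HMC that has already been changed from the defaults will not match the table.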

Known Issues in HMC V7R3.3.0

  • When using the chhmc command to configure Kerberos, the "a" option only accepts IPv4 addresses.
  • Licensed Internal Code on multiple Managed Systems in a 9125-F2A within the same power frame can be updated simultaneously by using the following procedure:

Step 1

Select one Managed System in each frame from the "Servers" or "Updates" panel and perform the Licensed Internal Code update. This will update Licensed Internal Code on the Power Subsystem and the selected Managed System.

Step 2

Select the remaining Managed Systems in all frames from the "Servers" or "Updates" panel. This will update Licensed Internal Code on the remaining Managed Systems. The Power Subsystem was already updated in Step 1 and will not be updated again.

Note: after Licensed Internal Code has been updated in Step 1, the image is saved on the HMC. The "disk" repository can then be used for subsequent updates in Step 2.

  • After login through ssh an error may be output to the screen "bash: /dev/pts/3: restricted: cannot redirect output". The error is harmless and can be ignored. This error will ONLY happen if the DISPLAY environment is set, that is, when the user performs ssh onto the HMC with the -X or -Y (for X11 Forwarding) option.
  • System Plans will not deploy if using an HEA adapter for the Ethernet connection to do the network install of the partition. This will be fixed in the first Service Pack.