IBM Remote Supervisor Adapter

Features

Advanced Systems Management Adapter (ASMA)

This is a full-length ISA or PCI adapter. The ISA version is very rare, and was only ever supported in one or two servers. This adapter can be accessed either in-band through a device driver, or out-band over serial or 10Mbit Ethernet.

In addition, this adapter supports chaining of IBM Servers with Advanced Systems Management Processors (ASMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required. A total of 12 systems can be controlled this way using a single adapter.

The PCI version is supported under Linux through the ibmasm driver.

Supported servers:

Remote Supervisor Adapter (RSA) 59P2952

This is a half-length PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.

In addition, this adapter supports the chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.

The adapter is supported under Linux through the ibmasm driver.

This is the first version to support remote KVM over Ethernet. But when chaining is used, only the server with the adapter installed supports the remote KVM function.

Supported servers:

Remote Supervisor Adapter II (RSA-II) 73P9265

This is a half-length full-height PCI adapter, which can be accessed either in-band through a device driver, or out-band over serial or Ethernet.

In addition, this adapter supports chaining of IBM Servers with Integrated Systems Management Processors (ISMP) using RJ45 patch cables (RS-485 signal), to reduce the number of adapters required.

This adapter (when properly cabled) can be accessed for in-band management through a USB driver.

This adapter has its own ATI video chip, and will cause the onboard video chip to get disabled. The reason for this was to resolve some of the problems with capturing the video for the remote KVM function that the original RSA experienced. Just like the original RSA, in the event of chaining the remote KVM function is only supported on the server with the adapter installed.

Supported servers:

Cable

The RSA-II requires a 20-pin cable to attach to the motherboard of the server. Without this cable the remote video facilities will still work, and if the external USB cable is connected, the remote keyboard and mouse will work—but nothing else (including power control) will function properly. Moreover, some servers will pause for 30–120 seconds after power-on if the RSA-II is installed but the cable is missing.

Different cables are required for different servers, and as of April 2008 it appears that the cards themselves are far more plentiful on the used market than certain cables—often the cables sell for more than the cards themselves!

Here is a table of known server/cablenumber combinations:

Older servers use what is known as the "planar cable". Newer servers use the cable shown in the adjacent image:

Remote Supervisor Adapter II Slimline (RSA-II Slimline)

This is a special version of the RSA-II that does not need a PCI slot. Instead it is plugged into a dedicated slot on the systemboard, like a mini-pci adapter. This version also does not have a video controller anymore like the RSA-II.

Out-band management is provided by a dedicated Ethernet port on the server, which is not connected if the RSA-II Slimline is not installed. In-Band management is provided by the same USB driver as the RSA-II.

Supported servers:

Maximum password length

A password can only be 15 characters max. If more characters are typed at the changing password form, there will be no error message but they won't be memorized.

Java 1.6 incompatibility bug

The RSA remote control is now broken IBM has issued a fix that only works some of the time. Most users are advised to use Java JRE 1.60 U07 or earlier, which is impossible if the user does not have administrative access to the client machine. IBM has been unresponsive. jre-1_5_0_21-windows-i586-p.exe generally gives good results on windows clients.

The Remote console works with the OpenJDK JRE and the IcedTea browser plugin. Tested on OpenJDK6 build 18 and IcedTea 1.1.

Passwords sent in clear text

SSL is disabled by default, meaning that administrator passwords are sent in clear text. The administrator should to use the builtin functionality to generate a CSR and have it signed by an accepted CA.

Invisible to traceroute

The network stack used by the RSAII does not respond to UDP packets sent to a closed port; therefore, it appears to be "invisible" to traceroutes based on UDP (the default for non-Windows systems).

Reliability problems

A defect in the design of the RSA can cause it to go into a state in which the remote video capabilities are disabled. Unfortunately, once in this state the only way to correct the situation is to physically remove power from the RSA and the server; no amount of remote restarting will correct the problem. Because the point of the RSA is to eliminate the need for this sort of physical intervention to clear errors, this flaw calls into question the usefulness of the device.

This flaw is documented on IBM's website at

The video forwarding also takes an initial reboot to take effect after the RSA was re-configured. At this point the operator would be in the BIOS menu but without the video functionality active. A reboot of the RSA will not suffice, the whole server has to be rebooted.

The card can also crash during some operations certificate generation.

Requires UDP

The remote control feature of the service processor requires that it be possible to exchange packets on UDP port 2000 between the adapter and the client.

No video through NAT

The adapter does not cope well with NAT. The symptoms generally experienced are a lack of video when attempting to access remote control. If in doubt, ensure that the client (web browser) has its own public internet IP and is not behind any sort of NAT.

No video when using a Cisco router or switch with Network Address Translation (NAT)

When using a Cisco router or switch with Network Address Translation (NAT) enabled, connection to the Remote Supervisor Adapter (RSA) II web UI is operational. When starting the remote control session, the user receives a blank screen.

The remote console port should be changed from 2000 to 5090 or any other value.

Log in to the RSA II web UI pages. In the RSA II web UI, go to Port Assignments in the left panel. Go to remote console and change the value to 5090. Save and restart the ASM. Port 2000 is being used by Cisco Skinny Client Control Protocol (SCCP). Since the default value for RSA II console port (remote video) is 2000, it needs be changed to another value such as 5090.

Network port may not be set to the Default of DHCP IP Address then (Static IP - Fallback Configuration)

The RSA II adapter's network port, by Default, is set to "Try DHCP Server. If it Fails, Use Static IP Config", where "Static IP Config" is the fallback IP address configuration; however, this behavior may vary depending upon the Firmware version installed or configuration changes made by a prior user. If the RSA II is reset to Defaults, the associated NIC should also automatically reset to DHCP IP address then Static IP if a DHCP address cannot be obtained.

If the RSA II NIC is not responding to network communication or an expected IP address, the associated network settings (including currently assigned IP address and configuration) can be viewed, modified and/or reset through the server's Advanced - BIOS settings under the RSA II or Remote Supervisor Adapter II (or similar title) Advanced feature setting.

Be sure to Save the Network settings before exiting the RSA II configuration screen and Save any other changes to BIOS settings before exiting the BIOS Setup Configuration.

Difficult to reset

Procedures for resetting the RSAII to factory defaults may be challenging for some users. The IBM forums list a procedure for resetting an RSAII to factory defaults which appears to be simpler; it involves removing the card from the server and operating it from a non-PCI power supply. Most of the problems resolve around correct loading of the USB library. Ensuring this is properly loaded raises chances of success.

LDAP authentication generally unusable

LDAP authentication fails if a user is a member of more than one posixGroup, which is usually the case in non-trivial directories. IBM privately acknowledged the problem has existed for over four years, but still has not published a fix. The problem is that it considers only first posixGroup in resultset, so if you manage to reorganize directory to return your matching group first, you can succeed on the auth (with openldap ldif dump, delete and restore tends to keep results ordered).

Host OS tools

Like almost all IBM-provided management tools, software tools do not respect long established OS conventions for packaging, file paths and naming.

Firmware updates are incompatible with a non-executable /tmp directory, a commonly employed security setting.

Command line tools have many undocumented behaviors. "asu," the executable used to query or set parameters on the board, writes logs to the current directory with a hardcoded name, without warning and without basic sanity checks. It will thus silently overwrite the target of a symbolic link with that name.

BladeCenter Management Module (BCMM)

This is the first management module of the IBM BladeCenter.

Its function is very similar to that of the RSA-II

The BCMM provides an external 10/100Mbit Ethernet connection (used for out-of-band management) and shared VGA, PS/2 Keyboard and PS/2 Mouse ports. Internally the VGA and PS/2 ports are switchable between blades. The PS/2 ports are internally seen to the blades as USB.

This has since been phased out and replaced by the BCAMM. It is no longer supported by IBM.

BladeCenter Advanced Management Module (BCAMM)

This is a hardware refresh of the management module for the IBM BladeCenter. The PS/2 ports for keyboard and mouse were replaced with two USB ports. The BCAMM is currently under active development and its firmware offers more capabilities than the original BCMM.

Advanced Systems Management Processor (ASMP)

This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the ISMP. Out-of-band management is possible using a serial port (shared with the OS), or by adding the Advanced Systems Management Adapter (ASMA).

These servers have ASMP functionality:

Integrated Systems Management Processor (ISMP)

This is an integrated Service Processor on select IBM Intel-based servers. It was succeeded by the BMC (Baseboard Management Controller). Out-of-band management is possible by adding the RSA or RSA II.

These servers have ISMP functionality:

Baseboard Management Controller (BMC)

On many legacy IBM Intel-based servers the BMC is standard with the RSA II or RSA II Slimline as an Option device.

Integrated Management Module (IMM)

The IBM Integrated Management Module (IMM) is the next generation of System Management devices for UEFI based servers and comprises features and functionality of the legacy Baseboard Management Controller (BMC), Remote Supervisor Adapter II (RSA II) while incorporating the Super I/O controller and Video controller.

The IMM interfaces with the server's UEFI System firmware (Unified Extensible Firmware Interface) to provide system management monitoring and functionality.

Although some issues known to both the RSA II and BMC may have been migrated to the early IMM generations (in addition to the IMM's own unique issues), most of these issues have been resolved while adding some of greatly improved features and Administrator / User experience over the BMC and RSA II predecessors.

For example:

Default password

The default login is "USERID" and the default password is "PASSW0RD" (note the zero rather than an "O").