Tripp Lite 0 Idades Manual
Chapter 8: Power and Environment

8.2.3 Configuring powered computers to monitor a Managed UPS

Once you have added a Managed UPS, each server that is drawing power through the UPS should be set up to monitor the UPS status as a Slave. This is done by installing the NUT package on each server, and setting up upsmon to connect to the Console Server. Refer to the NUT documentation for details on how this is done, specifically sections 13.5 to 13.10: http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html

An example upsmon.conf entry might look like:

• MONITOR managedups@192.168.0.1 1 username password Slave

where:

• managedups is the UPS Name of the Managed UPS
• 192.168.0.1 is the IP address of the Console Server
• 1 indicates the server has a single power supply attached to this UPS
• username is the Username of the Managed UPS
• password is the Password of the Managed UPS
8.2.4 UPS alerts

You can now set UPS alerts using Alerts & Logging: Alerts (refer to Chapter 7).

8.2.5 UPS status

You can monitor the current status of all your Managed or Monitored UPS's, whether they are on the network or connected serially or via USB:

• Select the Status: UPS Status menu and a table with the summary status of all connected UPS hardware will be displayed
• Click on any particular UPS System name in the table and you will be presented with more detailed graphical information on the selected UPS System
• Click on All Data for any UPS System in the table for more status and configuration information on the selected UPS System
• Select UPS Logs and you will be presented with the log table of the load, battery charge level, temperature and other status information from all the Managed and Monitored UPS systems. This information will be logged for all UPS's which were configured with Log Status checked. The information is also presented graphically.
8.2.6 Overview of Network UPS Tools (NUT)

Network UPS Tools (NUT) is a group of open source programs that provide a common interface for monitoring and administering UPS hardware, and ensuring safe shutdowns of the systems which are connected. NUT can be configured using the Management Console as described above, or you can configure the tools and manage the UPS's directly from the command line. This section provides an overview of NUT. You can find full documentation at http://www.networkupstools.org/doc.

NUT is built on a networked model with a layered scheme of drivers, server and clients.

1. The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server upsd. Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and they understand the specific language of each UPS and map it back to a compatibility layer. This means both an expensive "smart" protocol UPS and a simple "power strip" model can be handled transparently.

2. The NUT network server program upsd is responsible for passing status data from the drivers to the client programs via the network. upsd can cache the status from multiple UPS's and can then serve this status data to many clients. upsd also contains access control features to limit the abilities of the clients (so only authorized hosts may monitor or control the UPS hardware).

3. There are a number of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based on the status. These clients can run on the same host as the NUT server or they can communicate with the NUT server over the network (enabling them to monitor any UPS anywhere). The upsmon client enables servers that draw power through the UPS (i.e. Slaves of the UPS) to shut down gracefully when the battery power reaches critical.
Additionally, one server is designated the Master of the UPS, and is responsible for shutting down the UPS itself when all Slaves have shut down. Typically, the Master of the UPS is the one connected to the UPS via serial or USB cable. upsmon can monitor multiple UPS's, so high-end servers which receive power from multiple UPS's simultaneously won't initiate a shutdown until the total power situation across all source UPS's becomes critical.

There are also two status/logging clients, upsc and upslog. The upsc client provides a quick way to poll the status of a UPS. It can be used inside shell scripts and other programs that need UPS status information. upslog is a background service that periodically polls the status of a UPS, writing it to a file.

All these clients run on the Console Server (for Management Console presentations) but they can also be run remotely (on locally powered servers and remote monitoring systems).

This layered NUT architecture enables:

• Multiple architecture support: NUT can manage serial and USB-connected models with the same common interface. SNMP equipment can also be monitored (although at this stage this is still pre-release with experimental drivers, and this feature will be added to the embedded UPS tools in a future release).
• Multiple clients monitoring one UPS: Multiple systems may monitor a single UPS using only their network connections. There's a wide selection of client programs which support monitoring UPS hardware via NUT (Big Sister, Cacti, Nagios, Windows and more). Refer to www.networkupstools.org/client-projects.

So NUT supports the more complex power architectures found in data centers, computer rooms and NOCs, where many UPS's from many vendors power many systems with many clients, each of the larger UPS's powers multiple devices, and many of these devices are themselves dual powered.
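As an added example (not from the manual or the NUT project), the following Python reads upsmon.conf MONITOR lines in the format shown in 8.2.3 and applies the multi-UPS rule described above: a dual-fed host shuts down only when the power values of the UPSs still supplying it fall below MINSUPPLIES. The config text, UPS names and ups.status strings are constructed, and real upsmon's dead-UPS timeouts are left out.

```python
"""Added example (not from the manual or the NUT project): parse upsmon.conf
MONITOR lines and apply upsmon's multi-UPS shutdown rule. Config text and
UPS status strings are constructed; real upsmon's dead-UPS timeouts are omitted."""
import shlex
from dataclasses import dataclass

@dataclass
class Monitor:
    upsname: str     # UPS Name as configured on the console server
    host: str        # console server running upsd
    powervalue: int  # this host's power supplies fed by the UPS
    username: str
    password: str
    role: str        # "master" or "slave"

def parse_upsmon_conf(text):
    """Return (monitors, minsupplies) from upsmon.conf-style text."""
    monitors, minsupplies = [], 1
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        if fields[0] == "MONITOR" and len(fields) == 6:
            system, power, user, pw, role = fields[1:]
            ups, _, host = system.partition("@")
            monitors.append(Monitor(ups, host or "localhost", int(power),
                                    user, pw, role.lower()))
        elif fields[0] == "MINSUPPLIES" and len(fields) == 2:
            minsupplies = int(fields[1])
    return monitors, minsupplies

def is_critical(status):
    """ups.status with both OB (on battery) and LB (low battery) means lost."""
    flags = set(status.split())
    return "OB" in flags and "LB" in flags

def must_shutdown(monitors, minsupplies, status_by_ups):
    """Shut down when healthy power values sum to less than MINSUPPLIES."""
    available = sum(m.powervalue for m in monitors
                    if not is_critical(status_by_ups.get(f"{m.upsname}@{m.host}", "")))
    return available < minsupplies

# Constructed config: a dual-PSU server fed by two UPSs on one console server.
SAMPLE_CONF = """
MONITOR managedups@192.168.0.1 1 username password slave
MONITOR ups2@192.168.0.1 1 username password slave
MINSUPPLIES 1
"""

if __name__ == "__main__":
    mons, mins = parse_upsmon_conf(SAMPLE_CONF)
    # One UPS critical, one on line: still one healthy supply, so no shutdown.
    print(must_shutdown(mons, mins,
                        {"managedups@192.168.0.1": "OB LB", "ups2@192.168.0.1": "OL"}))
```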
8.3 Environmental Monitoring

The Environmental Monitoring Device (EMD), model B090-EMD, can be connected to any Console Server serial port and each Console Server can support multiple EMD's. Each EMD has one temperature and one humidity sensor and one general purpose status sensor which can be connected to a smoke detector, water detector, vibration or open-door sensor. The B095-004/003 Console Server models also each have an internal temperature sensor.

Using the Management Console, Administrators can view the ambient temperature and humidity and set the EMD to automatically send alarms progressively from warning levels to critical alerts.
8.3.1 Connecting the EMD

The Environmental Monitoring Sensor (EMD) connects to any serial port on the Console Server via a special EMD Adapter and standard CAT5 cable. The EMD is powered over this serial connection and communicates using a custom handshake protocol. It is not an RS232 device and should not be connected without the adapter:

• Plug the RJ plug on the EMD Adapter (model B090-EMD-ADP) into the RJ45 Port on the EMD (model B090-EMD). Then connect the Console Server serial port to the RJ45 port of the EMD Adapter using the provided UTP cable. If the 6 foot (2 meter) UTP cable provided with the EMD is not long enough it can be replaced with a standard Cat5 UTP cable up to 33 feet (10 meters) in length (Tripp Lite N002 series cables)
• Screw the bare wires on any smoke detector, water detector, vibration sensor, open-door sensor or general purpose open/close status sensors into the terminals on the EMD:
  o B090-WLS Console Server Water Leak Sensor
  o B090-DCS Console Server Door Contact Sensor
  o B090-VS Console Server Vibration Sensor
  o B090-SD-110 Console Server Smoke Detector - 110V
  o B090-SD-220 Console Server Smoke Detector - 220V

The EMD can be used only with a Console Server and cannot be connected to standard RS232 serial ports on other appliances.

• Select Environmental as the Device Type in the Serial & Network: Serial Port menu for the port to which the EMD is to be attached. No particular Common Settings are required.
• Click Apply
• Select the Serial & Network: Environmental menu. This will display all the EMD connections that have already been configured
• Click Add
• Enter a Name and Description for the EMD and select the pre-configured serial port that the EMD will be Connected Via
• Provide Labels for each of the two alarms
• Check Log Status and specify the Log Rate (minutes between samples) if you wish the status from this EMD to be logged. These logs can be viewed from the Status: Environmental Status screen
• Click Apply

8.3.2 Environmental alerts

You can now set temperature, humidity and probe status alerts using Alerts & Logging: Alerts (refer to Chapter 7).

8.3.3 Environmental status

You can monitor the current status of all EMDs and their probes:

• Select the Status: Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed
• Click on View Log or select the Environmental Logs menu and you will be presented with a table and graphical plot of the log history of the selected EMD
Chapter 9: Authentication

The Tripp Lite Console Server is a dedicated Linux computer, and it embodies popular and proven Linux software modules for secure network access (OpenSSH) and communications (OpenSSL) and sophisticated user authentication (PAM, RADIUS, TACACS+, Kerberos and LDAP).

• This chapter details how the Administrator can use the Management Console to establish remote AAA authentication for all connections to the Console Server and attached serial and network host devices
• This chapter also covers establishing a secure link to the Management Console using HTTPS and using OpenSSL and OpenSSH to establish a secure Administration connection to the Console Server

9.1 Authentication Configuration

Authentication can be performed locally, or remotely using an LDAP, Radius or TACACS+ authentication server. The default authentication method for the Console Server is Local.

Any authentication method that is configured will be used for authentication of any user attempting to log in through Telnet, SSH or the Web Manager to the Console Server and any connected serial port or network host devices.

The Console Server can be configured to the default (Local) or an alternate authentication method (TACACS, RADIUS, Kerberos or LDAP) with the option of a selected order in which local and remote authentication is to be used:

Local TACACS/RADIUS/LDAP/Kerberos: Tries local authentication first, falling back to remote if local fails
TACACS/RADIUS/LDAP/Kerberos Local: Tries remote authentication first, falling back to local if remote fails
TACACS/RADIUS/LDAP/Kerberos Down Local: Tries remote authentication first, falling back to local only if the remote authentication returns an error condition (e.g. the remote authentication server is down or inaccessible)

9.1.1 Local authentication

• Select Serial and Network: Authentication and check Local
• Click Apply
9.1.2 TACACS authentication

Perform the following procedure to configure the TACACS+ authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed:

• Select Serial and Network: Authentication and check TACACS or LocalTACACS or TACACSLocal or TACACSDownLocal
• Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession.
• In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead.
• Enter the Server Password
• When Ignore Privilege Level is enabled, the priv-lvl setting for all of the users defined on the TACACS AAA server will be ignored

Note: The console server normally interprets a user with a TACACS priv-lvl of 12 or above as an admin user. There is also a special privilege level where a user with a priv-lvl of 15 is also given access to all configured serial ports. When the Ignore Privilege Level option is enabled (i.e., checked in the user interface), there are no escalations of privileges based on the priv-lvl value from the TACACS server. Also note that if the only privilege level configured for one or more TACACS users is the priv-lvl (e.g., no specific port access or group memberships set), enabling this option will revoke access to the console server for those users. Such users will not be a member of any group, even if the Retrieve Remote groups option in the Authentication menu is enabled.

• Click Apply.
TACACS+ remote authentication will now be used for all user access to the Console Server and serially or network attached devices.

TACACS+

The Terminal Access Controller Access Control System (TACACS+) security protocol is a recent protocol developed by Cisco. It provides detailed accounting information and flexible administrative control over the authentication and authorization processes. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide authentication, authorization, and accounting services independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. There is a draft RFC detailing this protocol.

Further information on configuring remote TACACS+ servers can be found at the following sites:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6d6.html
http://cio.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt2/sctplus.htm
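An added example, not part of the manual and not the console server's own code, modelling the three remote/local fallback orders from 9.1 together with the priv-lvl rules in the note in 9.1.2 with a stub TACACS+ server. The user databases, mode names and every function are assumptions for illustration; what it shows is that the "Remote Local" order also falls back to the local password when the remote server rejects a login, while "Remote Down Local" falls back only when the server returns an error.

```python
"""Added example (not the manual's or the console server's code): the three
remote/local fallback orders of section 9.1 and the TACACS priv-lvl rules of
9.1.2, with stub servers. All names and the sample users are assumptions."""
from enum import Enum

class RemoteResult(Enum):
    ACCEPT = "accept"  # server authenticated the user
    REJECT = "reject"  # server answered: bad credentials
    ERROR = "error"    # server down, unreachable, or malformed reply

# Constructed data: local accounts, and a stub TACACS+ server with priv-lvl.
LOCAL_USERS = {"alice": "local-pw", "root": "root-pw"}
REMOTE_DB = {"alice": ("remote-pw", 15), "bob": ("bob-pw", 7)}

def remote_auth(user, password, server_up=True):
    if not server_up:
        return RemoteResult.ERROR, None
    entry = REMOTE_DB.get(user)
    if entry and entry[0] == password:
        return RemoteResult.ACCEPT, entry[1]
    return RemoteResult.REJECT, None

def local_auth(user, password):
    return LOCAL_USERS.get(user) == password

def authenticate(mode, user, password, server_up=True):
    """mode: 'Local', 'LocalRemote', 'RemoteLocal' or 'RemoteDownLocal'.
    Returns (authenticated, priv_lvl) with priv_lvl None for local logins."""
    if mode == "Local":
        return local_auth(user, password), None
    if mode == "LocalRemote":
        if local_auth(user, password):
            return True, None
        res, lvl = remote_auth(user, password, server_up)
        return res is RemoteResult.ACCEPT, lvl
    res, lvl = remote_auth(user, password, server_up)
    if res is RemoteResult.ACCEPT:
        return True, lvl
    if mode == "RemoteLocal":  # any remote failure, including REJECT, falls back
        return local_auth(user, password), None
    if mode == "RemoteDownLocal" and res is RemoteResult.ERROR:
        return local_auth(user, password), None  # only server errors fall back
    return False, None  # a REJECT is final under RemoteDownLocal

def tacacs_roles(priv_lvl, ignore_priv_lvl=False):
    """priv-lvl >= 12 is admin, 15 also grants all serial ports; the
    Ignore Privilege Level option disables both escalations."""
    roles = set()
    if ignore_priv_lvl or priv_lvl is None:
        return roles
    if priv_lvl >= 12:
        roles.add("admin")
    if priv_lvl == 15:
        roles.add("all-serial-ports")
    return roles
```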
9.1.3 RADIUS authentication

Perform the following procedure to configure the RADIUS authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed:

• Select Serial and Network: Authentication and check RADIUS or LocalRADIUS or RADIUSLocal or RADIUSDownLocal
• Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession
• In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead
• Enter the Server Password
• Click Apply.

RADIUS remote authentication will now be used for all user access to the Console Server and serially or network attached devices.

RADIUS

The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP or CHAP, UNIX login, and other authentication mechanisms.

Further information on configuring remote RADIUS servers can be found at the following sites:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d4fe8248-eecd-49e4-88f6-9e304f97fefc.mspx
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml
http://www.freeradius.org/
9.1.4 LDAP authentication

With firmware version 3.11 and later, LDAP authentication now supports OpenLDAP servers using the Posix-style schema for user and group definitions. Performing simple authentication against any LDAP server (AD or OpenLDAP) follows the common LDAP standards and protocols. Extra steps are required in configuring extra user data (e.g., groups, etc).

The console server may be configured for authentication and authorization of group information from an LDAP server. This group information can be stored in a number of different ways. Active Directory has one method of storage, and OpenLDAP has two methods:

• Active Directory: Each entry for a user has multiple ‘memberOf’ attributes. Each ‘memberOf’ value is the full DN of the group they belong to (the user entry will be of objectClass “user”).
• OpenLDAP / Posix: Each entry for a user must have a ‘gidNumber’ attribute. This will be an integer value that functions as the user’s primary group (e.g., mapping to the /etc/passwd file within the group ID field). To determine the group, first search for an entry in the directory that contains that group ID. Doing this will also provide the group name (the users are of objectClass “posixAccount” and the groups are of objectClass “posixGroup”).
• OpenLDAP / Posix: Each group entry in the group tree (of objectClass ‘posixGroup’) may have multiple ‘memberUid’ attributes. These represent secondary groups (e.g., mapping to the /etc/groups file). Each attribute contains a username.

To accommodate these possibilities, the pam_ldap module has been modified to perform group queries for each of the three styles. This allows for a ‘generic’ configuration and does not affect how the LDAP directory is set up. There are only two parameters that need to be configured based upon a user’s search: LDAP username and group membership attributes.
To clarify which parameters to use, the descriptions for these fields have been updated to prompt the user for common or likely attributes. For example, the two configuration fields below use the following descriptions:

LDAP Username Attribute: The LDAP attribute that corresponds to the login name of the user (commonly ‘sAMAccountName’ for Active Directory, and ‘uid’ for OpenLDAP).

LDAP Group Membership Attribute: The LDAP attribute that indicates group membership in a user record (commonly ‘memberOf’ for Active Directory, and unused for OpenLDAP).

Note: The libldap library is particular about ensuring SSL connections use certificates signed by a trusted CA. Setting up a connection to an LDAP server using SSL requires extra attention.
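An added example (not the manual's code and not the modified pam_ldap module) that resolves a login name to its group names under the three membership styles described in 9.1.4, driven by the same two parameters the manual names: the username attribute and the optional group membership attribute. The in-memory directory entries, group names and function names are constructed for illustration.

```python
"""Added example (not the manual's or the modified pam_ldap module's code):
resolve a login name to group names under the three membership styles of
section 9.1.4. The in-memory directory and all function names are constructed."""

def find_user(directory, username_attr, login):
    """Entry whose username attribute (sAMAccountName or uid) equals login."""
    for dn, attrs in directory:
        if login in attrs.get(username_attr, []):
            return dn, attrs
    return None

def rdn_value(dn):
    """'cn=ops,ou=groups,dc=example,dc=com' -> 'ops'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def user_groups(directory, username_attr, login, membership_attr=None):
    """Union of the three styles: memberOf DNs on the user (Active Directory),
    the posixGroup whose gidNumber matches the user's (primary group), and
    posixGroups listing the login in memberUid (secondary groups)."""
    found = find_user(directory, username_attr, login)
    if found is None:
        return set()
    _, user = found
    groups = set()
    if membership_attr:  # style 1: memberOf for AD, left unset for OpenLDAP
        groups.update(rdn_value(g) for g in user.get(membership_attr, []))
    primary_gid = user.get("gidNumber", [None])[0]
    for _, attrs in directory:
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        if primary_gid is not None and attrs.get("gidNumber", [None])[0] == primary_gid:
            groups.add(attrs["cn"][0])  # style 2: primary group by gidNumber
        if login in attrs.get("memberUid", []):
            groups.add(attrs["cn"][0])  # style 3: secondary group by memberUid
    return groups

# Constructed directory: one AD-style user, one OpenLDAP/posix user, two groups.
DIRECTORY = [
    ("cn=Alice,ou=users,dc=example,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["alice"],
      "memberOf": ["cn=admin,ou=groups,dc=example,dc=com"]}),
    ("uid=bob,ou=people,dc=example,dc=com",
     {"objectClass": ["posixAccount"], "uid": ["bob"], "gidNumber": ["1001"]}),
    ("cn=ops,ou=groups,dc=example,dc=com",
     {"objectClass": ["posixGroup"], "cn": ["ops"], "gidNumber": ["1001"]}),
    ("cn=admin,ou=groups,dc=example,dc=com",
     {"objectClass": ["posixGroup"], "cn": ["admin"], "gidNumber": ["1000"],
      "memberUid": ["bob"]}),
]
```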