1IPMI-PET(8)                     System Commands                    IPMI-PET(8)
2
3
4

NAME

6       IPMI - IPMI Platform Event Trap Interpreter
7

SYNOPSIS

9       ipmi-pet [OPTION...] [SPECIFIC TRAP] [VARIABLE BINDING HEX BYTES ...]
10

DESCRIPTION

12       Ipmi-pet interprets hex bytes from a platform event trap (PET) and out‐
13       puts a string representing its contents. Hex values may be input on the
14       command  line, a file via the --file option, or via stdin if neither of
15       the previous are specified.  Ipmi-pet is commonly used  in  conjunction
16       with an SNMP trap daemon to intrepret the results from an IPMI PET trap
17       captured by the daemon. While ipmi-pet could be  called  directly  from
18       such  a daemon, typically a script is called to parse the SNMP daemon's
19       output and convert it into a form that can be input into ipmi-pet.   On
20       some  systems,  you may wish to also send a PET acknowledge to a remote
21       system to inform it the trap was received and parsed. One can  be  sent
22       using  the  --pet-acknowledge  option.   While  an  IPMI session is not
23       required to interpret a PET, data from the sensor data repository (SDR)
24       is required to properly interpret sensor names and other information in
25       the PET. IPMI session configuration below, such  as  driver,  hostname,
26       username,  etc.  should be configured to load the SDR of the host where
27       the trap originated.  If this is difficult to perform, it may  be  wise
28       to  cache  and  load  a  specific  SDR cache using the --sdr-cache-file
29       option.  If the SDR is  difficult  to  obtain,  the  --ignore-sdr-cache
30       option  can be specified so that an SDR will not be loaded, and an IPMI
31       session will not be required. The PET will be interpreted  as  best  as
32       possible  given  no SDR. The --ignore-sdr-cache option may affect other
33       options such as --interpret-oem-data too. Some options, such as --manu‐
34       facturer-id  and  --product-id  may alleviate some of these issues.  If
35       the SNMP daemon does not output a SNMPv1 specific trap on its  own,  it
36       is  typically  output as the last element of the OID in SNMPv2.  If for
37       some reason a specific trap cannot be determined, the value of  NA  may
38       be  input for the specific trap to indicate it is not available.  Ipmi-
39       pet will output as much as possible  based  on  the  variable  bindings
40       information.  Some of the specific trap information may be obtained via
41       SDR information.
42
43       Listed below are general IPMI options, tool specific  options,  trouble
44       shooting  information,  workaround  information,  examples,  and  known
45       issues. For a general introduction to FreeIPMI please see freeipmi(7).
46

GENERAL OPTIONS

48       The following options are general options for configuring IPMI communi‐
49       cation and executing general tool commands.
50
51       -D IPMIDRIVER, --driver-type=IPMIDRIVER
52              Specify  the  driver type to use instead of doing an auto selec‐
53              tion.  The currently available outofband  drivers  are  LAN  and
54              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
55              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
56              SUNBMC, and INTELDCMI.
57
58       --disable-auto-probe
59              Do not probe in-band IPMI devices for default settings.
60
61       --driver-address=DRIVER-ADDRESS
62              Specify  the  in-band  driver  address to be used instead of the
63              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
64              hex value and '0' for an octal value.
65
66       --driver-device=DEVICE
67              Specify the in-band driver device path to be used instead of the
68              probed path.
69
70       --register-spacing=REGISTER-SPACING
71              Specify the in-band  driver  register  spacing  instead  of  the
72              probed  value. Argument is in bytes (i.e. 32bit register spacing
73              = 4)
74
75       --target-channel-number=CHANNEL-NUMBER
76              Specify the in-band driver target channel number  to  send  IPMI
77              requests to.
78
79       --target-slave-address=SLAVE-ADDRESS
80              Specify  the  in-band  driver  target  slave number to send IPMI
81              requests to.
82
83       -h IPMIHOST, --hostname=IPMIHOST[:PORT]
84              Specify the remote host to communicate with.  An  optional  port
85              can be specified, which may be useful in port forwarding or sim‐
86              ilar situations.
87
88       -u USERNAME, --username=USERNAME
89              Specify the username to use when authenticating with the  remote
90              host.   If  not  specified,  a null (i.e. anonymous) username is
91              assumed. The user must have atleast OPERATOR privileges in order
92              for this tool to operate fully.
93
94       -p PASSWORD, --password=PASSWORD
95              Specify the password to use when authenticationg with the remote
96              host.  If not specified, a null  password  is  assumed.  Maximum
97              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
98
99       -P, --password-prompt
100              Prompt  for  password  to  avoid  possibility  of  listing it in
101              process lists.
102
103       -k K_G, --k-g=K_G
104              Specify the K_g BMC key to  use  when  authenticating  with  the
105              remote  host  for  IPMI  2.0.  If  not  specified, a null key is
106              assumed. To input the key in hexadecimal form, prefix the string
107              with  '0x'.  E.g.,  the key 'abc' can be entered with the either
108              the string 'abc' or the string '0x616263'
109
110       -K, --k-g-prompt
111              Prompt for k-g to avoid possibility of  listing  it  in  process
112              lists.
113
114       --session-timeout=MILLISECONDS
115              Specify  the  session timeout in milliseconds. Defaults to 20000
116              milliseconds (20 seconds) if not specified.
117
118       --retransmission-timeout=MILLISECONDS
119              Specify  the  packet  retransmission  timeout  in  milliseconds.
120              Defaults  to  1000 milliseconds (1 second) if not specified. The
121              retransmission timeout cannot be larger than the  session  time‐
122              out.
123
124       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
125              Specify  the  IPMI 1.5 authentication type to use. The currently
126              available authentication types are NONE,  STRAIGHT_PASSWORD_KEY,
127              MD2, and MD5. Defaults to MD5 if not specified.
128
129       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
130              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
131              identifies a set of authentication, integrity, and confidential‐
132              ity  algorithms to use for IPMI 2.0 communication. The authenti‐
133              cation algorithm identifies the algorithm  to  use  for  session
134              setup,  the  integrity algorithm identifies the algorithm to use
135              for session packet signatures, and the confidentiality algorithm
136              identifies the algorithm to use for payload encryption. Defaults
137              to cipher suite ID 3 if  not  specified.  The  following  cipher
138              suite ids are currently supported:
139
140              0 - Authentication Algorithm = None; Integrity Algorithm = None;
141              Confidentiality Algorithm = None
142
143              1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
144              None; Confidentiality Algorithm = None
145
146              2  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
147              HMAC-SHA1-96; Confidentiality Algorithm = None
148
149              3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
150              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
151
152              6  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
153              None; Confidentiality Algorithm = None
154
155              7 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
156              HMAC-MD5-128; Confidentiality Algorithm = None
157
158              8  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
159              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
160
161              11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
162              MD5-128; Confidentiality Algorithm = None
163
164              12  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
165              MD5-128; Confidentiality Algorithm = AES-CBC-128
166
167              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
168              = None; Confidentiality Algorithm = None
169
170              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
171              = HMAC_SHA256_128; Confidentiality Algorithm = None
172
173              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
174              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
175
176       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
177              Specify  the privilege level to be used. The currently available
178              privilege levels are USER,  OPERATOR,  and  ADMIN.  Defaults  to
179              OPERATOR if not specified.
180
181       --config-file=FILE
182              Specify an alternate configuration file.
183
184       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
185              Specify  workarounds to vendor compliance issues. Multiple work‐
186              arounds can be specified separated by commas. A special  command
187              line flag of "none", will indicate no workarounds (may be useful
188              for overriding configured defaults). See WORKAROUNDS below for a
189              list of available workarounds.
190
191       --debug
192              Turn on debugging.
193
194       -?, --help
195              Output a help list and exit.
196
197       --usage
198              Output a usage message and exit.
199
200       -V, --version
201              Output the program version and exit.
202

IPMI-PET OPTIONS

204       The following options are specific to Ipmi-pet.
205
206       -v     Output  verbose  output. This option will output event direction
207              and OEM custom messages from the trap.
208
209       -vv    Output very verbose output. This option will  output  additional
210              information  available  in  the trap, such as GUID, manufacturer
211              ID, and system ID.
212
213       -vvv   Output very very verbose output. This option will  output  addi‐
214              tional  information  than  verbose  output. Most notably it will
215              output additional hex codes to given  information  on  ambiguous
216              events.  For  example, it will output Generator ID hex codes for
217              sensors without names.
218
219       --pet-acknowledge
220              Send PET acknowledge using inputted trap data  instead  of  out‐
221              putting  data.  In  some  circumstances,  this  may be useful to
222              inform a remote system that a trap was received and  parsed.  If
223              specified,  a hostname must be specified via -h or --hostname to
224              inform ipmi-pet where to send  the  acknowledge  to.  When  this
225              option  is  specified,  the  SDR  cache is not loaded and is not
226              required.
227
228       --file=CMD-FILE
229              Specify a file to read PET specific trap and  variable  bindings
230              hex from instead of command line.
231
232       --output-event-severity
233              Output  event  severity  in  output. This will add an additional
234              output of an event severity. The outputs may be Monitor,  Infor‐
235              mation,  OK, Non-critical condition, Critical condition, or Non-
236              recoverable condition. This differs from the  output  of  --out‐
237              put-event-state,  as  event severity is not interpreted, it is a
238              value reported in the SNMP trap. However,  not  all  events  may
239              report  a  severity,  or  some manufacturers may not support the
240              report of a severity. Event severity will automatically be  out‐
241              put under verbose output.
242
243       --output-event-state
244              Output event state in output. This will add an additional output
245              reporting if an event should be viewed as NOMINAL,  WARNING,  or
246              CRITICAL.  This differs from the output of --output-event-sever‐
247              ity, as this output is an interpreted value that will be  inter‐
248              preted  identically  to the --output-event-state output in ipmi-
249              sel(8).  As long as an event interpretation  is  supported,  all
250              events  will  have outputted state. The event state is an inter‐
251              preted    value    based    on    the     configuration     file
252              /etc/freeipmi//freeipmi_interpret_sel.conf  and the event direc‐
253              tion. See freeipmi_interpret_sel.conf(5) for more information.
254
255       --event-state-config-file=FILE
256              Specify an alternate  event  state  configuration  file.  Option
257              ignored if --output-event-state not specified.
258
259       --manufacturer-id=NUMBER
260              Specify a specific manufacturer id to assume. Useful if you wish
261              to specify --interpret-oem-data, but the manufacturer id  cannot
262              be  determined  by  IPMI  access or is not available in the SNMP
263              trap.  The manufacturer id of a motherboard  can  be  determined
264              with  bmc-info(8).  If this option is specified, so must --prod‐
265              uct-id.
266
267       --product-id=NUMBER
268              Specify a specific product id to assume. Useful if you  wish  to
269              specify  --interpret-oem-data,  but  the  product  id  cannot be
270              determined by IPMI access or is not available in the SNMP  trap.
271              The  product  id  of  a  motherboard can be determined with bmc-
272              info(8).  If  this  option  is  specified,  so  must  --manufac‐
273              turer-id.
274
275       --interpret-oem-data
276              Attempt  to interpret OEM data, such as event data, sensor read‐
277              ings, or general extra info, etc. If an  OEM  interpretation  is
278              not available, the default output will be generated. Correctness
279              of OEM interpretations cannot be  guaranteed  due  to  potential
280              changes OEM vendors may make in products, firmware, etc. See OEM
281              INTERPRETATION below for confirmed supported motherboard  inter‐
282              pretations.
283
284       --entity-sensor-names
285              Output  sensor  names prefixed with their entity id and instance
286              number when appropriate. This may be necessary on  some  mother‐
287              boards  to help identify what sensors are referencing. For exam‐
288              ple, a motherboard may have multiple sensors named  'TEMP'.  The
289              entity  id  and  instance  number  may help clarify which sensor
290              refers to "Processor 1" vs. "Processor 2".
291
292       --no-sensor-type-output
293              Do not show sensor type output for each entry. On many  systems,
294              the sensor type is redundant to the name of the sensor. This can
295              especially be true if --entity-sensor-names  is  specified.   If
296              the  sensor  name  is sufficient, or if the sensor type is of no
297              interest to the user, this option can be specified  to  condense
298              output.
299
300       --comma-separated-output
301              Output fields in comma separated format.
302
303       --no-header-output
304              Do not output column headers. May be useful in scripting.
305
306       --non-abbreviated-units
307              Output  non-abbreviated  units (e.g. 'Amps' instead of 'A'). May
308              aid  in  disambiguation  of  units  (e.g.  'C'  for  Celsius  or
309              Coulombs).
310

SDR CACHE OPTIONS

312       This tool requires access to the sensor data repository (SDR) cache for
313       general operation. By default, SDR data will be downloaded  and  cached
314       on the local machine. The following options apply to the SDR cache.
315
316       -f, --flush-cache
317              Flush  a  cached  version  of  the  sensor data repository (SDR)
318              cache. The SDR is typically cached for faster subsequent access.
319              However,  it  may need to be flushed and re-generated if the SDR
320              has been updated on a system.
321
322       -Q, --quiet-cache
323              Do not output information about cache creation/deletion. May  be
324              useful in scripting.
325
326       --sdr-cache-recreate
327              If the SDR cache is out of date or invalid, automatically recre‐
328              ate the sensor data repository (SDR) cache. This option  may  be
329              useful for scripting purposes.
330
331       --sdr-cache-file=FILE
332              Specify a specific sensor data repository (SDR) cache file to be
333              stored or read from. If this option is used when multiple  hosts
334              are  specified,  the  same  SDR  cache file will be used for all
335              hosts.
336
337       --sdr-cache-directory=DIRECTORY
338              Specify an alternate directory for sensor data repository  (SDR)
339              caches to be stored or read from. Defaults to the home directory
340              if not specified.
341
342       --ignore-sdr-cache
343              Ignore SDR cache related processing. May lead to  incomplete  or
344              less  useful  information  being  output,  however it will allow
345              functionality for systems without SDRs or when the  correct  SDR
346              cannot be loaded.
347

GENERAL TROUBLESHOOTING

349       Most often, IPMI problems are due to configuration problems.
350
351       IPMI  over  LAN  problems  involve  a  misconfiguration  of  the remote
352       machine's BMC.  Double check to make sure the following are  configured
353       properly  in  the remote machine's BMC: IP address, MAC address, subnet
354       mask, username, user enablement, user privilege, password,  LAN  privi‐
355       lege,  LAN enablement, and allowed authentication type(s). For IPMI 2.0
356       connections, double check to make sure the  cipher  suite  privilege(s)
357       and  K_g  key  are  configured properly. The ipmi-config(8) tool can be
358       used to check and/or change these configuration settings.
359
360       Inband IPMI problems are  typically  caused  by  improperly  configured
361       drivers or non-standard BMCs.
362
363       In  addition  to the troubleshooting tips below, please see WORKAROUNDS
364       below to also if there are any vendor specific bugs that have been dis‐
365       covered and worked around.
366
367       Listed  below  are  many  of the common issues for error messages.  For
368       additional support, please e-mail the <freeipmi-users@gnu.org>  mailing
369       list.
370
371       "username  invalid"  - The username entered (or a NULL username if none
372       was entered) is not available on the remote machine.  It  may  also  be
373       possible the remote BMC's username configuration is incorrect.
374
375       "password  invalid"  - The password entered (or a NULL password if none
376       was entered) is not correct. It may also be possible the  password  for
377       the user is not correctly configured on the remote BMC.
378
379       "password  verification timeout" - Password verification has timed out.
380       A "password invalid" error (described  above)  or  a  generic  "session
381       timeout" (described below) occurred.  During this point in the protocol
382       it cannot be differentiated which occurred.
383
384       "k_g invalid" - The K_g key entered (or a NULL  K_g  key  if  none  was
385       entered)  is  not  correct.  It may also be possible the K_g key is not
386       correctly configured on the remote BMC.
387
388       "privilege level insufficient" - An IPMI command requires a higher user
389       privilege  than  the one authenticated with. Please try to authenticate
390       with a higher privilege. This may require authenticating to a different
391       user which has a higher maximum privilege.
392
393       "privilege  level  cannot  be  obtained  for this user" - The privilege
394       level you are attempting to authenticate with is higher than the  maxi‐
395       mum  allowed for this user. Please try again with a lower privilege. It
396       may also be possible the maximum privilege level allowed for a user  is
397       not configured properly on the remote BMC.
398
399       "authentication  type  unavailable for attempted privilege level" - The
400       authentication type you wish to authenticate with is not available  for
401       this privilege level. Please try again with an alternate authentication
402       type or alternate privilege level. It may also be possible  the  avail‐
403       able  authentication  types you can authenticate with are not correctly
404       configured on the remote BMC.
405
406       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
407       ticate  with  is not available on the remote BMC. Please try again with
408       an alternate cipher suite id. It may also  be  possible  the  available
409       cipher suite ids are not correctly configured on the remote BMC.
410
411       "ipmi  2.0  unavailable"  -  IPMI  2.0 was not discovered on the remote
412       machine. Please try to use IPMI 1.5 instead.
413
414       "connection timeout" - Initial IPMI communication failed. A  number  of
415       potential errors are possible, including an invalid hostname specified,
416       an IPMI IP address cannot be resolved,  IPMI  is  not  enabled  on  the
417       remote  server,  the network connection is bad, etc. Please verify con‐
418       figuration and connectivity.
419
420       "session timeout" - The IPMI session has timed out.  Please  reconnect.
421       If this error occurs often, you may wish to increase the retransmission
422       timeout. Some remote BMCs are considerably slower than others.
423
424       "device not found" - The specified device could not  be  found.  Please
425       check configuration or inputs and try again.
426
427       "driver  timeout"  -  Communication with the driver or device has timed
428       out. Please try again.
429
430       "message timeout" - Communication with the driver or device  has  timed
431       out. Please try again.
432
433       "BMC  busy"  - The BMC is currently busy. It may be processing informa‐
434       tion or have too many simultaneous sessions to manage. Please wait  and
435       try again.
436
437       "could  not  find inband device" - An inband device could not be found.
438       Please check configuration or specify specific device or driver on  the
439       command line.
440
441       "driver timeout" - The inband driver has timed out communicating to the
442       local BMC or service processor. The BMC or  service  processor  may  be
443       busy or (worst case) possibly non-functioning.
444
445       "internal  IPMI  error" - An IPMI error has occurred that FreeIPMI does
446       not know how  to  handle.  Please  e-mail  <freeipmi-users@gnu.org>  to
447       report the issue.
448

WORKAROUNDS

450       With  so  many different vendors implementing their own IPMI solutions,
451       different vendors may implement their IPMI protocols  incorrectly.  The
452       following describes a number of workarounds currently available to han‐
453       dle discovered compliance issues. When possible, workarounds have  been
454       implemented so they will be transparent to the user. However, some will
455       require the user to specify a workaround be used via the -W option.
456
457       The hardware listed below may only indicate the hardware that a problem
458       was  discovered  on.  Newer  versions  of hardware may fix the problems
459       indicated below. Similar machines from vendors may or may  not  exhibit
460       the  same  problems.  Different vendors may license their firmware from
461       the same IPMI firmware developer, so it may be worthwhile to try  work‐
462       arounds listed below even if your motherboard is not listed.
463
464       If  you  believe  your hardware has an additional compliance issue that
465       needs a workaround to be implemented, please contact the FreeIPMI main‐
466       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
467
468       assumeio  - This workaround flag will assume inband interfaces communi‐
469       cate with system I/O rather than being memory-mapped.  This  will  work
470       around  systems  that report invalid base addresses. Those hitting this
471       issue may see "device not supported" or "could not find inband  device"
472       errors.  Issue observed on HP ProLiant DL145 G1.
473
474       spinpoll  -  This workaround flag will inform some inband drivers (most
475       notably the KCS driver) to spin while polling rather than  putting  the
476       process to sleep. This may significantly improve the wall clock running
477       time of tools because an operating system scheduler's  granularity  may
478       be  much larger than the time it takes to perform a single IPMI message
479       transaction. However, by spinning, your system may be  performing  less
480       useful work by not contexting out the tool for a more useful task.
481
482       authcap  -  This  workaround  flag  will skip early checks for username
483       capabilities, authentication capabilities, and K_g  support  and  allow
484       IPMI  authentication  to  succeed.  It  works around multiple issues in
485       which the remote system does not properly report username capabilities,
486       authentication  capabilities,  or  K_g status. Those hitting this issue
487       may  see  "username  invalid",  "authentication  type  unavailable  for
488       attempted privilege level", or "k_g invalid" errors.  Issue observed on
489       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
490       2200/4150/4450 with ELOM.
491
492       nochecksumcheck  - This workaround flag will tell FreeIPMI to not check
493       the checksums returned from IPMI command  responses.  It  works  around
494       systems that return invalid checksums due to implementation errors, but
495       the packet is otherwise valid. Users are cautioned on the use  of  this
496       option,  as  it  removes  validation of packet integrity in a number of
497       circumstances. However, it is unlikely to be an issue  in  most  situa‐
498       tions.  Those hitting this issue may see "connection timeout", "session
499       timeout", or "password verification timeout" errors. On IPMI  1.5  con‐
500       nections,  the  "noauthcodecheck" workaround may also needed too. Issue
501       observed on Supermicro X9SCM-iiF, Supermicro  X9DRi-F,  and  Supermicro
502       X9DRFR.
503
504       idzero  -  This  workaround  flag  will  allow  empty session IDs to be
505       accepted by the client. It works around IPMI sessions that report empty
506       session  IDs  to  the client. Those hitting this issue may see "session
507       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
508
509       unexpectedauth - This workaround flag will  allow  unexpected  non-null
510       authcodes  to  be checked as though they were expected. It works around
511       an issue when packets contain non-null authentication  data  when  they
512       should  be  null due to disabled per-message authentication. Those hit‐
513       ting this issue may see "session timeout"  errors.  Issue  observed  on
514       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
515
516       forcepermsg  -  This workaround flag will force per-message authentica‐
517       tion to be used no matter what is advertised by the remote  system.  It
518       works  around an issue when per-message authentication is advertised as
519       disabled on the remote system, but it is actually required for the pro‐
520       tocol.  Those  hitting  this  issue  may  see "session timeout" errors.
521       Issue observed on IBM eServer 325.
522
523       endianseq - This workaround flag will flip the endian  of  the  session
524       sequence  numbers  to  allow the session to continue properly. It works
525       around IPMI 1.5 session sequence numbers that  are  the  wrong  endian.
526       Those  hitting  this  issue  may  see  "session  timeout" errors. Issue
527       observed on  some  Sun  ILOM  1.0/2.0  (depends  on  service  processor
528       endian).
529
530       noauthcodecheck  - This workaround flag will tell FreeIPMI to not check
531       the authentication codes returned from IPMI 1.5 command  responses.  It
532       works  around  systems  that return invalid authentication codes due to
533       hashing or implementation errors. Users are cautioned  on  the  use  of
534       this option, as it removes an authentication check verifying the valid‐
535       ity of a packet. However, in most organizations, this is unlikely to be
536       a  security  issue.  Those hitting this issue may see "connection time‐
537       out", "session timeout", or  "password  verification  timeout"  errors.
538       Issue  observed  on  Xyratex FB-H8-SRAY, Intel Windmill, Quanta Winter‐
539       fell, and Wiwynn Windmill.
540
541       intel20 - This workaround flag will work around several Intel IPMI  2.0
542       authentication issues. The issues covered include padding of usernames,
543       and password  truncation  if  the  authentication  algorithm  is  HMAC-
544       MD5-128. Those hitting this issue may see "username invalid", "password
545       invalid", or "k_g invalid" errors. Issue observed  on  Intel  SE7520AF2
546       with Intel Server Management Module (Professional Edition).
547
548       supermicro20 - This workaround flag will work around several Supermicro
549       IPMI 2.0  authentication  issues  on  motherboards  w/  Peppercon  IPMI
550       firmware.  The issues covered include handling invalid length authenti‐
551       cation codes. Those hitting  this  issue  may  see  "password  invalid"
552       errors.   Issue  observed on Supermicro H8QME with SIMSO daughter card.
553       Confirmed fixed on newerver firmware.
554
555       sun20 - This workaround flag will work work around several Sun IPMI 2.0
556       authentication issues. The issues covered include invalid lengthed hash
557       keys, improperly hashed keys, and invalid cipher suite  records.  Those
558       hitting  this  issue  may see "password invalid" or "bmc error" errors.
559       Issue observed on Sun Fire 4100/4200/4500 with ILOM.   This  workaround
560       automatically includes the "opensesspriv" workaround.
561
562       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
563       2.0 connection protocol to workaround an invalid hashing algorithm used
564       by  the remote system. The privilege level sent during the Open Session
565       stage of an IPMI 2.0 connection is used for hashing keys instead of the
566       privilege  level  sent during the RAKP1 connection stage. Those hitting
567       this issue may see "password invalid", "k_g invalid", or "bad  rmcpplus
568       status  code"  errors.   Issue observed on Sun Fire 4100/4200/4500 with
569       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
570       Intel S5500WBV/Penguin Relion 700, Intel S2600JF/Appro 512X, and Quanta
571       QSSC-S4R/Appro GB812X-CN. This workaround  is  automatically  triggered
572       with the "sun20" workaround.
573
574       integritycheckvalue  - This workaround flag will work around an invalid
575       integrity check value during an IPMI  2.0  session  establishment  when
576       using  Cipher Suite ID 0. The integrity check value should be 0 length,
577       however the remote motherboard responds with a non-empty  field.  Those
578       hitting  this  issue  may  see  "k_g invalid" errors. Issue observed on
579       Supermicro X8DTG, Supermicro X8DTU, and Intel  S5500WBV/Penguin  Relion
580       700, and Intel S2600JF/Appro 512X.
581
582       assumemaxsdrrecordcount  -  This  workaround will inform SDR reading to
583       stop reading after a known maximum numer of SDR records have been read.
584       This  will  work  around  systems that have mis-implemented SDR reading
585       functions that. Those hitting this issue  may  see  "SDR  record  count
586       invalid" errors. Issue observed on unspecified Inspur motherboard.
587
588       malformedack  - This workaround flag will ignore malformed PET acknowl‐
589       edge responses and assume any PET acknowledge response from the  remote
590       machine  is valid. It works around remote systems that respond with PET
591       acknowledge requests with invalid/malformed IPMI payloads.  Those  hit‐
592       ting  this  issue may see "session timeout" errors when executing a PET
593       acknowledge. Issue observed on Dell Poweredge R610.
594
595       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
596       found  to  not support IPMI 1.5. Those hitting this issue may see "ipmi
597       2.0 unavailable" or "connection timeout"  errors.  This  issue  can  be
598       worked  around  by  using  IPMI  2.0  instead of IPMI 1.5 by specifying
599       --driver-type=LAN_2_0. Issue observed on HP Proliant DL 145.
600

OEM INTERPRETATION

602       The following motherboards are confirmed to have atleast  some  support
603       by  the --interpret-oem-data option. While highly probable the OEM data
604       interpretations would work across other motherboards by the same  manu‐
605       facturer,  there  are no guarantees. Some of the motherboards below may
606       be rebranded by vendors/distributors.
607
608       Currently None
609

EXAMPLES

611       Interpret a PET using the local SDR cache.
612
613       # ipmi-pet 356224 0x44 0x45 0x4c 0x4c 0x50 0x00  0x10  0x59  0x80  0x43
614       0xb2  0xc0  0x4f 0x33 0x33 0x58 0x00 0x02 0x19 0xe8 0x7e 0x26 0xff 0xff
615       0x20 0x20 0x04 0x20 0x73 0x18 0x00 0x80 0x01 0xff 0x00 0x00  0x00  0x00
616       0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1
617
618       Interpret a PET using a remote SDR cache.
619
620       #  ipmi-pet  -h ahost -u myusername -p mypassword 356224 0x44 0x45 0x4c
621       0x4c 0x50 0x00 0x10 0x59 0x80 0x43 0xb2 0xc0 0x4f 0x33 0x33  0x58  0x00
622       0x02  0x19  0xe8 0x7e 0x26 0xff 0xff 0x20 0x20 0x04 0x20 0x73 0x18 0x00
623       0x80 0x01 0xff 0x00 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x02  0xa2  0x01
624       0x00 0xc1
625
626       Interpret a PET using a previously stored SDR cache.
627
628       #  ipmi-pet  356224  0x44  0x45 0x4c 0x4c 0x50 0x00 0x10 0x59 0x80 0x43
629       0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00 0x02 0x19 0xe8 0x7e 0x26  0xff  0xff
630       0x20  0x20  0x04 0x20 0x73 0x18 0x00 0x80 0x01 0xff 0x00 0x00 0x00 0x00
631       0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1 --sdr-cache-file=/tmp/mys‐
632       drcache
633
634       Instead of outputting trap interpretation, send a PET acknowledge using
635       the trap data.
636
637       # ipmi-pet -h ahost --pet-acknowledge 356224 0x44 0x45 0x4c  0x4c  0x50
638       0x00  0x10  0x59 0x80 0x43 0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00 0x02 0x19
639       0xe8 0x7e 0x26 0xff 0xff 0x20 0x20 0x04 0x20 0x73 0x18 0x00  0x80  0x01
640       0xff 0x00 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1
641

DIAGNOSTICS

643       Upon  successful  execution, exit status is 0. On error, exit status is
644       1.
645

KNOWN ISSUES

647       On older operating systems, if you input your username,  password,  and
648       other  potentially  security  relevant information on the command line,
649       this information may be discovered by other users when using tools like
650       the  ps(1) command or looking in the /proc file system. It is generally
651       more secure to input password information with options like the  -P  or
652       -K  options.  Configuring security relevant information in the FreeIPMI
653       configuration file would also be an appropriate way to hide this infor‐
654       mation.
655
656       In  order  to  prevent  brute force attacks, some BMCs will temporarily
657       "lock up" after a number of remote authentication errors. You may  need
658       to  wait awhile in order to this temporary "lock up" to pass before you
659       may authenticate again.
660

REPORTING BUGS

662       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
663
665       Copyright © 2011-2015 FreeIPMI Core Team
666
667       This program is free software; you can redistribute it and/or modify it
668       under  the  terms of the GNU General Public License as published by the
669       Free Software Foundation; either version 3 of the License, or (at  your
670       option) any later version.
671

SEE ALSO

673       freeipmi(7),  bmc-info(8), ipmi-config(8), ipmi-sel(8), freeipmi_inter‐
674       pret_sel.conf(5)
675
676       http://www.gnu.org/software/freeipmi/
677
678
679
680IPMI-PET version 1.5.7            2018-04-11                       IPMI-PET(8)
Impressum