1IPMI-PET(8)                     System Commands                    IPMI-PET(8)
2
3
4

NAME

6       IPMI - IPMI Platform Event Trap Interpreter
7

SYNOPSIS

9       ipmi-pet [OPTION...] [SPECIFIC TRAP] [VARIABLE BINDING HEX BYTES ...]
10

DESCRIPTION

12       Ipmi-pet interprets hex bytes from a platform event trap (PET) and out‐
13       puts a string representing its contents. Hex values may be input on the
14       command  line, a file via the --file option, or via stdin if neither of
15       the previous are specified.  Ipmi-pet is commonly used  in  conjunction
16       with an SNMP trap daemon to intrepret the results from an IPMI PET trap
17       captured by the daemon. While ipmi-pet could be  called  directly  from
18       such  a daemon, typically a script is called to parse the SNMP daemon's
19       output and convert it into a form that can be input into ipmi-pet.   On
20       some  systems,  you may wish to also send a PET acknowledge to a remote
21       system to inform it the trap was received and parsed. One can  be  sent
22       using  the  --pet-acknowledge  option.   While  an  IPMI session is not
23       required to interpret a PET, data from the sensor data repository (SDR)
24       is required to properly interpret sensor names and other information in
25       the PET. IPMI session configuration below, such  as  driver,  hostname,
26       username,  etc.  should be configured to load the SDR of the host where
27       the trap originated.  If this is difficult to perform, it may  be  wise
28       to  cache  and  load  a  specific  SDR cache using the --sdr-cache-file
29       option.  If the SDR is  difficult  to  obtain,  the  --ignore-sdr-cache
30       option  can be specified so that an SDR will not be loaded, and an IPMI
31       session will not be required. The PET will be interpreted  as  best  as
32       possible  given  no SDR. The --ignore-sdr-cache option may affect other
33       options such as --interpret-oem-data too. Some options, such as --manu‐
34       facturer-id  and  --product-id  may alleviate some of these issues.  If
35       the SNMP daemon does not output a SNMPv1 specific trap on its  own,  it
36       is  typically  output as the last element of the OID in SNMPv2.  If for
37       some reason a specific trap cannot be determined, the value of  NA  may
38       be  input for the specific trap to indicate it is not available.  Ipmi-
39       pet will output as much as possible  based  on  the  variable  bindings
40       information.  Some of the specific trap information may be obtained via
41       SDR information.
42
43       Listed below are general IPMI options, tool specific  options,  trouble
44       shooting  information,  workaround  information,  examples,  and  known
45       issues. For a general introduction to FreeIPMI please see freeipmi(7).
46

GENERAL OPTIONS

48       The following options are general options for configuring IPMI communi‐
49       cation and executing general tool commands.
50
51       -D IPMIDRIVER, --driver-type=IPMIDRIVER
52              Specify  the  driver type to use instead of doing an auto selec‐
53              tion.  The currently available outofband  drivers  are  LAN  and
54              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
55              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
56              SUNBMC, and INTELDCMI.
57
58       --disable-auto-probe
59              Do not probe in-band IPMI devices for default settings.
60
61       --driver-address=DRIVER-ADDRESS
62              Specify  the  in-band  driver  address to be used instead of the
63              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
64              hex value and '0' for an octal value.
65
66       --driver-device=DEVICE
67              Specify the in-band driver device path to be used instead of the
68              probed path.
69
70       --register-spacing=REGISTER-SPACING
71              Specify the in-band  driver  register  spacing  instead  of  the
72              probed  value. Argument is in bytes (i.e. 32bit register spacing
73              = 4)
74
75       --target-channel-number=CHANNEL-NUMBER
76              Specify the in-band driver target channel number  to  send  IPMI
77              requests to.
78
79       --target-slave-address=SLAVE-ADDRESS
80              Specify  the  in-band  driver  target  slave number to send IPMI
81              requests to.
82
83       -h IPMIHOST, --hostname=IPMIHOST[:PORT]
84              Specify the remote host to communicate with.  An  optional  port
85              can be specified, which may be useful in port forwarding or sim‐
86              ilar situations. If specifying an IPv6 address and port, use the
87              format [ADDRESS]:PORT.
88
89       -u USERNAME, --username=USERNAME
90              Specify  the username to use when authenticating with the remote
91              host.  If not specified, a null  (i.e.  anonymous)  username  is
92              assumed. The user must have atleast OPERATOR privileges in order
93              for this tool to operate fully.
94
95       -p PASSWORD, --password=PASSWORD
96              Specify the password to use when authenticationg with the remote
97              host.   If  not  specified,  a null password is assumed. Maximum
98              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
99
100       -P, --password-prompt
101              Prompt for password  to  avoid  possibility  of  listing  it  in
102              process lists.
103
104       -k K_G, --k-g=K_G
105              Specify  the  K_g  BMC  key  to use when authenticating with the
106              remote host for IPMI 2.0.  If  not  specified,  a  null  key  is
107              assumed. To input the key in hexadecimal form, prefix the string
108              with '0x'. E.g., the key 'abc' can be entered  with  the  either
109              the string 'abc' or the string '0x616263'
110
111       -K, --k-g-prompt
112              Prompt  for  k-g  to  avoid possibility of listing it in process
113              lists.
114
115       --session-timeout=MILLISECONDS
116              Specify the session timeout in milliseconds. Defaults  to  20000
117              milliseconds (20 seconds) if not specified.
118
119       --retransmission-timeout=MILLISECONDS
120              Specify  the  packet  retransmission  timeout  in  milliseconds.
121              Defaults to 1000 milliseconds (1 second) if not  specified.  The
122              retransmission  timeout  cannot be larger than the session time‐
123              out.
124
125       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
126              Specify the IPMI 1.5 authentication type to use.  The  currently
127              available  authentication types are NONE, STRAIGHT_PASSWORD_KEY,
128              MD2, and MD5. Defaults to MD5 if not specified.
129
130       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
131              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
132              identifies a set of authentication, integrity, and confidential‐
133              ity algorithms to use for IPMI 2.0 communication. The  authenti‐
134              cation  algorithm  identifies  the  algorithm to use for session
135              setup, the integrity algorithm identifies the algorithm  to  use
136              for session packet signatures, and the confidentiality algorithm
137              identifies the algorithm to use for payload encryption. Defaults
138              to  cipher  suite  ID  3  if not specified. The following cipher
139              suite ids are currently supported:
140
141              0 - Authentication Algorithm = None; Integrity Algorithm = None;
142              Confidentiality Algorithm = None
143
144              1  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
145              None; Confidentiality Algorithm = None
146
147              2 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
148              HMAC-SHA1-96; Confidentiality Algorithm = None
149
150              3  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
151              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
152
153              6 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
154              None; Confidentiality Algorithm = None
155
156              7  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
157              HMAC-MD5-128; Confidentiality Algorithm = None
158
159              8 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
160              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
161
162              11  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
163              MD5-128; Confidentiality Algorithm = None
164
165              12 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
166              MD5-128; Confidentiality Algorithm = AES-CBC-128
167
168              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
169              = None; Confidentiality Algorithm = None
170
171              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
172              = HMAC_SHA256_128; Confidentiality Algorithm = None
173
174              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
175              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
176
177       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
178              Specify the privilege level to be used. The currently  available
179              privilege  levels  are  USER,  OPERATOR,  and ADMIN. Defaults to
180              OPERATOR if not specified.
181
182       --config-file=FILE
183              Specify an alternate configuration file.
184
185       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
186              Specify workarounds to vendor compliance issues. Multiple  work‐
187              arounds  can be specified separated by commas. A special command
188              line flag of "none", will indicate no workarounds (may be useful
189              for overriding configured defaults). See WORKAROUNDS below for a
190              list of available workarounds.
191
192       --debug
193              Turn on debugging.
194
195       -?, --help
196              Output a help list and exit.
197
198       --usage
199              Output a usage message and exit.
200
201       -V, --version
202              Output the program version and exit.
203

IPMI-PET OPTIONS

205       The following options are specific to ipmi-pet.
206
207       -v     Output verbose output. This option will output  event  direction
208              and OEM custom messages from the trap.
209
210       -vv    Output  very  verbose output. This option will output additional
211              information available in the trap, such  as  GUID,  manufacturer
212              ID, and system ID.
213
214       -vvv   Output  very  very verbose output. This option will output addi‐
215              tional information than verbose output.  Most  notably  it  will
216              output  additional  hex  codes to given information on ambiguous
217              events. For example, it will output Generator ID hex  codes  for
218              sensors without names.
219
220       --pet-acknowledge
221              Send  PET  acknowledge  using inputted trap data instead of out‐
222              putting data. In some  circumstances,  this  may  be  useful  to
223              inform  a  remote system that a trap was received and parsed. If
224              specified, a hostname must be specified via -h or --hostname  to
225              inform  ipmi-pet  where  to  send  the acknowledge to. When this
226              option is specified, the SDR cache is  not  loaded  and  is  not
227              required.
228
229       --file=CMD-FILE
230              Specify  a  file to read PET specific trap and variable bindings
231              hex from instead of command line.
232
233       --output-event-severity
234              Output event severity in output. This  will  add  an  additional
235              output  of an event severity. The outputs may be Monitor, Infor‐
236              mation, OK, Non-critical condition, Critical condition, or  Non-
237              recoverable  condition.  This  differs from the output of --out‐
238              put-event-state, as event severity is not interpreted, it  is  a
239              value  reported  in  the  SNMP trap. However, not all events may
240              report a severity, or some manufacturers  may  not  support  the
241              report  of a severity. Event severity will automatically be out‐
242              put under verbose output.
243
244       --output-event-state
245              Output event state in output. This will add an additional output
246              reporting  if  an event should be viewed as NOMINAL, WARNING, or
247              CRITICAL. This differs from the output of  --output-event-sever‐
248              ity,  as this output is an interpreted value that will be inter‐
249              preted identically to the --output-event-state output  in  ipmi-
250              sel(8).   As  long  as an event interpretation is supported, all
251              events will have outputted state. The event state is  an  inter‐
252              preted     value     based    on    the    configuration    file
253              /etc/freeipmi//freeipmi_interpret_sel.conf and the event  direc‐
254              tion. See freeipmi_interpret_sel.conf(5) for more information.
255
256       --event-state-config-file=FILE
257              Specify  an  alternate  event  state  configuration file. Option
258              ignored if --output-event-state not specified.
259
260       --manufacturer-id=NUMBER
261              Specify a specific manufacturer id to assume. Useful if you wish
262              to  specify --interpret-oem-data, but the manufacturer id cannot
263              be determined by IPMI access or is not  available  in  the  SNMP
264              trap.   The  manufacturer  id of a motherboard can be determined
265              with bmc-info(8).  If this option is specified, so must  --prod‐
266              uct-id.
267
268       --product-id=NUMBER
269              Specify  a  specific product id to assume. Useful if you wish to
270              specify --interpret-oem-data,  but  the  product  id  cannot  be
271              determined  by IPMI access or is not available in the SNMP trap.
272              The product id of a motherboard  can  be  determined  with  bmc-
273              info(8).   If  this  option  is  specified,  so  must --manufac‐
274              turer-id.
275
276       --interpret-oem-data
277              Attempt to interpret OEM data, such as event data, sensor  read‐
278              ings,  or  general  extra info, etc. If an OEM interpretation is
279              not available, the default output will be generated. Correctness
280              of  OEM  interpretations  cannot  be guaranteed due to potential
281              changes OEM vendors may make in products, firmware, etc. See OEM
282              INTERPRETATION  below for confirmed supported motherboard inter‐
283              pretations.
284
285       --entity-sensor-names
286              Output sensor names prefixed with their entity id  and  instance
287              number  when  appropriate. This may be necessary on some mother‐
288              boards to help identify what sensors are referencing. For  exam‐
289              ple,  a  motherboard may have multiple sensors named 'TEMP'. The
290              entity id and instance number  may  help  clarify  which  sensor
291              refers to "Processor 1" vs. "Processor 2".
292
293       --no-sensor-type-output
294              Do  not show sensor type output for each entry. On many systems,
295              the sensor type is redundant to the name of the sensor. This can
296              especially  be  true  if --entity-sensor-names is specified.  If
297              the sensor name is sufficient, or if the sensor type  is  of  no
298              interest  to  the user, this option can be specified to condense
299              output.
300
301       --comma-separated-output
302              Output fields in comma separated format.
303
304       --no-header-output
305              Do not output column headers. May be useful in scripting.
306
307       --non-abbreviated-units
308              Output non-abbreviated units (e.g. 'Amps' instead of  'A').  May
309              aid  in  disambiguation  of  units  (e.g.  'C'  for  Celsius  or
310              Coulombs).
311

SDR CACHE OPTIONS

313       This tool requires access to the sensor data repository (SDR) cache for
314       general  operation.  By default, SDR data will be downloaded and cached
315       on the local machine. The following options apply to the SDR cache.
316
317       --flush-cache
318              Flush a cached version  of  the  sensor  data  repository  (SDR)
319              cache. The SDR is typically cached for faster subsequent access.
320              However, it may need to be flushed and re-generated if  the  SDR
321              has been updated on a system.
322
323       --quiet-cache
324              Do  not output information about cache creation/deletion. May be
325              useful in scripting.
326
327       --sdr-cache-recreate
328              If the SDR cache is out of date or invalid, automatically recre‐
329              ate  the  sensor data repository (SDR) cache. This option may be
330              useful for scripting purposes.
331
332       --sdr-cache-file=FILE
333              Specify a specific sensor data repository (SDR) cache file to be
334              stored  or read from. If this option is used when multiple hosts
335              are specified, the same SDR cache file  will  be  used  for  all
336              hosts.
337
338       --sdr-cache-directory=DIRECTORY
339              Specify  an alternate directory for sensor data repository (SDR)
340              caches to be stored or read from. Defaults to the home directory
341              if not specified.
342
343       --ignore-sdr-cache
344              Ignore  SDR  cache related processing. May lead to incomplete or
345              less useful information being  output,  however  it  will  allow
346              functionality  for  systems without SDRs or when the correct SDR
347              cannot be loaded.
348

GENERAL TROUBLESHOOTING

350       Most often, IPMI problems are due to configuration problems.
351
352       IPMI over  LAN  problems  involve  a  misconfiguration  of  the  remote
353       machine's  BMC.  Double check to make sure the following are configured
354       properly in the remote machine's BMC: IP address, MAC  address,  subnet
355       mask,  username,  user enablement, user privilege, password, LAN privi‐
356       lege, LAN enablement, and allowed authentication type(s). For IPMI  2.0
357       connections,  double  check  to make sure the cipher suite privilege(s)
358       and K_g key are configured properly. The  ipmi-config(8)  tool  can  be
359       used to check and/or change these configuration settings.
360
361       Inband  IPMI  problems  are  typically  caused by improperly configured
362       drivers or non-standard BMCs.
363
364       In addition to the troubleshooting tips below, please  see  WORKAROUNDS
365       below to also if there are any vendor specific bugs that have been dis‐
366       covered and worked around.
367
368       Listed below are many of the common issues  for  error  messages.   For
369       additional  support, please e-mail the <freeipmi-users@gnu.org> mailing
370       list.
371
372       "username invalid" - The username entered (or a NULL username  if  none
373       was  entered)  is  not  available on the remote machine. It may also be
374       possible the remote BMC's username configuration is incorrect.
375
376       "password invalid" - The password entered (or a NULL password  if  none
377       was  entered)  is not correct. It may also be possible the password for
378       the user is not correctly configured on the remote BMC.
379
380       "password verification timeout" - Password verification has timed  out.
381       A  "password  invalid"  error  (described  above) or a generic "session
382       timeout" (described below) occurred.  During this point in the protocol
383       it cannot be differentiated which occurred.
384
385       "k_g  invalid"  -  The  K_g  key entered (or a NULL K_g key if none was
386       entered) is not correct. It may also be possible the  K_g  key  is  not
387       correctly configured on the remote BMC.
388
389       "privilege level insufficient" - An IPMI command requires a higher user
390       privilege than the one authenticated with. Please try  to  authenticate
391       with a higher privilege. This may require authenticating to a different
392       user which has a higher maximum privilege.
393
394       "privilege level cannot be obtained for  this  user"  -  The  privilege
395       level  you are attempting to authenticate with is higher than the maxi‐
396       mum allowed for this user. Please try again with a lower privilege.  It
397       may  also be possible the maximum privilege level allowed for a user is
398       not configured properly on the remote BMC.
399
400       "authentication type unavailable for attempted privilege level"  -  The
401       authentication  type you wish to authenticate with is not available for
402       this privilege level. Please try again with an alternate authentication
403       type  or  alternate privilege level. It may also be possible the avail‐
404       able authentication types you can authenticate with are  not  correctly
405       configured on the remote BMC.
406
407       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
408       ticate with is not available on the remote BMC. Please try  again  with
409       an  alternate  cipher  suite  id. It may also be possible the available
410       cipher suite ids are not correctly configured on the remote BMC.
411
412       "ipmi 2.0 unavailable" - IPMI 2.0 was  not  discovered  on  the  remote
413       machine. Please try to use IPMI 1.5 instead.
414
415       "connection  timeout"  - Initial IPMI communication failed. A number of
416       potential errors are possible, including an invalid hostname specified,
417       an  IPMI  IP  address  cannot  be  resolved, IPMI is not enabled on the
418       remote server, the network connection is bad, etc. Please  verify  con‐
419       figuration and connectivity.
420
421       "session  timeout"  - The IPMI session has timed out. Please reconnect.
422       If this error occurs often, you may wish to increase the retransmission
423       timeout. Some remote BMCs are considerably slower than others.
424
425       "device  not  found"  - The specified device could not be found. Please
426       check configuration or inputs and try again.
427
428       "driver timeout" - Communication with the driver or  device  has  timed
429       out. Please try again.
430
431       "message  timeout"  - Communication with the driver or device has timed
432       out. Please try again.
433
434       "BMC busy" - The BMC is currently busy. It may be  processing  informa‐
435       tion  or have too many simultaneous sessions to manage. Please wait and
436       try again.
437
438       "could not find inband device" - An inband device could not  be  found.
439       Please  check configuration or specify specific device or driver on the
440       command line.
441
442       "driver timeout" - The inband driver has timed out communicating to the
443       local  BMC  or  service  processor. The BMC or service processor may be
444       busy or (worst case) possibly non-functioning.
445
446       "internal IPMI error" - An IPMI error has occurred that  FreeIPMI  does
447       not  know  how  to  handle.  Please  e-mail <freeipmi-users@gnu.org> to
448       report the issue.
449

WORKAROUNDS

451       With so many different vendors implementing their own  IPMI  solutions,
452       different  vendors  may implement their IPMI protocols incorrectly. The
453       following describes a number of workarounds currently available to han‐
454       dle  discovered compliance issues. When possible, workarounds have been
455       implemented so they will be transparent to the user. However, some will
456       require the user to specify a workaround be used via the -W option.
457
458       The hardware listed below may only indicate the hardware that a problem
459       was discovered on. Newer versions of  hardware  may  fix  the  problems
460       indicated  below.  Similar machines from vendors may or may not exhibit
461       the same problems. Different vendors may license  their  firmware  from
462       the  same IPMI firmware developer, so it may be worthwhile to try work‐
463       arounds listed below even if your motherboard is not listed.
464
465       If you believe your hardware has an additional  compliance  issue  that
466       needs a workaround to be implemented, please contact the FreeIPMI main‐
467       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
468
469       assumeio - This workaround flag will assume inband interfaces  communi‐
470       cate  with  system  I/O rather than being memory-mapped. This will work
471       around systems that report invalid base addresses. Those  hitting  this
472       issue  may see "device not supported" or "could not find inband device"
473       errors.  Issue observed on HP ProLiant DL145 G1.
474
475       spinpoll - This workaround flag will inform some inband  drivers  (most
476       notably  the  KCS driver) to spin while polling rather than putting the
477       process to sleep. This may significantly improve the wall clock running
478       time  of  tools because an operating system scheduler's granularity may
479       be much larger than the time it takes to perform a single IPMI  message
480       transaction.  However,  by spinning, your system may be performing less
481       useful work by not contexting out the tool for a more useful task.
482
483       authcap - This workaround flag will  skip  early  checks  for  username
484       capabilities,  authentication  capabilities,  and K_g support and allow
485       IPMI authentication to succeed. It  works  around  multiple  issues  in
486       which the remote system does not properly report username capabilities,
487       authentication capabilities, or K_g status. Those  hitting  this  issue
488       may  see  "username  invalid",  "authentication  type  unavailable  for
489       attempted privilege level", or "k_g invalid" errors.  Issue observed on
490       Asus  P5M2/P5MT-R/RS162-E4/RX4,  Intel  SR1520ML/X38ML,  and  Sun  Fire
491       2200/4150/4450 with ELOM.
492
493       nochecksumcheck - This workaround flag will tell FreeIPMI to not  check
494       the  checksums  returned  from  IPMI command responses. It works around
495       systems that return invalid checksums due to implementation errors, but
496       the  packet  is otherwise valid. Users are cautioned on the use of this
497       option, as it removes validation of packet integrity  in  a  number  of
498       circumstances.  However,  it  is unlikely to be an issue in most situa‐
499       tions. Those hitting this issue may see "connection timeout",  "session
500       timeout",  or  "password verification timeout" errors. On IPMI 1.5 con‐
501       nections, the "noauthcodecheck" workaround may also needed  too.  Issue
502       observed  on  Supermicro  X9SCM-iiF, Supermicro X9DRi-F, and Supermicro
503       X9DRFR.
504
505       idzero - This workaround flag  will  allow  empty  session  IDs  to  be
506       accepted by the client. It works around IPMI sessions that report empty
507       session IDs to the client. Those hitting this issue  may  see  "session
508       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
509
510       unexpectedauth  -  This  workaround flag will allow unexpected non-null
511       authcodes to be checked as though they were expected. It  works  around
512       an  issue  when  packets contain non-null authentication data when they
513       should be null due to disabled per-message authentication.  Those  hit‐
514       ting  this  issue  may  see "session timeout" errors. Issue observed on
515       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
516
517       forcepermsg - This workaround flag will force  per-message  authentica‐
518       tion  to  be used no matter what is advertised by the remote system. It
519       works around an issue when per-message authentication is advertised  as
520       disabled on the remote system, but it is actually required for the pro‐
521       tocol. Those hitting this  issue  may  see  "session  timeout"  errors.
522       Issue observed on IBM eServer 325.
523
524       endianseq  -  This  workaround flag will flip the endian of the session
525       sequence numbers to allow the session to continue  properly.  It  works
526       around  IPMI  1.5  session  sequence numbers that are the wrong endian.
527       Those hitting this  issue  may  see  "session  timeout"  errors.  Issue
528       observed  on  some  Sun  ILOM  1.0/2.0  (depends  on  service processor
529       endian).
530
531       noauthcodecheck - This workaround flag will tell FreeIPMI to not  check
532       the  authentication  codes returned from IPMI 1.5 command responses. It
533       works around systems that return invalid authentication  codes  due  to
534       hashing  or  implementation  errors.  Users are cautioned on the use of
535       this option, as it removes an authentication check verifying the valid‐
536       ity of a packet. However, in most organizations, this is unlikely to be
537       a security issue. Those hitting this issue may  see  "connection  time‐
538       out",  "session  timeout",  or  "password verification timeout" errors.
539       Issue observed on Xyratex FB-H8-SRAY, Intel  Windmill,  Quanta  Winter‐
540       fell, and Wiwynn Windmill.
541
542       intel20  - This workaround flag will work around several Intel IPMI 2.0
543       authentication issues. The issues covered include padding of usernames,
544       and  password  truncation  if  the  authentication  algorithm  is HMAC-
545       MD5-128. Those hitting this issue may see "username invalid", "password
546       invalid",  or  "k_g  invalid" errors. Issue observed on Intel SE7520AF2
547       with Intel Server Management Module (Professional Edition).
548
549       supermicro20 - This workaround flag will work around several Supermicro
550       IPMI  2.0  authentication  issues  on  motherboards  w/  Peppercon IPMI
551       firmware. The issues covered include handling invalid length  authenti‐
552       cation  codes.  Those  hitting  this  issue  may see "password invalid"
553       errors.  Issue observed on Supermicro H8QME with SIMSO  daughter  card.
554       Confirmed fixed on newerver firmware.
555
556       sun20 - This workaround flag will work work around several Sun IPMI 2.0
557       authentication issues. The issues covered include invalid lengthed hash
558       keys,  improperly  hashed keys, and invalid cipher suite records. Those
559       hitting this issue may see "password invalid" or  "bmc  error"  errors.
560       Issue  observed  on Sun Fire 4100/4200/4500 with ILOM.  This workaround
561       automatically includes the "opensesspriv" workaround.
562
563       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
564       2.0 connection protocol to workaround an invalid hashing algorithm used
565       by the remote system. The privilege level sent during the Open  Session
566       stage of an IPMI 2.0 connection is used for hashing keys instead of the
567       privilege level sent during the RAKP1 connection stage.  Those  hitting
568       this  issue may see "password invalid", "k_g invalid", or "bad rmcpplus
569       status code" errors.  Issue observed on Sun  Fire  4100/4200/4500  with
570       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
571       Intel S5500WBV/Penguin Relion 700,  Intel  S2600JF/Appro  512X,  Quanta
572       QSSC-S4R/Appro  GB812X-CN, and Dell C5220. This workaround is automati‐
573       cally triggered with the "sun20" workaround.
574
575       integritycheckvalue - This workaround flag will work around an  invalid
576       integrity  check  value  during  an IPMI 2.0 session establishment when
577       using Cipher Suite ID 0. The integrity check value should be 0  length,
578       however  the  remote motherboard responds with a non-empty field. Those
579       hitting this issue may see "k_g  invalid"  errors.  Issue  observed  on
580       Supermicro  X8DTG,  Supermicro X8DTU, and Intel S5500WBV/Penguin Relion
581       700, and Intel S2600JF/Appro 512X.
582
583       assumemaxsdrrecordcount - This workaround will inform  SDR  reading  to
584       stop  reading  after  a  known  maximum number of SDR records have been
585       read. This will work around systems that have mis-implemented SDR read‐
586       ing  functions.  Those  hitting  this  issue  may see "SDR record count
587       invalid" errors. Issue observed on unspecified Inspur motherboard.
588
589       malformedack - This workaround flag will ignore malformed PET  acknowl‐
590       edge  responses and assume any PET acknowledge response from the remote
591       machine is valid. It works around remote systems that respond with  PET
592       acknowledge  requests with invalid/malformed IPMI payloads.  Those hit‐
593       ting this issue may see "session timeout" errors when executing  a  PET
594       acknowledge. Issue observed on Dell Poweredge R610.
595
596       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
597       found to not support IPMI 1.5. Those hitting this issue may  see  "ipmi
598       2.0  unavailable"  or  "connection  timeout"  errors. This issue can be
599       worked around by using IPMI 2.0  instead  of  IPMI  1.5  by  specifying
600       --driver-type=LAN_2_0. Issue observed on HP Proliant DL 145.
601

OEM INTERPRETATION

603       The  following  motherboards are confirmed to have atleast some support
604       by the --interpret-oem-data option. While highly probable the OEM  data
605       interpretations  would work across other motherboards by the same manu‐
606       facturer, there are no guarantees. Some of the motherboards  below  may
607       be rebranded by vendors/distributors.
608
609       Currently None
610

EXAMPLES

612       Interpret a PET using the local SDR cache.
613
614       #  ipmi-pet  356224  0x44  0x45 0x4c 0x4c 0x50 0x00 0x10 0x59 0x80 0x43
615       0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00 0x02 0x19 0xe8 0x7e 0x26  0xff  0xff
616       0x20  0x20  0x04 0x20 0x73 0x18 0x00 0x80 0x01 0xff 0x00 0x00 0x00 0x00
617       0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1
618
619       Interpret a PET using a remote SDR cache.
620
621       # ipmi-pet -h ahost -u myusername -p mypassword 356224 0x44  0x45  0x4c
622       0x4c  0x50  0x00 0x10 0x59 0x80 0x43 0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00
623       0x02 0x19 0xe8 0x7e 0x26 0xff 0xff 0x20 0x20 0x04 0x20 0x73  0x18  0x00
624       0x80  0x01  0xff 0x00 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x02 0xa2 0x01
625       0x00 0xc1
626
627       Interpret a PET using a previously stored SDR cache.
628
629       # ipmi-pet 356224 0x44 0x45 0x4c 0x4c 0x50 0x00  0x10  0x59  0x80  0x43
630       0xb2  0xc0  0x4f 0x33 0x33 0x58 0x00 0x02 0x19 0xe8 0x7e 0x26 0xff 0xff
631       0x20 0x20 0x04 0x20 0x73 0x18 0x00 0x80 0x01 0xff 0x00 0x00  0x00  0x00
632       0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1 --sdr-cache-file=/tmp/mys‐
633       drcache
634
635       Instead of outputting trap interpretation, send a PET acknowledge using
636       the trap data.
637
638       #  ipmi-pet  -h ahost --pet-acknowledge 356224 0x44 0x45 0x4c 0x4c 0x50
639       0x00 0x10 0x59 0x80 0x43 0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00  0x02  0x19
640       0xe8  0x7e  0x26 0xff 0xff 0x20 0x20 0x04 0x20 0x73 0x18 0x00 0x80 0x01
641       0xff 0x00 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1
642

DIAGNOSTICS

644       Upon successful execution, exit status is 0. On error, exit  status  is
645       1.
646

KNOWN ISSUES

648       On  older  operating systems, if you input your username, password, and
649       other potentially security relevant information on  the  command  line,
650       this information may be discovered by other users when using tools like
651       the ps(1) command or looking in the /proc file system. It is  generally
652       more  secure  to input password information with options like the -P or
653       -K options. Configuring security relevant information in  the  FreeIPMI
654       configuration file would also be an appropriate way to hide this infor‐
655       mation.
656
657       In order to prevent brute force attacks,  some  BMCs  will  temporarily
658       "lock  up" after a number of remote authentication errors. You may need
659       to wait awhile in order to this temporary "lock up" to pass before  you
660       may authenticate again.
661

REPORTING BUGS

663       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
664
666       Copyright © 2011-2015 FreeIPMI Core Team
667
668       This program is free software; you can redistribute it and/or modify it
669       under the terms of the GNU General Public License as published  by  the
670       Free  Software Foundation; either version 3 of the License, or (at your
671       option) any later version.
672

SEE ALSO

674       freeipmi(7), bmc-info(8), ipmi-config(8), ipmi-sel(8),  freeipmi_inter‐
675       pret_sel.conf(5)
676
677       http://www.gnu.org/software/freeipmi/
678
679
680
681IPMI-PET version 1.6.4            2019-08-21                       IPMI-PET(8)
Impressum