1IPMI-PET(8)                     System Commands                    IPMI-PET(8)
2
3
4

NAME

6       IPMI - IPMI Platform Event Trap Interpreter
7

SYNOPSIS

9       ipmi-pet [OPTION...] [SPECIFIC TRAP] [VARIABLE BINDING HEX BYTES ...]
10

DESCRIPTION

12       Ipmi-pet interprets hex bytes from a platform event trap (PET) and out‐
13       puts a string representing its contents. Hex values may be input on the
14       command  line, a file via the --file option, or via stdin if neither of
15       the previous are specified.  Ipmi-pet is commonly used  in  conjunction
16       with an SNMP trap daemon to intrepret the results from an IPMI PET trap
17       captured by the daemon. While ipmi-pet could be  called  directly  from
18       such  a daemon, typically a script is called to parse the SNMP daemon's
19       output and convert it into a form that can be input into ipmi-pet.   On
20       some  systems,  you may wish to also send a PET acknowledge to a remote
21       system to inform it the trap was received and parsed. One can  be  sent
22       using  the  --pet-acknowledge option.  While an IPMI session is not re‐
23       quired to interpret a PET, data from the sensor data  repository  (SDR)
24       is required to properly interpret sensor names and other information in
25       the PET. IPMI session configuration below, such  as  driver,  hostname,
26       username,  etc.  should be configured to load the SDR of the host where
27       the trap originated.  If this is difficult to perform, it may  be  wise
28       to  cache  and load a specific SDR cache using the --sdr-cache-file op‐
29       tion.  If the SDR is difficult to obtain, the --ignore-sdr-cache option
30       can be specified so that an SDR will not be loaded, and an IPMI session
31       will not be required. The PET will be interpreted as best  as  possible
32       given  no  SDR.  The --ignore-sdr-cache option may affect other options
33       such as --interpret-oem-data too.  Some  options,  such  as  --manufac‐
34       turer-id  and  --product-id may alleviate some of these issues.  If the
35       SNMP daemon does not output a SNMPv1 specific trap on its  own,  it  is
36       typically output as the last element of the OID in SNMPv2.  If for some
37       reason a specific trap cannot be determined, the value of NA may be in‐
38       put  for  the  specific trap to indicate it is not available.  Ipmi-pet
39       will output as much as possible based on the variable bindings informa‐
40       tion. Some of the specific trap information may be obtained via SDR in‐
41       formation.
42
43       Listed below are general IPMI options, tool specific  options,  trouble
44       shooting  information,  workaround information, examples, and known is‐
45       sues. For a general introduction to FreeIPMI please see freeipmi(7).
46

GENERAL OPTIONS

48       The following options are general options for configuring IPMI communi‐
49       cation and executing general tool commands.
50
51       -D IPMIDRIVER, --driver-type=IPMIDRIVER
52              Specify  the  driver type to use instead of doing an auto selec‐
53              tion.  The currently available outofband  drivers  are  LAN  and
54              LAN_2_0,  which  perform IPMI 1.5 and IPMI 2.0 respectively. The
55              currently available inband  drivers  are  KCS,  SSIF,  OPENIPMI,
56              SUNBMC, and INTELDCMI.
57
58       --disable-auto-probe
59              Do not probe in-band IPMI devices for default settings.
60
61       --driver-address=DRIVER-ADDRESS
62              Specify  the  in-band  driver  address to be used instead of the
63              probed value. DRIVER-ADDRESS should be prefixed with "0x" for  a
64              hex value and '0' for an octal value.
65
66       --driver-device=DEVICE
67              Specify the in-band driver device path to be used instead of the
68              probed path.
69
70       --register-spacing=REGISTER-SPACING
71              Specify the in-band  driver  register  spacing  instead  of  the
72              probed  value. Argument is in bytes (i.e. 32bit register spacing
73              = 4)
74
75       --target-channel-number=CHANNEL-NUMBER
76              Specify the in-band driver target channel number  to  send  IPMI
77              requests to.
78
79       --target-slave-address=SLAVE-ADDRESS
80              Specify  the in-band driver target slave number to send IPMI re‐
81              quests to.
82
83       -h IPMIHOST, --hostname=IPMIHOST[:PORT]
84              Specify the remote host to communicate with.  An  optional  port
85              can be specified, which may be useful in port forwarding or sim‐
86              ilar situations. If specifying an IPv6 address and port, use the
87              format [ADDRESS]:PORT.
88
89       -u USERNAME, --username=USERNAME
90              Specify  the username to use when authenticating with the remote
91              host.  If not specified, a null (i.e. anonymous) username is as‐
92              sumed.  The  user must have atleast OPERATOR privileges in order
93              for this tool to operate fully.
94
95       -p PASSWORD, --password=PASSWORD
96              Specify the password to use when authenticationg with the remote
97              host.   If  not  specified,  a null password is assumed. Maximum
98              password length is 16 for IPMI 1.5 and 20 for IPMI 2.0.
99
100       -P, --password-prompt
101              Prompt for password  to  avoid  possibility  of  listing  it  in
102              process lists.
103
104       -k K_G, --k-g=K_G
105              Specify  the K_g BMC key to use when authenticating with the re‐
106              mote host for IPMI 2.0. If not specified, a null key is assumed.
107              To  input  the  key  in hexadecimal form, prefix the string with
108              '0x'. E.g., the key 'abc' can be entered  with  the  either  the
109              string 'abc' or the string '0x616263'
110
111       -K, --k-g-prompt
112              Prompt  for  k-g  to  avoid possibility of listing it in process
113              lists.
114
115       --session-timeout=MILLISECONDS
116              Specify the session timeout in milliseconds. Defaults  to  20000
117              milliseconds (20 seconds) if not specified.
118
119       --retransmission-timeout=MILLISECONDS
120              Specify  the  packet retransmission timeout in milliseconds. De‐
121              faults to 1000 milliseconds (1 second) if not specified. The re‐
122              transmission timeout cannot be larger than the session timeout.
123
124       -a AUTHENTICATION-TYPE, --authentication-type=AUTHENTICATION-TYPE
125              Specify  the  IPMI 1.5 authentication type to use. The currently
126              available authentication types are NONE,  STRAIGHT_PASSWORD_KEY,
127              MD2, and MD5. Defaults to MD5 if not specified.
128
129       -I CIPHER-SUITE-ID, --cipher-suite-id=CIPHER-SUITE-ID
130              Specify the IPMI 2.0 cipher suite ID to use. The Cipher Suite ID
131              identifies a set of authentication, integrity, and confidential‐
132              ity  algorithms to use for IPMI 2.0 communication. The authenti‐
133              cation algorithm identifies the algorithm  to  use  for  session
134              setup,  the  integrity algorithm identifies the algorithm to use
135              for session packet signatures, and the confidentiality algorithm
136              identifies the algorithm to use for payload encryption. Defaults
137              to cipher suite ID 3 if  not  specified.  The  following  cipher
138              suite ids are currently supported:
139
140              0 - Authentication Algorithm = None; Integrity Algorithm = None;
141              Confidentiality Algorithm = None
142
143              1 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
144              None; Confidentiality Algorithm = None
145
146              2  - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm =
147              HMAC-SHA1-96; Confidentiality Algorithm = None
148
149              3 - Authentication Algorithm = HMAC-SHA1; Integrity Algorithm  =
150              HMAC-SHA1-96; Confidentiality Algorithm = AES-CBC-128
151
152              6  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
153              None; Confidentiality Algorithm = None
154
155              7 - Authentication Algorithm = HMAC-MD5; Integrity  Algorithm  =
156              HMAC-MD5-128; Confidentiality Algorithm = None
157
158              8  -  Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
159              HMAC-MD5-128; Confidentiality Algorithm = AES-CBC-128
160
161              11 - Authentication Algorithm = HMAC-MD5; Integrity Algorithm  =
162              MD5-128; Confidentiality Algorithm = None
163
164              12  - Authentication Algorithm = HMAC-MD5; Integrity Algorithm =
165              MD5-128; Confidentiality Algorithm = AES-CBC-128
166
167              15 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
168              = None; Confidentiality Algorithm = None
169
170              16 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
171              = HMAC_SHA256_128; Confidentiality Algorithm = None
172
173              17 - Authentication Algorithm = HMAC-SHA256; Integrity Algorithm
174              = HMAC_SHA256_128; Confidentiality Algorithm = AES-CBC-128
175
176       -l PRIVILEGE-LEVEL, --privilege-level=PRIVILEGE-LEVEL
177              Specify  the privilege level to be used. The currently available
178              privilege levels are USER, OPERATOR, and ADMIN. Defaults to  OP‐
179              ERATOR if not specified.
180
181       --config-file=FILE
182              Specify an alternate configuration file.
183
184       -W WORKAROUNDS, --workaround-flags=WORKAROUNDS
185              Specify  workarounds to vendor compliance issues. Multiple work‐
186              arounds can be specified separated by commas. A special  command
187              line flag of "none", will indicate no workarounds (may be useful
188              for overriding configured defaults). See WORKAROUNDS below for a
189              list of available workarounds.
190
191       --debug
192              Turn on debugging.
193
194       -?, --help
195              Output a help list and exit.
196
197       --usage
198              Output a usage message and exit.
199
200       -V, --version
201              Output the program version and exit.
202

IPMI-PET OPTIONS

204       The following options are specific to ipmi-pet.
205
206       -v     Output  verbose  output. This option will output event direction
207              and OEM custom messages from the trap.
208
209       -vv    Output very verbose output. This option will  output  additional
210              information  available  in  the trap, such as GUID, manufacturer
211              ID, and system ID.
212
213       -vvv   Output very very verbose output. This option will  output  addi‐
214              tional  information  than  verbose  output. Most notably it will
215              output additional hex codes to given  information  on  ambiguous
216              events.  For  example, it will output Generator ID hex codes for
217              sensors without names.
218
219       --pet-acknowledge
220              Send PET acknowledge using inputted trap data  instead  of  out‐
221              putting  data.  In some circumstances, this may be useful to in‐
222              form a remote system that a trap was  received  and  parsed.  If
223              specified,  a hostname must be specified via -h or --hostname to
224              inform ipmi-pet where to send the acknowledge to. When this  op‐
225              tion  is  specified,  the SDR cache is not loaded and is not re‐
226              quired.
227
228       --file=CMD-FILE
229              Specify a file to read PET specific trap and  variable  bindings
230              hex from instead of command line.
231
232       --output-event-severity
233              Output  event  severity  in  output. This will add an additional
234              output of an event severity. The outputs may be Monitor,  Infor‐
235              mation,  OK, Non-critical condition, Critical condition, or Non-
236              recoverable condition. This differs from the  output  of  --out‐
237              put-event-state,  as  event severity is not interpreted, it is a
238              value reported in the SNMP trap. However, not all events may re‐
239              port  a  severity, or some manufacturers may not support the re‐
240              port of a severity. Event severity will automatically be  output
241              under verbose output.
242
243       --output-event-state
244              Output event state in output. This will add an additional output
245              reporting if an event should be viewed as NOMINAL,  WARNING,  or
246              CRITICAL.  This differs from the output of --output-event-sever‐
247              ity, as this output is an interpreted value that will be  inter‐
248              preted  identically  to the --output-event-state output in ipmi-
249              sel(8).  As long as an event interpretation  is  supported,  all
250              events  will  have outputted state. The event state is an inter‐
251              preted    value    based    on    the     configuration     file
252              /etc/freeipmi//freeipmi_interpret_sel.conf  and the event direc‐
253              tion. See freeipmi_interpret_sel.conf(5) for more information.
254
255       --event-state-config-file=FILE
256              Specify an alternate event state configuration file. Option  ig‐
257              nored if --output-event-state not specified.
258
259       --manufacturer-id=NUMBER
260              Specify a specific manufacturer id to assume. Useful if you wish
261              to specify --interpret-oem-data, but the manufacturer id  cannot
262              be  determined  by  IPMI  access or is not available in the SNMP
263              trap.  The manufacturer id of a motherboard  can  be  determined
264              with  bmc-info(8).  If this option is specified, so must --prod‐
265              uct-id.
266
267       --product-id=NUMBER
268              Specify a specific product id to assume. Useful if you  wish  to
269              specify  --interpret-oem-data,  but the product id cannot be de‐
270              termined by IPMI access or is not available in  the  SNMP  trap.
271              The  product  id  of  a  motherboard can be determined with bmc-
272              info(8).  If  this  option  is  specified,  so  must  --manufac‐
273              turer-id.
274
275       --interpret-oem-data
276              Attempt  to interpret OEM data, such as event data, sensor read‐
277              ings, or general extra info, etc. If an  OEM  interpretation  is
278              not available, the default output will be generated. Correctness
279              of OEM interpretations cannot be  guaranteed  due  to  potential
280              changes OEM vendors may make in products, firmware, etc. See OEM
281              INTERPRETATION below for confirmed supported motherboard  inter‐
282              pretations.
283
284       --entity-sensor-names
285              Output  sensor  names prefixed with their entity id and instance
286              number when appropriate. This may be necessary on  some  mother‐
287              boards  to help identify what sensors are referencing. For exam‐
288              ple, a motherboard may have multiple sensors named  'TEMP'.  The
289              entity  id  and  instance  number  may help clarify which sensor
290              refers to "Processor 1" vs. "Processor 2".
291
292       --no-sensor-type-output
293              Do not show sensor type output for each entry. On many  systems,
294              the sensor type is redundant to the name of the sensor. This can
295              especially be true if --entity-sensor-names  is  specified.   If
296              the  sensor  name  is sufficient, or if the sensor type is of no
297              interest to the user, this option can be specified  to  condense
298              output.
299
300       --comma-separated-output
301              Output fields in comma separated format.
302
303       --no-header-output
304              Do not output column headers. May be useful in scripting.
305
306       --non-abbreviated-units
307              Output  non-abbreviated  units (e.g. 'Amps' instead of 'A'). May
308              aid  in  disambiguation  of  units  (e.g.  'C'  for  Celsius  or
309              Coulombs).
310

SDR CACHE OPTIONS

312       This tool requires access to the sensor data repository (SDR) cache for
313       general operation. By default, SDR data will be downloaded  and  cached
314       on the local machine. The following options apply to the SDR cache.
315
316       --flush-cache
317              Flush  a  cached  version  of  the  sensor data repository (SDR)
318              cache. The SDR is typically cached for faster subsequent access.
319              However,  it  may need to be flushed and re-generated if the SDR
320              has been updated on a system.
321
322       --quiet-cache
323              Do not output information about cache creation/deletion. May  be
324              useful in scripting.
325
326       --sdr-cache-recreate
327              If the SDR cache is out of date or invalid, automatically recre‐
328              ate the sensor data repository (SDR) cache. This option  may  be
329              useful for scripting purposes.
330
331       --sdr-cache-file=FILE
332              Specify a specific sensor data repository (SDR) cache file to be
333              stored or read from. If this option is used when multiple  hosts
334              are  specified,  the  same  SDR  cache file will be used for all
335              hosts.
336
337       --sdr-cache-directory=DIRECTORY
338              Specify an alternate directory for sensor data repository  (SDR)
339              caches to be stored or read from. Defaults to the home directory
340              if not specified.
341
342       --ignore-sdr-cache
343              Ignore SDR cache related processing. May lead to  incomplete  or
344              less  useful  information  being  output,  however it will allow
345              functionality for systems without SDRs or when the  correct  SDR
346              cannot be loaded.
347

GENERAL TROUBLESHOOTING

349       Most often, IPMI problems are due to configuration problems.
350
351       IPMI  over  LAN  problems  involve a misconfiguration of the remote ma‐
352       chine's BMC.  Double check to make sure the  following  are  configured
353       properly  in  the remote machine's BMC: IP address, MAC address, subnet
354       mask, username, user enablement, user privilege, password,  LAN  privi‐
355       lege,  LAN enablement, and allowed authentication type(s). For IPMI 2.0
356       connections, double check to make sure the  cipher  suite  privilege(s)
357       and  K_g  key  are  configured properly. The ipmi-config(8) tool can be
358       used to check and/or change these configuration settings.
359
360       Inband IPMI problems are  typically  caused  by  improperly  configured
361       drivers or non-standard BMCs.
362
363       In  addition  to the troubleshooting tips below, please see WORKAROUNDS
364       below to also if there are any vendor specific bugs that have been dis‐
365       covered and worked around.
366
367       Listed below are many of the common issues for error messages.  For ad‐
368       ditional support, please e-mail  the  <freeipmi-users@gnu.org>  mailing
369       list.
370
371       "username  invalid"  - The username entered (or a NULL username if none
372       was entered) is not available on the remote machine.  It  may  also  be
373       possible the remote BMC's username configuration is incorrect.
374
375       "password  invalid"  - The password entered (or a NULL password if none
376       was entered) is not correct. It may also be possible the  password  for
377       the user is not correctly configured on the remote BMC.
378
379       "password  verification timeout" - Password verification has timed out.
380       A "password invalid" error (described  above)  or  a  generic  "session
381       timeout" (described below) occurred.  During this point in the protocol
382       it cannot be differentiated which occurred.
383
384       "k_g invalid" - The K_g key entered (or a NULL K_g key if none was  en‐
385       tered)  is not correct. It may also be possible the K_g key is not cor‐
386       rectly configured on the remote BMC.
387
388       "privilege level insufficient" - An IPMI command requires a higher user
389       privilege  than  the one authenticated with. Please try to authenticate
390       with a higher privilege. This may require authenticating to a different
391       user which has a higher maximum privilege.
392
393       "privilege  level  cannot  be  obtained  for this user" - The privilege
394       level you are attempting to authenticate with is higher than the  maxi‐
395       mum  allowed for this user. Please try again with a lower privilege. It
396       may also be possible the maximum privilege level allowed for a user  is
397       not configured properly on the remote BMC.
398
399       "authentication  type  unavailable for attempted privilege level" - The
400       authentication type you wish to authenticate with is not available  for
401       this privilege level. Please try again with an alternate authentication
402       type or alternate privilege level. It may also be possible  the  avail‐
403       able  authentication  types you can authenticate with are not correctly
404       configured on the remote BMC.
405
406       "cipher suite id unavailable" - The cipher suite id you wish to authen‐
407       ticate  with  is not available on the remote BMC. Please try again with
408       an alternate cipher suite id. It may also be possible the available ci‐
409       pher suite ids are not correctly configured on the remote BMC.
410
411       "ipmi  2.0 unavailable" - IPMI 2.0 was not discovered on the remote ma‐
412       chine. Please try to use IPMI 1.5 instead.
413
414       "connection timeout" - Initial IPMI communication failed. A  number  of
415       potential errors are possible, including an invalid hostname specified,
416       an IPMI IP address cannot be resolved, IPMI is not enabled on  the  re‐
417       mote server, the network connection is bad, etc. Please verify configu‐
418       ration and connectivity.
419
420       "session timeout" - The IPMI session has timed out.  Please  reconnect.
421       If this error occurs often, you may wish to increase the retransmission
422       timeout. Some remote BMCs are considerably slower than others.
423
424       "device not found" - The specified device could not  be  found.  Please
425       check configuration or inputs and try again.
426
427       "driver  timeout"  -  Communication with the driver or device has timed
428       out. Please try again.
429
430       "message timeout" - Communication with the driver or device  has  timed
431       out. Please try again.
432
433       "BMC  busy"  - The BMC is currently busy. It may be processing informa‐
434       tion or have too many simultaneous sessions to manage. Please wait  and
435       try again.
436
437       "could  not  find inband device" - An inband device could not be found.
438       Please check configuration or specify specific device or driver on  the
439       command line.
440
441       "driver timeout" - The inband driver has timed out communicating to the
442       local BMC or service processor. The BMC or  service  processor  may  be
443       busy or (worst case) possibly non-functioning.
444
445       "internal  IPMI  error" - An IPMI error has occurred that FreeIPMI does
446       not know how to handle. Please e-mail <freeipmi-users@gnu.org>  to  re‐
447       port the issue.
448

WORKAROUNDS

450       With  so  many different vendors implementing their own IPMI solutions,
451       different vendors may implement their IPMI protocols  incorrectly.  The
452       following describes a number of workarounds currently available to han‐
453       dle discovered compliance issues. When possible, workarounds have  been
454       implemented so they will be transparent to the user. However, some will
455       require the user to specify a workaround be used via the -W option.
456
457       The hardware listed below may only indicate the hardware that a problem
458       was  discovered on. Newer versions of hardware may fix the problems in‐
459       dicated below. Similar machines from vendors may or may not exhibit the
460       same  problems.  Different  vendors may license their firmware from the
461       same IPMI firmware developer, so it may  be  worthwhile  to  try  work‐
462       arounds listed below even if your motherboard is not listed.
463
464       If  you  believe  your hardware has an additional compliance issue that
465       needs a workaround to be implemented, please contact the FreeIPMI main‐
466       tainers on <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
467
468       assumeio  - This workaround flag will assume inband interfaces communi‐
469       cate with system I/O rather than being memory-mapped.  This  will  work
470       around  systems  that report invalid base addresses. Those hitting this
471       issue may see "device not supported" or "could not find inband  device"
472       errors.  Issue observed on HP ProLiant DL145 G1.
473
474       spinpoll  -  This workaround flag will inform some inband drivers (most
475       notably the KCS driver) to spin while polling rather than  putting  the
476       process to sleep. This may significantly improve the wall clock running
477       time of tools because an operating system scheduler's  granularity  may
478       be  much larger than the time it takes to perform a single IPMI message
479       transaction. However, by spinning, your system may be  performing  less
480       useful work by not contexting out the tool for a more useful task.
481
482       authcap  - This workaround flag will skip early checks for username ca‐
483       pabilities, authentication capabilities, and K_g support and allow IPMI
484       authentication to succeed. It works around multiple issues in which the
485       remote system does not properly report username capabilities, authenti‐
486       cation  capabilities,  or  K_g status. Those hitting this issue may see
487       "username invalid",  "authentication  type  unavailable  for  attempted
488       privilege  level",  or  "k_g  invalid"  errors.  Issue observed on Asus
489       P5M2/P5MT-R/RS162-E4/RX4,   Intel   SR1520ML/X38ML,   and   Sun    Fire
490       2200/4150/4450 with ELOM.
491
492       nochecksumcheck  - This workaround flag will tell FreeIPMI to not check
493       the checksums returned from IPMI command  responses.  It  works  around
494       systems that return invalid checksums due to implementation errors, but
495       the packet is otherwise valid. Users are cautioned on the use  of  this
496       option,  as  it  removes  validation of packet integrity in a number of
497       circumstances. However, it is unlikely to be an issue  in  most  situa‐
498       tions.  Those hitting this issue may see "connection timeout", "session
499       timeout", or "password verification timeout" errors. On IPMI  1.5  con‐
500       nections,  the  "noauthcodecheck" workaround may also needed too. Issue
501       observed on Supermicro X9SCM-iiF, Supermicro  X9DRi-F,  and  Supermicro
502       X9DRFR.
503
504       idzero  -  This  workaround flag will allow empty session IDs to be ac‐
505       cepted by the client. It works around IPMI sessions that  report  empty
506       session  IDs  to  the client. Those hitting this issue may see "session
507       timeout" errors. Issue observed on Tyan S2882 with M3289 BMC.
508
509       unexpectedauth - This workaround flag will  allow  unexpected  non-null
510       authcodes  to  be checked as though they were expected. It works around
511       an issue when packets contain non-null authentication  data  when  they
512       should  be  null due to disabled per-message authentication. Those hit‐
513       ting this issue may see "session timeout"  errors.  Issue  observed  on
514       Dell PowerEdge 2850,SC1425. Confirmed fixed on newer firmware.
515
516       forcepermsg  -  This workaround flag will force per-message authentica‐
517       tion to be used no matter what is advertised by the remote  system.  It
518       works  around an issue when per-message authentication is advertised as
519       disabled on the remote system, but it is actually required for the pro‐
520       tocol.  Those hitting this issue may see "session timeout" errors.  Is‐
521       sue observed on IBM eServer 325.
522
523       endianseq - This workaround flag will flip the endian  of  the  session
524       sequence  numbers  to  allow the session to continue properly. It works
525       around IPMI 1.5 session sequence numbers that  are  the  wrong  endian.
526       Those  hitting  this  issue may see "session timeout" errors. Issue ob‐
527       served on some Sun ILOM 1.0/2.0 (depends on service processor endian).
528
529       noauthcodecheck - This workaround flag will tell FreeIPMI to not  check
530       the  authentication  codes returned from IPMI 1.5 command responses. It
531       works around systems that return invalid authentication  codes  due  to
532       hashing  or  implementation  errors.  Users are cautioned on the use of
533       this option, as it removes an authentication check verifying the valid‐
534       ity of a packet. However, in most organizations, this is unlikely to be
535       a security issue. Those hitting this issue may  see  "connection  time‐
536       out",  "session  timeout",  or  "password verification timeout" errors.
537       Issue observed on Xyratex FB-H8-SRAY, Intel  Windmill,  Quanta  Winter‐
538       fell, and Wiwynn Windmill.
539
540       intel20  - This workaround flag will work around several Intel IPMI 2.0
541       authentication issues. The issues covered include padding of usernames,
542       and  password  truncation  if  the  authentication  algorithm  is HMAC-
543       MD5-128. Those hitting this issue may see "username invalid", "password
544       invalid",  or  "k_g  invalid" errors. Issue observed on Intel SE7520AF2
545       with Intel Server Management Module (Professional Edition).
546
547       supermicro20 - This workaround flag will work around several Supermicro
548       IPMI  2.0  authentication  issues  on  motherboards  w/  Peppercon IPMI
549       firmware. The issues covered include handling invalid length  authenti‐
550       cation  codes.  Those hitting this issue may see "password invalid" er‐
551       rors.  Issue observed on Supermicro H8QME  with  SIMSO  daughter  card.
552       Confirmed fixed on newerver firmware.
553
554       sun20 - This workaround flag will work work around several Sun IPMI 2.0
555       authentication issues. The issues covered include invalid lengthed hash
556       keys,  improperly  hashed keys, and invalid cipher suite records. Those
557       hitting this issue may see "password invalid" or  "bmc  error"  errors.
558       Issue  observed  on Sun Fire 4100/4200/4500 with ILOM.  This workaround
559       automatically includes the "opensesspriv" workaround.
560
561       opensesspriv - This workaround flag will slightly alter FreeIPMI's IPMI
562       2.0 connection protocol to workaround an invalid hashing algorithm used
563       by the remote system. The privilege level sent during the Open  Session
564       stage of an IPMI 2.0 connection is used for hashing keys instead of the
565       privilege level sent during the RAKP1 connection stage.  Those  hitting
566       this  issue may see "password invalid", "k_g invalid", or "bad rmcpplus
567       status code" errors.  Issue observed on Sun  Fire  4100/4200/4500  with
568       ILOM, Inventec 5441/Dell Xanadu II, Supermicro X8DTH, Supermicro X8DTG,
569       Intel S5500WBV/Penguin Relion 700,  Intel  S2600JF/Appro  512X,  Quanta
570       QSSC-S4R/Appro  GB812X-CN, and Dell C5220. This workaround is automati‐
571       cally triggered with the "sun20" workaround.
572
573       integritycheckvalue - This workaround flag will work around an  invalid
574       integrity check value during an IPMI 2.0 session establishment when us‐
575       ing Cipher Suite ID 0. The integrity check value should  be  0  length,
576       however  the  remote motherboard responds with a non-empty field. Those
577       hitting this issue may see "k_g invalid" errors. Issue observed on  Su‐
578       permicro  X8DTG,  Supermicro  X8DTU,  and Intel S5500WBV/Penguin Relion
579       700, and Intel S2600JF/Appro 512X.
580
581       assumemaxsdrrecordcount - This workaround will inform  SDR  reading  to
582       stop  reading  after  a  known  maximum number of SDR records have been
583       read. This will work around systems that have mis-implemented SDR read‐
584       ing  functions.  Those hitting this issue may see "SDR record count in‐
585       valid" errors. Issue observed on unspecified Inspur motherboard.
586
587       malformedack - This workaround flag will ignore malformed PET  acknowl‐
588       edge  responses and assume any PET acknowledge response from the remote
589       machine is valid. It works around remote systems that respond with  PET
590       acknowledge  requests with invalid/malformed IPMI payloads.  Those hit‐
591       ting this issue may see "session timeout" errors when executing  a  PET
592       acknowledge. Issue observed on Dell Poweredge R610.
593
594       No IPMI 1.5 Support - Some motherboards that support IPMI 2.0 have been
595       found to not support IPMI 1.5. Those hitting this issue may  see  "ipmi
596       2.0  unavailable"  or  "connection  timeout"  errors. This issue can be
597       worked around by using IPMI 2.0  instead  of  IPMI  1.5  by  specifying
598       --driver-type=LAN_2_0.  Issue observed on a number of HP and Supermicro
599       motherboards.
600

OEM INTERPRETATION

602       The following motherboards are confirmed to have atleast  some  support
603       by  the --interpret-oem-data option. While highly probable the OEM data
604       interpretations would work across other motherboards by the same  manu‐
605       facturer,  there  are no guarantees. Some of the motherboards below may
606       be rebranded by vendors/distributors.
607
608       Currently None
609

EXAMPLES

611       Interpret a PET using the local SDR cache.
612
613       # ipmi-pet 356224 0x44 0x45 0x4c 0x4c 0x50 0x00  0x10  0x59  0x80  0x43
614       0xb2  0xc0  0x4f 0x33 0x33 0x58 0x00 0x02 0x19 0xe8 0x7e 0x26 0xff 0xff
615       0x20 0x20 0x04 0x20 0x73 0x18 0x00 0x80 0x01 0xff 0x00 0x00  0x00  0x00
616       0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1
617
618       Interpret a PET using a remote SDR cache.
619
620       #  ipmi-pet  -h ahost -u myusername -p mypassword 356224 0x44 0x45 0x4c
621       0x4c 0x50 0x00 0x10 0x59 0x80 0x43 0xb2 0xc0 0x4f 0x33 0x33  0x58  0x00
622       0x02  0x19  0xe8 0x7e 0x26 0xff 0xff 0x20 0x20 0x04 0x20 0x73 0x18 0x00
623       0x80 0x01 0xff 0x00 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x02  0xa2  0x01
624       0x00 0xc1
625
626       Interpret a PET using a previously stored SDR cache.
627
628       #  ipmi-pet  356224  0x44  0x45 0x4c 0x4c 0x50 0x00 0x10 0x59 0x80 0x43
629       0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00 0x02 0x19 0xe8 0x7e 0x26  0xff  0xff
630       0x20  0x20  0x04 0x20 0x73 0x18 0x00 0x80 0x01 0xff 0x00 0x00 0x00 0x00
631       0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1 --sdr-cache-file=/tmp/mys‐
632       drcache
633
634       Instead of outputting trap interpretation, send a PET acknowledge using
635       the trap data.
636
637       # ipmi-pet -h ahost --pet-acknowledge 356224 0x44 0x45 0x4c  0x4c  0x50
638       0x00  0x10  0x59 0x80 0x43 0xb2 0xc0 0x4f 0x33 0x33 0x58 0x00 0x02 0x19
639       0xe8 0x7e 0x26 0xff 0xff 0x20 0x20 0x04 0x20 0x73 0x18 0x00  0x80  0x01
640       0xff 0x00 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x02 0xa2 0x01 0x00 0xc1
641

DIAGNOSTICS

643       Upon  successful  execution, exit status is 0. On error, exit status is
644       1.
645

KNOWN ISSUES

647       On older operating systems, if you input your username,  password,  and
648       other  potentially  security  relevant information on the command line,
649       this information may be discovered by other users when using tools like
650       the  ps(1) command or looking in the /proc file system. It is generally
651       more secure to input password information with options like the  -P  or
652       -K  options.  Configuring security relevant information in the FreeIPMI
653       configuration file would also be an appropriate way to hide this infor‐
654       mation.
655
656       In  order  to  prevent  brute force attacks, some BMCs will temporarily
657       "lock up" after a number of remote authentication errors. You may  need
658       to  wait awhile in order to this temporary "lock up" to pass before you
659       may authenticate again.
660

REPORTING BUGS

662       Report bugs to <freeipmi-users@gnu.org> or <freeipmi-devel@gnu.org>.
663
665       Copyright © 2011-2015 FreeIPMI Core Team
666
667       This program is free software; you can redistribute it and/or modify it
668       under  the  terms of the GNU General Public License as published by the
669       Free Software Foundation; either version 3 of the License, or (at  your
670       option) any later version.
671

SEE ALSO

673       freeipmi(7),  bmc-info(8), ipmi-config(8), ipmi-sel(8), freeipmi_inter‐
674       pret_sel.conf(5)
675
676       http://www.gnu.org/software/freeipmi/
677
678
679
680IPMI-PET version 1.6.10           2022-08-31                       IPMI-PET(8)
Impressum