I have become allergic to Java. It seems every time I need to access a
server console my system is throwing fits about Java security. I've
spent hours trying to fix a Java issue which was preventing me from
fixing a server I needed console access to. I will show you how to
end this madness.
FreeBSD
You should always enable the serial console on your servers. You never
know when you will need it, and it is a prerequisite for this exercise.
On FreeBSD you will want to do the following:
/boot/loader.conf:
boot_multicons="YES"
boot_serial="YES"
comconsole_speed="115200"
console="comconsole,vidconsole"
Enable ttyu0 always by changing onifconsole to on in /etc/ttys:
ttyu0 "/usr/libexec/getty 3wire" vt100 on secure
On releases before 10.3-RELEASE you also change std.9600 to std.115200 as
3wire is not available:
ttyu0 "/usr/libexec/getty std.115200" vt100 on secure
When complete you will need to enable it with kill -HUP 1.
You can find more details on this in the FreeBSD handbook.
Dell DRAC
On Dell servers you will need to enable the serial console in the BIOS.
If you have multiple serial ports the following configuration should
allow both the physical and virtual serial ports to function as
intended. Here is a screenshot of my BIOS settings:
You will also want to enable IPMI. This can be done in the DRAC settings
on boot in the following screenshot, or you can SSH to the DRAC console
and enable it there with the rest of the settings.
To finish the setup we SSH to the DRAC console and run the following
commands:
# The DRAC shell is usually prefixed with something like /admin1-> but
# I will not print it here so you can easily copy/paste this
racadm config -g cfgSerial -o cfgSerialBaudRate 115200
racadm config -g cfgSerial -o cfgSerialCom2RedirEnable 1
racadm config -g cfgSerial -o cfgSerialSshEnable 1
racadm config -g cfgIpmiSol -o cfgIpmiSolEnable 1
racadm config -g cfgIpmiSol -o cfgIpmiSolBaudRate 115200
racadm config -g cfgIpmiLan -o cfgIpmiLanEnable 1
There are settings to limit DRAC network access (HTTPS, SSH, IPMI)
to a specific subnet, but I strongly suggest you do not place your DRAC
on the internet and protect it with a real firewall. It would be
reasonable to enable this bruteforce protection if you wish to do so.
The following blocks for 5 minutes after 5 failed attempts:
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 5
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 300
Now you have remote access to your server without Java. You can access
it with one of the following:
ssh:
$ ssh root@1.2.3.4
/admin1-> console com2
ipmi:
$ ipmitool -I lanplus -U root -H 1.2.3.4 sol activate
Both of these will render best if your terminal window is 80x24.
Cisco CIMC
Assuming you've already provisioned an IP address for your Cisco CIMC
and it is accessible on the network you can simply ssh into the CIMC and
run the following commands:
cisco-cimc# scope sol
cisco-cimc /sol # set baud-rate 115200
cisco-cimc /sol *# set enabled yes
cisco-cimc /sol *# commit
show
cisco-cimc /sol # show
Enabled Baud Rate(bps)
------- ---------------
yes 115200
cisco-cimc# top
cisco-cimc# scope ipmi
cisco-cimc /ipmi # set enabled yes
cisco-cimc /ipmi *# commit
cisco-cimc /ipmi # show
Enabled Encryption Key Privilege Level Limit
------- ---------------------------------------- ---------------------
yes 0000000000000000000000000000000000000000 admin
db02-ipmi /ipmi #
Or for your copy/paste speedrun:
scope sol
set baud-rate 115200
set enabled yes
top
scope ipmi
set enabled yes
commit
Now you can connect to the serial console by one of the following:
ssh:
$ ssh admin@1.2.3.4
cisco-cimc# connect host
ipmi:
$ ipmitool -I lanplus -U admin -H 1.2.3.4 sol activate
The Cisco CIMC also allows you to mount remote media from a fileshare or
HTTP/HTTPS URL which is fantastic for troubleshooting. :-)