How To
Summary
The system password provides an added layer of security to the system by restricting access to certain functions and actions while in the Petitboot bootloader of the HMC.
Those restrictions can prevent a user from being able to reinstall the HMC or make configuration changes in Petitboot if the system password is set, and it is not known. This document explains the options and steps available to remove the system password.
Objective
Provide the user with the options and steps to remove the Petitboot system password, when the current password is not known.
Environment
This document applies to the 7063-CR2 Hardware Management Console (HMC.)
Steps
What is the Petitboot system password?
The Petitboot boot loader on the 7063-CR2, provides an option to configure a system password.
When enabled, the system password is required for tasks that effect changes on the configuration, such as:
- Manually selecting the boot device - This prevents the user from selecting a new boot device with which to overwrite the HMC, without providing the system password.
NOTE: When the HMC is allowed to boot automatically from the hard drive boot image, the system password is not required. - Having root access on the Petitboot shell - The user is set to "petituser". In order to switch to root, the command "su -" must be entered, followed by providing the system password.
- Saving Petitboot configuration changes.
Example of Petitboot prompting for the system password when trying to manually boot from a boot device. In this case, booting from the HMC hard drive:
Example showing the default user is petituser when the Exit to shell option is selected, and there is a system password set.
How is the Petitboot system password set?
The system password is set in Petitboot under "System configuration".
There are instances when a system password is set, and the user is not aware of having set one. As a result, they don't know the currently set system password.
How to clear the Petitboot system password
If the system password is not known, there are two ways to clear it.
- Clearing the system password through the BMC
- Clearing the system password using the Operating System
- Shutdown the HMC
- Access the BMC of the HMC through ssh, as root
Example:
ssh root@<BMC IP or hostname>
NOTE: If the network configuration of the BMC has not been set, or it is unknown, see the Additional Information section. - Remove the NVRAM file:
rm /var/lib/phosphor-software-manager/pnor/prsv/NVRAM
👁 CR2-bmc-remove-nvram - Remove the power cables from the HMC
- Wait 30 seconds, and re-connect the power cables
NOTE: The BMC takes approximately 2.5 minutes to restart. - Power the HMC back on. There should not be a system password set.
This method can be used if it is possible to log into the HMC as user hscpe as it is needed to get root access.
Obtain root access on the HMC by contacting IBM Support to get the required credentials.
Run the following commands as root on the HMC:
- Verify the system password is enabled
nvram -p common --print-config=petitboot,password
If the command returns output (long string of characters), the system password is enabled. - Clear the system password
nvram -p common --update-config petitboot,password=
This command returns no output - Finally, verify the system password is disabled
nvram -p common --print-config=petitboot,password
The command should return no output.
Additional Information
Steps to access the BMC if no network settings have been configured, or the current network settings are unknown:
- 1) Configure the network settings of a laptop or workstation to the following:
IP: 169.254.0.117 (this IP can be any in the 169.254.x.x range)
SM: 255.255.0.0 - Connect an Ethernet cable from the laptop to the dedicated port of the BMC on the 7063-CR2 (labeled M)
- Open an ssh session to "mowgli.local"
Ex.
ssh root@mowgli.local
Alternatively, use PuTTY and open a session to "mowgli.local". - When prompted, provide the root password.
If this is the first time the BMC is being accessed, the default password is still set.
The default root password is 0penBmc (zero, not O)
NOTE: You are prompted to immediately change the default password. The first prompt asks to reenter the current password, which is the default one. The next step prompts for the new password.
Simplistic passwords fail. Do not attempt to set a password containing "abc" or "123", for example. Multiple failed attempts to modify the password, results in the root user being locked. If the root user is locked, suspend further login attempts for 5 minutes (300 seconds).
Following the 5 minutes you will have exactly one chance to authenticate correctly or it will re-lock for another 5 minutes.
Rules about the BMC password:
The password must:
- Be different from the current password
- Be 8 - 20 characters long
- Include at least one uppercase letter, one lowercase letter, one numeric digit and it cannot contain spaces.
- Must not be simplistic (ex. "abc", or "123").
Example of a password that would comply with the rules: 0penBmc0 (zeros instead of letter O). - If the user remains locked, contact IBM Support for assistance.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"7063CR2","label":"Hardware Management Console (7063-CR2)"},"ARM Category":[{"code":"a8mKe000000000fIAA","label":"HMC-\u003E7063 Hardware"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}]}]
Was this topic helpful?
Document Information
Modified date:
17 April 2024
UID
ibm17148404