Centralized user management

A centralized management configuration uses a single user authentication repository for all of the Chassis Management Modules (CMMs) in a management domain. The user accounts that are created for the IBM® Flex System Manager management software are used by all of the CMMs and compute node service processors in the chassis.

When you use the IBM Flex System Manager management software to place a chassis under centralized management, the Chassis Management Module (CMM) is configured to use the registry that is stored on the management node. The local user accounts in the CMM registry are disabled, and the new user account RECOVERY_ID is created for future authentication to the CMM (for as long as the CMM is configured to use the centralized user registry on the management node).
Notes:
  • Only use the RECOVERY_ID account in an emergency; for example, if the management node fails, or if a network problem prevents the CMM from contacting the management node to authenticate users.
  • The password for the RECOVERY_ID account is expired by default, and must be reset during initial login. If you need to use the RECOVERY_ID account, log in to the CMM with the RECOVERY_ID user name, change the password, and store the new password where you can find it again in the future.
  • After the CMM is unmanaged (or changed to be managed in decentralized management mode), all the local CMM accounts are re-enabled, and the RECOVERY_ID account is deleted.
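
Because RECOVERY_ID is meant only for emergencies, any login with it is worth reviewing. The following sketch is an added example, not IBM code and not part of the product documentation. It classifies RECOVERY_ID logins by whether the same CMM was authenticating other users against the central registry at around the same time. The event format, field names, host names, and the 30-minute window are assumptions made for illustration; they are not CMM log output.

```python
from datetime import datetime, timedelta

# Constructed sample events (NOT real CMM log output). Assumed fields:
# timestamp, CMM name, user, auth source (central|local), result.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 cmm-a alice central success
2024-05-01T09:05:00 cmm-a RECOVERY_ID local success
2024-05-01T09:20:00 cmm-a bob central success
2024-05-02T02:00:00 cmm-b carol central failure
2024-05-02T02:03:00 cmm-b RECOVERY_ID local success
2024-05-02T02:04:00 cmm-b RECOVERY_ID local failure
"""

BREAK_GLASS = "RECOVERY_ID"
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(text):
    """Turn whitespace-separated event lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, cmm, user, source, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "cmm": cmm,
                       "user": user, "source": source, "result": result})
    return events


def review_break_glass(events, window=WINDOW):
    """Classify every RECOVERY_ID authentication event.

    A successful central-registry login on the same CMM within the window
    shows the management node was reachable, so the emergency condition
    for using RECOVERY_ID did not apply.
    """
    findings = []
    for e in events:
        if e["user"] != BREAK_GLASS:
            continue
        central_ok = any(
            o["cmm"] == e["cmm"] and o["source"] == "central"
            and o["result"] == "success" and abs(o["ts"] - e["ts"]) <= window
            for o in events)
        if e["result"] == "failure":
            verdict = "failed-attempt"
        elif central_ok:
            verdict = "unjustified"
        else:
            verdict = "emergency-plausible"
        findings.append((e["ts"].isoformat(), e["cmm"], verdict))
    return findings
```

An "emergency-plausible" result still needs a matching incident record; the check only shows that nothing in the events contradicts an outage.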

After the CMM detects the management node user registry, it uses the management node registry configuration to provision all of the managed resources in the chassis (except for network switches) so that they also use the central management node user registry. When you log in to an IMM or FSP on a compute node in a centrally managed chassis, you must use a user name and password that are stored in the IBM Flex System Manager user registry.

With centralized management, a single security policy is distributed and enforced on all of the Chassis Management Modules in a management domain. In addition, a single set of user accounts and a single password policy are in effect.

Note: Each CMM that is under centralized user management must match the security policy level of the management software.

If a CMM does not match the security policy level of the management software, its status is Out of Sync. In the Chassis Manager view of the management software web interface, Warning is displayed in the status column. Click Warning to see details about the user registry and the security policy status.

Note: If your network interface for the management network is configured to use DHCP, the management interface IP address might change when the DHCP lease expires. If the IP address changes, you must unmanage the chassis, and then re-manage the chassis. To avoid this problem, either change the management interface to a static IP address, or make sure that the DHCP server configuration is set so that the DHCP address is based on a MAC address or that the DHCP lease does not expire.

Chassis that are not centrally managed might have different security policies, different user accounts, and different passwords from those that are set for the management domain. If chassis are centrally managed, user accounts can be edited only by the management software.

For more information about managing chassis with a single management node user registry, see Using centralized user management.

For centralized user management troubleshooting, see Centralized user management problems.

For information about changing the user management configuration from decentralized to centralized, or centralized to decentralized, see Changing the user management mode of a managed chassis.