TITLE: HPE Integrity
Superdome X Servers Firmware Bundle – for SUM (Smart Update Manager)
VERSION:
Bundle version: 2018.10
Firmware version: 8.8.16
Smart Update Manager (SUM)
SUM Version: 8.3.5
DESCRIPTION:
This bundle contains the Smart Update Manager (SUM) x86 application with the
complex and nPartition firmware for the HPE Integrity Superdome X Server with
Gen8 and Gen9 blades. It includes an integrated OA (Onboard Administrator).
This bundle can be used to update the firmware through the OA using the SUM
application.
WARNING: If you are updating from a version prior to
6.0.42, you must install 6.0.42 (bridge release for digital signing) prior to
updating to this version.
WARNING: If
you are updating from a version between 6.0.42 and 8.2.106, you must install
8.2.106 (bridge release for digital signing) prior to updating to this version.
WARNING: To
ensure that the OA GUI continues to work after December 31, 2016, after
upgrading from version 7.6.0 or earlier to version 8.2.106 or later, the OA
SHA1 self-signed certificate will be removed and replaced with SHA256
self-signed certificate. To prevent security warnings, customer is encouraged
to re-generate the self-signed certificate with the common name (CN) matching
exactly the OA hostname as known by the web browser. See the Certificate
Administration section in the OA user guide for more information.
Note:
- Superdome
X version 5.73.0 or later supports online complex firmware update:
- The
update of the Complex firmware takes effect without any additional
operator interaction; some server management capabilities will become
inactive until the update completes.
- The
new Partition firmware however only gets programmed into the Flash ROM
during the update, and a partition reboot is required to activate
it. This enables rolling upgrades, where the new Partition firmware
may get activated on one partition at a time, when it is convenient to
bring the partition down for a reboot.
- This
“mixed” operational mode is supported for an indefinite period of time,
provided the combinations of Complex and Partition firmware are
compatible. The table below describes those supported compatible
Complex/Partition firmware combinations:
- “Yes”
in the cell means that the combination for the Partition (row)/ Complex
(column) is supported and “No” that it is not supported.
Note:
- The
complex firmware version must always be greater than or equal to the
partition firmware (but not all such combinations are supported).
- Online
firmware downgrade is not supported.
|
|
Complex
Firmware
|
|
|
5.73.0
1
|
6.0.42
|
7.5.0
|
7.6.0
|
8.2.106
|
8.4.84
|
8.5.3
|
8.7.84
|
8.8.2
|
8.8.14
|
8.8.16
|
|
Partition Firmware
|
5.73.0
|
Yes
|
Yes
|
Yes
1,3
|
Yes1,3
|
Yes1,3
|
Yes1,3
|
Yes1,3
|
Yes1,3
|
Yes,3,4
|
Yes,3,4
|
Yes,3,4
|
|
6.0.42
|
No
|
Yes
|
Yes
2,3
|
Yes2,3
|
Yes2,3
|
Yes2,3
|
Yes2,3
|
Yes2,3
|
Yes2,3,4
|
Yes2,3,4
|
Yes2,3,4
|
|
7.5.0
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes4
|
Yes4
|
Yes4
|
|
7.6.0
|
No
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes4
|
Yes4
|
Yes4
|
|
8.2.106
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
|
8.4.84
|
No
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
|
8.5.3
|
No
|
No
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
|
8.7.84
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
Yes
|
Yes
|
|
8.8.2
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
Yes
|
|
8.8.14
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
|
8.8.16
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
No
|
Yes
|
Note 1: Updating Complex FW from 5.X.X to 7.5.0 or later requires
installing 6.0.42 first because of changes to the digital firmware bundle
signature.
Note 2: Online
Complex FW updates from 6.0.42 to 7.5.0 or later will show “Mixed” firmware due
to newer PDH FPGA in 7.5.0. Partition operation is supported in this condition.
To complete the PDH FPGA update, turn off the partition(s) when convenient, and
rerun firmware update.
Note 3: BL920s Gen8
Blades support running Complex FW version 7.5.0 or later with Partition FW
5.73.0 or 6.0.42, but Gen9 Blades require both Complex and nPartition FW
version 7.5.0 or later when using v3 family processors, or version 8.2.106
or later when using v4 family processors.
Note 4: See 2
WARNING at top of the release notes regarding stepping updates from versions
prior to 6.0.42 or from 6.0.42 to 8.2.106.
- Additional
details about online complex firmware updates can be found in the “HPE
Integrity Superdome X and Superdome 2 Onboard Administrator User Guide”.
UPDATE RECOMMENDATION:
Critical
HPE requires users update to this
version immediately.
Note: Review the FIXES section to check if your system may be affected by
the issue fixed in this release.
[X ]
Critical
[ ] Panic, [ ] Hang, [ ] Abort, [ ] Corruption, [ ]
Memory Leak, [ ] Performance, [X ] Security
[ ] Hardware Enablement, [ ] Software Enablement
[ ] Required
[ ] Recommended
[ ] Optional
[ ] Hardware Enablement, [ ] Software Enablement, [
] non-critical
[ ] Initial Customer Release
SUPERSEDES:
Bundle 2018.04 (firmware version 8.8.14)
PRODUCT MODEL(S):
HPE Integrity Superdome X Servers
OPERATING SYSTEMS:
OSes supported on Gen9 blades with v4 family processors:
·
RHEL
6.7, 6.8, 6.9, 6.10, 7.2, 7.3, 7.4, 7.5
·
SLES 11
SP4, 12 SP1, 12 SP2, 12 SP3
·
Windows
Server 2012 R2, 2016
·
VMware
vSphere 6.0 U2, 6.0 U3, 6.5, 6.5 U1, 6.5 U2
OSes supported on Gen9 blades with v3 family processors:
·
RHEL
6.6, 6.7, 6.8, 6.9, 6.10, 7.1, 7.2, 7.3,7.4, 7.5
·
SLES 11
SP3, 11 SP3 for SAP, 11 SP4, 12, 12 SP1, 12 SP2, 12 SP3
·
Windows
Server 2012 R2, 2016
·
VMware
vSphere 5.5 U3, 6.0 U1, 6.0 U2, 6.0 U3, 6.5 U2
OSes supported on Gen8 blades:
·
RHEL
6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3,7.4, 7.5
·
SLES 11
SP3, 11 SP3 for SAP, 11 SP4, 12, 12 SP1, 12 SP2, 12 SP3
·
Windows
Server 2012 R2, 2016
·
VMware
vSphere 5.5 U3, 6.0 U1, 6.0 U2, 6.0 U3
LANGUAGES:
International English
ENHANCEMENTS:.
·
Added support for RHEL 6.10, 7.5 and VMware
6.5 U2 (Gen9 blades)
FIXES: .
Complex firmware:
·
SFW addresses the following known
vulnerabilities, CVE-2018-3639 and CVE-2018-3640, for all supported types of
processors. For details refer to the advisory here.
·
SFW addresses the following L1 Terminal Faults:
o
L1 Terminal Fault - OS, SMM (CVE-2018-3620).
Please note this mitigation also requires operating system software updates.
o
L1 Terminal Fault - OS, VMM (CVE-2018-3646).
Please note this mitigation also requires operating system software updates,
and VMM software updates
Note: For more information, see the
bulletin a00055017en
·
IPMI/DCMI are now disabled by default when iLO is reset to factory defaults.
Recommended I/O firmware:
· HPE recommends
running with the IO firmware versions found on the “HPE Integrity Superdome X
IO firmware and Windows Drivers image” version 2018.09 or later, available on
the Superdome X firmware
download page on HPESC, under the “Software – CD-ROM”
section.Warning:
Do not update I/O using the SPP (Service Pack for Proliant)
as it may
install versions that are not supported, which may cause unnecessary downtime
·
Note:
- After
replacing an I/O adapter, check if a supported I/O firmware version is
installed or update the firmware.
- After
replacing an InfiniBand 545M card, if the replacement card comes with the
firmware version 10.10.40402 installed, you need to contact your HPE field
representative to update the firmware to a supported version as a special
procedure must be followed in that case.
- On
partitions with more than 8 InfiniBand 545M cards installed, HPE
recommends using RHEL 7.2 or later.
- For
additional details on how to install I/O firmware and for a complete list
of known issues, please refer to the “HPE Integrity Superdome X IO
firmware and Windows Drivers image” release notes.
Required
I/O drivers:
- For servers running a supported Linux operating system, no additional I/O
driver updates are needed. For supported OS details, refer to the Linux white paper “Running
Linux on HPE Integrity Superdome X”.
- For servers running Windows operating system, if needed, the I/O
drivers should be updated using the “HPE Integrity Superdome X IO
firmware and Windows Drivers image” version 2018.09 or later as
the update from the SPP with SUM is not working for the Superdome X server
at this time. You can find the latest “HPE Integrity Superdome X IO
firmware and Windows Drivers image” on the Superdome X for Windows OS download page,
under “Software – CD-ROM”. Follow the instructions in the bundle for
installing the components.
- For
servers running VMware, the I/O drivers should be updated using the
appropriate a sync drivers which are available from http://vibsdepot.hpe.com/sdx/.
Customers need to build their own custom VMware VSphere distributions. For
details, please refer to the VMware white paper “Running VMware
vSphere on HPE Integrity Superdome X” available at http://www.hpe.com/support/superdomeXvmware-whitepaper
- OS
requirements
A.
Linux
a. All
Linux OS related information is available from the Linux
white paper “Running Linux on HPE
Integrity Superdome X”:
i.
Check the HPE Servers Support & Certification
Matrices for special OS requirements for the HP Integrity Superdome X Server
ii. Linux
SMH and WBEM providers: HPE recommends that you install the latest versions of the SMH
and WBEM providers for your SLES or RHEL Operating System from the Software
Delivery Repository (SDR). Superdome X providers are available under http://downloads.linux.hpe.com/repo/bl920-wbem/
Note: You must install the SMH package prior to the WBEM providers or in
the same session.
Note: Reboot is not required for the SMH and WBEM provider changes to
take effect.
iii.
Check the Linux
white paper for additional details and
recommendations.
B. Windows:
I/O drivers and WBEM providers for Windows
2012 R2 for Superdome X are available as part of the “HPE
Integrity Superdome X IO Firmware and Windows Drivers image”
version 2018.09 or later on the Superdome X download
page on HPE Support Center,
under “Software – CD-ROM”. Follow the instructions in the bundle to install the
components.
For more information on installing Windows OS and components
on Superdome X, see the Windows white paper “Running Microsoft Windows Server on HPE Integrity Superdome X”, available at http://www.hpe.com/support/superdomeXwindows-whitepaper.
C.
VMware:
I/O drivers and WBEM providers for VMware are available
from this link (aug2018 required for VMware 6.5 U2 support): http://vibsdepot.hpe.com/sdx/downloads/
o For
Gen8 blades and Gen9
blades with Intel v3 family processors, select: gen8gen9v3
o For Gen9 blades with Intel
v4 family processors, select: gen9v4
For
more information on installing VMware OS and components on Superdome X, see
the VMware white paper Running VMware vSphere on HPE Integrity Superdome X
available at http://www.hpe.com/support/superdomeXvmware-whitepaper
PREREQUISITES:
NOTE:
- Firmware
version 7.5.0 or later is required to support BL920s Gen9 blades with
Intel v3 family processors.
- Firmware
version 8.2.106 or later is required to support BL920s Gen9 blades with
Intel v4 family processors
·
WARNING:
·
If you are updating from a version
prior to 6.0.42, you must first install to 6.0.42 (bridge release) and
then upgrade to 8.2.106 (bridge release for digital signing) prior to updating
to this version.
·
If you are updating from a version
between 6.0.42 and 8.2.106, you must install 8.2.106 (bridge release for
digital signing) prior to updating to this version.
IMPORTANT:
- HPE strongly recommends implementing the following
security best practices to help reduce both known and future security
vulnerability risks:
1.
Isolate the management network by keeping it separate from the production
network and not putting it on the open internet without additional access
authentication.
2.
Patch and Maintain LDAP and web servers.
3.
Run the up-to-date viruses and malware scanners in your network
environment
4.
Apply HPE Firmware updates as recommended.
INSTALLATION INSTRUCTIONS:
Please review all instructions and the "Hewlett Packard Enterprise
Support Tool License Terms" or your Hewlett Packard Enterprise support
terms and conditions for precautions, scope of license, restrictions, and
limitation of liability and warranties, before installing this package. It is
important that you read and understand these instructions completely before you
begin. This can determine your success in completing the firmware update.
Important Note: This version of SUM uses an Internet browser
as the graphical user interface. Currently supported browsers are:
|
|
Win2k8
|
Win2012
|
Win2016
|
SLES11
|
SLES12
|
RHEL6
|
RHEL7
|
|
IE 9, 10 or 11
|
X
|
x
|
x
|
|
|
|
|
|
Edge
|
|
|
x
|
|
|
|
|
|
FireFox 17
ESR
|
|
|
|
x
|
x
|
x
|
x
|
|
FireFox 18 or
later
|
X
|
x
|
x
|
x
|
x
|
x
|
x
|
|
Chrome 24 or later
|
X
|
x
|
x
|
x
|
x
|
x
|
x
|
Important Note: SUM now uses port 63001 by default for pulling FW files
from the server running SUM.
A. Extracting and Running SUM
1.
Download the firmware bundle binary <filename>.exe or
<filename>.tar.gz in a new folder on your system.
2.
Extract the bundle:
- Windows: double click
<filename>.exe then click “Extract”
- Linux: gunzip <filename>.tar.gz; tar -xvf <filename>.tar
3.
The above steps will extract the contents of the bundle in the new
folder where the bundle file is located. SUM and firmware components will
reside in the same folder.
4.
Execute hpsum.bat (Windows) or hpsum.sh (Linux), located in the
extracted folder, by logging as a user with Administrator or root
privilege. Executing hpsum will bring up your
default browser to show the user interface of the Smart Update Manager (SUM).
NOTE: SUM also provides a Command Line
Interface (CLI) that allows user to perform scripted installations in silent
mode. For more information please refer to the SUM User Guide located at http://www.hpe.com/info/sum-docs or
the "CLIHelp.txt" file in the extracted folder.
B. Installing the Firmware Components using SUM - Graphical User Mode
1.
Welcome Screen:
- Once
started, a page displays with SUM main content on it.
- For remote OA based updates:
- Select
Baselines from the main content menu
- Verify
that the current directory baseline completes inventory
- Select
Nodes from the main content menu
- Select
'Add Node' and enter IP address and credentials for the Onboard
Administrator, select the Baseline to be assigned from the Baseline
drop down, and click 'Add'
- After
initial verification of credentials is done, click Inventory from the
Actions menu
- After
inventory is done on the OA, click on the OA node and start Review/Deploy
- On
the Review page, click to select the associated nodes to update along
with the OA. SUM will sequence the updates as needed.
- Start
the Deploy
- After
Deploy is done, the logs for the updates can be reviewed on each node
page
Note:
- Online
complex firmware update is supported starting with firmware version
5.73.0. For more details, refer to the online firmware update table and
notes at the top of the release notes.
- If
doing an offline firmware update, you must power off all partitions before
upgrading firmware to this version
and then use the ALL option with the offline firmware upgrade to ensure
that the partitions will boot with the new partition firmware after the
update.
- Additional details about online complex firmware
updates can be found in the “HPE Integrity Superdome X and Superdome 2
Onboard Administrator User Guide”
- See
the SUM
user Guide for more information.
Reboot requirement:
Partition reboot is required after
installation for Partition firmware updates to take effect.
DETERMINING CURRENT VERSION:
- Establish
a session with the monarch OA and login to the get the command prompt
- Type
the OA command "UPDATE SHOW FIRMWARE" to display the version of
complex bundle installed.
- Type
the OA command “UPDATE SHOW NPARTITION ALL” to display the version of nPartition
firmware installed on each partition.
KNOWN ISSUES &
WORKAROUNDS:
·
OA web interface stops working when LDAP user
login to OA and modifies the “Advanced Security Settings” (SSL/TLS ciphers,
protocols).
Workaround: Login to OA cli as local administrator user and modify the
“Advanced Security Settings”.
·
Remote serial console applet may not launch with
Java Runtime Environment (JRE) version 6.
Workaround: HPE recommends updating
to the latest JRE version on the client system.
·
The user might see the following warning or
notice while launching the Remote Serial Console (RSC) applet from the OA GUI:
“Applet or Pericom version mismatch between the local
applet the browser already has, and what server has to send to the browser.
Close all browser instance and then start the browser again.”
Workaround: HPE recommends deleting
the previously cached TeemWorld.jar file from java cache using Java Control
Panel.
·
Updating the Superdome X firmware via FTP may
fail if the password contains some special characters, for instance, §, $,
& or space (but not !). This is due to
interpreting the special character as part of the command instead of the
password.
Workaround: Use quotes around the URI (ex. update firmware ‘ftp://user:passwd@15.1.1.75/firmware/hpsdx-<version>-fw.bundle’
all).
·
In very rare cases, after booting a Brocade
16Gb/28 SAN Switch, all internal ports of the switch attached to a 16Gb Fibre Channel QH2672 mezzanine card on a Superdome X server
may be running at 8 Gbps instead of the configured 16
Gbps. This is due to the OA not detecting the server
backplane type on time and may cause a SAN performance degradation. For more
details, see advisory c05384312.
·
With RHEL 7.3, the time for booting to the OS prompt increases with the
number of iSCSI ports and LUNs configured. It may take up to 2 hours with 32
iSCSI ports assigned to iSCSI LUNs, due to the system taking a lot of time
scanning for all the ports and their mapped disks.
- During
repeated partition power on, power off or partition reboot, firmware may
sometimes log erroneous CAE events 7571 and 8086 to indicate a power on
error (see details in c04796862).
- The
UEFI Shell command does not accept '0x' as a prefix when entering a
hexadecimal value.
Workaround: Enter the hexadecimal value without ‘0x’ in front.
- If
a user connects remote vMedia to a partition
from the IRC applet, a “show partition dvd all” from the OA CLI will not report that
the partition is connected to media via the “Virtual Media Applet”.
- Java
execution errors may be seen when launching the IRC (Integrated Remote
Console) or RSC (Remote Serial Console) from the OA GUI, causing the
applets to fail to launch, when using a Java Runtime Environment (JRE)
other than the Oracle version.
Workaround: Remove or de-configure all java environments other than
the Oracle version as this is the only JVM currently supported by iLO. The Oracle Java 7 JRE works correctly.
- When
more than one DIMM in a partition has been de-configured, the
"partition status" and "pending changes" TABs on the OA
GUI only show the first DIMM as de-configured.
Workaround: Refresh the OA GUI screen or use the CLI parstatus command to show correct information.
- After
a USB cable is reconnected between the OA and its matching GPSM (maybe due
to a repair or lose connection), SHOW ENCLOSURE STATUS reports the
Enclosure ID as "Degraded" instead of OK.
Workaround: Reboot the OA to clear the erroneous status.
- When
using the Firefox browser, users may only use IRC for a single partition
at a time as only one instance of the IRC client can be opened at a time.
Workaround: use Internet Explorer and the non-java based IRC
client.
- The
parstatus command incorrectly displays the
complex IO enclosure capacity as 8 instead of 0.
- If
a user performs an OA restart, OA failover or FW Update while an nPar is in OSBOOT state, the nPar
state unexpectedly changes to UP state.
- When
an alternate parspec is created with default
granule sizes, the parstatus –Z <parspec_name> command will display negative values
(-1 MB) for granule size.
- “Invalid
ROM contents” message may be seen in Linux OS syslog when booting to run
level 5 with the partition VGA enabled.
- In
network topologies with thousands of systems and high broadcast traffic,
new connections or re-login to the OA may not be possible due to OA
overflowing the ARP cache with network requests. Existing OA connections
are not affected by this issue.
Workaround: Reset the OA (via existing connection, serial
connection or by pressing the reset button).
- Superdome
X complex uses 169.254.x.x and 10.254.x.x addresses for internal
management. Those addresses are visible to the outside LAN via “SNMPwalk”, which may cause incorrect reports of IP
address conflicts. As a result, tools that use “SNMPwalk”
to avoid IP address conflicts may refuse to use the 169.254.x.x or
10.254.x.x for other systems outside of the complex. Other than incorrect
SNMP reporting, the internal management network traffic is contained
within the complex and will not affect customer’s management network.
Note: The addresses 169.254.x.x and 10.254.x.x are not available to be
used by the OA EBIPA.
DISCLAIMER:
The information in this document is subject to change without notice.
Hewlett Packard Enterprise makes no warranty of any kind with regard to this
material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett Packard
Enterprise shall not be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing, performance, or use of
this material.
This document contains proprietary information that is protected by
copyright. All rights are reserved. No part of this document may be reproduced,
photocopied, or translated to another language without the prior written consent
of Hewlett Packard Enterprise.
(C)
Copyright 2015-2018 Hewlett Packard Enterprise Development L.P.
FEEDBACK
As we are continuing to improve the firmware
management process we welcome your feedback on this document and on the
firmware update process:
TEAM-FWupdateFeedback@groups.ext.hpe.com
SUPERSEDES
HISTORY:
Version 2018.04 (8.8.14):
Enhancement:
Complex firmware:
•
Enabled
"Content-Security-Policy" (CSP) header in HTTP responses from Onboard
Administrator.
•
Enhanced
OA on SDX to offer “Advance Security Settings” in strong encryption mode. This
feature allows Administrator user to enable/disable SSL (Secure Sockets
Layer)/TLS (Transport Layer Security) protocols and ciphers.
Fixes:
nPartition
firmware:
·
Updated Intel Haswell, Broadwell and Ivy Bridge
microcode to address CVE-2017-5715.
Complex firmware:
·
Addressed CVE-2017-12542 and CVE-2017-12543
vulnerabilities in iLO4.
·
Fixed an issue where the OA GUI could become
very slow or sluggish and possibly log response timeouts.
·
Fixed the issue where the user name was
displayed as Unknown in the OA GUI for LDAP users that are part of 2 or more
LDAP groups.
·
RSC (Remote Serial Console) Java applet launch
issue with Java Runtime Environment (JRE) version 1.8.0_141 and higher is
fixed.
Version 2018.01 (8.8.6):
REMOVED
Version 2017.09 (8.8.2):
Complex firmware fixes:
• An
instance of Document Object Model (DOM) based Cross-Site Scripting (XSS)
vulnerability has been addressed.
• An
instance of Stored Cross-Site Scripting (XSS) vulnerability has been addressed.
• Enabled
HTTP Strict Transport Security (HSTS) headers in HTTPS response from Onboard
Administrator.
• NTP
is upgraded to address CVE-2016-7434 vulnerability.
• Addressed
a memory leak issue in SNMP.
FIXES:
nPartition
firmware:
·
Blades with a mix of 32GB and 64GB DDR4 PC-2133 and PC-2400 DIMMs would
be indicted and marked as degraded even though the blade and all its installed
memory was available to the partition. With this release, the blade is no
longer indicted and marked as degraded.
IMPORTANT: Due to
a compatibility issue, blades with a mix of 32GB DDR4 PC-2133 and PC-2400 DIMMs
will fail to power on if these DIMMs are installed within the same DRAM bus or
lockstep pairs. For more details, see Advisory c05404697.
ENHANCEMENTS:
·
Added support for RHEL 6.9, VMware 6.0 U3 and 6.5
·
Added support for Xeon E7-8894
·
Added support for iSCSI on the 650FLB adapters (FW version 11.1.183.23)
with Windows 2016, VMware 6.5 and RHEL 7.3 starting with Superdome X firmware
version 8.7.84 (bundle 2017.03).
Version 2016.11 (8.5.3):
FIXES:
nPartition
firmware fix:
- Under
certain error conditions, the system firmware would rarely enter an assert
loop, flooding the OA with events, thus hindering the OAs ability to
power-off or reboot the failing system. This is now fixed.
Complex firmware fixes:
- The system no longer crashes (MCA) when faulty DIMMs
trigger a CMC (Corrected Machine Check) storm leading to multiple
corrected memory errors.
- Software applications could lead to generating events
1063 or events 100924. For instance, HPE diagnostics or Windows 2012
hypervisor could generate events 1063. These were not hardware related
errors. With firmware version 8.5.3, events 1063 will no longer be
reported and events 100924 will now be reported at a reduced rate.
ENHANCEMENTS:
- Added support for Windows Server 2016, RHEL 7.3 and
SLES 12 SP2
- Added VMware OS support for 560M/FLB adapters on
Superdome X Gen9 blades with v4 family processors
- Added
RoCE support on the 650M/FLB adapters with Windows Server 2016
Version 2016.09 (8.4.84):
FIXES:
nPartition firmware fix:
- In
very specific multi-blades configurations, de-configured DIMMs could cause
an MCA during boot. One of the conditions for the MCA was to have one or
more 64GB DIMMs or five 32GB DIMMs de-configured on a non-root blade
loaded with 48 64GB DIMMs or with 48 32GB DIMMs. This is now fixed.
Complex firmware fixes:
- Increased robustness of Superdome X servers when
experiencing a high number of correctable memory errors that could lead to
unplanned system downtime.
- The
HTTPoxy vulnerability CVE-2016-5387 has been addressed.
- OA CLI UPLOAD command with scp/sftp in the URL now works both when the file name
immediately follows the hostname and when the URL specifies the full path
to the file.
- When all blades in a partition are set to link local,
the OA syslog no longer incorrectly reports the blades as powered off.
- After a blade replacement, show blade info would sometimes
report "Error Reading CPU Data" and parstatus
would report a CPU speed of 0 MHz. This is now
fixed.
- If the OA detected only 3 XFMs, active partitions would
continue running but would not reboot, and inactive partitions would not
power on (for instance, after an e-fuse reset or an XFM removal without
replacement). This is now fixed.
ENHANCEMENTS:
- Added support for 64 GB DIMMs and 24 TB of Memory
- Added support for Windows Server 2012 R2 and VMware 6.0
u2 (8 sockets only) on Gen9 blades with Intel v4 family processors
- Added support of Infiniband
545 M adapter on Gen9 blades with Intel v4 family processors
- Added support for RoCE on 650M/FLB adapters with Linux
RHEL 7.2
Version 2016.07 (FW 8.2.106):
FIXES:
nPartition
firmware:
- The
standby OA GUI no longer reports an incorrect firmware version.
- If
connected to the OA via telnet, the message “fatal: Cannot bind any
address” is no longer seen in the OA syslog after running the command
“disable ntp”, “disable https” or “disable snmp”.
- The
Network access section was added to the OA GUI so that OA users with
operator privilege can now enable or disable network protocols from the
GUI.
- Enclosure
ID field in enclosure status no longer shows as degraded after the DVD
module has recovered from USB connectivity issues.
- CAE
(Core Analysis Engine) now correctly identifies the socket that timed out
in CAE event 1053.
- As
a non-supported feature, Blade PowerDelay is now
always disabled and can no longer be changed from the CLI or GUI.
- When
reseating or e-fusing a monarch blade partition, the message now states
that the iLO IP address has been reconfigured
automatically by the firmware and not by the user.
- A
secondary error (100906) was flagged by CAE for MCAs, actually caused by a
known issue of fabric failover handling due to the presence of invalid
packets, and the blade of the processor reporting that issue is no
longer de-configured. Note: The invalid packet issue has been addressed in
a prior release.
- After
the DVD module is removed and reinserted, the OA CLI would sometimes no
longer see the FPL and SEL events logged prior to the removal. This is now
fixed.
- The
monarch iLO in complex firmware version 5.73.0
was affected by the OpenSSL Poodle (Padding Oracle on Downgraded Legacy
Encryption) CVE-2014-3566 vulnerability. This is fixed in complex firmware
version 7.5.0 and later.
- Some
BL920s Gen8 Blade servers with a specific memory configuration (32 GB DDR3
DIMMs per blade) would rarely experience a crash or hang in the presence
of excessive correctable memory errors, with FPL logs showing
X86_CPU_EXCEPTION in case of crash or STATUS_ASSERT_* messages in case of
hang. This is now fixed.
- The OA syslog would sometimes fill up with events such
as “udog logged into the Onboard Administrator
using RSA key <key>”. These have now been suppressed.
ENHANCEMENTS:
- Added
support for Intel EX v4 family processors on BL920s Gen9 blades with
firmware 8.2.106
Version 2015.12 (FW 7.6.0):
nPartition
firmware:
- Superdome
X systems with Gen9 blades installed and configured in 8- or 16-socket nPars, using 18 core processors (E7-8890 v3 or E7-8880
v3) and running Linux could experience a performance degradation. This is
now fixed.
ENHANCEMENTS:
February 2016 updates:
- Added
support for VMware and for HPE Ethernet 560FLB/560M adapters on Gen9
blades
January 2016 updates:
- Added
support for Windows 2012 R2 and related IO drivers on HPE
Integrity Superdome X Gen9 blades
- Added
support for Linux SLES 12 SP1 and RHEL 7.2
Version 2015.09 (FW 7.5.0):
ENHANCEMENTS:
- Superdome
X server firmware version 7.5.0 introduced support for BL920s Gen9 blades
- With
firmware version 7.5.0, HP Integrity Superdome X Server supports multiple
nPartitions of 6 sockets in addition to 2, 4, 8 and 16 sockets.
FIXES:
- Excessive
correctable memory errors could prevent an entire partition from booting.
Boot attempts would fail with the error SFW_BOOT_FATAL_ERROR in FPL. This
is now fixed.
- False
fabric errors or CAE event 2015 could rarely be seen after an EFI reset
command or a non-graceful system shutdown, causing in some cases a
critical error like an MCA, due to some packets not being discarded before
power-on. This is now fixed.
- A
system nPartition would very rarely hang with the FPL (Forward Progress
Log) or SEL (System Event Log) displaying some STATUS_ASSERT_* messages.
This is now fixed.
- The
WSMAN daemon no longer crashes if a WSMAN client makes a subscription
request with an unusually long “end point reference”.
- SNMP
no longer incorrectly sends trap 22041 whenever the active OA status
changes.
- On
systems running SLES, Event ID 100924 would sometimes be erroneously
reported for corrected memory errors. This is now fixed.
- In
case the monarch blade of an nPar is serviced
and the Administrator does not wait long enough (about 5 minutes) before
attempting to power on the partition, the partition no longer fails to
power on with an error message in OA syslog “nPartition Power On failed.
Error: fatal internal error”.
- When
removing an SNMP receiver’s IP address (ex. 10.11.12.13), OA no longer
incorrectly removes all receiver’s IP addresses that contain that IP
address as a substring (ex. 10.11.12.13 and 10.11.12.133).
- A
PDH low battery warning event is no longer reported daily in case of low
PDH battery level. It is now reported yearly as an informational event.
The OA GUI now properly detects
and displays a valid firmware bundle present on a USB stick in the external USB
drive.
Version 2015.04 (FW 6.0.42):
ENHANCEMENTS:
Bundle version 6.0.42(a):
- Added
support for SUSE Linux Enterprise Server 12
Bundle 2015.04 (FW version 6.0.42):
- Added
support for Intel® Xeon® Processor E7-8893 v2 (6 cores/3.4Ghz / 37.5Mb
cache / 155W)
FIXES:
- Addressed
the GHOST (GetHostByName) CVE-2015-0235 vulnerability
- NTP
was upgraded in this version to address the CVE-2014-9295 vulnerability
- Addressed
the OpenSSL Poodle (Padding Oracle on Downgraded Legacy Encryption)
vulnerability CVE-2014-3566 in Superdome X OA
- Fixed
issues that prevented some Superdome X servers to be discovered by HP
Insight Remote Support
- Remote
Windows Operating System installation may now be done using PXE boot
(Pre-Boot eXecution Environment)
- Fixed
an issue where rebooting partitions without a power cycle could result in
de-configured CPU sockets and/or blades and in a failure to boot
- CAE
event 7008 is now reported if multiple DIMM failures on the same DDR
channel are detected during memory initialization at partition boot
- Erasure
is no longer requested multiple times for the same failing device
- In
the OA GUI, after selecting ""Local User" and then
"User information", Interconnect Bay Access is now shown for all
bays, including Bay 5 to Bay 8
- An
Onboard Administrator board with firmware version 1.3.1 can now be updated
to the latest version using the standard firmware update process
Version 2014.10 (FW 5.73.0):
ENHANCEMENTS:
Changes included in bundle 2014.10 (FW version 5.73.0(b)):
- Added
support for Windows 2012 R2 with minimum Superdome X server firmware
5.73.0
Changes included in bundle 2014.10 (FW version
5.73.0(a)):
- The
release notes were updated in version 5.73.0(a), to add the Poodle
security vulnerability to the list of Known Issues
Changes included in bundle 2014.10 (FW version
5.73.0):
- Starting
with firmware version 5.73.0, the HP Integrity Superdome X Server supports
2S, 4S, 8S and 16S nPartitions. For information about creating and
managing partitions, see the HP Integrity Superdome X partitioning white
paper under the Superdome X server Manuals section on http://www.hp.com/go/hpsc.
- Note: Maximum 4 TB memory is
supported with Windows (see server QuickSpecs for more details)
FIXES:
Fixes included in bundle version 2014.10 (5.73.0(a), 5.73.0(b)):
- None (release notes update only)
Fixes included in bundle 2014.10 (FW version
5.73.0):
- The
bash “Shellshock” vulnerability has been fixed in the OA version included
in this firmware. Firmware versions prior to 5.73.0 could be exploited
remotely to allow execution of code. For details on this issue, please
refer to CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.
- Addressed
SSL/TLS MITM Vulnerability CVE-2014-0224
- During
boot, the partition fans would unnecessarily run at maximum speed, making
the enclosure very noisy, until partition completed boot to UEFI.
- Correctable
errors coming from multiple failing ranks on a single DIMM could
inadvertently result in the entire Blade being indicted (even 7005).
- If
a partition was forced to power off, stale data from the prior session
would sometimes be displayed on the console when the partition was powered
back on and remained visible until it began booting. These stale data
could be ignored.
- The
OA CLI did not allow setting the EBIPA (Enclosure Bay IP Addressing page)
for interconnect modules. The operation failed with the message
"Cannot issue command for non-monarch blade".
- After
an OA restart or DVD replacement, the DVD health LED would often be seen
amber and blinking. If the command “SHOW DVD status” or related views
reported the status as “OK”, you could safely ignore the amber blinking
LED.
- A
transient USB connection would sometimes generate transient errors and an
event DVD/GPSM_MODULE_USB_DISCONNECT (CAE id 12119). This event could
safely be ignored if the complex was not marked as degraded and no hardware
was indicted.
- If
you tried connecting the enclosure DVD from the CLI using the command
"set partition DVD connect <npar>",
with a remote DVD media already connected via GUI using iLO IRC to the
same partition, the CLI command did not return a failure message saying
that the same type of DVD drive was already connected.
- There
were several issues with the UEFI shell 2.0 behavior. In particular, the
command option –b (page break) did not always work correctly. The prompt
“Press ENTER to continue or ‘Q’ break” could be inserted in the middle of
output text instead of starting at a new line or overwrite text that
should have been displayed on the next line.
- When
a blade was removed slowly from the chassis, global clock failure events
(CFW_GCLK_0_NOT_AVAIL and/or CFW_GCLK_1_NOT_AVAIL) would rarely be
generated prior to the blade removal event (BLADE_REMOVED_SD2) due to
noise on the clock signal caused by the removal. These clock failure
events could safely be ignored during blade removal.
- After
making a PXE boot request, if the user decided not to proceed with PXE
boot (e.g. “exit” from the PXE menu to return to the UEFI prompt), any
attempt to boot would still result in PXE boot regardless of what the user
selected, because the PXE driver was still loaded.