APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
I know that this is an old issue, but I have an APC 9617 installed in an ACPA 4000 server AC. I've probably been through every APC procedure to reset the NMC. The problem is, I think, that the last time I logged into the control panel to update passwords, I inadvertently clicked Submit on a setting. It was not the Submit button for the apc password change and may have been some security setting. Anyway, I changed my password, and while still logged in attempted to login from another browser, and my login was denied. I went back to the first browser, and tried again to change the passwords (assuming I'd botched it the first time), but then I was prompted to enter a password to make the change, and my credentials were denied.
Now, whenever I attempt to login, I see the following error message:
This object on the APC Management Web Server is protected. Either your User Name/Password is invalid, or your access is restricted.
I've tried the reset procedure to temporarily reset the credentials back to apc/apc, but even then I'm blocked.
I've tried ssh, telnet, and arp with no luck. All I do is generate alarms of unauthorized access.
I have even powered off the AC, removed the card, and removed the card battery for good measure. The card still has the IP I'd set.
Any advice?
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:22 PM
The error message means you need to use https
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
Hi,
If you can do the reset password procedure, that should give you temporary administrator access which then would allow you to set the administrator credentials again to something you know. If you were to not reset the credentials while in there, after log out, you'd be back to before you started. While you're in there, you could also reset the system to defaults under the System->Tools menu, if you can afford to wipe the rest of the system configuration (you can save IP settings).
Can you clarify if when you're doing the password reset procedure, you're able to get to the System->Tools menu? Or specifics on if you're trying it and it's not working?
Are you using apc/apc to log in or something else you modified?
I can't quite tell what exactly you did but it sounds like potentially you may have set your account to be a device level user or read only or just flat out made a typo in admin name or password. The firmware sounds older based on the error message so that is my guess as to what is causing it.
Side note: The battery only saves date/time when the card is powered off.
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
Good afternoon.
Thank you for your reply.
I have tried the reset procedure several times, and I cannot login as apc/apc. I get the error message instead.
When I last tried to set the password, I copied it directly from notepad. I made sure that no extra space was copied (I do technical support too, and I advise my customers to do the same). I saw a Submit button near the top of the page, and I clicked it. Then I noticed that it was not the Submit button to click when changing the apc password. The Submit button I first clicked had something to do with additional security, and I suspect that mistake is now hindering all my logins, even after doing resets. I'm unable to find a manual for the Web interface, so I can't say what I actually submitted. Can you provide a link to the user manual for the Web interface?
As you've pointed out, this is an old card, and I have only a few old servers that have serial ports. I've installed HyperTerminal on one of them and set the baud to 2400, but no amount of hitting the enter key ever generates a response from the card, even after a reset. The only serial cable I have with a female connector at each end isn't long enough to reach from the back of the server (rack mounted) to the back of the AC. I have an APC serial cable (940-1524D) which is long enough, but it has a female connector at one end and a male connector at the other. If I connect the two cables together, I can connect the server to the AC, but I'm not sure it helps.
I've tried using the APC Management Card Wizard with both the Serial cable and the network (TCP/IP), but it finds no unconfigured management cards on the network.
Is there new firmware for this card? If so, could installing it fix the problem? And if it can, how do I upload it to the card when it rejects my every attempt to do so?
FYI: I've tried telnet, ssh, and arp, and the card rejects the attempt. In fact it will even send me an email about attempted unauthorized access, which I configured it to do when I was still able to login. I've not tried FTP yet.
NOTE: Again, as you've pointed out, this is an old card, and I only set up the alert on January 4 of this year. I used the reset procedure to gain access with apc/apc, and then I used the APC Management Card Wizard to find the card on the network and configure the network settings and IP address. I then tried the Web interface once the IP address was set, and I gained access to the card using the IP address. I set up a new password for the apc user and set some other configurations like the alert. Last week, I wanted to make a change to the alert, and couldn't login with the password I'd set in January. I tried apc/apc for fun and grins, and it worked. I don't know how it was reset back to the default, but I had logged in several times in Jan and Feb with the password I'd set in January. So, when I finally regained Web access last week, during that access, I clicked the other Submit button, and now I cannot login.
Sorry for the lengthy response.
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
Hi again - don't respond for a lengthy response, these are usually the most detailed
OK, I see you are using an air conditioner as opposed to a UPS. I had to re-read to get that.
I also think that we were talking about different things with the password reset procedure initially. I was thinking you were following this procedure (http://www.apc.com/us/en/faqs/FA156075) for 'reset' as in recovery if you lost your admin password but it sounds like you were changing the password in the UI after you logged in successfully with original admin credentials. But, you had to use this reset procedure when the unit appeared to have lost its password last week.
I think we should probably try to run through the recovery procedure I just linked for this to be resolved the quickest. This unit requires APC serial cable part # 940-0103 which is a grey cable (as opposed to black like the 940-1524D you said you have.) And I think the baud rate would be 2400. Do you have this 940-0103 anywhere? Or how did you reset the credentials to apc/apc when you originally set it up in January?
Alternatively, we could remove this card from the AC unit and put it in a different type of unit, such as a UPS, and do the password reset (recovery) procedure there then pop it in the AC unit. Does that sound feasible? The majority of our UPSs with DB-9 style serial ports would use 940-1524D to communicate.
Here is the only user's guide I found for the NMC itself: http://www.apc.com/salestools/ASTE-6Z2RQX/ASTE-6Z2RQX_R0_EN.pdf
The firmware for AP9617 for this unit hasn't been updated in some time. Looks like AOS 2.2.8/nairpa app v1.0.6 is the latest available. You won't be able to load that until we get admin access back. Wouldn't be surprised if that is what is already loaded.
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
I'm logged into the card again. After reading more thoroughly the link you provided to the user guide, I noticed that the password has a 10 character limit, so I tried again with the password I set last week and typed in the first 10 characters (the password I set was 12 characters long), and I successfully logged into the NMC. I presume that the system took all 12 characters and then displayed the error. I'm just uncertain why the reset didn't allow apc/apc to work.
I did use the document in the reset procedure in the first link you provided. I tried it in January, but what finally got me in back in January was the following procedure (or so I remember):
1. I plugged the NMC on the AC directly into one of our network switches.
2. I plugged a laptop into the same network switch.
3. I ran the APC NMC wizard and set it to network instead of serial.
4. I used a paper clip to reset the NMC by holding in the reset for 20-30 seconds.
5. I had to do this several times before the wizard finally detected the card.
6. I then set the IP address, subnet, and gateway.
7. I used a browser to connect to the IP address
8. I used apc/apc to login.
The order of the above events may not be correct, but I know that I had no luck with the serial cable and hyperterminal approach. I might've had to do another paper clip reset between steps 7 and 8.
I took another look at my gray serial cable, and it is a 924-0103. I may have to grab a recently decommissioned tower server with a serial port, so I can use the 924-0103 in the future. The cable is only 6 feet long, and the tower is movable where my rack server is not, and I'm about to decommission the old rack servers anyway.
Now that I'm logged in, I can verify the firmware. It is AOS 2.2.8/nairpa app v1.0.6. I can also verify that I'm still set to basic authentication, not MD5. It was this setting that I clicked Submit on last week. Obviously, it was not the issue.
Other questions:
1. I just set passwords for device and readonly, but the logins don't work. I'm simply prompted again for the credentials. If I click Cancel, I get the same error as before. FYI: I was still logged into the apc account on another computer.
2. I also tried to login as apc from a different computer. I received a message that said that the apc user was already logged in on another computer. I guess it's supposed to work that way?
3. If I'm already logged in as apc, will it prevent the device and readonly users from logging into the NMC?
4. I set a hidden authentication phrase. How is it used?
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
Here are some answers for you:
On 4/11/2017 5:43 PM, Dennis said: 1. I just set passwords for device and readonly, but the logins don't work. I'm simply prompted again for the credentials. If I click Cancel, I get the same error as before. FYI: I was still logged into the apc account on another computer.
Hmm, I am not sure why this is. I was able to log in with 'device' user but not 'readonly'. I was able to get in most times in my testing with device and readonly users but on some attempts I couldn't and not clear why.
On 4/11/2017 5:43 PM, Dennis said: 2. I also tried to login as apc from a different computer. I received a message that said that the apc user was already logged in on another computer. I guess it's supposed to work that way?
Only one user can be logged into any NMC running 1.X, 2.X, or 3.X firmware. We started supporting multiple user log ins in 6.X with our second generation cards.
On 4/11/2017 5:43 PM, Dennis said: 3. If I'm already logged in as apc, will it prevent the device and readonly users from logging into the NMC?
Yes, based on comment above. Only one user can be logged in at a time. A trick on the older cards is because of the log in priority across interfaces (web, telnet, serial), you can log in with telnet and log out which will kill any web sessions because web is least priority.
On 4/11/2017 5:43 PM, Dennis said: 4. I set a hidden authentication phrase. How is it used?
I am not too familiar with actually using this since this older firmware predates my expertise with NMC. I checked the help file and it seems like that auth phrase is used with the MD5 authentication method which I am also not familiar with.
Here is what I saw in the help file:
| Setting | Description |
|---|---|
| Authentication Type | Enable/Disable the authentication algorithm to use. Basic - use standard HTTP 1.1 login (base64-encoded passwords). Default setting. MD5 - use an MD5-based authentication login. Note: Java and Cookies must be enabled in the browser before MD5 can be used. Note: File uploads are not supported in this mode. |
| Authentication Phrase | Set the case-sensitive phrase to be used during MD5 Authentication. Phrase must be 15-32 ASCII-only characters long. |
Based on how modern browsers work and when this firmware was designed and released, I am not sure if the MD5 authentication will even work properly?
Hope this helps.
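Added example, not part of the thread and not APC firmware code: a Python sketch of the two points this thread turns on, the 10-character password limit the poster found in the user's guide and the help file's note that Basic authentication sends base64-encoded passwords. `TruncatingStore` is a hypothetical model that assumes the card keeps only the first 10 characters without reporting an error, which matches the login behaviour reported above; the sample password is constructed.

```python
import base64

PASSWORD_MAX = 10                  # limit the poster found in the NMC user's guide
PHRASE_MIN, PHRASE_MAX = 15, 32    # Authentication Phrase limits quoted from the help file


class TruncatingStore:
    """Hypothetical model: silently keeps only the first PASSWORD_MAX characters."""

    def __init__(self):
        self._stored = {}

    def set_password(self, user, password):
        self._stored[user] = password[:PASSWORD_MAX]   # overflow dropped, no error

    def verify(self, user, password):
        return self._stored.get(user) == password      # full input is compared


def precheck(password, phrase=None):
    """Return the problems to fix before submitting credentials to the card."""
    problems = []
    if len(password) > PASSWORD_MAX:
        problems.append(f"password is {len(password)} chars; only the first "
                        f"{PASSWORD_MAX} would be kept")
    if phrase is not None:
        if not phrase.isascii():
            problems.append("authentication phrase must be ASCII-only")
        if not PHRASE_MIN <= len(phrase) <= PHRASE_MAX:
            problems.append(f"authentication phrase must be {PHRASE_MIN}-{PHRASE_MAX} chars")
    return problems


def basic_header(user, password):
    """Build the Authorization value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """Recover user and password from a Basic header: base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

Running `precheck` before a password change catches the over-length case that locked the poster out, and `decode_basic` shows why the web interface should only be reached over HTTPS when Basic authentication is in use.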
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:23 PM
Thanks for those answers. I read the MD5 content, and it sounds like it's not necessarily safe anymore, so I won't make any changes in order to use it. Apparently, the hidden phrase can be used with the username instead of a password when MD5 is in effect.
I was able to telnet in as apc. I made a change to the device user by setting a password and pass phrase, but when I tried to use it either with telnet or the Web interface, I still couldn't login with it. I did notice that the telnet prompted me for a new device username. Perhaps that's the ticket. As long as apc works I probably don't need either a device user or a readonly user. Any reason why I'd want either of those users?
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:22 PM
You're welcome! We offer those different device and readonly accounts on our devices just as a different permission set, if you wanted to provide someone else access without giving them full admin rights to the NMC system. If you won't be using it then no big deal.
Very curious on why those other accounts don't work but even stranger that I also saw some of that behavior. The event log didn't record anything on those "invalid" attempts, right? My guess is no but just a thought.
Posted: 2021-07-08 02:00 AM . Last Modified: 2024-02-29 10:22 PM
I checked the logs, and they only display that an invalid login was attempted from a specific IP address but with no details as to who made the attempt and why it was rejected.