EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.EMC.com EMC ® Rainfinity ® File Management Appliance/VE Version 7.3 Getting Started Guide P/N 300-009-001 REV A03


Copyright © 2009 EMC Corporation. All rights reserved.

Published December, 2009

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.


Contents

Preface

Chapter 1 Introduction
    Overview of File Management
        What is File Management Appliance/VE?
        What are Virtual Appliances?
    File Management Appliance/VE for High Availability
    FMA/VE requirements
    FMA/VE tasks
    Using FMA/VE

Chapter 2 Deploying the File Management Appliance/VE
    File Management deployment process
    Installing the virtual appliance
    Virtual Appliance setup
    Configuring FMA/VE
        Configuring networking
        Configuring the hostname, domain, and DNS server
    Graphical user interface
    Command line interface
    Using FMA/VE with the Celerra Data Mover as a source
        Adding a Celerra to the FMA/VE configuration
        Configuring FMA/VE for Celerra to EMC Centera archiving
        Prerequisites for using Celerra as an archiving source
        Pre-archiving tasks on the Celerra Control Station
    Configuring a NAS-based repository
    Using FMA/VE with the EMC Centera
    Backing up the configuration
        Creating a backup dump
        Restoring a backup dump
    Database Maintenance
    UPG upgrade

Chapter 3 File Management System Settings
    Security hardening
        Single security database
        Disable root logins
        Strengthen passwords
        Age passwords
    Configuring the GUI access method
    STIG hardening
        Enabling STIG hardening
        Disabling STIG hardening
    LDAP client configuration
        Global LDAP settings
        LDAP authentication
        Configuring basic LDAP settings
        Configuring advanced LDAP settings
    RADIUS and TACACS+
    Certificate management
    Appliance mail delivery settings
    Log settings
        Configuring log rotation
        Configuring SCP of rotated log files
        Alerts
        Configuring email alerts
        Configuring SNMP alerts
        Enabling SNMP polling
    System command accounting
        Tracking user command history
        Tracking user login history
        Tracking daemon command history
    Windows domain user
        Creating a Windows domain user
        Adding an admin user to the local administrator group
        Configuring Windows 2008 for NTLM

Appendix A Network Topology Scenarios
    Advanced network topologies
    Configuring FMA/VE with two subnets
    Configuring FMA/VE with more than two subnets
    VLAN tagging modes for FMA/VE
        ESX server virtual switch tagging
        ESX server virtual guest tagging

Glossary

Index

Figures

1 Archived report example
2 Rainfinity File Management process
3 File Management header
4 Create New NAS Repository
5 NAS Repository List

Tables

1 VMware and ESX Server interoperability with FMA/VE
2 Critical security alerts
3 Critical operational alerts

Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines, EMC periodically releases revisions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.

Audience

This document is part of the Rainfinity File Management Appliance/VE documentation set, and is intended for use by storage management administrators who are new to the Rainfinity File Management Appliance/VE.

Related documentation

Related documents include:

◆ EMC Rainfinity File Management Appliance/VE online help — Provides detailed reference information on specific product features and functions.

◆ EMC Rainfinity File Management Appliance/VE Release Notes — Provides an overview of new features and lists limitations.

◆ EMC Rainfinity man pages — Provide detailed command-line help, as well as overview information. A good starting point is: man rffm. PDFs of all man pages are available from:

/opt/rainfinity/filemanagement/doc

Conventions used in this document

EMC uses the following conventions for special notices.

Note: A note presents information that is important, but not hazard-related.

CAUTION! A caution contains information essential to avoid data loss or damage to the system or equipment.

IMPORTANT! An important notice contains information essential to operation of the software.

Typographical conventions

EMC uses the following type style conventions in this document:

Normal
Used in running (nonprocedural) text for:
• Names of interface elements (such as names of windows, dialog boxes, buttons, fields, and menus)
• Names of resources, attributes, pools, Boolean expressions, buttons, DQL statements, keywords, clauses, environment variables, functions, utilities
• URLs, pathnames, filenames, directory names, computer names, filenames, links, groups, service keys, file systems, notifications

Bold
Used in running (nonprocedural) text for:
• Names of commands, daemons, options, programs, processes, services, applications, utilities, kernels, notifications, system calls, man pages
Used in procedures for:
• Names of interface elements (such as names of windows, dialog boxes, buttons, fields, and menus)
• What user specifically selects, clicks, presses, or types

Italic
Used in all text (including procedures) for:
• Full titles of publications referenced in text
• Emphasis (for example a new term)
• Variables

Courier
Used for:
• System output, such as an error message or script
• URLs, complete paths, filenames, prompts, and syntax when shown outside of running text

Courier bold
Used for:
• Specific user input (such as commands)

Courier italic
Used in procedures for:
• Variables on command line
• User input variables

< > Angle brackets enclose parameter or variable values supplied by the user

[ ] Square brackets enclose optional values

| Vertical bar indicates alternate selections - the bar means “or”

{ } Braces indicate content that you must specify (that is, x or y or z)

... Ellipses indicate nonessential information omitted from the example

Where to get help

EMC support, product, and licensing information can be obtained as follows.

Product information — For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Powerlink website (registration required) at:

http://Powerlink.EMC.com

Technical support — For technical support, go to EMC Customer Service on Powerlink. To open a service request through Powerlink, you must have a valid support agreement. Please contact your EMC sales representative for details about obtaining a valid support agreement or to answer any questions about your account.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Please send your opinion of this document to:

[email protected]

Chapter 1 Introduction

This chapter includes the following sections:

◆ Overview of File Management

◆ File Management Appliance/VE for High Availability

◆ FMA/VE requirements

◆ FMA/VE tasks

◆ Using FMA/VE

Overview of File Management

File Management is data archival software that optimizes primary NAS storage by automatically moving inactive files based on policies to less expensive secondary storage. Files that are moved appear as if they are on primary storage. File archiving dramatically improves storage efficiency and backup/restore time, while supporting additional business requirements such as compliance and retention.

As an example, the File Management software may be configured to locate all NAS data that has not been accessed in one year, and archive that data to secondary storage. For each file it archives, the File Management software will leave behind a small space-saving stub file that points to the real data on the secondary storage device. When a user tries to access the data in its original location on the primary NAS, the user will be transparently provided with the actual data that the stub points to, from secondary storage.

If multi-tier archiving is used, the software may be configured to move archived files from a secondary storage device tier to a tertiary storage device tier. This can be particularly useful in cases where the secondary storage device represents a tier that is smaller, faster, and more expensive to maintain than a larger, slower, and cheaper storage used in the tertiary tier. Once the files are moved, the space-saving stub file on the primary NAS tier would be updated to point to the data’s new location on the tertiary storage tier.

What is File Management Appliance/VE?

File Management Appliance/VE (FMA/VE) is a VMware virtual appliance installed on a VMware ESX/ESXi Server. FMA/VE is provided in an industry standard Virtual Appliance distribution consisting of an OVF and VMDK file.

FMA/VE supports automated tiered storage from a source Celerra® to a target Celerra or EMC Centera®. Customers create policies to move files across multiple file systems to a deduped tier of storage for additional consolidation and efficiency benefits.

What are Virtual Appliances?

Virtual Appliances are pre-built software solutions, comprised of one or more Virtual Machines that are packaged, updated, maintained, and managed as a unit. Unlike a traditional hardware appliance, these software appliances let customers easily acquire, deploy, and manage pre-integrated solution stacks. This speeds up time to value and simplifies software development, distribution, and management.

File Management Appliance/VE for High Availability

VMware High Availability (HA) provides high availability for FMA/VE across a virtualized environment. With the failover protection against hardware and operating system failures that VMware HA delivers, FMA/VE can offer a disaster recovery solution.

Depending on the environment, VMware HA features require:

◆ Virtual Center 2.5 for ESX 3.5

◆ vCenter Server 4.0 for ESX 4.0

Information on configuring the VMware HA is provided in the VMware documentation at:

http://www.vmware.com/products/high-availability/

FMA/VE requirements

The technical specifications are as follows:

◆ Assigned virtual processors: Two 64-bit Virtual CPUs

◆ Allocated disk: 150 GB

◆ Allocated memory (RAM): 4 GB

◆ VMware tools installed: Yes

◆ Software installed: Rainfinity® File Management Appliance/VE 7.3

Virtual Appliance Account Information

◆ Username: root

◆ Password: rain

Hardware and firmware requirements for 64-bit guest operating systems:

http://kb.vmware.com/selfservice/viewContent.do?externalId=1901

FMA/VE tasks

FMA/VE may be used to run several different tasks:

◆ Archiving

◆ Deleting

◆ Auxiliary tasks such as stub scanning, backup, and NAS migration

For archiving and deleting, the software leverages a policy engine to define which files should be archived or deleted. Users can combine and evaluate multiple rules together in a single policy. Several rule types for archiving and deleting are included.

Before running the archive, delete, or NAS migration task, running a simulation allows administrators to review real-time results without executing the task. The results will return an aggregated summary of total files matched, total bytes potentially archived, and an optional list of files stored on the disk. It is a good practice to run a simulation to gain insight into the efficiency of a task before running the task. This is particularly important for delete tasks, since these tasks remove data.

Once an archive task is run, results are displayed in a report. Figure 1 on page 16 is an example of an archived report.

Figure 1 Archived report example

Archive tasks may be one of three types:

◆ Archive (with policy) — Archives all regular (non-stub) files. Files are selected for archiving based on the archive policy.

◆ Multi-tier (with policy) — For this archiving task, all regular and stub files are evaluated with the multi_tier policy. If a regular file matches the policy, it is archived. If a stub file matches the policy, archived data is moved to a different repository and the stub is updated to point to the new location.


◆ Multi-tier stub (with policy) — For this archiving task, only stub files are evaluated with the multi_tier_stub policy. If a stub file matches the policy, archived data is moved to a different repository and the stub is updated to point to the new location. Otherwise, the archived data remains in the current repository.

Delete tasks may be one of two types:

◆ Delete orphan with policy — Deletes orphans on primary storage that match the delete_orphans policy.

◆ Delete stub with policy — The delete stub task deletes stubs that match the delete_stubs policy. Stubs on primary storage and files on the second tier that are either not under or no longer under retention are automatically deleted.

Auxiliary tasks are:

◆ Scan stubs — When a file is archived, a stub file remains on the source and an entry is added to the FMA database, mapping the name and location of the archived file to its stub. The stub scanning task scans for stubs in the FMA database that are no longer present on the source. When a stub has not been detected for 30 or more days, the archived file is designated as an orphan.

◆ Backup — The backup task performs periodic backups of data. It is a good practice to schedule backup tasks as part of a regular maintenance program.

◆ NAS Migration — NAS migration moves all archived data from one NAS repository to a new repository, which may be a NAS repository or an EMC Centera. All stub files pointing to this data will be updated to point to the new location.

The File Management software also has the capability to recover stub files accidentally deleted by client systems. It can even recover prior versions of files archived to any secondary storage destination.

Using FMA/VE

As with all EMC® Rainfinity software, once the appliance has been deployed on the network, the administrator can manage data through the FMA/VE graphical user interface (GUI) or command line interface (CLI). To start using the GUI, follow instructions provided in “Graphical user interface” on page 26. The online help documents all GUI pages and provides procedural steps to help the user navigate around FMA/VE.

Technical system details that are not GUI related but are required to configure the FMA/VE are provided in the following chapters and appendixes:

◆ “Deploying the File Management Appliance/VE” on page 19

◆ “File Management System Settings” on page 45

◆ “Network Topology Scenarios” on page 65

Chapter 2 Deploying the File Management Appliance/VE

This chapter contains the following sections:

◆ File Management deployment process

◆ Installing the virtual appliance

◆ Virtual Appliance setup

◆ Configuring FMA/VE

◆ Graphical user interface

◆ Command line interface

◆ Using FMA/VE with the Celerra Data Mover as a source

◆ Configuring a NAS-based repository

◆ Using FMA/VE with the EMC Centera

◆ Backing up the configuration

◆ Database Maintenance

◆ UPG upgrade

File Management deployment process

Figure 2 on page 20 illustrates the Rainfinity File Management Appliance/VE deployment process.

Figure 2 Rainfinity File Management process

The top of the flowchart describes deploying the FMA/VE in various environments. “Virtual Appliance setup” on page 24 outlines this process.

The steps in the three boxes at the bottom of the flowchart are performed using the File Management GUI. These are documented in the File Management online help.

Flowchart boxes in Figure 2 and the steps listed in each:

File Management Setup
1. Configure FMA networking
2. For Celerra-Centera archiving, initialize recall services

Celerra to Centera Configuration
1. Configure FileMover API
2. Configure name resolution for recall
3. Configure DHSM

Celerra to NAS Configuration
1. Configure FileMover API
2. Configure DHSM

File Management Configuration
1. Configure primary NAS
2a. Configure NAS repositories
2b. Configure non-NAS repositories

Define Policies
1. Create file matching expressions and archive destinations
2. Specify policy type, retention, delayed stubbing, stub retention (as applicable)

Run Archive Simulation (Optional)
1. Collect real-time results in FMA
2. Review policy efficacy against real-time results

Schedule Task
1. Create an archive, delete, or auxiliary task
2. Select source (as applicable)
3. Select archive conditions or start times (as applicable)

Execute Archiving Policy
1. Determine optimal task scheduling
2. Monitor archiving activity for errors

Installing the virtual appliance

FMA/VE is installed on the VMware server. Table 1 on page 21 shows the interoperability.

Table 1 VMware and ESX Server interoperability with FMA/VE

VMware ESX Server | Comments
ESX 3.5 Update 3, ESXi 3.5 Update 3 | 2 virtual CPU, 4 GB of RAM, 150 GB of disk space, 2 Gigabit virtual interfaces are reserved. 64-bit Intel hardware with VT support (EM64T and VT in the chip and BIOS) is required.
ESX 4.0, ESXi 4.0 | 2 virtual CPU, 4 GB of RAM, 150 GB of disk space, 2 Gigabit virtual interfaces are reserved. 64-bit Intel hardware with VT support (EM64T and VT in the chip and BIOS) is required.

This example shows the steps to install the FMA/VE virtual appliance on an ESX 3.5 host:

1. Unzip the ZIP file to create the directory for your virtual appliance. The ZIP file contains the .OVF file and .VMDK file.

2. Open the Virtual Infrastructure (VI) Client.

Review the ESX Server’s resource usage. To install the FMA/VE, the ESX server must have a minimum of:

• Two 64-bit Virtual CPUs (vCPU)

• 4 GB memory

• 150 GB disk

a. To find the appliance with the most free space, consider %CPU and %Memory.

b. Select the line for the ESX server: 10.10.35.101. A summary of the CPU, Memory, and Datastore capacities appears.

This ESX server has enough CPU and Memory available to install the FMA/VE.

3. Import the OVF file. Instructions differ depending upon VMware version.

a. For ESXi 3.5, from the VI Client, select File > Virtual Appliance > Import.

b. For ESX 4.0, from the VI Client, select File > Deploy OVF Template.


4. Using the Import from file selection, type the path to the OVF file or click Browse to locate the file.

5. After answering a few basic questions, the summary screen appears. Validate the information and click Finish.

6. The import may take 3–30 minutes depending on the network connection between the VI Client and the VMware ESX Server. Approximately 600 MB will initially be transferred across the network.


Note: If FMA will be configured for Celerra to EMC Centera archiving, use Recall Settings as described in step 3 of “Adding a Celerra to the FMA/VE configuration” on page 28 to configure the single set of credentials for recall before running ccdsetup.sh as described in “Configuring FMA/VE for Celerra to EMC Centera archiving” on page 30.

Virtual Appliance setup

After the virtual appliance is installed, but before performing tasks, both the virtual machine and the file management software must be properly configured.

◆ To configure the virtual machine, follow instructions provided in “Installing the virtual appliance” on page 21.

Then proceed to configure the FMA/VE for your environment as described in:

◆ “Configuring FMA/VE” on page 25

◆ If the system requires security hardening or any other special configuration, Chapter 3, “File Management System Settings,” provides information for all system settings.

◆ “Using FMA/VE with the Celerra Data Mover as a source” on page 28

◆ “Configuring a NAS-based repository” on page 36

◆ “Using FMA/VE with the EMC Centera” on page 38


Configuring FMA/VE

Before proceeding with the setup, ensure that you have the following information for the File Management Appliance/VE:

◆ IP address

◆ Netmask

◆ Hostname

◆ Default gateway IP

◆ DNS server IP (optional)

To set up the FMA/VE:

1. Power on the virtual machine.

2. Log in to the appliance. Type root as the login name. Type rain as the password.

The Rainfinity File Management setup tool appears. This tool performs basic setup tasks that are not available through the File Management GUI.

3. Select Change File Management Appliance Password, and change the password.

4. Select Configure Date and Time to set the time zone and date for the Rainfinity appliance.

5. Select Configure File Management Networking. The network configuration menu appears. Use the menu to change interface settings or set global settings such as hostname, domain, and DNS servers.

Configuring networking

To configure networking:

1. Select option 1 from the network configuration menu. The File Management Network Setup, Main Menu appears.

On the list of available physical interfaces on the appliance, eth0 will be highlighted. To highlight a different interface, use the up arrow and down arrow keys.

2. With eth0 highlighted, press Enter. The configuration menu for the eth0 interface appears:

• Use the up arrow and down arrow keys to highlight the IP address field. Press Enter and type a new IP address value into the New Value column. Press Enter.

• Repeat the process to provide the Network Mask, Gateway, and MTU settings.

3. When the configuration for this interface is complete, press the left arrow to exit the eth0 interface configuration. To save the interface configuration, highlight Yes and press Enter. Note that the changes are saved, but will not be committed until the File Management Network Setup menu is exited.

4. Press the left arrow to exit from the File Management Network Setup menu. When prompted, select Yes to commit your changes.


Configuring the hostname, domain, and DNS server

Configure the hostname, domain, and DNS servers:

1. Select option 2 from the network configuration menu. The following menu appears:

EMC Rainfinity Setup Tool (Configure Hostname, Domain and DNS Server(s))

Hostname = rs
Domain =
DNS Server =

Do you want to change the configuration [N]?

2. Select Y. Use the menu to configure the hostname, domain, and DNS servers.

3. The new hostname, domain, and DNS server information will be summarized after all the changes are entered, and you will be given the ability to accept or make further changes to these settings. To keep the new settings and return to the network configuration menu, press Enter.

4. Verify that the network configuration has been committed and network connectivity can be established properly.

Graphical user interface

Rainfinity software is accessible from a web browser. To access the graphical user interface:

1. In the navigation field of the web browser, type the IP address of the Rainfinity appliance.

2. Type the username and password for the default account, which are:

• Username: admin

• Password: rain

Figure 3 on page 26 shows the top view:

Figure 3 File Management header

◆ Schedule — Displays a list of scheduled tasks that are currently being processed and status of each task.

◆ Archived Files — Displays an archived file report. Also provides a search option to find archived files, recover stub files, and delete orphan files.

◆ Policies — Provides options that apply to creating and managing policies including:

• A list of policies, file matching expressions, and NAS destinations.

• Create new policy.


• Create new file matching expression.

• Create new NAS destination.

◆ Configuration — Provides configuration of users, passwords, logging, primary servers, and secondary destination servers.

Command line interface

As an alternative to the GUI, a command line interface may be used to send commands to the Rainfinity daemon.

To log in to the CLI using ssh, the default username and password are:

◆ Username: root

◆ Password: rain

For the FMA/VE, the most commonly used commands are:

◆ fmsupportdump — Creates a dump of the FM appliance's current state for Rainfinity support.

◆ rffm — Configures the FM Appliance and issues all commands that the GUI interface supports. To see a list of all commands available, type rffm --help or to view the man page for more detailed help, type man rffm.

◆ fmbackup/fmrestore — Backs up and restores the configuration as described in “Backing up the configuration” on page 39.

◆ rssystat — Displays statistics about the FM appliance.

Man pages for the command line tools are stored in the Rainfinity software installation directory. To access the man pages, type man command_name, as in man rssystat.


Using FMA/VE with the Celerra Data Mover as a source

To use the FMA/VE with a Celerra Data Mover, first perform configuration steps on the FMA/VE, and then on the Celerra Control Station (CS).

Adding a Celerra to the FMA/VE configuration

To configure the FMA/VE to add the Celerra Data Mover:

1. Using the FMA/VE GUI, click the File Servers link on the Configuration tab. The File Server List appears. Click New.

2. On the File Server Properties page that appears, select Celerra from the Type list box.

3. Click Recall Settings. The Recall Settings page appears.

Type the username and password for FileMover API authentication.

Note: Use this same username and password when creating the FileMover API user in step 2 of “Pre-archiving tasks on the Celerra Control Station” on page 32.


4. Specify the following for the Celerra FileMover:

• Basic File Server Information — Type the Celerra name and select the DART version from the list. If the Data Mover will be involved in CIFS archiving, the NetBIOS name of the CIFS server must be used. Do not use the Fully Qualified Domain Name (FQDN) or IP address.

Note: To identify the Celerra as a Virtual Data Mover, select the checkbox. Virtual Data Movers only support the CIFS protocol.

• IP Addresses — Type the Celerra Data Mover IP address.

– When editing an existing server, click Update to retrieve the IP address from the DNS based on the server name.

– To specify an additional IP address, click Add. The IP address will be added to the list.

– To delete an existing IP address, select an IP and click Delete.

• Control Station — For DART 5.6, type the IP address of the Celerra Control Station. This will allow the FMA/VE to automatically perform some pre-configuration steps for archiving. If this field is empty, the FMA/VE will take no action and the pre-configuration steps must be performed manually.

• CIFS Specific Settings — This is the Windows domain user to be used by the Rainfinity appliance. The domain user must be a member of the local administrator’s group on the Celerra. “Windows domain user” on page 89 provides more information.

Note: The CIFS credential is not required if the Celerra performs only NFS archiving.

• Celerra as Source — This option configures the FMA/VE to archive data from the Celerra Data Mover. If more than one FMA/VE is connected to the same Celerra Data Mover, configure only one FMA/VE with this option. This option is only required if the Celerra is serving as a source for archiving.

CAUTION! If more than one FM appliance is configured to archive data from a single Celerra Data Mover, data loss may occur.

• Celerra Callback Agent Settings

This option is required if archiving to an EMC Centera. For the DNS name, type the FQDN of the Celerra Callback DNS entry. Note that the FQDN is case-sensitive.

• Atmos Callback Agent Settings

This option is not available for FMA/VE.

• Directory Exclusion List — These are the directories to exclude for all tasks. Rainfinity ignores all system directories such as etc, lost+found, and ckpt by default.

5. Click Commit to define the Celerra FileMover.


Configuring FMA/VE for Celerra to EMC Centera archiving

To archive from a Celerra to an EMC Centera, configure the Celerra Callback Service so that Rainfinity is in the recall path.

Configure the Celerra Callback Service to recall from EMC Centera

To configure recall from the EMC Centera:

1. From the console on the FMA/VE which is the primary callback agent, log in as root.

2. Type ! to escape to the command line and type:

/opt/rainfinity/filemanagement/bin/ccdsetup.sh init_rffm

3. When the message appears:

By default the Celerra Callback Daemon will connect to the File Management service on the local machine.

Do you wish to configure another File Management Machine? (y/n)

Type N.

Note: If an invalid IP address is provided, the CelerraCallbackDaemon.stdout file located in /var/log/rainfinity/filemanagement will fill with errors indicating that there was no response from the primary agent. To correct the problem, repeat instructions starting from step 2.

Configure name resolution

When the Celerra Data Mover needs to establish a connection to the FMA/VE to recall data from an EMC Centera, it will try to resolve the FQDN from the HTTP DHSM connection in its local hosts file. If it cannot be resolved locally, the Data Mover will use DNS:

◆ To use local hostname resolution:

a. Log in to the Celerra Control Station as root and mount the Data Mover to edit the local hosts file with vi:

mount server_2:/ /mnt/source
cd /mnt/source/.etc
vi hosts

where server_2 is the name of your Celerra Data Mover.

b. The edited file will appear similar to the following, where rainccd.domain is the FQDN that will be used to create the HTTP DHSM connection described in “Celerra Callback Agent Settings” on page 29:

10.0.0.1 rainccd.domain # CCD on FMA

c. Save the file and confirm that the Celerra Control Station is unmounted from the Data Mover:

cd ~
umount /mnt/source

Note: A bug in versions of DART 5.5 prior to 5.5.33.204 will prevent Data Movers from properly resolving hostnames using the local hosts file. Upgrade to the latest version of DART 5.5 if local hostname resolution will be used to identify the CCD.


◆ If local hostname resolution on the Data Mover is not going to be used, create a DNS entry for the Callback Daemon that points to the FMA. Select the checkbox for Create associated pointer (PTR) record to ensure that it will be included in the Reverse Lookup Zones list.

Note: The Celerra FileMover supports DNS HA failover. If the DNS server resolves the callback daemon hostname to multiple IP addresses, the Celerra FileMover transparently switches to the server at the next available IP address.

Prerequisites for using Celerra as an archiving source

To archive data from a Celerra Data Mover, the FMA/VE will require access to the FileMover API (TCP port 5080).

To archive NFS data, the FMA/VE will require:

◆ Mount v3 RPC service

◆ NFS v3 RPC service

◆ NLM v4 RPC service

◆ Root and read/write export permissions for all NFS data that will be archived

To archive CIFS data, the FMA/VE will require:

◆ SMB over NetBIOS (TCP port 139)

Direct command line access to the Celerra Control Station is not used by the FMA.
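A pre-flight check for the prerequisites listed above, added here as an example and not part of the EMC guide: it reads `rpcinfo -p` output for the Data Mover and reports which of the required Mount v3, NFS v3 and NLM v4 services are not registered, and can also test TCP ports 5080 and 139. The function names, the `CELERRA_DM` variable and the sample output are constructed for illustration; it assumes `rpcinfo`, `bash` and `timeout` exist on the host it runs from.

```shell
#!/bin/sh
# Required RPC services from the prerequisites list, as name:program:version.
# 100005, 100003 and 100021 are the standard ONC RPC program numbers for
# mountd, nfs and nlockmgr (NLM).
REQUIRED_RPC="mount:100005:3 nfs:100003:3 nlm:100021:4"

# missing_rpc_services: reads `rpcinfo -p` output on stdin and prints one line
# ("<name> v<version>") per required service that is not registered.
# Exit status is 0 when nothing is missing and 1 otherwise.
missing_rpc_services() {
    awk -v required="$REQUIRED_RPC" '
        BEGIN { n = split(required, req, " ") }
        # Data rows are: program vers proto port service (header row is skipped).
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { seen[$1 ":" $2] = 1 }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                split(req[i], f, ":")
                key = f[2] ":" f[3]
                if (!(key in seen)) { print f[1] " v" f[3]; rc = 1 }
            }
            exit rc
        }'
}

# tcp_open HOST PORT: succeeds if a TCP connection opens within 3 seconds.
tcp_open() {
    timeout 3 bash -c ': </dev/tcp/"$1"/"$2"' _ "$1" "$2" 2>/dev/null
}

# check_celerra_prereqs HOST: live check of the Data Mover at HOST.
# Port 139 matters only when CIFS data will be archived.
check_celerra_prereqs() {
    host=$1
    status=0
    for port in 5080 139; do          # FileMover API, SMB over NetBIOS
        if tcp_open "$host" "$port"; then
            echo "ok:      tcp/$port reachable"
        else
            echo "MISSING: tcp/$port not reachable"
            status=1
        fi
    done
    missing=$(rpcinfo -p "$host" | missing_rpc_services) || status=1
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/MISSING: rpc /'
    return "$status"
}

# Constructed sample of `rpcinfo -p` output: NLM is registered only as v1 and v3.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100005    1   udp   1234  mountd
    100005    3   tcp   1234  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
EOF
}

# Live run only when a Data Mover address is supplied, e.g. CELERRA_DM=<data_mover_ip>.
if [ -n "${CELERRA_DM:-}" ]; then
    check_celerra_prereqs "$CELERRA_DM"
fi
```
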


When configuring a Celerra Data Mover on the FMA, plan to provide:

◆ Credentials for a FileMover API user. This single set of credentials is used for both archive and recall.

◆ (For CIFS archiving only) Credentials for local administrator access through CIFS.

◆ (For CIFS archiving only) The NetBIOS name of the filer.

Note: The file system access policy must be native.

Pre-archiving tasks on the Celerra Control Station

If a Celerra has not been configured as a source for archiving, perform the following steps:

1. Enable filename translation on the Celerra Control Station.

The File Management Appliance (FMA) expects all filenames to come from the Celerra Network Server in UTF-8 format. To preserve filenames correctly, perform the following:

a. Log in to the Celerra Control Station as nasadmin.

b. Use a text editor to open the file: /nas/site/locale/xlt.cfg.

c. Locate the last line of the file. Typically the last line appears as:

::::8859-1.txt: Any thing that didn’t match above will be assumed to be latin-1

Add the following line immediately above the last line:

::FMA_IP_ADDR::: FMA requires no translation (UTF-8)

where FMA_IP_ADDR is the IP address of your FMA.

d. To update the configuration, type:

/nas/sbin/uc_config -update xlt.cfg

e. To verify the new configuration, type:

/nas/sbin/uc_config -verify FMA_IP_ADDR -mover ALL

where FMA_IP_ADDR is the IP address of your FMA. Output will appear in the format:

server_name : FMA_IP_ADDR is UTF-8

2. Create the FileMover API user. Log in to the Celerra Control Station CLI as root and type the command:

/nas/sbin/server_user <data_mover> -add -md5 -passwd <user>

For example: /nas/sbin/server_user server_2 -add -md5 -passwd rffm

3. Allow the IP addresses of the FMA/VE to open connections to the FileMover interface. While logged in to the Celerra Control Station as an administrator (such as “nasadmin”), run the following command for all IP addresses of all Rainfinity appliances that will perform archiving or service recall requests for the Data Mover:

server_http <data_mover> -append dhsm -users <user> -hosts <ip_address>

For example: server_http server_2 -append dhsm -users rffm -hosts 192.168.0.100,192.168.0.101,<FMA_IP_address>


Note: A single Celerra Data Mover can be configured in multiple FMAs as an archiving source, but more than one FMA/VE should never be used to archive data from a single file system. Particular care should be taken in this scenario. Read the Stub Scanner and Orphan File Management sections of the File Management best practices guide for additional information.

4. Enable DHSM (FileMover) for the Data Mover. This is disabled by default with Celerra DART 5.6 and later. This command must be run once to enable DHSM and persists across Data Mover reboots.

server_http <data_mover> -service dhsm -start

5. Enable DHSM for specific file systems that will be used as archiving sources. This command must be run once per file system to enable DHSM and persists across Data Mover reboots.

fs_dhsm -modify <primary_fs> -state enabled

For example: fs_dhsm -modify fileSystem1 -state enabled

6. Ensure that the DHSM offline attribute is enabled for file systems that will be used for archiving.

• To verify that the offline attribute is on, run the command:

fs_dhsm -i <fs_name> | grep 'offline attr'

If the offline attribute is on, the following line will appear:

offline attr = on

• If the offline attribute is off, turn it on with the command:

fs_dhsm -m <fs_name> -offline_attr on

Create one or more connections from the Data Mover to the secondary storage locations for each file system that will be archived. Each CIFS or NFS repository used to store archived data needs to be configured as a DHSM connection for the Celerra file system. If data will be archived to an EMC Centera, a DHSM connection using the HTTP protocol needs to be configured for the file system.
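Steps 1c to 1e of the procedure above in script form, added here as an example and not part of the EMC guide: it inserts the FMA line immediately above the last non-blank line of xlt.cfg, does nothing if an entry for that address already exists, keeps a .bak copy, and checks the uc_config -verify output against the format shown in step 1e. The function names and the `FMA_IP_ADDR` environment variable are assumptions; the file path, commands and line text come from the steps above.

```shell
#!/bin/sh
XLT_COMMENT="FMA requires no translation (UTF-8)"   # comment text from step 1c

# add_fma_xlt_entry FILE FMA_IP
# Inserts "::FMA_IP::: <comment>" above the last non-blank line of FILE (the
# catch-all rule), so the FMA address is matched before the latin-1 default.
add_fma_xlt_entry() {
    cfg=$1
    ip=$2
    # Accept only a dotted-quad address so nothing unexpected is written.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "invalid IPv4 address: $ip" >&2
        return 2
    }
    [ -s "$cfg" ] || { echo "missing or empty file: $cfg" >&2; return 2; }

    # Idempotent: an entry for this address is already present.
    if grep -Fq "::${ip}:::" "$cfg"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    cp -p "$cfg" "$cfg.bak" || { rm -f "$tmp"; return 1; }
    awk -v entry="::${ip}::: ${XLT_COMMENT}" '
        { line[NR] = $0; if ($0 !~ /^[ \t]*$/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print entry
                print line[i]
            }
            if (!last) print entry      # file held only blank lines
        }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# all_movers_utf8 FMA_IP: reads `uc_config -verify FMA_IP -mover ALL` output on
# stdin; succeeds only if there is at least one line and every non-blank line
# reads "<server_name> : FMA_IP is UTF-8".
all_movers_utf8() {
    awk -v ip="$1" '
        /^[ \t]*$/ { next }
        {
            n++
            if (NF != 5 || $2 != ":" || $3 != ip || $4 != "is" || $5 != "UTF-8")
                bad = 1
        }
        END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Live run on the Control Station only when FMA_IP_ADDR is set in the environment.
if [ -n "${FMA_IP_ADDR:-}" ]; then
    add_fma_xlt_entry /nas/site/locale/xlt.cfg "$FMA_IP_ADDR" &&
    /nas/sbin/uc_config -update xlt.cfg &&
    /nas/sbin/uc_config -verify "$FMA_IP_ADDR" -mover ALL |
        all_movers_utf8 "$FMA_IP_ADDR" &&
    echo "xlt.cfg updated and verified for $FMA_IP_ADDR"
fi
```
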

Configuring automatically created DHSM connections

The FMA/VE can automatically create DHSM connections for Celerra systems running DART 5.6. To configure this feature, perform the following steps on the Celerra and the FMA:

1. Check to see if the XML API server is running. As root user on the Celerra, type:

ps -ef | grep start_xml_api_server | grep -v grep

The following example shows a server that is already running:

[root@celerra01 sbin]# ps -ef | grep start_xml_api_server | grep -v grep

root 14821 3226 0 15:41 ? 00:00:00 /bin/sh /nas/sbin/start_xml_api_server

• If it is running, restart the server by typing:

/nas/sbin/hup_api

• If it is not running, start the server by typing:

/nas/sbin/start_xml_api_server

If it fails to start or restart:

• Delete the file /nas/api/exit_now


• Delete the file /nas/api/api_retry

• Repeat the process to check if the server is running and to start it.

If the XML API server still fails to start, contact Celerra support.

2. Start the DHSM HTTP server on the Celerra:

server_http <data_mover_name> -service dhsm -start

3. Create a new system user for the XML API and FileMover API operations. Use the API GUI on the Celerra Control Station:

a. Log in as root and select: Security > Administrators > Users > New.

The New User screen appears.

b. Define a new system user:

– In the root group.

– With client access option XML API v2 allowed.

This is the user for FileMover API Settings on the FMA. Use the same username and password defined for the FileMover API user in step 2 of “Pre-archiving tasks on the Celerra Control Station” on page 32. If the user cannot be added to the root group, alternatively the filemover group can be used.

4. Define Celerra Data Mover properties on the FMA. “Adding a Celerra to the FMA/VE configuration” on page 28 describes the following properties in greater detail:

• For Control Station, provide the Control Station IPs for DART 5.6.

• For FileMover Settings, type the username and password created for the new system user.


• For the Celerra Callback Agent Settings, create any username and password. The system will use this username and password to create an HTTP connection using XML API.

If DHSM connections do not exist, the FMA/VE will automatically create the connections before running each archiving task.

Configuring manually created DHSM connections

DHSM connections must be created manually if any of the following conditions apply:

◆ DART 5.6 is not being used

◆ DART 5.6 is being used, with an NFS exported file system on a VDM

◆ FMA/VE is not being used to automatically create DHSM connections

Commands to create the connection for different archiving scenarios are provided as follows:

◆ When archiving CIFS data to NAS, you will archive to a CIFS repository configured in FMA. Create a connection to each CIFS repository that will hold archived data. This setting applies to any repository that is part of a multi-tier destination. Log in to the CLI of the Celerra Control Station and type the command:

fs_dhsm -connection <primary_fs> -create -type cifs -admin '<fqdn>\<domain_administrator>' -secondary '\\<fqdn_of_secondary_server>\<repository_path>' -local_server <local_cifs_server>

For example: fs_dhsm -connection fileSystem1 -create -type cifs -admin 'mydomain.prv\administrator' -secondary '\\oldServer.mydomain.prv\FMA\' -local_server ns80dm1

Note: Use the apostrophe instead of quotation marks to encapsulate the CIFS administrative username and UNC path of the secondary storage location.

◆ When archiving NFS data to NAS, you will archive to an NFS repository configured in FMA. Create a connection to each NFS repository that will hold archived data by logging in to the CLI of the Celerra Control Station and type the command:

fs_dhsm -connection <primary_fs> -create -type nfsv3 -secondary '<fqdn_of_secondary_server>:/<repository_path>' -proto TCP -useRootCred True

For example: fs_dhsm -connection fileSystem1 -create -type nfsv3 -secondary 'oldServer.mydomain.prv:/FMA' -proto TCP -useRootCred True

◆ When archiving any type of data to an EMC Centera CAS, recall requests will flow from the Data Mover to the FMA/VE.

To create the connection for an EMC Centera, log in to the CLI of the Celerra Control Station and type the command:

fs_dhsm -connection <primary_fs> -create -type http -secondary 'http://<fqdn for CCD>/fmroot' -httpPort 8000 -cgi n -user <user>

For example: fs_dhsm -connection fileSystem1 -create -type http -secondary 'http://CCD01.mydomain.prv/fmroot' -httpPort 8000 -cgi n -user rffm

When prompted, type a password for the ‘rffm’ user.


These same settings are used in “Adding a Celerra to the FMA/VE configuration” on page 28.

• The fully qualified domain name (FQDN) for the callback daemon is used for “Celerra Callback Agent Settings” on page 29.

• The same user and password credentials are used for Recall Settings in step 3.

Regardless of the type of connection (CIFS, NFS, or HTTP), the target of a connection should be specified as a hostname or FQDN in the command:

fs_dhsm -connection <primary_fs> -create

◆ When a Celerra Data Mover needs to establish a connection to secondary storage, it will first attempt to resolve the hostname in the local hosts file. If the name cannot be resolved locally, a DNS query is issued by the Data Mover.

◆ When archiving to NAS from Celerra, if the local hostname resolution of the Celerra is not going to be used, a DNS A record is required to resolve the FQDN of the secondary storage server to IP addresses. A PTR record (reverse DNS) is also required to map the IP addresses of the secondary storage server to the FQDN.

Note: The Celerra File Level Retention (FLR) enabled file systems cannot be used as an archiving source.

Configuring a NAS-based repository

Use the FMA/VE to configure a Celerra repository on a NAS server.

Note: The FMA/VE must have read and write access to any share or export that may be used as an archive source or destination. In addition, the FMA/VE must have read and write permission for any file that it may archive.

To set up a NAS repository:

1. Using the FMA/VE GUI, click NAS Repository and NAS group on the Configuration tab. The NAS Repository List and NAS Group List page appears. For Create NAS Repository, click New. The Create New NAS Repository dialog box appears.

Figure 4 Create New NAS Repository


2. Specify the following for the NAS repository:

• File Server — Select a file server from the list.

Note: The file server must have a proper DNS entry defined that links the file server name with the IP address.

• Protocol — Select NFS or CIFS.

Note: If the CIFS protocol is selected, use the CIFS user in the file system CIFS DHSM connection string for CIFS Specific Settings when configuring the primary storage on the FMA/VE. “Adding a Celerra to the FMA/VE configuration” on page 28 provides details on configuring this setting.

• Path — Click Browse to select an existing path.

Once the path is specified, a name in the form of Repository at <path> appears in the Name field.

Note: If the CIFS protocol is selected, the repository on the file server must support the CIFS protocol. In other words, the security style of a Celerra repository file system must be mixed, NTFS, or native.

• Maximum limit of disk usage — Type a percentage value for disk usage. Default value is 90%.

3. Click Save Repository. The NAS Repository List dialog box reappears with the new NAS repository listed.

Figure 5 NAS Repository List


Using FMA/VE with the EMC Centera

To configure the FMA/VE to archive to an EMC Centera:

1. Using the FMA/VE GUI, click the File Servers link on the Configuration tab. The File Server List appears. Click New.

2. The File Server Properties page appears. Select Centera from the Type list box. The Centera Properties page appears:

3. Specify the following for the EMC Centera:

• Name — Type the logical name to identify the EMC Centera.

• Access Node IP — Specify the IP address of the EMC Centera access node:

– To specify an additional access node IP, click Add. The IP address will be added to the list and will be added as an entry in the Access Node String field.

– To delete an existing node, choose a node IP and click Delete.

• Access Node String — This is automatically generated when the Access Node IP address is added or deleted. You cannot enter data by typing directly into the field.

• Authentication — Select from one of three choices:

– Anonymous — If selected, no security is used to authenticate with the EMC Centera.

– User profile — If selected, type the username and password of the EMC Centera Profile that is to be used for archiving.

– PEA file — This option requires that a Profile and Pool Entry Authorization (PEA) file was created to access the EMC Centera, and that a copy of the PEA file resides on the File Management appliance. If selected, the Pool Entry Authorization (PEA) file is used to authenticate the File Management connection with the EMC Centera. Type the path to the file on the local machine or browse for the file. A copy of the file will be stored with the File Management configuration.

4. Click Commit to define EMC Centera.


Backing up the configuration

The FMA/VE contains configuration information and critical database tables. If data on an FMA/VE is lost, the FMA/VE software must be reinstalled and the last backup copy of the configuration and database tables must be restored. For this reason, nightly backups of the FMA/VE configuration and the critical database tables are highly recommended.

Note: Task and simulation log files are not included in a backup. To preserve these files, copy the /opt/rainfinity/filemanagement/log/fws directory to secure storage periodically or before performing a CD clean install.

The backup feature uses the following process:

◆ File Management provides backup scripts to dump appropriate critical data into a gzipped tar file (.tgz).

◆ The user copies the tar file to the EMC Centera machine or to other secure storage.

◆ To perform a disaster recovery, a restoration script reconstructs the system configuration from the tar file.

Creating a backup dump

Regular backups may be scheduled to run automatically using the GUI.

1. On the Configuration tab, select Backup and Recovery Settings.

Under File Management Backup Destination, specify:

• The number of backups — The default value is 5.

• Select Destination — The EMC Centera or NAS repository where the backup files will be stored.

• Select Disaster Recovery Location — The NFS export where the backup catalog file (DBBackup.out) will be stored.

2. On the Schedule tab, select Schedule a new task.

• Under Select Task Type, select Auxiliary and Backup.

• Under Select Start Time, schedule the repeating time for backups to run.

To perform a non-recurring backup or to perform a backup immediately, run the script:

/opt/rainfinity/filemanagement/bin/fmbackup

When the backup is complete, the system will return the message:

Done. The backup has been output into /tmp/DUMPFILE.

where DUMPFILE is a unique filename generated by the backup script.
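The copy-to-secure-storage step of the backup process, as an added shell example (not an EMC script): it reads the dump path from the fmbackup completion message, rejects a corrupt archive, and stores the copy with owner-only permissions and a SHA-256 record. The function names and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FMA/VE software.
# Typical use on the appliance (destination path is a placeholder):
#   dump=$(/opt/rainfinity/filemanagement/bin/fmbackup | backup_path_from_output)
#   stash_backup "$dump" /mnt/secure_backups

# backup_path_from_output: read fmbackup output on stdin and print the path
# from its final "Done. The backup has been output into <path>." line.
backup_path_from_output() {
    sed -n 's/^Done\. The backup has been output into \(.*[^.]\)\.*$/\1/p' | tail -n 1
}

# stash_backup SRC DEST_DIR: verify the .tgz, copy it so that only the owner
# can read it, confirm the copy by digest, and print the stored path.
stash_backup() {
    sb_src=$1
    sb_dest=$2
    sb_name=$(basename "$sb_src")

    if [ ! -f "$sb_src" ]; then
        echo "no such dump file: $sb_src" >&2
        return 1
    fi
    # A truncated dump must not become the only disaster-recovery copy.
    if ! gzip -t "$sb_src" 2>/dev/null || ! tar -tzf "$sb_src" >/dev/null 2>&1; then
        echo "refusing corrupt archive: $sb_src" >&2
        return 1
    fi

    sb_want=$(sha256sum < "$sb_src" | cut -d' ' -f1)
    # The dump holds configuration and database tables, so create the
    # directory and the copy with no group or world access.
    (
        umask 077
        mkdir -p "$sb_dest" && cp "$sb_src" "$sb_dest/$sb_name"
    ) || return 1

    sb_got=$(sha256sum < "$sb_dest/$sb_name" | cut -d' ' -f1)
    if [ "$sb_want" != "$sb_got" ]; then
        echo "digest mismatch after copy: $sb_dest/$sb_name" >&2
        return 1
    fi
    ( umask 077; printf '%s  %s\n' "$sb_got" "$sb_name" > "$sb_dest/$sb_name.sha256" )
    echo "$sb_dest/$sb_name"
}
```

The recorded digest can be checked with sha256sum -c before the file is handed to fmrestore.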

Restoring a backup dump

Backups are typically restored after a system failure. To restore a backup, start with a freshly installed FMA/VE. Steps are performed both using the GUI and from the command line:

1. Configure FMA/VE networking. “Configuring networking” on page 25 provides details.

2. Configure the hostname, domain, and DNS servers. “Configuring the hostname, domain, and DNS server” on page 26 provides details.

3. Using the FMA/VE GUI, configure the destination for the restored files.

• If the backup files were archiving to an EMC Centera, configure an EMC Centera. “Using FMA/VE with the EMC Centera” on page 38 provides details.

• If the backup files were archiving to a NAS repository, configure a NAS repository. “Configuring a NAS-based repository” on page 36 provides details.

4. Mount the NFS export where the backup catalog file (DBBackup.out) is stored. This is the Disaster Recovery Location described in step 1 of “Creating a backup dump” on page 39.

5. Copy DBBackup.out to /opt/rainfinity/filemanagement/conf.

6. On the Configuration tab in the FMA/VE GUI, select Backup and Recovery Settings.

Under Recover File Management, select the .tgz file to restore and click Restore. The backup file will be restored to /var/fmrestore.

7. Using database information from DBBackup.out, a restoration script will reconstruct the system configuration from the .tgz file. To run the script, type:

/opt/rainfinity/filemanagement/bin/fmrestore <backup_file.tgz>

As the restoration occurs, the system will prompt for input to:

• Confirm restoration.

• Start the Callback Daemon.

For each question, answer yes. When asked if you want to add another server, answer no.

If restoring data to the same machine, the software will automatically restart at the conclusion of the restoration process. If restoring data to a different machine, the FMA/VE must be manually restarted. Also, original network configuration files, such as /etc/hosts, may need to be manually edited to reflect the new IP and hostname of the new machine.

Typical output of the fmrestore script is as follows.

[root@fm2 bin]# fmrestore /var/fmbackup_7.3_fm2.Sun_27-09-09_08_13.tgz
Expanding /var/fmbackup_7.3_fm2.Sun_27-09-09_08_13.tgz in /var...
This will overwrite your configuration and database. Are you sure?
Press any key to continue or abort now...

Stopping FileManagement GUI...
Stopping Tomcat server [ OK ]
Stopping FileManagement...
Stopping File Management watchdog [ OK ]
Stopping File Management [ OK ]

Empty the current database...

Restore configuration and database...

Starting ntpd:

Starting FileManagement GUI...
Starting Tomcat server [ OK ]

Starting FileManagemnt...
Starting rslogd (already running): [ OK ]
Starting rslogd Monitor (already running): [ OK ]
Starting File Management [ OK ]
Starting File Management watchdog [ OK ]
rssystatd is running

Do you want to setup FPolicy Callback Service, y/n?y
Warning: configuration file, /opt/rainfinity/filemanagement/conf/fcd.xml, already exists. If you select to remove it, all the previous configurations will be missing.

Do you wish to remove and recreate it? (y/n)y
Stopping FPolicy Server watchdog [ OK ]
Stopping FPolicy Server [ OK ]
Configuration file removed.

By default the FPolicy Callback Daemon will connect to the File Management service on the local machine.

Do you wish to configure another File Management machine? (y/n)n
Configuring FPolicy callback for File Management machine(s):127.0.0.1

Since there is only one interface, (10.10.9.56/255.255.255.192), it will be used to receive FPolicy callbacks from NetApp.

FPolicy Callback Daemon successfully set up.

System service, fpolicycallback, enabled.

Starting rslogd (already running): [ OK ]
Starting rslogd Monitor (already running): [ OK ]
Starting FPolicy Server [ OK ]
Starting FPolicy Server watchdog [ OK ]
NOTE: Use the rsconfig command to add newly configured File Management IP addresses as passthrough clients on all Rainfinity GFV nodes. Online help for the Stub Awareness Configuration provides information on how to use the rsconfig command.

Do you want to setup Celerra Callback Service, y/n?y
Warning: configuration file, /opt/rainfinity/filemanagement/conf/ccd.xml, already exists. If you select to remove it, the previous configurations will be missing.

Do you wish to remove and recreate it? (y/n)y
Stopping celerracallback Server watchdog [ OK ]
Stopping celerracallback Server [ OK ]
Configuration file removed.

By default the Celerra Callback Daemon will connect to the File Management service on the local machine.

Do you wish to configure another File Management machine? (y/n)n
Configuring Celerra callback for File Management machine(s):127.0.0.1

quiet is set to 0
Since there is only one interface, (10.10.9.56/255.255.255.192), it will be used to receive CelerraDaemon callbacks from Celerra.

Initialized encryption key from file
Celerra Callback Daemon successfully set up.

System service, celerracallback, enabled.

Starting rslogd (already running): [ OK ]
Starting rslogd Monitor (already running): [ OK ]
Starting celerracallback Server [ OK ]
Starting celerracallback Server watchdog [ OK ]
NOTE: Use the rsconfig command to add newly configured File Management IP addresses as passthrough clients on all Rainfinity GFV nodes. Online help for the Stub Awareness Configuration provides information on how to use the rsconfig command.

Database Maintenance

After archiving millions of files, archiving tasks may become slow as the number of entries in the archival database grows larger. To improve performance, use an FMA/VE process to clear the database of unused entries and re-index the entries that remain.

The database maintenance process can take several hours and while the process is running, the File Management daemon must be halted and the GUI may not be used. System administrators should plan to run database maintenance when the FMA/VE is not needed.

Note: Recalls are not interrupted by database maintenance.

Start database maintenance from the console of the FMA/VE by typing:

/opt/rainfinity/filemanagement/bin/rffm doDBMaintenance

A script will stop the File Management daemon and GUI, run the database vacuum process, and then restart the daemon and the GUI. The output of the process is available from: /opt/rainfinity/filemanagement/conf/DBMaintenance.log.

UPG upgrade

Minor version changes require only a UPG upgrade. This upgrade changes the core packages:

1. If the FMA/VE GUI is running, log out.

2. Stop the File Management daemon with the command:

filemanagement stop

3. Download the FM upgrade file to the root directory on the appliance:

rf_7.3-##.i686.upg

where ## indicates the build number.

4. Back up the FMA/VE configuration with the command:

fmbackup

The process writes a backup file to /var/fmbackup.<machine_name>.<timestamp>.tgz.

Copy the fmbackup file to another system. If needed for disaster recovery, restore the backup with the command:

fmrestore /var/fmbackup.<machine_name>.<timestamp>.tgz

“Restoring a backup dump” on page 40 provides more details on the fmrestore command.

5. Start the upgrade with the command:

/opt/rainfinity/filemanagement/bin/rfupgrade rf_7.3-##.i686.upg

The upgrade process begins with a database pretest script that checks to see if the FMA databases are consistent between the old and new releases. If the pretest finds inconsistencies, the upgrade will exit with a "Failed to upgrade database" error message. Contact EMC technical support to correct the problem before restarting the upgrade.

If no problems are encountered, the process upgrades the executables.

6. Start the File Management daemon.

Note: For large databases, the upgrade between versions (for example, 7.2.5 to 7.3) will require significantly more time than the upgrade within the same version. To avoid any disruption during the upgrade process, it is best to start the File Management daemon from a server that will not be rebooted or shut down.

Type the command:

filemanagement start

There are significant changes to the Celerra configuration for FMA/VE 7.3. After upgrading, follow the procedure in “Using FMA/VE with the Celerra Data Mover as a source” on page 28 before using FMA.

3 File Management System Settings

This chapter contains the following sections:

◆ Security hardening

◆ Configuring the GUI access method

◆ STIG hardening

◆ LDAP client configuration

◆ RADIUS and TACACS+

◆ Certificate management

◆ Appliance mail delivery settings

◆ Log settings

◆ System command accounting

◆ Windows domain user

Security hardening

By default, security hardening is not enabled.

1. To configure security hardening:

a. To start the Rainfinity setup tool, type rfhsetup.

b. Select Configure System Security.

2. A set of security settings options appears. Select Harden Appliance.

The default settings for the items that affect the appliance security level are:

• Use single security database =no

• Disable root logins =no

• Strengthen passwords =no

• Age passwords =no

• Harden to STIG requirements =disabled

If any of the settings is set to a non-default value, security hardening is enabled.

Conversely, when all four settings are “no,” security hardening is disabled and this disabled security level is referred to as the default level.

Note: In addition to the security settings, the GUI access method may also be configured from the Harden Appliance menu. By default, the GUI is accessible over both http and https. Enabling https only or redirecting http to https does not change the appliance setting to hardened.

Single security database

If the single security database setting is enabled, all authentication on the device will go through standard Linux Pluggable Authentication Modules (PAMs). This applies to both GUI and CLI access.

Both the GUI and the CLI provide two types of users:

◆ Admin users belonging to the wheel group and Rainfinity groups

◆ Ops users belonging to the Rainfinity group

CLI users are configured independently from the GUI users.

Admin users

An admin user who is a member of the wheel group and logged in through ssh can su to:

• Create/delete other users

• Run rfhsetup

To add an admin user for access from the CLI:

a. Log in to the Rainfinity appliance as root.

b. Type the following commands:

adduser -G rainfinity,wheel <username>
passwd <username>

Ops users

An ops user belongs to the Rainfinity group.

To add an ops user for access from the CLI:

a. Log in to the Rainfinity appliance as root.

b. Type the following commands:

adduser -G rainfinity <username>
passwd <username>

Linux PAM users

A Linux PAM user is created through the CLI. When a Linux PAM user is logged in to the GUI with the single security database setting enabled, the user’s role (admin or ops) is cached for the duration of the session.

If the administrator changes the user’s setting while the user is logged in, the user’s role will not be refreshed until one of the three following conditions occurs:

◆ User logs out.

◆ GUI is restarted.

◆ Cached user information in the Tomcat server expires due to inactivity.

Adding users with the GUI

To add a new admin or ops user with the GUI:

1. Log in as admin.

2. From the Configuration tab, select Rainfinity Users.

3. Select Add a New User. In the Rainfinity User Properties dialog box that appears:

a. Type the name.

b. Type a new password.

c. Specify the type of user:

– Super User — The admin user.

– Regular User — The ops user.

Note: When the single security database setting is disabled, users created through the GUI are allowed to log in through the GUI but not the CLI. In addition, if the single security database setting is enabled, user accounts cannot be created through the GUI. If the user attempts to invoke the configuration page for Rainfinity Users, a warning will appear.

Disable root logins

If root logins are disabled, the only way to add new users or to run rfhsetup is for an admin user (such as a user who belongs to the wheel group) to log in to the device, and then su to root.

When the disable root logins setting is being changed to yes, Rainfinity checks to ensure that:

◆ There is at least one admin user other than root who belongs to the wheel group. This user must have a configured password.

◆ The wheel users are in the local /etc/group file. Rainfinity ignores LDAP users while performing this check because LDAP servers occasionally become unreachable. The same holds true for RADIUS users.

Note: It is strongly recommended that a small set of admin users are locally configured for each Rainfinity appliance and that the bulk of admin and ops users are configured on an LDAP server. In this way, the management of these users scales to large networks.
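The two conditions checked before root logins are disabled can be verified by hand ahead of time. This is an added shell example, not Rainfinity's own check: the function names are hypothetical, the sample files are constructed, and "configured password" is assumed to mean a shadow entry whose hash field is neither empty nor locked (starting with ! or *).

```shell
#!/bin/sh
# Added example, not part of the FMA/VE software.

# wheel_admins_with_password GROUP_FILE SHADOW_FILE
# Print each member of the wheel line in the LOCAL group file, other than
# root, that has a usable password hash in the shadow file. LDAP and RADIUS
# users never appear in these files, so they are ignored, as in the text.
wheel_admins_with_password() {
    awk -F: '$1 == "wheel" {
                 n = split($4, m, ",")
                 for (i = 1; i <= n; i++)
                     if (m[i] != "" && m[i] != "root") print m[i]
             }' "$1" |
    while IFS= read -r wa_user; do
        wa_hash=$(awk -F: -v u="$wa_user" '$1 == u { print $2 }' "$2")
        case $wa_hash in
            ''|'!'*|'*'*) ;;          # no entry, empty, locked or disabled
            *) echo "$wa_user" ;;
        esac
    done
}

# safe_to_disable_root_logins [GROUP_FILE [SHADOW_FILE]]
# Succeeds only when at least one such local admin exists.
safe_to_disable_root_logins() {
    sd_admins=$(wheel_admins_with_password "${1:-/etc/group}" "${2:-/etc/shadow}")
    [ -n "$sd_admins" ]
}

# write_sample_files DIR: constructed sample data for trying the functions.
# alice is a wheel member with a hash, bob is a wheel member whose account
# is locked, carol has a hash but is an ops user only.
write_sample_files() {
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:root,alice,bob
rainfinity:x:500:alice,bob,carol
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$rootrootrootrootrootro:14500:0:99999:7:::
alice:$1$constructed$alicealicealicealice12:14500:0:99999:7:::
bob:!!:14500:0:99999:7:::
carol:$1$constructed$carolcarolcarolcarol12:14500:0:99999:7:::
EOF
}
```

Run as root with no arguments, safe_to_disable_root_logins reads /etc/group and /etc/shadow on the appliance.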

Strengthen passwords

If the passwd command is run with password strengthening enabled, your new password must be at least eight characters long and satisfy the following requirements:

◆ At least three characters are different from the previous password.

◆ At least one character is an uppercase letter.

◆ At least one character is a number.

◆ At least one character is a special character.

In a clustered environment, run the passwd command on both the primary and backup nodes.

Note: The root user can change any password including its own to any value, regardless of the Password Strengthening setting.

Age passwords

If password aging is enabled, every user (except root) who can log in with a shell account will have an aging password. The root user configures:

◆ When to print a user warning that a password is about to expire.

◆ The maximum number of days a password can remain valid before it must be changed.

◆ How often a password may be changed.

◆ The number of days following password expiration after which the account will be locked. Once an account is locked, only the root user can unlock the account by using the change command to change the age of the password.

Note: If a large number of devices are deployed, a central authentication service (such as LDAP) should be used. Password administration through the central site greatly facilitates user scalability, as one user is not required to log in to every deployed Rainfinity appliance to update an aging password.

Configuring the GUI access method

By default, the GUI can be accessed by both http and https. To change this for the File Management appliance:

1. To start the Rainfinity setup tool, type rfhsetup.

2. Select Configure System Security.

3. A set of security settings options appears. Select Harden Appliance.

4. Select Configure GUI access method:

• To disable access over http, select Only enable GUI access over https.

• To redirect http traffic to https instead of disabling http, select Redirect GUI access over http to https.

STIG hardening

Security Tests Implementation Guide (STIG) is a set of security guidelines issued by the US Department of Defense. These STIG UNIX guidelines define how UNIX/Linux appliances should behave from a security standpoint.

Enabling STIG hardening

Rainfinity provides an option for hardening the appliance to meet the UNIX STIG Guide (Version 5, Release 1). When STIG hardening is enabled, the security settings change as follows:

◆ The user will be required to type the root password to gain access to the Rainfinity appliance in single user mode.

◆ After three consecutive failed login attempts, the account will be disabled. Only the root user can re-enable a disabled account.

◆ The login delay between login prompts will be increased from 2 to 4 seconds.

◆ New passwords are required to be a minimum of nine characters in length.

◆ When changing passwords, the past five passwords cannot be reused as the new password value.

◆ The root account’s home directory will be set to a permission value of 700.

◆ Man page file permissions will be set to 644.

◆ User directories must not contain undocumented startup files with permissions greater than 750 (that is, they must allow write access only for that user).

◆ The system and default user umask must be set to 077.

◆ Access to the cron utility will be restricted using the cron.allow and cron.deny files.

◆ Crontab file permissions above 700 will not be permitted (in the /etc/cron.daily, /etc/cron.hourly, /etc/cron.weekly directories).

◆ The inetd.conf file permissions will be set to 440.

◆ Unnecessary accounts (for example, games and news) will be deleted.

◆ The sysctl.conf file permissions will be set to 600.

To enable STIG hardening on the FM/FMHA appliances, perform the following steps:

1. To start the Rainfinity setup tool, type rfhsetup.

2. Select Configure System Security.

3. Select Harden Appliance.

4. Select Harden to STIG requirements.

5. When prompted with Enable changes to conform to STIG Hardening requirements?, type Y.
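After hardening is enabled, several of the file-permission settings listed above can be spot-checked from the shell. This is an added example, not an EMC tool: the function names and the PREFIX argument are hypothetical, /etc/inetd.conf and /etc/sysctl.conf are assumed to be at their standard locations, and a mode passes when it grants no permission bit beyond the stated value.

```shell
#!/bin/sh
# Added example, not part of the FMA/VE software.

# mode_within ACTUAL LIMIT: true when octal mode ACTUAL grants no bit that
# LIMIT does not grant (640 is within 644; 755 is not within 750).
mode_within() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# check_mode PATH LIMIT: report one path; return 1 when it exceeds LIMIT.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "skip $1 (not present)"
        return 0
    fi
    cm_mode=$(stat -c '%a' "$1")      # GNU stat, as found on Linux
    if mode_within "$cm_mode" "$2"; then
        echo "ok   $1 mode=$cm_mode limit=$2"
    else
        echo "FAIL $1 mode=$cm_mode limit=$2"
        return 1
    fi
}

# stig_audit [PREFIX]: check the settings under PREFIX (empty = live system).
# Prints one line per item and "failures=N"; succeeds only when N is 0.
stig_audit() {
    sa_prefix=${1:-}
    sa_failures=0
    check_mode "$sa_prefix/root" 700            || sa_failures=$((sa_failures + 1))
    check_mode "$sa_prefix/etc/inetd.conf" 440  || sa_failures=$((sa_failures + 1))
    check_mode "$sa_prefix/etc/sysctl.conf" 600 || sa_failures=$((sa_failures + 1))
    for sa_file in "$sa_prefix"/etc/cron.daily/* \
                   "$sa_prefix"/etc/cron.hourly/* \
                   "$sa_prefix"/etc/cron.weekly/*; do
        [ -e "$sa_file" ] || continue           # unmatched glob
        check_mode "$sa_file" 700 || sa_failures=$((sa_failures + 1))
    done
    # The accounts named in the list above should no longer exist.
    for sa_acct in games news; do
        if grep -q "^$sa_acct:" "$sa_prefix/etc/passwd" 2>/dev/null; then
            echo "FAIL account $sa_acct is still present"
            sa_failures=$((sa_failures + 1))
        fi
    done
    echo "failures=$sa_failures"
    [ "$sa_failures" -eq 0 ]
}

# build_sample_tree DIR: constructed tree that satisfies every check,
# for trying the audit away from the appliance.
build_sample_tree() {
    mkdir -p "$1/root" "$1/etc/cron.daily"
    : > "$1/etc/inetd.conf"
    : > "$1/etc/sysctl.conf"
    : > "$1/etc/cron.daily/logrotate"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/etc/passwd"
    chmod 700 "$1/root" "$1/etc/cron.daily/logrotate"
    chmod 440 "$1/etc/inetd.conf"
    chmod 600 "$1/etc/sysctl.conf"
}
```

On the appliance, run stig_audit with no argument as root; a FAIL line after enabling STIG hardening points at a file changed since the hardening was applied.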

Disabling STIG hardening

When STIG hardening is disabled, the security settings change as follows:

◆ No password prompt will be made prior to connecting in single-user mode.

◆ User accounts will not be locked, even after three or more failed login attempts.

◆ The login delay will be set to the current default setting, which is less than 4 seconds at this time.

◆ When changing passwords, the minimum length will be:

• If password hardening is enabled: 8 characters, with at least 1 lowercase, 1 uppercase, 1 digit, and 1 special character.

• If password hardening and STIG hardening are disabled: the new password must be at least six characters long.

◆ When STIG hardening is disabled, the user can reuse previously set passwords.

◆ The /root directory permissions will be reset to 750.

◆ Man page file permissions will be left at 644 (that is, this STIG hardening change will not be undone).

◆ User-directory permissions will not be restored to the value prior to STIG hardening.

◆ The system and default user umask must be set to 022.

◆ Unnecessary groups/accounts that are deleted during STIG hardening will remain deleted even after STIG hardening is disabled.

◆ Access to the cron utility will not be restricted using the cron.allow and cron.deny files.

To disable STIG hardening on the FM appliance, perform the following steps:

1. To start the Rainfinity setup tool, type rfhsetup.

2. Select Configure System Security.

3. Select Harden Appliance.

4. Select Harden to STIG requirements.

5. When prompted with Enable changes to conform to STIG Hardening requirements?, type N.

In addition, STIG hardening will be disabled when the appliance hardening level is reset to the default level as follows:

1. To start the Rainfinity setup tool, type rfhsetup.

2. Select Configure System Security.

3. Select Remove Appliance Hardening Settings.

LDAP client configuration

LDAP directory trees are used to represent hierarchical directory information, such as people and phone numbers belonging to an organization. Rainfinity supports Lightweight Directory Access Protocol (LDAP) for user authentication and authorization.

Global LDAP settings

Global LDAP settings affect all LDAP operations. The following settings impact how the LDAP client on the Rainfinity appliance will behave when the LDAP server does not respond.

Bind type — There are two types of binds:

◆ Hard — Rainfinity will continue to retry the bind attempt until a maximum timeout is reached.

◆ Soft — Rainfinity will attempt to bind once and abort if the server does not respond.

Time limits — There are two types of time limits.

◆ Search time limit — The amount of time that the LDAP client will wait for an initial response from the server.

◆ Bind time limit — The amount of time that the LDAP client will attempt to bind.

By default, these time limits are set to 10 seconds to allow the appliance to remain responsive when the LDAP server is down, and to fail-over to an alternate authentication mechanism, if another mechanism is configured.

Server type — The Rainfinity LDAP client works with three types of LDAP servers:

◆ OpenLDAP

◆ Active directory with SFU 3.5 support

◆ Active directory with RFC 2307 support

LDAP authentication

When LDAP is configured, LDAP authentication is established through a sequence of events.

◆ A user connects to the Rainfinity appliance. The user is challenged for user authentication.

◆ The Rainfinity LDAP client contacts the LDAP server to validate the user’s credentials. To validate that the client is trusted, the server attempts:

• To accept anonymous bind attempts, such as accepting all connections without a password.

• To accept a plain-text password sent over an unencrypted communication channel.

• To establish a secure communication channel with the client, and then authenticate using a plain-text password or SASL.

The client establishes the secure communication channel as follows:

– The client requests the server’s public key.

– The client validates that the server’s public certificate is signed by a known Certificate Authority (CA).

– The client then encrypts its data using the server’s public certificate. Only the private key stored on the server can decrypt this data.

Initial data from the client contains negotiation information that the server and client will both use to establish a secure communication channel.

Just as the client uses the server’s public key to encrypt its first message, the server ensures that the client is authentic by requesting the client’s public certificate, and validating that it is signed by a known Certificate Authority.

After the secure channel is established, the password is exchanged. If SASL is configured, it may be used instead of a password.

◆ The server and client may negotiate an encryption scheme to secure all traffic between them.

Once authentication is established and an encryption scheme is optionally selected, the LDAP client will request user authentication.

Configuring basic LDAP settings

To start LDAP configuration:

1. To start the Rainfinity setup tool, type rfhsetup.

2. Select Configure System Security.

3. Select Configure LDAP.

4. Select Enable LDAP.

Configure the basic LDAP settings:

◆ Maximum time the LDAP client will wait for an initial response from the server

Type a period of time. The client will retry after waiting for 2 seconds, and thereafter continue retrying after doubling the wait time from the previous retry attempt. The client will continue retries until either the server responds or the configured LDAP search timelimit is exceeded. The default timelimit is 10 seconds.

◆ LDAP bind policy

Select soft or hard. The default setting is hard, and indicates that the client will retry bind connections to the LDAP server.

◆ Maximum time the LDAP client will wait for a bind response from the server

Type a period of time. If the bind policy is set to soft, this setting has no effect. If the bind policy is set to hard, this policy will cause a bind retry mechanism to occur.

◆ LDAP server type

Select from the supported server types:

• OpenLDAP — Applies to LDAP servers distributed by OpenLDAP.

• Active Directory deployed with SFU (Services For Unix) 3.5

• Active Directory with RFC2307 support

Note: Other LDAP servers have not been validated for Rainfinity version 7.2 or later.

◆ IP address or hostname for the LDAP server

When using SSL and TLS, type the hostname that matches the hostname used in the certificate generation. If an IP address was used in the certificate generation instead of the hostname, type the IP address.

Note: Failure to enter the proper information will create problems during the LDAP setup. This is one of the most common configuration errors during LDAP setup.

◆ LDAP basedn

Type the suffix for your domain name.

◆ Advanced LDAP settings

Type Y to configure a bind password, or to enable SASL (Kerberos), SSL, or TLS. If advanced LDAP settings are left unconfigured, anonymous bind without a bind password is used by default.

If the GUI is running and LDAP is enabled through rssetup, the GUI will not recognize LDAP authentication attempts until it is restarted by typing the command:

/opt/rainfinity/filemanagement/bin/fmgui restart

To avoid this problem, enable external authentication (LDAP, RADIUS, TACACS+) before enabling the single security database. Then invoke the GUI.

Configuring advanced LDAP settings

Once basic configuration is complete, the user may continue to configure advanced LDAP settings:

◆ Anonymous or simple bind

If simple is selected:

• Type the binddn user+domain name that will be used to connect to the LDAP server.

• Type the password that will be used to authenticate with the LDAP server.

◆ SASL

To configure SASL, provide:

• SASL KDC address

• Domain name

• Kerberos principal details

Note: When configuring SASL, enter the absolute path for the scp path. ~ is not supported as root home.

◆ Encryption type

Select cleartext, SSL or TLS.

◆ Option for the LDAP client to validate the server’s certificate

Select Y if using SSL or TLS. Rainfinity will prompt you to scp the CA certificate.

◆ Option for the LDAP server to validate the client’s certificate

Before enabling this option, ensure that the client’s key and certificate were generated and placed on the Rainfinity client.

RADIUS and TACACS+

To configure RADIUS or TACACS+:

1. To start the Rainfinity setup tool, type rfhsetup.

2. Select Display advanced menu options.

3. Select Configure System Security.

A set of security settings options appears.

a. Configure RADIUS:

– Type the RADIUS server address

– Type 1812 as the default RADIUS port number

b. Configure TACACS+:

– Type the server address

– Type the server secret

Note: After the appliance checks with the RADIUS and TACACS+ servers for authentication, it will by default check the local /etc/passwd file for authorization information.

If the user does not exist in the local file, add the user with the commands:

useradd -G rainfinity,wheel <adminusername>
useradd -G rainfinity <opsusername>

Using multiple authentication methods

If TACACS+ or LDAP, and RADIUS are configured, Rainfinity will attempt to authenticate users in the following order:

◆ Credentials are checked against either the TACACS+ or the LDAP database.

◆ If TACACS+ or LDAP authentication fails, credentials are checked against the RADIUS database.

◆ If RADIUS authentication fails, credentials are checked against the local authentication database including the /etc/shadow, /etc/group, and /etc/passwd information stored on the Rainfinity appliance.

Certificate management

When configuring LDAP, TLS, and SSL for authentication, key and certificate files are required. In order for authentication encryption to work correctly, these keys and certificates must be:

◆ Periodically refreshed

◆ Correctly located on the appliance

Each certificate has an expiration date. Every week, Rainfinity checks the validity of each certificate. Certificate warning information is logged into the /var/log/secure file, and if the alert is enabled, email is sent when the certificate is due to expire. Once a certificate expiration warning is received, SSL/TLS certificates must be updated.

To update and manage the keys and certificates:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Configure System Security.


3. Select Certificate Management.

4. To update either:

• Certificate Authority (CA) public certificate

• Client key and certificate for use with SSL/TLS

a. Select Update Certificate.

b. Select Y.

c. Type the scp path from which the selected certificate or key file will be copied to the FMA.

Appliance mail delivery settings

Rainfinity supports delivery of alerts using email. To send these alerts, sendmail must be properly configured. A menu is provided within the rfhsetup tool. To use this menu, follow these steps:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Configure Appliance Mail Configuration.

3. The Appliance Mail Configuration menu appears.

Follow the prompts to configure:

a. Change Configuration — When prompted, type Y.

b. Sender’s email address — Type the address that will appear in the From field of the alert emails sent by the Rainfinity Appliance. For example, [email protected].

c. SMTP server — Type the server to which mail should be sent. For example, mailhub.eng.acme.com.

d. email verification — Type a recipient email address to which test emails may be sent. For example, [email protected]. The rfhsetup script will attempt to verify the mail configuration by sending two emails.

Wait a few minutes. Check the email account to see if these emails were successfully received.

4. Rainfinity Mail Test 1 — To confirm the receipt of an email with the subject Rainfinity Mail Test 1, type Y. Otherwise, type N.

5. Rainfinity Mail Test 2 — To confirm the receipt of an email with the subject Rainfinity Mail Test 2, type Y. Otherwise, type N.

If either of the test emails was received, mail delivery is working and mail setup is done.

If neither test email was received, verify:

◆ The name of the SMTP server. Check with your system administrator.

◆ The email address provided for the test email.

◆ The SMTP server is reachable. Try pinging it.


Log settings

When the security level is set to harden, any event that might affect the security of the system is written to the Rainfinity log files. Use the Rainfinity setup tool to administer and preserve log files.

Configuring log rotation

With log rotation, the user controls the periodic rotation of files.

To configure log rotation:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Display advanced menu options.

3. Select Configure Logging Options.

4. Select Configure Log Rotation.

5. Follow the prompts to configure:

• Log rotation frequency — Daily, weekly, or monthly.

• Rotation mode — Size or time.

• Max log size (for non-debug files).

• Max debug log size.

• Number of copies to keep for each log file.

Configuring SCP of rotated log files

Log rotation is the first step in archiving the Rainfinity system logs. These log files are eventually deleted as a part of the normal rotation process. However, in many customer environments, it may be necessary to preserve these files by copying them to a remote server. Use Rainfinity to create a tar file of these rotated system and Rainfinity logs, then secure copy them to a remote server.

Configuring the public-private key exchange — Prior to configuring secure copy (SCP) of rotated log files, a public-private key exchange must take place.

To configure the public-private key exchange:

1. Log in to the FM or FMHA appliance as root.

2. Generate the public key by typing ssh-keygen -t rsa.

• When prompted, press Enter to accept default answers for:

– File in which to save the key, or /root/.ssh/id_rsa

– No passphrase

– Confirm no passphrase

• At the end of the configuration, a message appears acknowledging:

– Your identification is saved in /root/.ssh/id_rsa.

– Your public key is saved in /root/.ssh/id_rsa.pub.

3. For the external server where the log files will be placed, create a user with write access to the copy directory. Do not use the root user.


Note: In the following steps, server is the IP address or hostname of the external server and user is the name of the user on the external server which will copy the files.

4. Log in to the FMA and use ssh to:

a. Create the directory ~/.ssh by typing the command:

ssh <user>@<server> mkdir -p .ssh

b. Type the user password.

c. Append the public key on the FMA by typing the command:

cat /root/.ssh/id_rsa.pub | ssh <user>@<server> 'cat >> .ssh/authorized_keys'

d. Type the user password.

e. Set correct permissions by typing the command:

ssh <user>@<server> chmod -R 700 .ssh

f. Type the user password.

5. To verify successful completion, attempt to log in to the external server as user from the root account on Rainfinity by typing:

ssh <user>@<server>

You should not be prompted for a password.

You can now successfully use SCP without a password to send the rotated log files to your external server.
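One way to check the result of the key exchange on the external server, as an added example that is not part of the EMC guide. The key created in step 2 has no passphrase and belongs to root on the appliance, so the script flags group- or world-accessible files and authorized_keys entries that carry no options; the function names are hypothetical, while from=, no-pty and the no-*-forwarding options are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the EMC guide): audit the receiving account's ~/.ssh
# on the external log server after the key exchange above.

# Build an authorized_keys entry that limits where the appliance key may
# connect from and switches off features a log-copy account does not need.
# $1 = source address pattern (assumption: the FMA's IP), $2 = public key line
restricted_entry() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Group/other permission bits of a path as shown by ls, e.g. "------" or "r-xr-x".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Print one finding per line for the given .ssh directory.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    keys=$dir/authorized_keys
    findings=0

    if [ ! -d "$dir" ] || [ ! -f "$keys" ]; then
        echo "MISSING $keys"
        return 1
    fi

    # The directory and the key file should be reachable by the owner only.
    for path in "$dir" "$keys"; do
        if [ "$(group_other_bits "$path")" != "------" ]; then
            echo "PERMS $path is accessible to group or others"
            findings=$((findings + 1))
        fi
    done

    # An entry that starts with the key type has no options field at all.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            ssh-*|ecdsa-*|sk-*)
                echo "NO-OPTIONS key '${line##* }' has no restrictions"
                findings=$((findings + 1)) ;;
            *from=\"*) ;;
            *)
                echo "NO-FROM key '${line##* }' is not tied to a source address"
                findings=$((findings + 1)) ;;
        esac
    done < "$keys"

    [ "$findings" -eq 0 ]
}
```

Run audit_ssh_dir against the log user's .ssh directory on the external server; an entry appended exactly as in step 4c is reported as NO-OPTIONS until it is replaced with the output of restricted_entry.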

Configuring SCP of rotated log files using rfhsetup — Once the public-private key exchange is completed, configure scp of rotated log files:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Configure Logging Options.

3. Select Configure SCP of Rotated Log Files.

4. Follow the prompts to configure:

• The SCP Remote Address — The IP address or hostname of the external server. This is the external server referenced in “Configuring the public-private key exchange” on page 56.

• The username to whose account the log files will be copied — The name of the user on the external server who will copy the files. Same as the user provided in “Configuring the public-private key exchange” on page 56.

• The full path to the directory at the remote site where the log files should be placed. The user must have write access to this directory.

Following the configuration, Rainfinity will test SCP by attempting to copy a test file. If this test fails, the SCP settings will be accepted, but SCP is probably not configured properly. Correct the error that is blocking SCP and rerun the Rainfinity setup tool.


Alerts

Rainfinity can be configured to monitor various system log files and send an email or SNMP alert whenever an event of interest occurs.

The most critical Rainfinity alerts are grouped by type:

◆ Security alerts

◆ Operational alerts

Table 2 on page 58 lists security alerts that apply to all Rainfinity appliances.

Table 3 on page 58 lists operational alerts that are specific to the File Management appliance.

All alerts are listed in the Log Pattern Index of the Rainfinity GUI.

A different throttle time may be applied to each alert pattern. If alerts occur more than once within a specified throttle time, the repeated alerts are suppressed.

Note: In order to generate alert email messages from the device, sendmail must be configured.
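The throttle behaviour described above, as an added example that is not part of the EMC guide: an awk filter over constructed events that shows which occurrences of an alert pattern would be sent and which suppressed. It assumes the throttle window is measured from the last alert actually sent; the event format, the function names, the configuration string and the 300-second value are made up for illustration.

```shell
#!/bin/sh
# Added example, not Rainfinity code. Event lines are constructed:
# "<epoch-seconds> <pattern-index>", using indexes from the alert tables.
sample_events() {
    cat <<'EOF'
1000 001-0005
1060 001-0005
1100 001-0011
1150 001-0011
1200 001-0005
1400 001-0005
EOF
}

# $1 = comma-separated "<index>=<throttle-seconds>" pairs (hypothetical format).
# Assumption: the window starts at the last alert that was actually sent.
# Patterns without a configured throttle are never suppressed.
throttle_alerts() {
    awk -v cfg="$1" '
    BEGIN {
        n = split(cfg, pairs, ",")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            limit[kv[1]] = kv[2] + 0
        }
    }
    {
        ts = $1 + 0; idx = $2
        if ((idx in last) && (idx in limit) && ts - last[idx] < limit[idx]) {
            suppressed[idx]++
            print "SUPPRESS", ts, idx
        } else {
            last[idx] = ts
            print "SEND", ts, idx
        }
    }
    END {
        # What the recipient never sees: repeats hidden by the throttle.
        for (idx in suppressed) print "TOTAL-SUPPRESSED", idx, suppressed[idx]
    }'
}

# Decisions for the constructed events with a 300 s throttle on 001-0005.
sample_events | throttle_alerts "001-0005=300"
```

With this input, two of the four LDAP bind failures are suppressed, so the number of alerts received understates the number of events and the count has to be taken from the log files.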

Table 2 Critical security alerts

Index | Pattern name | Description
001-0005 | Failed to bind to LDAP server | Attempt to bind to the LDAP server failed. This could be due to a misconfigured LDAP server address, or due to a network connectivity issue. The user could see delays in logging in or executing commands if the LDAP server is unavailable.
001-0011 | Security level change | System security level has been modified.
001-0013 | Certificate expiration warning | One certificate will expire soon or has already expired.

Table 3 Critical operational alerts

Index | Pattern name | Description
001-0017 | Log alerts system enabled | rfalertd has been started.
001-0018 | Log alerts system disabled | rfalertd has been terminated.
002-3001 | Rainfinity daemon not present | File Management daemon is not present.
002-3002 | Rainfinity stopped | File Management daemon has been stopped.
002-3003 | Rainfinity started | File Management daemon has been started.
002-1007 | Capacity utilization | Disk capacity utilization exceeds the preconfigured threshold of 85%.
003-0001 | Partition full | Disk partition is full. This alert is triggered when any partition on the system exceeds 99% utilization.
301-0001 | Rainfinity enabled | File Management daemon has been enabled.
301-0002 | Rainfinity disabled | File Management daemon has been disabled.
301-0007 | Could not update capacity values | FMA is unable to obtain disk capacity values for primary servers. Restart the File Management daemon. If the alert persists, contact Rainfinity technical support.
304-0001 | Exceeds threshold | NAS Repository exceeds the configured threshold.


Configuring email alerts

To review and configure the list of email alerts using the GUI:

1. Click the Alert Settings link on the Configuration tab.

2. Click the Edit log alert Pattern link.

A list of alerts with the various alert settings appears.

• Alerts may be individually enabled.

• If alerts occur more than once within a specified time period, edit the throttle time to suppress the repeated alerts. A different throttle time may be applied to each alert.

Note: Only admin users can view this configuration page.

To configure email alerts from the command line:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Configure Logging Options.

3. Select Configure Log Alerts.

4. Follow the prompts to configure:

• Select Yes, when asked to enable alerts.

• Specify one or more email addresses separated by a space or comma, to receive the alerts.

Configuring SNMP alerts

To configure SNMP alerts using the GUI:

1. Click the SNMP Configuration link on the Configuration tab.

2. On the SNMP Settings page that appears, add a notification host. This is the host to which alerts will be sent:

• IP address

• UDP port

• Community string

• Security type

Click Commit.

3. Click the Alert Settings link on the Configuration tab.

4. Under Alerts, click Enable SNMP alerts.

Note: Only admin users can view this configuration page.

To configure SNMP alerts from the command line:

1. Configure the SNMP Notification Host:

a. Start the Rainfinity setup tool, type rfhsetup.

b. Select Configure Logging Options.

c. Select Configure SNMP.


d. Select Configuration SNMP Notification Hosts.

e. Add the SNMP Notification Hosts:

– The number of hosts that may be added is unlimited.

– For each host, specify: IPv4 address, UDP port number, SNMP community string, and SNMP version.

– The community string must be alphanumeric, and may include dashes and underscores.

2. Enable SNMP alert generation:

a. Start the Rainfinity setup tool, type rfhsetup.

b. Select Configure Logging Options.

c. Select Configure Log Alerts.

d. Follow the prompts to configure:

– Select Yes, when asked to enable alerts.

– Specify the type of alert delivery. Select either email only, SNMP only, or email and SNMP.

Enabling SNMP polling

To enable SNMP polling using the GUI:

1. Click the SNMP Configuration link on the Configuration tab.

2. On the SNMP Settings page that appears:

• Type a community string.

• Select a security type.

• Click Add. The community string is added to the Current Community String list.

3. Click Commit.

To enable SNMP polling from the command line, configure the SNMP Community String to be used for polling:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Configure Logging Options.

3. Select Configure SNMP.

4. Select Configuration SNMP Community Strings.

5. Add the SNMP Community Strings.

• The number of strings that may be added is unlimited.

• For each string, specify the SNMP community string and SNMP version.

• The community string must be alphanumeric, and may include dashes and underscores.

Note: To poll for SNMP objects without enabling rfalertd, execute the command: service rfsnmp start from the root account. This restarts SNMP and no alert history is viewable until the alert daemon is restarted.


System command accounting

Rainfinity provides the ability to track any command that is successfully executed and launches a new process.

To track command history, Rainfinity uses the psacct Process Accounting package. This package tracks commands that are entered. In addition to commands, Rainfinity extends this package to track command arguments.

To enable System Command Accounting on the FM appliance:

1. Start the Rainfinity setup tool, type rfhsetup.

2. Select Configure Logging Options.

3. Select Configure System Command Accounting.

4. Type Y to enable system command accounting.

Tracking user command history

After enabling System Command Accounting, admin users can track the list of commands entered on the system with the tool: /opt/rainfinity/bin/rflastcomm.

To use this tool, admin users must su to root first. Examples of its use are as follows:

◆ To list the commands entered by all users, use the tool without any options, or:

/opt/rainfinity/bin/rflastcomm

◆ To list the commands entered by a specific user, type:

/opt/rainfinity/bin/rflastcomm -u <username>

◆ To list commands entered by a user since 5 P.M. on June 6, 2007, use the tool with the following arguments:

/opt/rainfinity/bin/rflastcomm -u <username> -s '2007-06-06 17:00:00'

◆ To track system/daemon/session history, type:

/opt/rainfinity/bin/rfquerycshis.sh

◆ For a help menu and additional options, type:

/opt/rainfinity/bin/rflastcomm --help

Tracking user login history

After enabling System Command Accounting, admin users can track the login history with the tool: /usr/bin/last.

To run this tool, admin users must su as root first.

This tool is part of the standard psacct Process Accounting package. For detailed info on using this tool, type: man last.


Tracking daemon command history

To query daemon command history such as xmlrpc commands issued to the daemon from the GUI or using various Rainfinity CLI commands, use the tool: /opt/rainfinity/bin/rfquerycshis.sh.

◆ To obtain the daemon command history, type:

/opt/rainfinity/bin/rfquerycshis.sh -t dc

◆ To query the system command history, type:

/opt/rainfinity/bin/rfquerycshis.sh -t sc

◆ To query the user login history, type:

/opt/rainfinity/bin/rfquerycshis.sh -t ls

◆ To list hardware related messages from the system log files, type:

/opt/rainfinity/bin/rfquerycshis.sh -t hw

Windows domain user

When a new file server is added to the FMA/VE configuration, CIFS specific settings include the username and password for the Windows domain user to be used by the FMA/VE. Before adding a new CIFS file server, use the instructions in the following sections to set up the Windows domain user:

◆ “Creating a Windows domain user” on page 62

◆ “Adding an admin user to the local administrator group” on page 63

In addition, when using an FMA/VE in a Windows 2008 domain, the domain controller Group Policy Object (GPO) must be configured to support NTLM versions 1 and 2 for CIFS authentication. “Configuring Windows 2008 for NTLM” on page 63 provides information on how to modify the domain controller configuration.

Creating a Windows domain user

To create an administrator in the Windows 2000, 2003, or 2008 domain:

1. Log in to the primary domain controller as the Domain Administrator.

2. From the Start menu, select Start > Programs > Administrative Tools > Active Directory Users and Computers.

3. Right-click Users.

4. Select New > User. The New Object — User dialog box appears:

a. In the Full name box, type Rainfinity Administrator.

b. In the Login name box, type rsadmin.

rsadmin is the Rainfinity Administrator Windows Domain user.

c. Type a password.

This password is the rsadmin Windows password.

d. Optionally, select Password Never Expires.

5. Click Finish.


Adding an admin user to the local administrator group

The Rainfinity administrator account must be added to the Administrators group on the CIFS file servers that will be involved in FMA/VE archiving. To add a Rainfinity Windows domain user on an EMC Celerra Data Mover:

1. Log on to the primary domain controller as the Domain Administrator.

2. From the Start menu, select Start > Programs > Administrative Tools > Computer Management. The MMC application appears.

3. To start a Computer Management session with the file server:

a. From the Action menu, select Connect to another computer. The Select Computer dialog box appears.

b. Click Browse or type the file server name to select the NetApp or Celerra to connect to.

c. Click OK.

4. To include the rsadmin user in the Administrator group for the CIFS File Server:

a. Under System Tools, in the folder Local Users and Groups, select Groups.

b. Select Administrators. The Administrators Properties dialog box appears.

c. Click Add. The Select Users or Groups dialog box appears.

– Click Locations. From the Locations menu, select the domain instead of the local computer.

– Under Enter the object names to select, type rsadmin to add the domain user.

d. Click OK. The Administrator’s Properties dialog box reappears with the newly added rsadmin user.

e. Click OK.

Repeat this process for any other file servers that will be involved in FMA/VE archiving.

Configuring Windows 2008 for NTLM

By default, the Windows 2008 domain controller supports Kerberos authentication only and disables NTLM authentication. File Management only supports NTLM versions 1 and 2 authentication for CIFS. Kerberos is not supported. To use an FMA/VE in a Windows 2008 domain, confirm that the domain controller is configured for NTLM authentication:

1. Log in to the Windows 2008 domain controller as the Domain Administrator.

2. From the Start menu, select Run. In the Run dialogue box that appears, type gpmc.msc and click OK. The Group Policy Management dialog box appears.

3. Expand the domain. Under Group Policy Objects, right-click Default Domain Policy and select Edit. The Group Policy Management Editor appears.

4. Under Computer Configuration, select Policies > Windows Settings > Security Settings > Local Policies > Security Options.

In the list of policies, scroll down to Network security: LAN Manager Authentication. Confirm that the policy setting shows that NTLM is configured for authentication.


5. This applies to Celerra DART 5.5. Under Computer Configuration, select Policies > Administrative Templates > System > Net Logon.

In the Net Logon list that appears, double-click Allow cryptography algorithms compatible with Windows NT 4.0. Confirm that the setting is enabled.

6. Close the Group Policy Management Editor.

Appendix A: Network Topology Scenarios

The appendix includes the following sections:

◆ Advanced network topologies

◆ Configuring FMA/VE with two subnets

◆ Configuring FMA/VE with more than two subnets

◆ VLAN tagging modes for FMA/VE

Advanced network topologies

For many environments, using a single networking interface will satisfy networking requirements. However, there are cases when more complex topologies are needed:

◆ Using two subnets, one for the NAS primary storage tier, and another for either the NAS/CAS secondary tier or for a management interface. “Configuring FMA/VE with two subnets” on page 67 provides details on how to set up this network topology.

◆ Using more than two subnets, for example, when there are three teams using an FMA/VE distributed across three different subnets. “Configuring FMA/VE with more than two subnets” on page 68 provides details on how to set up this network topology.


Configuring FMA/VE with two subnets

In this example, the FMA/VE is configured for two subnets with two ethernet interfaces. This configuration utilizes VLAN tagging and the ESX virtual switch connected to the FMA/VE ethernet ports must be properly configured for tagging. “VLAN tagging modes for FMA/VE” on page 69 provides information on how to perform the configuration:

1. Start the network configuration menu:

a. Type rfhsetup from the FMA/VE command prompt to invoke the system setup menu.

b. Select Configure File Management Networking. The network configuration menu appears.

c. Select Configure Networking.

2. Edit settings for the physical ports eth0 and eth1:

a. Use the up and down arrows to select eth0 and press Enter. The configuration menu for the eth0 interface appears.

b. Provide information for each item to properly configure the interface.

– Press Enter to edit an item, then press Enter again to complete.

– Press the left arrow to exit the menu.

– Answer Yes to keep new settings.

c. Repeat these steps for the eth1 interface.

3. Save new settings, exit and restart network services:

a. Press the left arrow to exit the main menu. When prompted, select Yes to commit the configuration.

b. The setup utility will restart the FMA/VE network services according to the new configuration and return to the network configuration setup menu.


Configuring FMA/VE with more than two subnets

In this example, the FMA/VE is configured for more than two subnets with two physical interfaces. This configuration utilizes VLAN tagging and the ESX virtual switch connected to the FMA/VE ethernet ports must be properly configured for tagging. Using Cisco terminology, the switchport mode is set to trunk and the required VLANs are allowed on the ports:

1. Start the network configuration menu:

a. Type rfhsetup from the FMA/VE command prompt to invoke the system setup menu.

b. Select Configure File Management Networking. The network configuration menu appears.

c. Select Configure Networking.

2. Add new VLAN interfaces:

a. Type A to add an interface. Use the right arrow to select Vlan, and press Enter.

b. Type a name for the VLAN interface. The naming convention is <interface>.<vlan-ID>. For example, eth0.5 is a VLAN interface on eth0 with a VLAN ID of 5.

c. Repeat these steps to create two more VLAN interfaces.

3. Edit the VLAN configuration:

a. Use the up and down arrows to select the new VLAN interface. Press Enter. The configuration menu for the interface appears.

b. Provide information for each item to properly configure the interface.

– Press Enter to edit an item, then press Enter again to complete.

– Press the left arrow to exit the menu.

– Answer Yes to keep new settings.

c. Repeat these steps for each new VLAN interface.

4. Save new settings, exit and restart network services:

a. Press the left arrow to exit the main menu. When prompted, select Yes to commit the configuration.

b. The setup utility will restart the FMA/VE network services for the new configuration and return to the network configuration menu.


VLAN tagging modes for FMA/VE

FMA/VE supports two VLAN tagging modes:

◆ “ESX server virtual switch tagging” on page 69

◆ “ESX server virtual guest tagging” on page 69

ESX server virtual switch tagging

In the Virtual Switch Tagging (VST) mode, a VLAN ID is assigned to an ESX Server switch port. Untagged layer 2 traffic is sent using the link between the switch port and the FMA/VE interface. When the switch receives this traffic, it directs it to the configured VLAN.

On the FMA/VE, configure each physical eth1, eth2, eth3 or eth4 port with an IP address, Net Mask, and Default Gateway.

Note: When using the VST mode, do not create a VLAN interface.

Configuring the VLAN number on the ESX switchport in VST mode

Virtual Switch Tagging is enabled when the port group’s VLAN ID is set to any number between 1 and 4094, inclusive.

To use VST, create appropriate port groups. Give each port group a label and a VLAN ID. Port group values must be unique on a virtual switch. Once the port group is created, you can use the port group label in the virtual machine configuration.

To configure port group properties:

1. Log into the VMware VI Client and select the server from the inventory panel. The hardware configuration page for this server appears.

2. On the Configuration tab, click Networking.

3. On the right side of the window, click Properties for a network. The vSwitch Properties dialog box appears.

4. On the Ports tab, select the port group and click Edit.

5. In the Properties dialog box for the port group, click the General tab to edit:

• Network Label — This is the name of the port group that you are creating.

• VLAN ID — This identifies the VLAN that the port group’s network traffic will use.

6. Click OK to exit the vSwitch Properties dialog box.

ESX server virtual guest tagging

In the Virtual Guest Tagging (VGT) mode, the link between the ESX Server switch port and the FMA/VE ethernet port is permitted to carry traffic for multiple VLANs. This is achieved by adding a VLAN ID or tag to each layer 2 frame transmitted between the switch port and the FMA/VE ethernet port.

In Cisco parlance, this link is a trunk link.

The advantage of this link is that during VMware VMotion, the remote ESX Server recreates the trunk port, and the administrator does not need to pre-configure the VLANs on the destination ESX Server/Switch combination. Using VGT prevents errors during VMotion.

Configuring VGT on the ESX Server

To configure VGT, perform the following steps:

1. Log into the VMware VI Client, and select the server from the inventory panel. The hardware configuration page for this server appears.

2. On the Configuration tab, click Networking.

3. On the right side of the window, click Properties for a network. The vSwitch Properties dialog box appears.

4. On the Ports tab, select the port group and click Edit.

5. In the Properties dialog box for the port group, click the General tab to edit:

• Network Label — This is the name of the port group that you are creating.

• VLAN ID — This identifies the VLAN that the port group’s network traffic will use. To use VGT, type 4095.

6. Click OK to exit the vSwitch Properties dialog box.

Configuring VLAN interfaces on the FMA/VE

On the FMA/VE side, the VGT mode requires the creation of VLAN interfaces on top of the FMA/VE ethernet interface. IP addresses are assigned only to the VLAN interfaces. Use the rfhsetup networking menu to bring the ethernet interface up.

To add a VLAN interface on the FMA/VE, perform the following steps:

1. Log in to the FMA/VE. The rfhsetup configuration menu appears.

2. Select Configure FileManagement networking. The Network configuration menu appears.

3. Select Configure Networking. A list of interfaces appears as shown below:

FileManagement Network Setup, Main Menu

Name IP Address Network Mask Up/Down Comment

eth0 DOWN Unconfigured
eth1 DOWN Unconfigured
eth2 DOWN Unconfigured
eth3 DOWN Unconfigured

1 of 4 entries displayed
Command: [Q]uit [A]dd [R]emove [S]ave [U]p [D]own re[F]resh [H]elp
Status: OK rfhsetup <- Network configuration -> Interface eth0's configuration

4. Type A to add a new interface. Use the left and right arrows to select a VLAN interface and press Enter.

5. Type a name for the VLAN interface. The naming convention is <bond>.<vlan-ID>. For example, to add VLAN ID 20 on eth0, the name will be eth0.20. After typing the name, press Enter.

The new VLAN bond interface (for example, eth0.20) will be added to the interface list.

6. Use the up and down arrows to select the newly created VLAN interface. Press the right arrow. The eth0.20 VLAN configuration screen appears. Add the IP address, netmask and gateway.


7. Press the left arrow to exit the eth0.20 configuration menu and save the configuration.

8. Press the left arrow to exit the Configure Networking menu and apply the saved configuration.
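The naming convention in step 5 can be checked before the name is typed into rfhsetup. The following is an added example, not part of the EMC guide or the appliance software: check_vlan_name is a hypothetical helper, the sample names are constructed, and the 1-4094 range is taken from IEEE 802.1Q rather than from the guide. It rejects 4095 in particular, because that value belongs on the ESX port group to enable VGT and is not a VLAN the FMA/VE interface can carry.

```shell
#!/bin/sh
# Added example, not part of the EMC guide. check_vlan_name is a hypothetical
# helper; the 1-4094 range comes from IEEE 802.1Q, not from the guide.

# check_vlan_name NAME [PARENT ...]
# Prints a verdict; returns 0 if NAME follows <bond>.<vlan-ID>, else 1.
# If PARENT names are given, the <bond> part must be one of them.
check_vlan_name() {
    name=$1
    shift
    case $name in
        *.*) ;;
        *) echo "invalid: '$name' has no .<vlan-ID> suffix"; return 1 ;;
    esac
    parent=${name%.*}   # everything before the last dot
    vid=${name##*.}     # everything after the last dot
    case $parent in
        ''|*[!A-Za-z0-9_-]*) echo "invalid: bad parent interface '$parent'"; return 1 ;;
    esac
    case $vid in
        ''|*[!0-9]*|0*) echo "invalid: VLAN ID '$vid' must be a number without leading zeros"; return 1 ;;
    esac
    if [ "$vid" = 4095 ]; then
        # 4095 is what the ESX port group uses to enable VGT; it is reserved
        # in 802.1Q and cannot be the ID of a guest VLAN interface.
        echo "invalid: 4095 belongs on the ESX port group, not in the interface name"
        return 1
    fi
    if [ "${#vid}" -gt 4 ] || [ "$vid" -gt 4094 ]; then
        echo "invalid: VLAN ID $vid is outside 1-4094"
        return 1
    fi
    if [ "$#" -gt 0 ]; then
        found=no
        for p in "$@"; do
            if [ "$p" = "$parent" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "invalid: parent '$parent' is not in the interface list"
            return 1
        fi
    fi
    echo "ok: parent=$parent vlan=$vid"
}

# Constructed sample names, checked against the eth0-eth3 list shown above.
for n in eth0.20 eth0.4095 eth4.20 eth0.20.30 eth0; do
    check_vlan_name "$n" eth0 eth1 eth2 eth3 || true
done
```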


Glossary

This glossary contains terms related to file management. Many of these terms are used in this manual.

A

API: Application programming interface. A source code interface provided by the computer application to support requests for services.

archiving: Process that walks the share/export and performs policy-based file archiving.

C

Celerra Callback Service: File Management callback service to support FileMover recall from EMC Centera.

Celerra FileMover: HSM implementation used to support offline files on the Celerra.

D

DHSM: Distributed Hierarchical Storage Management is the former name for Celerra FileMover.

E

EMC Centera API: API used to write and read files from EMC Centera.

EMC Centera content address: Unique key to the saved file on EMC Centera.

F

File version: Multiple copies on secondary storage of the same file or path.

FileMover API: API over HTTP exposed by Celerra Data Mover to create stub files.

FQDN: Fully Qualified Domain Name. Used with the Celerra Callback DNS entry.

H

HSM: Hardware security module.


L

LDAP: Lightweight Directory Access Protocol

M

MB: Megabyte, 10^6 bytes.

N

NAS: Network attached storage.

O

orphan file: Files on the secondary storage with no reference to the primary storage.

P

primary storage: NAS device that exports CIFS or NFS volumes.

R

RADIUS: Remote Authentication Dial In User Service

retention period: Number of days from time of archiving that a file can not be deleted.

S

secondary storage: Data storage that is a backup to primary storage.

SNMP: Simple Network Management Protocol

STIG: Security Technical Implementation Guide

stub file/offline files: Files that appear as normal files on the primary storage but point to data content stored on the secondary storage.

T

TACACS+: Terminal Access Controller Access-Control System Plus

V

VMotion: VMware VMotion technology is virtual machine mobility unique to VMware.
