
  • Copyright 2013 EMC Corporation. All rights reserved

    This module focuses on the basics of VNX Unisphere security and basic management. It discusses the user interface options, authentication, auditing, and monitoring.

    Unisphere Security and Basic Management 1


    This lesson covers the available interfaces for the configuration, administration and management of a VNX storage system. The lesson will also discuss the peculiarities of the Unisphere graphical interface navigation, as well as the concept of Command Line Interface (CLI) for File and Block access.


    Administration of VNX is performed with the Unisphere Graphical User Interface (GUI), and Command Line Interface (CLI).

    Unisphere is a web-based user interface that lets you securely manage VNX storage systems locally on the same LAN or remotely over the Internet, using a common browser. Unisphere resides on a storage system or a Windows Server 2003/2008/2012 that is running the Storage Management Server software.

    File enabled VNX systems have the option to use a command line interface to the Control Station for file administrative tasks. CLI administration for File is performed over a serial connection or a secure network connection to the Control Station.

    Block enabled systems have a host-based Secure CLI software option available for block administrative tasks. The CLI can be used to automate management functions through shell scripts and batch files.


    Unisphere is web-based software that allows the configuration, administration, and monitoring of a single or multiple VNX storage systems from one GUI. Unisphere provides an overall view of what is happening in the environment plus an intuitive and easier way to manage EMC unified storage. With a single sign-on, Unisphere allows the user to manage all the systems in the management domain.

    Unisphere can be launched by simply entering the IP address of the VNX Control Station or SP on the URL address of a supported web browser. Also, Unisphere client can be installed on a Windows workstation. Unisphere client launches Unisphere locally and it can be pointed to any system in the user environment.


    The Unisphere interface has three main areas which are the top navigation bar, task pane, and main pane.

    Top Navigation is made of:

    Previous and Next Icons: The left and right arrows allow users to go back and forth.

    Home Icon: It shows the Dashboard screen.

    System Drop-down menu: It allows the user to switch between VNX storage systems registered on the domain.

    Context-Sensitive Menu Bar: It presents the main options for VNX for File/Unified and VNX for Block. It varies depending on the system being managed.

    Task pane: It provides task-based navigation, which means common tasks are placed together to make them easier to reach. Different tasks appear depending on the menu selected.

    Main pane: It is where the pertinent information about a particular menu is displayed.

    The division between Task Pane and Main Pane can be resized by clicking the mouse with the cursor over the division bar, and dragging it to the new position. Also, the Task Pane can be hidden by clicking the right arrow on the division bar which will expand the Main Pane. The Task Pane can be expanded again by clicking the left arrow on the division bar which will re-dimension the size of the Main Pane.


    Additionally, Unisphere has a Toolbar on the top of the page with basic and advanced object Search options, and a General Tab with options to set interface preferences, log and exit, and retrieve Unisphere Help.

    The bottom of the interface displays the user that is logged into Unisphere, and the top of the interface displays a trail with the location of the user within the application.

    The Tasks Sub menus on the Task Pane can be hidden or expanded by using the up and down arrows on the corner of each menu box.


    The tabs belonging to each task pane provide detail about the component that was selected. Hovering the mouse over an option in the Navigation Toolbar opens a submenu with the available functions and features for the selected component of the interface.

    Right-clicking on a component in a main pane runs a Java applet which generates a submenu of actions that can be performed for the selected object. The selectable items will vary depending on the selection.


    Pages with queries and reports are displayed on the Main Pane with a different toolbar with functions on the top right corner. These functions will be different depending on the type of report or query. This toolbar will contain an option to select (and de-select) the columns for the report, refresh the page, open the page help dialog box, and export the report or query to a Comma Separated Value (CSV) file, to produce custom reports. Some queries may also contain an option to filter the table contents.


    The VNX Unisphere Help page is invoked from the help link on the General Options tab at the top of the Application page. The VNX Unisphere online help guide includes comprehensive instructions for administering the VNX storage system. Topics including procedures are also addressed on this page.


    This slide shows some tips for getting explanations of the forms on the task pages or dialog boxes. Hovering the mouse over a form field name shows a description of the information that must be entered in the selected field. In this example, the user is creating an NFS export for a file system. (This operation is referenced here only as an example of tool tip functionality and will be described in detail in its own module during this course.) In the Create NFS Export dialog box, the user positioned the mouse cursor over the Read-only hosts field and waited for 2 seconds. The field description was displayed in a message window.


    Unisphere includes wizards to help with the setup and configuration of the VNX for File and VNX for Block storage systems. The wizards step the user through procedures that can also be performed manually using the standard features of Unisphere.


    The VNX for File Command Line Interface (CLI) is one of the most versatile VNX for File management tools. Most of the administrative tasks can be completed via the CLI. The administrator can configure file systems, failover, disaster recovery solutions, virus checking, network interfaces, network topologies, replications requirements, and mount and export file systems, using the CLI.

    A powerful use of the CLI is scripting common repetitive tasks that may run on a predetermined schedule to ease the administrative burden.

    The command line can be accessed on the Control Station via the serial console, or SSH.

    The Data Movers do not have a CLI. Commands are entered at the Control Station which, in turn, sends the necessary commands to the Data Movers and storage systems. The administrator can use either local or remote access to the Control Station. Since the Control Station runs an EMC-customized version of Linux, standard Linux scripting and scheduling tools can be used with the VNX for File CLI.


    VNX for File CLI commands are prefixed depending on what they administer. There is a total of five different sets of commands, which are listed below:

    cel_ commands execute to the remotely-linked VNX for File system

    cs_ commands execute to the local Control Station

    fs_ commands execute to the specified file system

    nas_ commands execute directly to the Control Station database

    server_ commands require a movername entry and execute directly to a Data Mover. (For example, server_ifconfig server_2)


    Unisphere does not contain interfaces to manage all VNX for File tasks, but you can manage those features using the CLI Commands feature or by opening an SSH session to the Control Station. The CLI Commands feature in Unisphere allows you to enter a command and view the results, but it accepts only a single command at a time.

    Some items that can be created using the CLI cannot be managed from Unisphere. You may be able to view these items from Unisphere, but will need to use the CLI to modify or delete them. An example is event notifications that specify individual event identifiers.

    When your CLI session is complete, you may need to click the Refresh icon in Unisphere to see the results.


    VNX Command Line Interface (CLI) for Block includes the Secure CLI on supported operating systems.

    Secure CLI is a comprehensive VNX CLI for Block solution that provides one application and one security model for all CLI commands. Host Secure CLI is a client application installed on supported Windows, Linux and Unix hosts. The application allows scripted operations on EMC VNX, CX, CX3, CX4, and AX4-5 storage systems.

    Secure CLI commands run in a command or terminal window. Commands are issued to individual systems through a command line structure. Some commands are then directed to a server client (host agent). Each command consists of the naviseccli command (and options) together with another subcommand (and its options).

    VNX CLI for Block commands refer to configuration and management operations related to block storage, storage domain and host agents.

    Note: navicli is also available from the VNX Control Station CLI in the /nas/sbin directory. However, that directory is not part of the PATH environment, so the command must be entered with its full path or run after changing to the /nas/sbin directory.


    Besides the previously discussed VNX administration applications and tools, users can also interface with the Storage Processor configuration through the Setup page: https:///setup. The user must authenticate using the administrative login and password.

    By means of this interface, the user can change the SP host name, create a new Global Administrator account, manage the SSL/TLS Certificate, update parameters for agent communication, set RemotelyAnywhere access restrictions, and many other functions.


    This lesson covered the available interfaces for the configuration, administration and management of a VNX storage system. The lesson also discussed the peculiarities of the Unisphere graphical interface navigation, as well as the concept of Command Line Interface (CLI) for File and Block access.


    This lesson covers the different strategies used by Unisphere to prevent unauthorized access to VNX systems. The lesson will also discuss the different authentication scopes and how to assign privileges associated with tasks an administrative user can perform on particular VNX objects.


    VNX storage systems can be accessed by different management applications for configuration, maintenance, and administration: Unisphere, CLI, Unisphere Service Manager (USM), Unisphere Host Agent (or Server Utility), Unisphere Initialization Utility, VNX Installation Assistant (VIA), SNMP management software, Admsnap and Admhost, ESRS, Unisphere Server.

    VNX implements different methods to ensure that only limited authorized users and applications have secure management access to the system:

    Authentication: Identify who is making a request, and only grant access to the authorized users. VNX systems will not permit any actions without the validation of the authentication.

    Authorization: Determine if the requestor has the right to exercise the request. The Storage Management Server authorizes user activity based on the role of the user.

    Privacy: Protect against snooping of data. Security settings enable definition of controls to prevent data stored in the VNX system from being disclosed in an unauthorized manner. VNX systems use several proprietary data integrity features to protect user data with encryption and secure connections.

    Trust: Verify the identity of the communicating parties. VNX systems use certificates for securing network operations associated with managing the system. Certificates provide a mechanism for establishing a trusted identity on the network.

    Audit: Keep a record of who did what, and when. VNX event logs contain messages related to user management actions, activities performed by service personnel, and internal events.


    Administrative users must authenticate to the VNX when using either the Unisphere or CLI interfaces.

    The VNX provides flexible options for administrative user accounts. One administrative user account is provided on the VNX by default.

    For deployments where the VNX will be administered by multiple people, the VNX offers the ability for creating multiple unique administrative accounts. Different administrative roles can be defined for the user accounts to distribute different administrative tasks for the users.

    The user authentication and system management operations to the VNX with the Unisphere GUI or CLI are performed over the network using industry standard protocols such as Secure Socket Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH). GUI administration can be performed using a network browser or the Unisphere client software.


    The VNX provides three different administrative user authentication scopes for flexible administrative options.

    The Global authentication scope is used when the VNX is configured to be a member of a Storage Domain. All the systems within the domain can be administered using a single sign-on with a global account. If a user selects the Global scope during login to a VNX that is not a Storage Domain member, Unisphere will use local authentication for the user.

    The Local authentication scope is used to manage a specific system only. Logging into a system using a local user account is recommended when there are a large number of systems in the domain and you want to restrict visibility to a single system and/or certain features on a given system.

    The LDAP authentication scope is used when the VNX is configured to bind to an LDAP domain. The VNX performs an LDAP query to the domain to authenticate the administrative users. LDAP domain users and groups are mapped to user and group IDs on the VNX. When the Use LDAP option is selected during user login, the Global or Local scope setting is disregarded.

    When you start a session, Unisphere prompts you for a username, password, and scope. These credentials are encrypted and sent to the storage management server. The storage management server then attempts to find a match within the user account information. If a match is found, you are identified as an authenticated user. All subsequent requests that the applet sends contain the cached digest in the authentication header.


    The Security Initialization is different for VNX for File or Unified system, and VNX for Block deployments.

    VNX for File and Unified systems have management accounts factory installed. These default accounts are listed here:

    root : This is a VNX for File local account and provides root-level privileges on the Control Station.

    nasadmin : This is a VNX for File local account and provides administrator level privileges on the Control Station.

    sysadmin: This is a global system account and provides administrator level privileges for both VNX for File and VNX for Block.

    VNX Unified and VNX for File systems require at least one system account. This account cannot be deleted unless another global account or global security administrator account is available.

    VNX for Block systems do not have a default management account. However, a global system account can be created when these systems are initialized, or in the first login to Unisphere.


    Administrative roles allow assignment of different administrative user privileges for specific responsibilities. Roles simplify the GUI for administrative users by limiting the operations they can perform, and they keep system administration operations away from those who shouldn't be attempting them. VNX offers both predefined and custom roles.

    A role defines the privileges (read, modify, or full control) the administrative user can perform on a particular VNX object. By default, all administrative users have read privileges, allowing them to view objects. Modify privileges allow an administrative user to make changes to an existing object. Full control privileges allow an administrative user to create and delete objects and make significant changes.

    An administrative user account is always associated with a primary group and each group is assigned a role. There is a one-to-one relationship of group-to-role. If an administrative user is a member of multiple groups, the user's cumulative privileges are applied in a least restrictive manner. For example, if the user has a role defining a Read privilege and another role defining a Full Control privilege to the same VNX object, the resultant privilege to the object will be Full Control.

    The VNX is configured with a variety of system-defined roles which cannot be modified or deleted. The system-defined roles provide a rich set of administrative options for assignment to user primary groups. It is also possible to create user defined roles for customizing administrative activities for users.

    Roles are applied to administrative users accessing the GUI and CLI.
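Because privileges combine in the least restrictive manner, any additional group membership can only widen what a user may do. The Python below is an added example, not part of the EMC course material: it computes a user's effective privilege per object and reports where extra groups raise it above the primary group's level. The role, group and object names and their privilege tables are hypothetical.

```python
from enum import IntEnum


class Privilege(IntEnum):
    """Privilege levels named in the text, ordered most to least restrictive."""
    READ = 1
    MODIFY = 2
    FULL_CONTROL = 3


# Constructed sample data: role names, object names and privilege tables are
# hypothetical and do not reproduce the VNX system-defined roles.
ROLE_PRIVILEGES = {
    "viewer_role": {},
    "export_editor_role": {"nfs_export": Privilege.MODIFY},
    "storage_builder_role": {"file_system": Privilege.FULL_CONTROL,
                             "nfs_export": Privilege.FULL_CONTROL},
}

# One-to-one group-to-role relationship, as the text describes.
GROUP_ROLE = {
    "helpdesk": "viewer_role",
    "nfs_team": "export_editor_role",
    "storage_team": "storage_builder_role",
}


def group_privilege(group, obj):
    """Privilege one group grants on obj; read is the default for everyone."""
    role = GROUP_ROLE[group]
    return ROLE_PRIVILEGES[role].get(obj, Privilege.READ)


def effective_privilege(groups, obj):
    """Least-restrictive combination: the highest privilege any group grants."""
    return max((group_privilege(g, obj) for g in groups),
               default=Privilege.READ)


def privilege_widening(primary_group, other_groups, objects):
    """List objects where extra memberships raise the user above the privilege
    of the primary group alone, together with the groups responsible."""
    findings = []
    all_groups = [primary_group, *other_groups]
    for obj in objects:
        base = group_privilege(primary_group, obj)
        effective = effective_privilege(all_groups, obj)
        if effective > base:
            granting = sorted(g for g in other_groups
                              if group_privilege(g, obj) == effective)
            findings.append((obj, base.name, effective.name, granting))
    return findings


if __name__ == "__main__":
    # A helpdesk user who was also added to two other groups.
    for row in privilege_widening("helpdesk", ["nfs_team", "storage_team"],
                                  ["file_system", "nfs_export"]):
        print(row)
```

Running the same check over every account after a group or role-mapping change shows which memberships are responsible for Full Control that the primary group would not have granted.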


    VNX systems use certificates for securing network operations associated with managing the system. Certificates provide a mechanism of establishing a trusted identity on the network. They also provide the public and private keys used for encoding and decoding network communications for PKI-based (public key infrastructure) network protocols.

    VNX systems provide self-signed certificates by default. These self-signed certificates are in place for SPA, SPB and the Control Station(s) on VNX systems. The certificates use 2048-bit RSA keys for the encryption/decryption of network operations.

    By default VNX Data Movers are not configured with certificates. It is possible to generate certificates for the Data Movers that are Control Station self-signed. The certificates can then be used for various network operations for the Data Movers such as name services from LDAP and establishing a trusted identity for FileMover and VMware operations.

    It is also possible to configure the VNX with CA-signed certificates. The system-generated public certificate can be submitted to a CA (Certificate Authority) for signing. Once signed, the public certificate can be imported. CA-signed certificates can be configured on all the SP, Control Station and Data Mover components of the VNX system.


    Unisphere provides audit logging capabilities for both VNX for Block and VNX for File system configurations, by capturing system activities surrounding or leading to an operation, procedure or event.

    Audit information on VNX for Block systems is contained within the event log on each SP. The log contains a time-stamped record for each event, with information about the storage system, the affected SP and the associated host. An audit record is also created every time a user logs in, enters a request through Unisphere, or issues a Secure CLI command.

    On VNX for File systems, configuration files and commands capture management activities initiated from the Control Station, special access to key system files and end-user data.

    The RSA enVision application provides collection, analysis and reporting of administrative events logged by the VNX storage systems.


    This lesson covered the different methods used by Unisphere to validate and secure user access to VNX systems. The lesson also discussed the different authentication scopes and how to assign privileges that grant an administrative user the right to perform different levels of tasks on particular VNX objects.


    This lesson covers the integration and management of VNX Unified storage systems with LDAP domains and users. The lesson will demonstrate how to configure LDAP authentication and how to map VNX administrative roles to LDAP groups and users.


    The VNX system supports administration by users from an LDAP domain.

    LDAP-based domains include Microsoft Active Directory domains, Sun Microsystems iPlanet domains and any systems implementing open-source OpenLDAP domains.

    Administrative users can thus use their LDAP-based account credentials for administrating the VNX system. When administrative users establish a session selecting the LDAP scope, the VNX system queries the LDAP server for the user authentication.

    Configuring administrative users for LDAP authentication is a multi-step operation.

    The first step requires binding the VNX to the LDAP domain.

    The next step is mapping a VNX administrative role to an LDAP domain group.

    The final step is performed automatically by the VNX. A local group is created on the VNX that maps to the LDAP domain group.

    In the following several slides LDAP authentication for an administrative user will be configured. The slides will illustrate the multi-step operation required.


    Configuring the VNX for an LDAP domain binding is performed from the Unisphere GUI and requires Administrator or Security Administrator privileges.

    Navigate to the Settings > Security page, then from the right-side systems task pane select the Manage LDAP Domain link. The dialog window has three tabs for configuring LDAP: Server, Role Mapping, and Advanced.

    The Server tab requires the operator to input information for binding to the LDAP domain. The LDAP server host name or IP Address must be provided along with the Port Number used for LDAP binding. The Server Type is selectable for either LDAP or Active Directory, the Protocol is selectable between LDAP or LDAPS. The operator inputs the LDAP domain name in the Domain Name field. The BindDN field requires an account within the domain for the bind and the Bind Password requires the associated password for the account. The operator also needs to define the LDAP User Search Path and Group Search Path. Finally if certificates are being used to secure the LDAP communications, the Add Certificate button enables adding it.


    Within the Role Mapping tab the operator selects a role to map to a named LDAP Group. Finally the operator selects from a pull-down the administrative role for the LDAP user or group. The Add button will complete the object configuration and add it to a list of configured LDAP users and groups.

    The Advanced tab allows an operator to configure any customized LDAP attributes for the LDAP or Active Directory domain. The tab has default LDAP attributes populated. The values can be changed if the LDAP domain has been customized.


    A new local group will automatically be created on the VNX that is mapped to the LDAP group. LDAP users who are members of the LDAP group will be granted the administrative rights of the LDAP group's mapped administrative role.

    The example screenshot displays two LDAP groups, managers and is, that have been mapped individually to two administrative roles, Operator and Administrator. The two local groups, managers and is, were created automatically on the VNX and are mapped to the LDAP group names.


    The administrative Login to the VNX Unisphere GUI and the VNX Control Station CLI are shown here.

    The Unisphere login with LDAP authentication requires the user's LDAP credentials. The Use LDAP option must be selected for the login to be authenticated by the LDAP domain. The user will be able to manage administrative tasks based on the administrative role configured for the LDAP group of which the user is a member.

    The CLI login to the VNX requires that the user input the username in the following format:

    @

    In the examples shown, the LDAP User ptesca from the LDAP domain corp.hmarine.com is logging in to a VNX using LDAP authentication.


    This lesson covered the integration and management of VNX Unified storage systems with LDAP domains and users. The lesson demonstrated how to configure LDAP authentication and how to map VNX administrative roles to LDAP groups and users.


    This lesson covers the VNX auditing capabilities used for logging security-relevant events performed from a Control Station. The lesson will provide an overview of the events that can be configured for auditing, the commands used to retrieve the audit logs, and to create reports, and where the audit logs and audit configuration files are backed up.


    Auditing is a specialized form of logging. The purpose of auditing is to record the security-relevant events that happen on a system and provide sufficient information about who initiated the event and the event's effect on the system (e.g., success or failure). The key is deciding which security-relevant events to audit.

    Auditing is one of the highest priority data center requirements in the system management arena. This is driven by several factors, such as compliance concerns and basic system management practice.

    The auditing feature is enabled by default and starts when the Control Station is booted.


    The audit.rules file defines the events that will be audited. The file is configured to provide auditing events important for the VNX. The file can be modified to provide for any custom audit requirements. By default, root file system access by administrators is audited. A list of VNX sensitive file systems is configured in the default auditing and accessing them will generate audit events. Any changes to the audit configuration will be tracked. User authentication to the Control Station is also tracked.


    There are several main record types associated to the audit events. A SYSCALL record contains information associated with a system call invocation. A PATH record will contain information about a file being accessed. A CWD record displays a path to the working directory of a process. User authentication information is contained in a specific user (USER_XXXX) record. When a file system is accessed that has a watch configured on it, the FS_WATCH record will have the access information for it.


    The commands for auditing are native Linux commands. There are no VNX specific commands for auditing. All the commands have man pages that detail their use. Running the commands requires root permissions.

    The /sbin/auditctl command controls the kernel's audit subsystem.

    The /sbin/ausearch command reads the audit trail. Although the audit.log file is in plain text it contains numeric values that make it difficult to read. The ausearch command offers options that translate the values to names.

    The /sbin/aureport command produces summary reports of the audit logs. There are options for the command to generate various reports.

    The command /sbin/service auditd controls the audit subsystem and has the listed options.


    The /sbin/auditctl command controls the kernel's audit subsystem. This slide shows some of the parameters that can be configured through this command.


    Although the audit.log file is in plain text it contains numeric values that make it difficult to read. The ausearch command offers options that translate the values to names. The example shown here illustrates some audit records that are associated to accessing paths to Control Station file systems. The example shown is a very small subset of the audit records.
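The Python below is an added example, not part of the EMC course material: it correlates the SYSCALL, CWD, PATH and USER_* records of one event by their shared event ID, translates numeric user IDs to names, and reports accesses under watched directories and failed authentications. The log lines follow the general raw Linux audit format but are constructed, as are the UID map, the file locations inside the directories and the addresses.

```python
import posixpath
import re
from collections import defaultdict

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
HEX_VALUE = re.compile(r"(?:[0-9A-F]{2})+")
UNSET_ID = "4294967295"  # (uid_t)-1: login uid not set (no login session yet)

# Constructed sample records; uids, keys, inodes and addresses are made up.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1364475353.159:24270): pid=3280 uid=0 auid=4294967295 msg='op=PAM:authentication acct="nasadmin" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2686 pid=3538 auid=500 uid=0 gid=0 euid=0 comm="vi" exe="/bin/vi" key="audit_cfg"
type=CWD msg=audit(1364481363.243:24287):  cwd="/nas/var"
type=PATH msg=audit(1364481363.243:24287): item=0 name="auditing/audit.rules" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481400.100:24290): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2686 pid=3600 auid=501 uid=501 gid=501 euid=501 comm="cat" exe="/bin/cat" key="audit_log"
type=CWD msg=audit(1364481400.100:24290):  cwd="/home/operator1"
type=PATH msg=audit(1364481400.100:24290): item=0 name="/celerra/audit/audit.log" inode=12 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481500.500:24301): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2686 pid=3700 auid=501 uid=501 gid=501 euid=501 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1364481500.500:24301):  cwd="/celerra"
type=PATH msg=audit(1364481500.500:24301): item=0 name="auditor_notes.txt" inode=77 dev=fd:00 mode=0100644 ouid=501 ogid=501
"""

# Assumed uid-to-name map standing in for the account lookup ausearch performs.
UID_NAMES = {"0": "root", "500": "nasadmin", "501": "operator1"}


def parse_fields(text):
    """Parse key=value pairs; a quoted msg='...' payload is parsed recursively."""
    fields = {}
    for key, raw in FIELD.findall(text):
        if raw.startswith("'"):
            fields.update(parse_fields(raw[1:-1]))
        elif key in ("name", "cwd", "exe", "comm") and HEX_VALUE.fullmatch(raw):
            # Unquoted hex: the kernel hex-encodes strings with unsafe characters.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw.strip('"')
    return fields


def correlate(log_text):
    """Group records sharing one 'timestamp:serial' event ID into one event."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        match = HEADER.match(line.strip())
        if match:
            rec_type, stamp, serial, body = match.groups()
            events[f"{stamp}:{serial}"][rec_type].append(parse_fields(body))
    return events


def user_name(uid):
    """Translate a numeric uid the way an interpreted audit listing would."""
    return "unset" if uid == UNSET_ID else UID_NAMES.get(uid, f"uid={uid}")


def watched_accesses(events, watched_dirs):
    """Return (event, login user, effective user, exe, path, succeeded) for each
    PATH record that resolves to a location inside a watched directory."""
    hits = []
    for event_id, recs in sorted(events.items()):
        cwd = recs["CWD"][0]["cwd"] if recs.get("CWD") else "/"
        for call in recs.get("SYSCALL", []):
            for path in recs.get("PATH", []):
                full = posixpath.normpath(posixpath.join(cwd, path.get("name", "")))
                # Match on a directory boundary, not a bare string prefix.
                if any(full == d or full.startswith(d.rstrip("/") + "/")
                       for d in watched_dirs):
                    hits.append((event_id, user_name(call.get("auid", UNSET_ID)),
                                 user_name(call.get("euid", UNSET_ID)),
                                 call.get("exe"), full, call.get("success") == "yes"))
    return hits


def failed_authentications(events):
    """Return (event, record type, account, address, exe) for failed USER_* records."""
    return [(event_id, rec_type, f.get("acct"), f.get("addr"), f.get("exe"))
            for event_id, recs in sorted(events.items())
            for rec_type, items in recs.items() if rec_type.startswith("USER_")
            for f in items if f.get("res") == "failed"]


if __name__ == "__main__":
    parsed = correlate(SAMPLE_LOG)
    for hit in watched_accesses(parsed, ["/celerra/audit", "/nas/var/auditing"]):
        print(hit)
    print(failed_authentications(parsed))
```

The login UID (auid) stays fixed when a user switches to root, which is why the first hit is attributed to nasadmin although the effective user is root.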


    To generate audit summary reports, the aureport command is used. There are options for the command to generate various reports. The example shown is an Authentication report.


    Audit logs are located in the /celerra/audit directory.

    The current audit log file and the auditing configuration files are backed up to the backend file system /nas/var/auditing.

    Every 180 seconds the auditing backup is performed for each Control Station. If the Control Station in slot 0 is replaced, the software recovery steps automatically restore the audit configuration from the backend backups. Recovery of the slot 1 Control Station auditing has to be performed manually from the backup files.


    This lesson covered the VNX auditing capabilities used for logging security-relevant events performed from a Control Station. The lesson also provided an overview of the events that can be configured for auditing, the commands used to retrieve the audit logs and create reports, and where the audit logs and audit configuration files are backed up.


    This lesson covers the monitoring features provided by Unisphere, how to check alerts and event logs associated with VNX system activities, and how to enable notifications for both File and Block systems.


    Within the Unisphere System monitoring page, there are several areas where the system can be monitored, including:

    Alerts for various system conditions

    SP Event Logs for monitoring block related activities

    Background Tasks for File

    Event Logs for File

    Notification Logs for File

    Notifications for Block

    Statistics for File

    Statistics for Block

    QoS Manager


    In the Alerts section, the user can see if there are any critical errors, warnings, or errors. To obtain details for an alert, double-click the alert of interest to retrieve its properties. The Alert Details provide further information on the status of the alert and how to resolve it.

    Alerts may come from the Block side or the backend, or from the File side of the VNX system.


    In the Background Tasks for File area, File-related tasks are logged, and can be monitored.

    This page will report the tasks with the following information:

    ID - Unique identifier for the task.

    State - Status of task: Succeeded, Failed, Running, or Recovering.

    Originator - User and host that initiated the task.

    Start Time - Time the administrator initiated the task. The start time is in the format:

    month/date/year hours:minutes

    Description - Brief task description.

    Schedule - Frequency of occurrence and type of task.

    Systems - Name of the remote system involved in the task.

    The logged task properties can be viewed by double-clicking the selected task or by clicking the Properties button.


    In the Event Logs for File area, File-related events can be monitored.

    The page can be configured to display log messages from the Control Station or the Data Movers based on a selected time interval and severity level:

    Severity - Severity of event. The severity is converted from a numerical value (0-6) in the log file to one of four named values. Events provides a comparison.

    Time - Date and time of event.

    Facility - Component that generated event.

    Description - Description of event.

    To view details about an event, right-click the record and select Details.


    In the SP Event Logs section, logs for each one of the SPs can be retrieved for visualization, filtered by type of event, saved on a local file on the client machine, and printed. The displayed report fields are:

    Date - Date that the event occurred.

    Time - Time that the event occurred.

    Event Code - Numerical code that pertains to the particular event.

    Description - Brief description of the event.

    Storage System - Name of the storage system that generated the event. Displays N/A for non-device event types.

    Device - Name of the device within the storage system on which the event occurred. Displays N/A for non-device event types.

    SP - SP to which the event belongs: SP A or SP B.

    Host - Name for the currently running Agent: SP Agent or Host Agent.


    Notifications for File are actions that the Control Station takes in response to a particular system condition. These features are configurable notifications based on system events and system resource utilization.

    The system Event notifications are based on pre-defined system events, such as a temperature being too high. As displayed in this table, these notifications are configured based on the Facility affected and the Severity levels (Critical, Error, Warning, Info). The user can set the action to be taken when the defined criteria are met, and the destination of the notification: the path of a Control Station log file, a single SNMP trap destination for the traps, and a list of e-mail addresses separated by commas.

    The other tabs of the Notifications for File are Storage Usage, Storage Projection and Data Mover Load. These refer to notifications based on resource utilization. The user can also configure conditions or thresholds for triggering the notifications.


    Event Notifications for Block storage systems allow the configuration of either Centralized Monitoring or Distributed Monitoring. With Centralized Monitoring, a single Unisphere Agent monitors selected storage systems. With Distributed Monitoring, each Unisphere Agent monitors its own storage systems.

    When creating a template, the user is able to define Severity level and Category for general events or configure notifications for explicit events. The severity levels are Info, Warning, Error, and Critical. The Categories relate to the events pertaining to Basic Array feature, MirrorView, SnapView, SAN Copy, VNX Snapshots, etc.

    Some of the actions that can be configured regarding a notification include the following:

    Logging the event in an event log file

    Sending an email message for single or multiple system events to a specific email address

    Generating an SNMP trap

    Calling home to the service provider

    Running a script


    Statistics for File provides the user with information about the file system utilization, storage and network performance.

    Graphs are configurable and given in real-time.

    The Statistics page displays a live graph of the statistics for components of the VNX. The legend under the graphic explains the chart data. The graph can display a maximum of 14 statistics at any one time.

    The top line on the page includes two arrows that allow the user to navigate backward and forward in the accumulated data, and text stating the time period covered by the visible graph.

    To manipulate the graph, the user can right-click the graph and select:

    Export Data: to export the data in the graph into a comma-separated values file for import into Microsoft Excel or other applications that import data this way. For details, refer to Export graph or table data into a file.

    Print: to print the graph, rotated or scaled to fit a page as needed.

    Time Interval: to change the time period displayed by the graph.

    Select Stats: to add or remove types of statistical data displayed in the graph.

    Polling Control: to change the polling interval for statistical update queries and to disable and enable statistical update polling. For details, refer to Change the polling interval for statistical update queries.

    Polling Interval: the rate at which an object is polled. The default polling interval for updated stats is five minutes for Data Mover and storage system data. File system data is polled at a fixed interval of 10 minutes.


    Statistics for Block are provided by the Unisphere Analyzer feature.

    The Unisphere Analyzer feature lets the user monitor the performance of the storage-system components: LUNs, the storage processors (SPs) that own them, and their disk modules. Unisphere Analyzer gathers block storage-system performance statistics and presents them in various types of charts. This information allows the administrator to find and anticipate bottlenecks in the disk storage component utilization.

    Analyzer can display the performance data in real time or as a file containing past performance data from an archive. The user can capture the performance data in an archive file at any time and store it on the host where Unisphere was launched.

    The statistics are displayed as seven different types of charts: Performance Survey chart, Performance Summary, Performance detail, Performance Overview (for RAID Group LUNs, metaLUNs only), and LUN IO Disk detail chart (for LUNs only).


    This lesson covered the monitoring features provided by Unisphere, how to check alerts and event logs associated with VNX system activities, check statistics and how to enable notifications for both File and Block systems.


    This lesson covers the implementation of Unisphere security features for the administration of a VNX Unified storage system. The lesson will introduce the concept of storage domains and how to configure and manage a multi-domain environment. The lesson will also describe the steps to set email notifications via Event Monitor, and how to set notifications for File per severity level.


    Each VNX Unified storage system is configured into its own storage domain by default. The system's SPs and its Control Station are members of the domain by default. A VNX system can be managed using a Unisphere session to any member of the storage domain. The system also includes a default sysadmin global user account in the domain. The account is configured with the Administrator role.


    Unisphere supports multi-domain configurations. A multi-domain environment lets you manage and monitor a group of domains (potentially all the systems in a storage enterprise) using the same instance of Unisphere.

    The example illustrates the management of multi-domains within Unisphere by using the Manage Multi-Domain Configuration link from the right-side system tasks pane which is available by navigating to the All Systems > Domains page. In the dialog, the operator adds the IP address of the VNX domain gateway (the SP IP address of the domain master) and provides a name for the domain. The additional domain can then be moved into the Selected Domains section of the dialog. After creation, the newly added domain is displayed by navigating to the All Systems > Domains page.


    To add a VNX system into an existing VNX local domain, in Unisphere navigate to the System List page and click the Add button at the bottom of the page. A Unisphere connect page will be displayed for the operator to input an SP IP address of the VNX system to be added. When adding a system into the domain, the system being added will be removed from any of its existing domain configurations, as illustrated by the message. The operator will also be prompted for credentials to log in to the VNX system being added (that screen shot is not shown in this example). Once the VNX system is added, it will be displayed in the System List page. In this example, both VNX systems can now be managed from a single sign-on into Unisphere.


    New administrative users can be created on VNX systems using Unisphere. Only users with the Administrator or Security Administrator roles can create new administrative users.

    To create the new administrative user, in Unisphere navigate to Settings > Security > User Management. It is possible to create new global users within the storage domain or new local administrative users for File or for Block. A global administrative user can be configured with roles to manage file and/or block related administrative tasks for all VNX systems within the storage domain. A local administrative user for File or for Block can manage their respective administrative tasks only on the local system. Global accounts are recommended if the desire is to have the user manage multiple VNX systems. Local accounts are recommended if the desire is to limit management to a single system.

    The example illustrates creating a new global administrative user named global_admin_user and assigning it to the Administrator role within the domain.


    Some management tasks on the Control Station, such as configuring the Control Station networking, require root privileges. It is common to create a global user and then assign the new user root privileges.

    The example illustrates a global user being customized for File management. The user's properties page allows configuring the user's Primary Group, the Group (Role) Membership the user is assigned to, and Client Access (if the user account is enabled for CLI access). In the example, the user is being assigned to the root local group and enabled for CLI access.


    For notifications to be sent via SMTP mail, an email user must be configured. From the System page, under the Service Tasks listing on the right, click Manage Email User. In the configuration screen, input email addresses for the recipient and CC personnel to receive notifications of the event. Also provide an SMTP email server address or hostname, a subject line for the email, and an email address for the sender.


    For an example of email notifications, the Control Station can send an email message to an administrator when a critical system event occurs, such as a disk failure. Or, a notification can relate to a system resource threshold being reached, such as a file system reaching its capacity limit. VNX for File allows the user to set up notifications based on several categories of system conditions; Events, Storage Usage, Storage Projection and Data Mover Load.

    To create a File notification, navigate to System > Monitoring and Alerts > Notifications for File.

    Then select the Create button; a popup screen will prompt for the facility you want to monitor.

    Choose the event you want monitored. Then choose the severity level (Critical, Error, Warning, or Info) of the events to be notified about. Then select how the notification will be sent (mail, log file, or SNMP trap). For the log file option, type an absolute path on the Control Station and save it (e.g. /vnxnotification/alerts). For the SNMP trap, the trap destination can be an IPv4 or IPv6 address, community name, or a hostname.

    In our example, we have selected several facilities to be monitored. When a component in the Event Log reaches a Critical severity for example, we will receive an email notification to [email protected] from [email protected].


    Event notification is a feature that supports centralized or distributed monitoring of block system events in a heterogeneous environment. Event notification is part of the Host or SP Agent, and it is supported on many operating systems.

    Shown in this slide is the Configuration Wizard (also known as the Event Monitor Wizard) used to set up monitoring configurations. The wizard helps set up distributed or centralized monitoring environments. It allows the selection of monitoring agents and then the creation and assignment of configuration templates to these agents.

    A template contains events, responses, and message formatting and can be mapped to one or more storage systems. This common template specifies the storage system events to be monitored and the method of event notification.

    Notifications can be set when selected events occur using any combination of the following methods:

    E-mail

    Paging via modem or E-mail

    Sending an SNMP trap to an industry-standard network-management tool such as HP OpenView, Tivoli NetView, and CA-Unicenter TNG.

    Custom response

    Once configured, event notification runs continuously as a service or daemon, observing the state of all specified storage systems and notifying you when selected events have occurred.


    This lesson covered the implementation of Unisphere security features for the administration of a VNX Unified storage system. The lesson also discussed the concept of storage domains and how to configure and manage a multi-domain environment. The lesson also described the steps to set email notifications via Event Monitor, and how to set VNX OE for File events to monitor and notify in accordance with severity level.


    This module covered: VNX user interface options, including Unisphere and CLI; Unisphere authentication options and role management; managing events using Control Station Auditing and/or Unisphere monitoring.
