
Copyright IBM Corp. 2013. All rights reserved.

Draft Document for Review February 7, 2014 7:33 pm 8189Settings.fm
Chapter 7. Configure Settings
In this chapter you will learn how to operate the Settings section of the IBM FlashSystem 840
Graphical User Interface (GUI) as shown in Figure 7-1 on page 210. The Settings function
covers various options for monitoring and configuring network interfaces and Fibre Channel
ports. It also covers remote authentication and the firmware upgrade process. We also
discuss how to get access to the Service Assistant Tool.
Topics discussed in this chapter cover:
Configure Network settings
Configure Directory services
Configure Remote Authentication using LDAP
Configure Event Alerting and Call Home
How to Upgrade firmware
The Service Assistant Tool
Implementing IBM FlashSystem 840 Storage
7.1 Settings menu
You can use the Settings panel to configure system options for event notifications, directory
services, IP addresses, Fibre Channel connectivity and preferences related to display options
in the management GUI.
The Settings Menu includes five options which are:
Event Notifications
Directory Services
Network
Support
General
7.1.1 Navigating to the Settings Menu
In the following section, we describe the Settings menu and its options. If you hover the cursor
over the Settings function icon, the Settings menu opens (Figure 7-1).
Figure 7-1 Navigate to the Settings menu
7.1.2 Event Notification menu
FlashSystem 840 can use Simple Network Management Protocol (SNMP) traps, syslog
messages, and Call Home email to notify you and IBM Support when significant events are
detected. Any combination of these notification methods can be used simultaneously.
Notifications are normally sent immediately after an event is raised. However, there are some
events that might occur because of service actions that are being performed. If a
recommended service action is active, these events are notified only if they are still unfixed
when the service action completes.
Email
The Call Home feature transmits operational and event related data to you and IBM through a
Simple Mail Transfer Protocol (SMTP) server connection in the form of an event notification
email. When configured, this function alerts IBM service personnel about hardware failures
and potentially serious configuration or environmental issues.
To configure email alerts, navigate to Settings → Event Notification, which opens the
window shown in Figure 7-2. From this window, you can configure the email alerts which are
included in the Call Home function. During the configuration of Call Home you configure
contact information and email receivers for your own notification.
Figure 7-2 Event notification window Email
To initiate the configuration wizard click Enable Email Event Notification and the setup Call
Home window opens. The procedure for configuring Call Home is similar to when
FlashSystem 840 is initialized for the first time. The procedure for configuring this is described in
detail in Chapter 4, "Installation and Configuration" on page 57.
SNMP
Simple Network Management Protocol (SNMP) is a standard protocol for managing networks
and exchanging messages. The system can send SNMP messages that notify personnel
about an event. You can use an SNMP manager to view the SNMP messages that the system
sends.
Figure 7-3 on page 212 shows the SNMP configuration menu.
Figure 7-3 Event notification window SNMP
In the SNMP configuration menu you can configure one or more SNMP servers. For each of
these you configure:
IP address
SNMP server port (default port 162)
SNMP community (default public)
Event type (default Alerts - can be changed to All events)
There are various SNMP trap receiver products on the market. These are known as SNMP
managers. Some of the IBM SNMP managers that can be mentioned are Tivoli NetView or
Tivoli Enterprise Console.
Syslog
The syslog protocol is a standard protocol for forwarding log messages from a sender to a
receiver on an IP network. The IP network can be either IPv4 or IPv6. The system can send
syslog messages that notify personnel about an event.
FlashSystem 840 can transmit syslog messages in either expanded or concise format. You
can use a syslog manager to view the syslog messages that the system sends. The system
uses the User Datagram Protocol (UDP) to transmit the syslog message. You can specify up
to a maximum of six syslog servers (Figure 7-4 on page 213).
Figure 7-4 Event notification window Syslog
In the Syslog configuration menu you can configure one or more Syslog servers. For each of
these you configure the following:
IP address
Facility
- The facility determines the format for the syslog messages and can be used to
determine the source of the message.
Event type (default Alerts - can be changed to All events)
There are various Syslog server products on the market. Many of these are free of charge
and can be downloaded from the internet.
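The following is an added example, not part of the original chapter and not IBM code. It shows receiver-side handling of the UDP syslog messages described above: decoding the priority value into facility and severity, and accepting a message as storage-originated only when both the sender address and the facility match what was configured. The sender address 192.168.10.12, the facility local0 (16) and the message texts are assumptions constructed for the example.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Assumptions for this example (not taken from the chapter):
STORAGE_SENDERS = {"192.168.10.12"}   # address the storage system sends from
EXPECTED_FACILITY = 16                # local0, the facility selected for it


def decode_pri(datagram):
    """Split a syslog datagram into (facility, severity, rest); None if malformed."""
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest valid priority
        return None
    facility, severity = divmod(pri, 8)
    return facility, severity, datagram[m.end():].decode("utf-8", "replace")


def classify(sender_ip, datagram):
    """Return (verdict, severity_name, text) for one received datagram.

    UDP syslog carries no sender authentication, so the address check is a
    filter for misrouted or unexpected traffic, not proof of origin.
    """
    decoded = decode_pri(datagram)
    if decoded is None:
        return ("malformed", None, "")
    facility, severity, text = decoded
    sev = SEVERITIES[severity]
    known = sender_ip in STORAGE_SENDERS
    if known and facility == EXPECTED_FACILITY:
        return ("storage", sev, text)
    if known:
        return ("storage-wrong-facility", sev, text)
    if facility == EXPECTED_FACILITY:
        return ("unknown-sender", sev, text)
    return ("other", sev, text)


# Constructed sample traffic: (sender address, raw datagram)
SAMPLE = [
    ("192.168.10.12", b"<131>Feb  7 19:33:01 fs840 constructed: array member offline"),
    ("192.168.10.12", b"<134>Feb  7 19:34:10 fs840 constructed: user login"),
    ("10.0.0.99", b"<131>Feb  7 19:35:00 fs840 constructed: array member offline"),
    ("192.168.10.12", b"<999>not a valid priority"),
    ("192.168.10.12", b"<30>Feb  7 19:36:00 fs840 constructed: daemon message"),
]


def triage(received):
    """Verdict and severity for each datagram, in arrival order."""
    return [classify(ip, data)[:2] for ip, data in received]


if __name__ == "__main__":
    for (ip, _), result in zip(SAMPLE, triage(SAMPLE)):
        print(ip, result)
```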
7.1.3 Directory Services
When a FlashSystem 840 clustered system is created, the authentication settings default to
Local meaning that FlashSystem 840 contains a local database of users and their privileges.
Users can be created on the system and can log in using the user accounts they have been
given by the local superuser account.
You can create two types of users who can access the system. These types are based on
how the users authenticate to the system. Local users are authenticated through the
authentication methods that are located on the FlashSystem 840 system.
If the local user needs access to the management GUI, a password is needed for the user. If
the user requires access to the command-line interface (CLI) through SSH, either a password
or a valid SSH key file is necessary. Local users must be part of a user group that is defined
on the system. User groups define roles that authorize the users within that group to a
specific set of privileges on the system.
For users of a FlashSystem 840 clustered system you can configure authentication and
authorization using the Command Line Interface (CLI) as well as the Graphical User Interface
(GUI) as configured in the Users and User Groups Menu.
A remote user is authenticated on a remote service with Lightweight Directory Access
Protocol (LDAP) as configured in Settings → Directory Services on the FlashSystem 840
GUI (Figure 7-1 on page 210). Remote users have their roles defined by the remote
authentication service.
Remote Authentication is disabled by default and can be enabled to authenticate users
against LDAP servers.
Users who need access to the CLI must be configured as a local user on FlashSystem 840.
Remote users do not need to be configured locally; they only need to be defined on the LDAP
server.
For more information on how to configure Remote Authentication and authorization for users
of FlashSystem 840 refer to the User Authentication Configuration section of IBM Infocenter
--------
--
Reasons for using Remote Authentication
When Remote Authentication is configured users authenticate with their domain user and
password rather than a locally created userid and password.
This saves you from having to configure a local user on every IBM storage system there
may be in your storage infrastructure.
If you have multiple LDAP enabled storage systems this makes it more efficient to set up
authentication.
The audit log will show the domain username of the issuer when commands are executed,
which is more informative than a local username, or just superuser.
Remote Authentication gives you central access control. If someone leaves the company
you just need to remove access at the domain controller, meaning there are no orphan
userids left on the storage system.
Prepare LDAP server
The first step in configuring LDAP is to prepare the LDAP server. We use a Microsoft
Windows 2008 R2 Enterprise server which we promoted to be a Domain Controller using
. Next we added the computer role Active Directory Lightweight Directory Services.
The privileges the LDAP user gets on FlashSystem 840 are controlled by User Groups on the
storage system. There must be matching User Groups on the AD server and on FlashSystem
840 and the LDAP users must be added to the AD server group.
In our example we create a group called FlashAdmin which we use for managing our
FlashSystem 840 storage device.
To create this group we need to log on to the AD Domain Controller and configure Active
Directory. An easy way to do this from the AD controller is to go to Start → Run and type
-- and click OK. The Active Directory Users and Computers Management Console
opens as shown in Figure 7-5.
Figure 7-5 AD users screen - click add new group
We now click Create a new group in the current container and get to the New Object
Group as shown in Figure 7-6 on page 215
Figure 7-6 Active Directory create FlashAdmin group
We name the new group FlashAdmin and leave the remaining default options and click OK.
We now highlight the users we want to add to the FlashSystem 840 storage administrator group
and click Adds the selected object to a group you specify as shown in Figure 7-7.
Figure 7-7 Add select user and add to group
In the Select groups dialogue we type FlashAdmin and click Check Names as shown in
Figure 7-8 on page 216.
Figure 7-8 AD add users to group FlashAdmin
Any other users that may be added to the FlashAdmin group get the same privileges on our
FlashSystem 840.
If other users with different privileges are required then another group on FlashSystem 840
with different privileges is required as well as a group on the AD server with a matching name.
Our LDAP server is now prepared for remote authentication.
Configure Remote Authentication
The next step in configuring remote authentication for FlashSystem 840 is to specify the
authentication server and to test connectivity and if users can authenticate to the LDAP
server.
From the menu Settings → Directory Services click Remote Authentication → Configure
Remote Authentication as shown in Figure 7-9 on page 216.
Figure 7-9 Remote Authentication disabled
The Configure Remote Authentication dialogue window opens and we select LDAP as shown
in Figure 7-10
Figure 7-10 RA wizard step 1
Next we select LDAP and select Microsoft Active Directory and select security None as
shown in Figure 7-11.
Figure 7-11 RA wizard step 2
We then expand Advanced Settings. Any user with authority to query the LDAP directory
can be used to authenticate. Our Active Directory domain is itsolab.ibm.com so we use the
Administrator login name on the Domain itsolab.ibm.com to authenticate. We then click Next
as shown in Figure 7-12.
Figure 7-12 RA wizard step 3
We now type in the IP Address of our LDAP server which is 9.19.91.219 and the LDAP Group
Base DN for Microsoft Active Directory.
The LDAP User and Group Base DN for Microsoft Active Directory can be found using the
following commands:
- - -
-
To look up the Base DN we log on to the LDAP server and execute the following commands
(Example 7-1 on page 218):
Example 7-1 Checking the LDAP server for Base DN
---- -
----
---
The Base DN we need to enable LDAP authentication only requires the domain part of the
output in the example above. We now type in DC=itsolab,DC=ibm,DC=com in the Base DN
field in the Create Remote Authentication dialogue as shown in Figure 7-13.
Figure 7-13 RA wizard step 4
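The following is an added example, not part of the original chapter and not IBM code. It shows one way to take the domain part of a distinguished name, as described above, and to cross-check it against the Active Directory domain name itsolab.ibm.com. The sample distinguished names are constructed, because the output of Example 7-1 is not reproduced here; the function names are hypothetical.

```python
def split_dn(dn):
    """Split a distinguished name into its components, honouring backslash escapes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def base_dn(dn):
    """Return the trailing run of DC= components (the domain part) of a DN."""
    domain = []
    for rdn in reversed(split_dn(dn)):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "DC" and value.strip():
            domain.append("DC=" + value.strip())
        else:
            break                          # first non-DC component ends the domain part
    if not domain:
        raise ValueError("no DC components at the end of %r" % dn)
    return ",".join(reversed(domain))


def to_dns_domain(base):
    """Convert DC=a,DC=b,DC=c into a.b.c for comparison with the AD domain name."""
    return ".".join(rdn.partition("=")[2] for rdn in split_dn(base))


def matches_domain(dn, dns_domain):
    """True when the domain part of the DN corresponds to the given DNS domain."""
    return to_dns_domain(base_dn(dn)).lower() == dns_domain.lower().rstrip(".")


# Constructed sample distinguished names
SAMPLES = [
    "CN=Administrator,CN=Users,DC=itsolab,DC=ibm,DC=com",
    "CN=Smith\\, John,OU=Storage Admins,DC=itsolab,DC=ibm,DC=com",
    "CN=ops\\,DC=fake,DC=itsolab,DC=ibm,DC=com",   # escaped comma inside a CN value
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(base_dn(sample), matches_domain(sample, "itsolab.ibm.com"))
```

A split on every comma would treat the escaped `DC=fake` in the last sample as part of the domain; honouring the escape keeps the Base DN correct.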
We click Finish and are then returned to the Settings → Directory Services window.
Figure 7-14 shows that we now have LDAP enabled and it shows the preferences of the
configured LDAP server.
Figure 7-14 Remote Authentication enabled
Create FlashSystem 840 LDAP enabled User Group
The first part of our LDAP configuration is now complete. We need, however, to create a new
user group on our FlashSystem 840 with a name matching the one we configured on the
LDAP server. The LDAP server group name was FlashAdmin.
First navigate to Users → User Groups as shown in Figure 7-15.
Figure 7-15 Navigate to User Groups
Figure 7-16 on page 219 shows the current configured user groups and we click Create User
Group
Figure 7-16 Create new user group
Figure 7-17 shows that we select Security Administrator and check Enable for this group.
We type in the name FlashAdmin for the new user group.
Figure 7-17 Select Security Administrator
Our new user group is now created and enabled for Remote Authentication as shown in
Figure 7-18
Figure 7-18 Group FlashAdmin created
Testing LDAP Authentication
At this point we could log out user superuser and try to log in with the LDAP user. However,
before doing that the Remote Authentication dialogue gives us the possibility to test LDAP.
We click Global Actions and Test LDAP Connections as shown in Figure 7-19 on page 221.
Note: If the field Remote Authentication is not visible in the Create User Group
dialogue, then Remote Authentication is disabled in Settings → Directory Services.
Figure 7-19 RA test LDAP connections
Now the Test LDAP Connections task window opens and displays the CLI command used to
test the connection. In case of successful connection to the LDAP server we get the output
shown in Figure 7-20.
Figure 7-20 RA test LDAP connections CLI result
From the menu Global Actions we also have the option to test if authentication for a given
user is functional. We do this by clicking Test LDAP Connections and get the dialogue
shown in Figure 7-21 on page 221. We type in the user credential of the LDAP user we want
to test authentication for and click Test.
Figure 7-21 RA test LDAP Authentication
When you click Test the CLI command window displays. If authentication is successful we get
the same output as shown in Figure 7-20 on page 221.
If unsuccessful we get the message shown in Figure 7-22.
Figure 7-22 RA test unsuccessful
Login as LDAP user
Assuming successful Remote Authentication the user superuser can now logout and the
LDAP user can login as shown in Figure 7-23.
Figure 7-23 Login screen LDAP user
Figure 7-24 on page 223 shows FlashSystem 840 home screen where the upper right corner
displays which user is currently logged in.
Figure 7-24 Main screen LDAP user logged in
We have now completed configuring Remote Authentication.
7.1.4 Network menu
The network setup for all the interfaces in the cluster is configured here.
Clicking Settings → Network opens the network menu. From here you can update the
network configuration, configure Service IP addresses and view information about the Fibre
Channel connections.
Management IP Addresses
The Management IP is the IP address of the FlashSystem 840 management interfaces.
These interfaces include the GUI and the CLI. The GUI is accessed via a web browser and
the CLI is accessed via SSH using PuTTY or a similar tool.
The configured Management IP address can be reviewed or changed when hovering over the
ports as shown in Figure 7-25.
Figure 7-25 Network Menu
Service IP Addresses
The Service IPs are the IP addresses of each of the two FlashSystem 840 controllers, called
canisters. These canisters have their own IP addresses where several support actions can be
performed. Some of these are listed here:
Review installed hardware
Place canister in Service State
Power cycle canister
Identify canister
Clear all system configuration data
Create new cluster
Recover a failed system - action ONLY performed by IBM Support
Upgrade firmware manually with controllers offline
Extract system event logs
For more information on how to access and use the Service Assistant Tool refer to 7.2,
"Service Assistant Tool" on page 233.
7.1.5 Support menu
The Settings → Support menu is used when log files are requested by IBM Support. IBM
Support often requests log files when a support case is opened by FlashSystem 840
administrators or by the Call Home function.
The overall process is that the system administrator downloads the requested support
package from the system and then uploads it to IBM Support, after which the data can be
analyzed by IBM Support.
Download Support Package
To download a Support Package click Settings → Support and Download Support
Package as shown in Figure 7-26 on page 225.
Figure 7-26 Download Support Package
Note: The Service IP addresses are normally not used by the FlashSystem 840
administrator. They are used ONLY in case of troubleshooting and scheduled maintenance
or when IBM Support performs certain service actions.
IBM Support usually requests Standard logs plus new statesaves. These logs may take
from minutes to hours to download from FlashSystem 840 depending on the situation and the
size of the support package that is being downloaded.
The destination of the Support Package file is the system from where the web browser was
launched. Figure 7-27 shows the next step where we save the Support Package file on our
Windows system.
Figure 7-27 Download Support Package Save file
IBM Support usually requests log files to be uploaded to a given PMR number using EcuRep
as the upload media to IBM. EcuRep can be found at the following URL:

Download individual log files
After analyzing the uploaded support package IBM Support may request additional files.
These can be located from Settings → Support by clicking Show full log listing. This allows
for download of specific and individual log files. An example is shown in Figure 7-28.
Figure 7-28 Download support - individual files
You can download any of the various log files or delete them by selecting a single item
(Figure 7-29) and clicking either the Download or Delete options under the Actions button.
Figure 7-29 Download / Delete options of the Actions button
Delete option: When the Delete option is not available, the file cannot be deleted because
it is being used by the system.
Log files are saved from each of the installed canisters (logically called nodes). At the upper
left of the window, there is a node option that can be used to show node 1 or 2 log files
(Figure 7-30).
Figure 7-30 Change the log listing of the Nodes canister
7.1.6 General menu
The General menu allows for setting the time and date for the cluster, enabling Open Access,
performing software upgrades for the cluster and changing the preferences for the GUI.
Date and Time
Clicking the Settings → General option opens the window shown in Figure 7-31. This
window provides options to set the date and time.
Figure 7-31 General menu - date and time preferences
The preferred method for setting date and time is to configure a Network Time Protocol (NTP)
server. By doing that all log entries are stamped with an accurate date and time, which is
important in case of troubleshooting. An example could be that a temporarily broken Fibre
Channel link caused a path failover at a connected host. In order to investigate the root cause
of such an event, logs from the host and the SAN switches as well as logs from FlashSystem 840
need to be compared. If date and time are not accurate, then events cannot be compared and
matched, making a root cause analysis harder.
Open Access
IBM FlashSystem 840 can be configured to allow Open Access or to disallow Open Access.
Open Access is feasible when the system is directly connected to a host, because then no
other hosts are able to connect to the system and hence by accident read from or write to
volumes that belong to other hosts.
Allowing Open Access could also be used in case FlashSystem 840 is connected to properly
zoned SAN switches. However disallowing Open Access and forcing the system to map its
volumes only to selected hosts provides an extra layer of security.
Figure 7-32 on page 231 shows the Settings → General → Open Access window. Open
Access can only be enabled when no host mappings are present.
Figure 7-32 General - Open Access
Upgrade software
The menu Settings → General → Upgrade Software allows for upgrade of FlashSystem
840 firmware. This is also referred to as Concurrent Code Upgrade (CCU) in which each node
in the clustered system automatically upgrades in sequence while maintaining full
accessibility for connected hosts.
The latest firmware for the system can be downloaded from the internet (if the system has
access), or it can be downloaded by the administrator from the following URL:
--
To initiate Concurrent Code Upgrade click Upgrade Software → Launch Upgrade Wizard
as shown in Figure 7-33 on page 232.
Figure 7-33 General - Upgrade Software
The Upgrade Software wizard begins by requesting the administrator to select the Firmware
Upgrade test Utility, which checks for errors before the firmware upgrade file can be uploaded
and the upgrade started. When the file is selected you can click Next and the firmware file is
uploaded to the FlashSystem 840 controller nodes, after which the software upgrade
begins.
As an alternative to upgrading firmware through the GUI, the FlashSystem 840 CLI can be used
instead. The process is described at IBM Infocenter at the following URL:
--------
--
For more information on how to upgrade firmware on the FlashSystem 840 refer to
Chapter 10, "Hints and Tips" on page 289.
GUI preferences
The menu Settings → General → GUI Preferences allows for changing the web address of
IBM Infocenter, which is the help page for IBM FlashSystem 840. This help page can be reached
from any screen in the management GUI by clicking the question mark in the upper right
corner of the GUI as shown in Figure 7-34.
Figure 7-34 Infocenter access
Any address can be configured in the Web Address field as shown in Figure 7-35 on
page 233
Figure 7-35 General - GUI Preferences
7.2 Service Assistant Tool
The Service Assistant Tool is used for troubleshooting or when an IBM support engineer
directs you to get there.
7.2.1 How to access the Service Assistant Tool
The Service Assistant Tool is accessed with a web browser. An example of getting access is
to point your browser to the cluster management IP followed by /service. An example of such
a URL could be:
--
Each of the canisters' individual service IPs can also be reached. There are different options
for getting access to the Service Assistant Tool. Below is an example of which IPs are
configured and how they are accessed:
192.168.10.10 - Service IP canister 1
- -- opens the Service Assistant Tool for canister 1
- - opens the Service Assistant Tool for canister 1
192.168.10.11 - Service IP canister 2 (configuration node)
- -- opens the Service Assistant Tool for canister 2
- - opens the cluster management GUI
192.168.10.12 - Cluster IP
- -- opens the Service Assistant Tool for the configuration
node
- - opens the cluster management GUI
7.2.2 Log in to the Service Assistant Tool
The login screen of the FlashSystem 840 Service Assistant Tool only allows the user
superuser to log in, thus the username cannot be changed, as shown in Figure 7-36.
Figure 7-36 Service Assistant Tool login
After typing in the password for user superuser you get to the Service Assistant Tool as
shown in Figure 7-37 on page 235.
Note: Canisters are named Canister 1 (view from rear left side) and Canister 2 (view from
rear right side). The logical names for canisters in the Service Assistant Tool are node 1
and node 2. Which is node 1 and node 2 depends on the actual configuration and on the
order in which the controllers were added to the cluster. If canister 2 was added first it will get the
logical name node 1. There is hence no direct relation between canister number and node
number.
Figure 7-37 Service Assistant Tool main page
From the Home page of the Service Assistant Tool you have different options for examining
installed hardware and revision levels as well as identifying canisters or placing these into
service state.
Note: Care should be taken when opening the Service Assistant Tool as incorrect use may
cause unattended downtime or even data loss. Only use the Service Assistant Tool when
directed to by IBM Support.