IBM DS8880 Management Console planning and setup
This chapter describes the planning tasks that are involved in the setup of the required DS8880 Management Console, which is also known as the Hardware Management Console (HMC).
This chapter covers the following topics:
8.1 DS8880 Management Console overview
The Management Console (MC) is a multi-purpose piece of equipment that provides the services that the client needs to configure and manage the storage and manage several of the operational aspects of the storage system. It also provides the interface where service personnel perform diagnostic and repair tasks. The MC does not process any of the data from hosts. It is not even in the path that the data takes from a host to the storage. The MC is a configuration and management station for the DS8880.
The MC, which is the focal point for DS8880 management, includes the following functions:
DS8880 power control
Storage provisioning
Storage Subsystem health monitoring
Storage Subsystem performance monitoring
Advanced Copy Services management
Embedded Copy Services Manager
Interface for onsite service personnel
Collection of diagnostic data and call home
Problem management and alerting
Remote support access
Storage management through the data storage graphical user interface (DS GUI)
Connection to IBM Security Key Lifecycle Manager (SKLM) for encryption management functions, if required
Interface for Licensed Internal Code (LIC) and other firmware updates
Every DS8880 installation includes an MC that is in the base rack. A second optional MC can be installed in the DS8880 base rack to provide redundancy.
8.1.1 Management Console hardware
The MC consists of a small form factor (SFF) personal computer, as shown in Figure 8-1.
Figure 8-1 MC location in DS8880
The use of an SFF personal computer makes the MC efficient in many ways, including power consumption. The MC is mounted on the bottom of the rack, underneath the direct current uninterruptible power supply (DC-UPS). Because of the small width, both primary and secondary MCs are mounted in the base rack. The keyboard and display slide out from the left side of the rack for service. The MCs are equipped with Ethernet connections for the client’s network.
A second, redundant, MC workstation is orderable and needs to be used in environments that use encryption management or Advanced Copy Services functions. The second MC is installed in the DS8880 rack. For more information about adding a secondary MC, see 8.6, “Optional Secondary Management Console” on page 215.
8.1.2 Private Ethernet networks
The MC communicates with the storage facility through a pair of redundant Ethernet networks, which are designated as the Black Network and the Gray Network. Two switches are included in the rear of the DS8880 base rack. Each MC and each central processor complex (CPC) is connected to both switches. Figure 8-2 on page 204 shows how each port is used on the pair of DS8880 Ethernet switches. Do not connect the client network (or any other equipment) to these switches because they are for the DS8880 internal use only.
In most DS8880 configurations, two or three ports are unused on each switch.
 
Important: The internal Ethernet switches that are shown in Figure 8-2 on page 204 are for the DS8880 private network only. Do not connect directly to these internal switches from the client network.
Figure 8-2 DS8880 internal Ethernet switches
8.2 Management Console software
The MC, which is based on Linux, includes the following application servers:
DS Management GUI
The DS GUI server is used to perform configuration and management tasks.
IBM enterprise storage server network interface (ESSNI) server
ESSNI is the logical server that communicates with the DS GUI server and interacts with the two processor nodes of the DS8880. It is also referred to as the DS Network Interface (DSNI).
RESTful application programming interface (API) services
The DS8880 provides industry-standard Representational State Transfer (RESTful) API services for management applications and RESTful clients. RESTful services are running on the MC and can be upgraded without requiring a DS8880 LIC update.
The DS8880 MC provides the following management interfaces:
DS Management graphical user interface (GUI)
Data storage command-line interface (DS CLI)
DS Open application programming interface (DS Open API)
RESTful application programming interface (RESTful API)
Web-based user interface (Web UI)
Copy Services Manager interface (CSM)
 
The GUI and the DS CLI are comprehensive, easy-to-use interfaces for a storage administrator to perform DS8880 management tasks to provision the storage arrays, manage application users, and change MC options. The interfaces can be used interchangeably, depending on the particular task.
The DS Open API provides an interface for external storage management programs, such as Spectrum Control, to communicate with the DS8880. It channels traffic through the IBM System Storage Common Information Model (CIM) agent, which is a middleware application that provides a CIM-compliant interface.
Similar to DS Open API, the RESTful API services provide an interface for external management programs and applications to interact with the DS8880. Clients can develop and tailor their specific DS8880 management applications based on the standard RESTful APIs.
Copy Services Manager, which replaced the Tivoli Productivity Center for Replication, is now embedded within the DS8880 code from release 8.1. This simple and effective replication management and automation tool is now part of the MC code, removing the requirement for an external server to host the software.
8.2.1 DS Management GUI
Although the DS Management GUI runs on the MC, it is not possible to access it when you are logged in to the MC console. It can be accessed remotely either by using a web browser on a workstation that is attached to the client’s network to which the MC is attached, or through Spectrum Control. For more information, see 11.2.1, “Accessing the DS8000 Storage Management GUI” on page 249.
8.2.2 Data storage command-line interface
The data storage command-line interface (DS CLI), which must be run in the command environment of an external workstation, is a second option to communicate with the MC. The DS CLI is a good choice for configuration tasks when many updates are needed. This option avoids the web page load time for each window in the DS GUI when you perform Copy Services tasks.
For more information about DS CLI use and configuration, see Chapter 12, “Configuration with the data storage command-line interface” on page 327. For a complete list of DS CLI commands, see IBM Systems Storage DS8000 Series: Command-Line Interface User’s Guide, GC27-4212.
8.2.3 DS Open application programming interface
Calling DS Open application programming interfaces (DS Open APIs) from within a program is a third option to implement communication with the MC. The DS CLI and DS Open API communicate directly with the ESSNI server software that is running on the MC.
For the DS8000, the CIM agent is preinstalled with the MC code and is started when the MC starts. An active CIM agent allows access only to the DS8000s that are managed by the MC on which it is running. Configuration of the CIM agent must be performed by an IBM SSR by using the DS CIM command-line interface (DSCIMCLI). For more information about the CIM agent, see this website:
8.2.4 RESTful application programming interface
DS8880 RESTful API services provide a similar but easier-to-use application programming interface (RESTful API) to manage the DS8880 through communication with the MC. The RESTful API communicates with RESTful services that run on the MC. The RESTful services in turn interact with the ESSNI server software that runs on the MC to pass requests and receive replies. For more information about the RESTful API, see Deploying Flex System in a BladeCenter Environment, REDP-5122.
8.2.5 Copy Services Manager Interface
Embedded CSM offers a preinstalled GUI and CLI on your DS8880 HMC to manage and automate replication and disaster recovery for up to four DS8000 storage systems. Although this feature is only available in release 8.1 of the DS8880 microcode, it can also manage previous release systems based on CSM interoperability. Embedded CSM functions in active/standby coordination with CSM installed and running on an external server.
This new feature removes the requirement for an external server to host CSM, providing savings on infrastructure costs and OS licensing. Administration costs are also reduced, as the embedded CSM instance is upgraded through the DS8880 code maintenance schedule, which is performed by IBM support personnel.
For more information about embedded CSM, see IBM DS8880 Integrated Copy Services Manager and LDAP Client on the HMC, REDP-5356.
 
Important: Although possible, IBM does NOT recommend configuring the primary HMC and the secondary HMC of the same storage system as the active and standby CSM servers of an environment.
8.2.6 Web-based user interface
The web-based user interface (Web UI) is a browser-based interface that is used for remote access to system utilities.
 
Complete the following steps to log in to the MC by using the Web UI:
1. Start the MC Web GUI as shown in Figure 8-3. Click the Service icon to access the Service Management Console.
Figure 8-3 DS Management GUI logon panel
 
2. Click Log on and launch the Hardware Management Console web application to open the login window as shown in Figure 8-4 and log in. The default user ID is customer and the default password is cust0mer.
Figure 8-4 Service Management Console application
3. If you are successfully logged in, you see the MC window, in which you can select Status Overview to see the status of the DS8880. Other areas of interest are shown in Figure 8-5.
Figure 8-5 Web UI main window
Because the MC Web UI is mainly a services interface, it is not covered here. For more information, see the Help menu.
8.3 Management Console activities
This section covers planning and maintenance tasks for the DS8880 MC. For more information about overall planning, see Chapter 7, “IBM DS8880 physical planning and installation” on page 175. If a second external MC was ordered for the DS8880, information about planning that installation is included. If a second, external MC was not ordered, the information can be safely ignored.
 
8.3.1 Management Console planning tasks
The following tasks are needed to plan the installation or configuration:
A connection to the client network is needed at the base rack for the primary MC. Another connection is also needed at the location of the secondary MC. The connections must be standard CAT5/6 Ethernet cabling with RJ45 connectors.
IP addresses for the primary and secondary MCs are needed. The DS8880 can work with IPv4 and IPv6 networks. For more information about procedures to configure the DS8880 MC for IPv6, see 8.4, “Management Console and IPv6” on page 211.
Most users access the DS GUI remotely through a browser. You can also use Spectrum Control in your environment to access the DS GUI.
The web browser to be used on any administration workstation must be supported, as described in the IBM System Storage DS8880 Introduction and Planning Guide, GC27-8525.
The IP addresses of Simple Network Management Protocol (SNMP) recipients must be identified if the client wants the DS8880 MC to send SNMP traps to a monitoring station.
Email accounts must be identified if the client wants the DS8880 MC to send email messages for problem conditions.
The IP addresses of Network Time Protocol (NTP) servers must be identified if the client wants the DS8880 MC to use NTP for time synchronization.
When a DS8880 is ordered, the license and certain optional features must be activated as part of the customization of the DS8880. For more information, see Chapter 9, “IBM DS8880 features and licensed functions” on page 217.
The installation tasks for the optional external MC must be identified as part of the overall project plan and agreed upon with the responsible IBM personnel.
 
Important: Applying increased feature activation codes is a concurrent action.
8.3.2 Planning for Licensed Internal Code upgrades
The following tasks must be considered regarding the LIC upgrades on the DS8880:
LIC changes
IBM might release changes to the DS8880 series Licensed Machine Code.
LIC installation
An IBM SSR can install the changes. Check whether the new LIC requires new levels of DS CLI and DS Open API. Plan on upgrading them on the relevant workstations, if necessary.
Code prerequisites
When you are planning for initial installation or for LIC updates, ensure that all prerequisites for the environment are identified correctly. These include, but are not limited to, host operating system versions, fixes, and host bus adapter (HBA) levels, interconnect/fabric types, and operating system versions.
DS8880 interoperability information is available at the IBM System Storage Interoperation Center (SSIC) at this website:
To prepare for downloading the drivers, see Interoperability Search Details in the SSIC report. This report provides an end-to-end support matrix from the host to the DS8880, and covers all versions of operating system, multipathing software, and firmware. This check is necessary to ensure that the DS8880 storage subsystem is in a supported environment.
 
Important: The SSIC includes information about the latest supported code levels. This availability does not necessarily mean that former levels of HBA firmware or drivers are no longer supported. Some host type interoperability, such as NetApp ONTAP, might need to be confirmed in the vendor’s support matrix. If you are in doubt about any supported levels, contact your IBM representative.
Never proceed with a LIC update without adhering to all prerequisites.
Maintenance windows
The LIC update of the DS8880 is designed to be a nondisruptive action. A concurrent maintenance window, with added time for contingency, is still desirable. This contingency period gives you time to confirm that all environment prerequisites are met before the upgrade begins.
For more information about LIC upgrades, see Chapter 13, “Licensed machine code” on page 377.
8.3.3 Time synchronization
With the DS8880, the MC can use the NTP service. Clients can specify NTP servers on their internal or external network to provide the time to the MC. It is a client responsibility to ensure that the NTP servers are working, stable, and accurate. An IBM SSR enables the MC to use NTP servers (ideally at the time of the initial DS8880 installation). Changes can be made by the client by using the Change Date and Time action under MC Management on the MC.
 
 
Important: For correct error analysis, it is important that the date and time information is synchronized as much as possible on all components in the DS8880 environment. The components include the DS8880 MC, the attached hosts, Spectrum Control, and DS CLI workstations.
8.3.4 Monitoring DS8880 with the Management Console
A client can receive notifications from the MC through SNMP traps and email messages. Notifications contain information about your storage complex, such as open serviceable events. You can choose one or both of the following notification methods:
SNMP traps
For monitoring purposes, the DS8880 uses SNMP traps. An SNMP trap can be sent to a server in the client’s environment, perhaps with System Management Software, which handles the trap that is based on the Management Information Base (MIB) that was delivered with the DS8880 software. A MIB that contains all of the traps can be used for integration purposes into System Management Software. The supported traps are described in the documentation that comes with the LIC on the CDs that are provided by the IBM SSR. The IP address to which the traps need to be sent must be configured during initial installation of the DS8880. For more information about the DS8880 and SNMP, see Chapter 14, “Monitoring with Simple Network Management Protocol” on page 387.
Email
When you enable email notifications, email messages are sent to all the addresses that are defined on the MC whenever the storage complex encounters a serviceable event or must alert individuals to other information.
During the planning process, create a list of the individuals who need to be notified.
Additionally, when the DS8880 is attached to a z Systems server, a service information message (SIM) notification occurs automatically and requires no setup. A SIM message is displayed on the operating system console if a serviceable event occurs. These messages are not sent from the MC, but from the DS8880 through the channel connections that run between the server and the DS8880.
SNMP and email notification options for the DS8880 require setup on the MC.
8.3.5 Event Notification through Syslog
To meet ever-increasing security requirements, beginning with DS8000 release 8.1, the DS8880 supports forwarding security and logging events to a syslog server. Events that are contained in the audit log, which were previously available only on the MC, are forwarded to the configured syslog receivers. Up to eight external syslog servers can be configured, with varying ports if required. Events that are forwarded include user login/logout, all commands issued by using the GUI or DSCLI while the user is logged in, and remote access events. Events are sent from Facility 19, and are logged as level 6.
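The following Python sketch is an added example, not IBM code. It shows how a syslog receiver can pick out the DS8880 audit stream by decoding the PRI value (facility 19 is local3 and level 6 is informational in standard syslog numbering, so PRI is 158) and set aside anything inconsistent for review. The MC addresses, sample datagrams, and message bodies are constructed; the real DS8880 message body format is not shown in this chapter.

```python
import re
from collections import defaultdict

DS8880_FACILITY = 19  # stated in the text; "local3" in standard syslog numbering
DS8880_SEVERITY = 6   # stated in the text; "informational"
EXPECTED_PRI = DS8880_FACILITY * 8 + DS8880_SEVERITY  # PRI = facility * 8 + severity

# Assumption: client-network addresses of MC1 and MC2 (documentation range).
MC_ADDRESSES = {"192.0.2.10", "192.0.2.11"}

_PRI_RE = re.compile(r"\A<(\d{1,3})>")


def decode_pri(raw):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = _PRI_RE.match(raw)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest defined PRI value
        return None
    return divmod(pri, 8)


def classify(sender, raw):
    """Label one received datagram.

    audit     - facility 19 / level 6 from a known MC address
    review    - facility 19 from an unknown sender, or a known MC
                sending with a different facility or level
    other     - unrelated syslog traffic
    malformed - no valid PRI field
    """
    decoded = decode_pri(raw)
    if decoded is None:
        return "malformed"
    facility, severity = decoded
    from_mc = sender in MC_ADDRESSES
    matches = (facility, severity) == (DS8880_FACILITY, DS8880_SEVERITY)
    if from_mc and matches:
        return "audit"
    if from_mc or facility == DS8880_FACILITY:
        return "review"
    return "other"


def triage(datagrams):
    """Group (sender, raw) pairs by classification label."""
    buckets = defaultdict(list)
    for sender, raw in datagrams:
        buckets[classify(sender, raw)].append((sender, raw))
    return dict(buckets)


# Constructed sample input: (sender address, raw datagram text).
SAMPLE = [
    ("192.0.2.10", "<158>Jan 12 09:14:02 mc1 constructed body: user login"),
    ("192.0.2.11", "<158>Jan 12 09:15:40 mc2 constructed body: command issued"),
    ("198.51.100.7", "<158>Jan 12 09:16:01 host7 constructed body: user login"),
    ("192.0.2.10", "<155>Jan 12 09:17:30 mc1 constructed body: level 3 message"),
    ("198.51.100.9", "<38>Jan 12 09:18:12 host9 constructed body: unrelated"),
    ("198.51.100.9", "constructed line without a PRI field"),
    ("198.51.100.9", "<999>constructed line with an out-of-range PRI"),
]

if __name__ == "__main__":
    for label, items in sorted(triage(SAMPLE).items()):
        print(f"{label}: {len(items)}")
```

Messages in the review bucket are not necessarily hostile, because other equipment can legitimately use the same facility, but they should not be merged into the DS8880 audit trail without checking the sender.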
8.3.6 Call home and remote support
The MC uses outbound (call home) and inbound (remote service) support.
Call home is the capability of the MC to contact the IBM Support center to report a serviceable event. Remote support is the capability of IBM support representatives to connect to the MC to perform service tasks remotely. If the IBM Support center is allowed to connect to the MC to perform service tasks remotely based on the setup of the client’s environment, an IBM SSR can connect to the MC to perform detailed problem analysis. The IBM SSR can view error logs and problem logs and start trace or memory dump retrievals.
Remote support can be configured for Remote Support Center (RSC), IBM Tivoli Assist On-site (AOS), or embedded AOS. Setup of the remote support environment is performed by the IBM SSR during the initial installation. For more information, see Chapter 15, “Remote support” on page 401.
8.4 Management Console and IPv6
The DS8880 MC can be configured for an IPv6 network. IPv4 also is still supported.
8.4.1 Configuring the Management Console in an IPv6 environment
Usually, the IBM SSR configures the MC during the DS8880 initial installation. Complete the following steps to configure the DS8880 MC client network port for IPv6:
1. Start and log in to the Web UI. For more information, see 8.2.6, “Web-based user interface” on page 206. The MC Welcome window opens, as shown in Figure 8-6.
Figure 8-6 Web UI Welcome window
2. In the HMC Management window, select Change Network Settings as shown in Figure 8-7.
Figure 8-7 Web UI HMC Management window
3. Click the LAN Adapters tab.
4. Only eth2 is shown. The private network ports are not editable. Click Details.
5. Click the IPv6 Settings tab.
6. Click Add to add a static IP address to this adapter. Figure 8-8 shows the LAN Adapter Details window where you can configure the IPv6 values.
Figure 8-8 Web UI IPv6 settings window
8.5 Management Console user management
User management is performed by using the DS CLI or the DS GUI. An administrator user ID is preconfigured during the installation of the DS8880 and this user ID uses the following defaults:
User ID: admin
Password: admin
The password of the admin user ID must be changed before it can be used. The GUI forces you to change the password when you first log in. By using the DS CLI, you log in but you cannot run any other commands until you change the password. For example, to change the admin user’s password to passw0rd, use the following DS CLI command:
chuser -pw passw0rd admin
After you issue that command, you can run other commands.
8.5.1 Password policies
DS8880 supports different role-based users. For more information about user and role management, see 10.2, “User and role management” on page 242. When the administrator adds a user, the administrator enters a password. During the user’s first login, this password must be changed. Password settings include the time period (in days) after which passwords expire and a number that identifies how many failed logins are allowed. The user ID is deactivated if an invalid password is entered more times than the limit. Only a user with administrator rights can then reset the user ID with a new initial password.
 
General rule: Do not set the value of the chpass command to 0 because this setting indicates that passwords never expire and unlimited login attempts are allowed.
If access is denied for the administrator because of the number of invalid login attempts, the administrator can use the security recovery utility tool on the Management Console to reset the password to the default value. The detailed procedure is described by selecting Help Contents and can be accessed from the DS Management GUI.
 
Important: Upgrading an existing storage system to the latest code release does not change old default user-acquired rules. Existing default values are retained to prevent disruption. The user might opt to use the new defaults with the chpass -reset command. The command resets all default values to the new defaults immediately.
The password for each user account is forced to adhere to the following rules:
Passwords must contain one character from at least two groups and must be 8 - 16 characters. In addition, the following changes were made:
 – Groups now include alphabetic, numeric, and punctuation.
 – The old rules required at least five alphabetic and one numeric character.
 – The old rules required the first and last characters to be alphabetic.
Passwords cannot contain the user’s ID.
Initial passwords on new user accounts are expired.
Passwords that are reset by an administrator are expired.
Users must change expired passwords at the next logon.
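The following Python sketch is an added example, not IBM code. It checks a candidate password against the composition rules listed above and, separately, against the old rules, so that the effect of the rule change can be seen on the same input. Assumptions: "punctuation" is taken to be ASCII punctuation, characters outside the three groups are rejected, and the user ID check ignores case, which is stricter than the text requires. The old-rule check covers only the three old rules that are stated above.

```python
import string

# Character groups named in the text (ASCII sets are an assumption).
GROUPS = {
    "alphabetic": set(string.ascii_letters),
    "numeric": set(string.digits),
    "punctuation": set(string.punctuation),
}
ALLOWED = set().union(*GROUPS.values())
MIN_LEN, MAX_LEN = 8, 16  # "must be 8 - 16 characters"


def groups_used(password):
    """Return the names of the character groups present in the password."""
    return {name for name, chars in GROUPS.items()
            if any(c in chars for c in password)}


def check_current_rules(user_id, password):
    """Return a list of violations of the current rules (empty means pass)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8 - 16 characters")
    if len(groups_used(password)) < 2:
        problems.append("needs characters from at least two groups")
    if any(c not in ALLOWED for c in password):
        problems.append("character outside the three groups")  # assumption
    # Assumption: compare case-insensitively so the pre-check errs on the strict side.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def check_old_rules(password):
    """Return a list of violations of the old rules that the text states."""
    problems = []
    alpha = sum(c in GROUPS["alphabetic"] for c in password)
    digits = sum(c in GROUPS["numeric"] for c in password)
    if alpha < 5:
        problems.append("needs at least five alphabetic characters")
    if digits < 1:
        problems.append("needs at least one numeric character")
    if (not password
            or password[0] not in GROUPS["alphabetic"]
            or password[-1] not in GROUPS["alphabetic"]):
        problems.append("first and last characters must be alphabetic")
    return problems


# Constructed candidates: (user ID, password).
CANDIDATES = [
    ("operator1", "Harbor7lane"),    # passes both rule sets
    ("operator1", "2024-11-30!"),    # numeric + punctuation: passes current rules only
    ("operator1", "abcdefgh"),       # one group only
    ("admin", "Admin#2024"),         # embeds the user ID
]

if __name__ == "__main__":
    for user_id, password in CANDIDATES:
        print(password, check_current_rules(user_id, password),
              check_old_rules(password))
```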
The following password security implementations are included:
Password rules are checked when passwords are changed.
The valid character set, embedded user ID, age, length, and history are also checked.
Passwords that are invalidated by a change remain usable until the next password change.
Users with invalidated passwords are not automatically disconnected from the DS8880.
The following password rules are checked when a user logs on:
 – Password expiration, locked-out user, and failed attempts are checked.
 – Users with passwords that expire or that are locked out by the administrator while they are logged on are not automatically disconnected from the DS8880.
 
Important: User names and passwords are case-sensitive. For example, if you create a user name that is called Anthony, you cannot log in by using the user name anthony.
8.5.2 Remote Authentication
Starting with DS8000 version 8.1, you can enable and configure remote authentication through either IBM Spectrum Control (formerly IBM Tivoli Productivity Center) or IBM Copy Services Manager to connect to a Lightweight Directory Access Protocol (LDAP) repository.
With Copy Services Manager now preinstalled on the Management Console, an external proxy is now optional. When remote authentication is enabled, the installation is guided through the Remote Authentication Wizard. Figure 8-9 shows the Welcome page. After you complete all the steps of the wizard, the DS8000 is enabled and configured for remote authentication.
Figure 8-9 Remote Authentication Wizard Welcome page.
The following prerequisites are required to complete the Remote Authentication Wizard:
Access to create users and groups on your remote authentication server.
A primary LDAP repository URI is required.
A truststore file with password is required.
An IBM WebSphere® user name with password is required.
A secondary LDAP repository URI is optional.
For more information about LDAP-based authentication and configuration, see IBM DS8880 Integrated Copy Services Manager and LDAP Client on the HMC, REDP-5356.
8.6 Optional Secondary Management Console
An optional secondary MC (for redundancy) can be ordered for the DS8880. The secondary MC is an optional purchase, but it is highly useful. The primary MC is referred to as MC1, and the secondary MC is referred to as MC2. The two MCs run in a dual-active configuration, so either MC can be used at any time. Each MC is assigned a role of either primary (normally MC1) or secondary (normally MC2). Certain service functions can be performed only on the primary MC. For this book, the distinction between the primary and secondary MC is only for the purposes of clarity and explanation because they are identical in function.
The DS8880 can run all storage duties while the MC is down or offline, but configuration, error reporting, and maintenance capabilities become severely restricted. Any organization with high availability requirements should consider deploying an MC redundant configuration.
 
Important: The primary and secondary MCs are not available to be used as general-purpose computing resources.
8.6.1 Management Console redundancy benefits
MC redundancy provides the following advantages:
Enhanced maintenance capability
Because the MC is the only interface that is available for service personnel, an alternative MC provides maintenance operational capabilities if the internal MC fails.
 
Greater availability for power management
The use of the MC is the only way to safely power on or power off the DS8880. A secondary MC is necessary to shut down the DS8880 if the primary MC fails.
Greater availability of encryption deadlock recovery
If the DS8880 is configured for Full Disk Encryption and an encryption deadlock situation occurs, the use of the MC is the only way to input a Recovery Key to allow the DS8880 to become operational.
Greater availability for Advanced Copy Services
Because all Copy Services functions are driven by the MC, any environment that uses Advanced Copy Services needs to include dual MCs for operational continuity.
Greater availability for configuration operations
All configuration commands must go through the MC. This requirement is true regardless of whether access is through Spectrum Control, DS CLI, DS Management GUI, or DS Open API with another management program. A secondary MC allows these operations to continue if the primary MC fails.
When a configuration or Copy Services command is run, the DS CLI or DS Management GUI sends the command to the first MC. If the first MC is unavailable, it automatically sends the command to the second MC instead. Typically, you do not need to reissue the command.
Any changes that are made by using one MC are instantly reflected in the other MC. No host data is cached within the MC, so no cache coherency issues occur.
 