Configuring settings
The Settings function covers various options for monitoring, configuring interfaces, and extracting support logs. It also covers remote authentication and the firmware update process. The Settings section of the IBM FlashSystem V9000 graphical user interface (GUI), shown in Figure 9-1 on page 406, is described in this chapter.
This chapter includes the following topics:
9.1 Settings menu
You can use the Settings panel to configure system options for event notifications, security, IP addresses, FC connectivity, and preferences related to display options in the management GUI.
The Settings menu includes six options:
Notifications (alerting)
Network (management and service, Ethernet, iSCSI, Fibre Channel)
Security (remote authentication with Lightweight Directory Access Protocol (LDAP))
System (time settings, firmware update, and so on)
Support (extract support logs)
GUI Preferences (customize the GUI)
9.1.1 Opening the Settings menu
Hover the cursor over the Settings function icon to view the Settings menu (Figure 9-1).
Figure 9-1 Settings menu
9.2 Notifications menu
IBM FlashSystem V9000 can use Simple Network Management Protocol (SNMP) traps, syslog messages, and call home email to notify you and IBM Support when significant events are detected. Any combination of these notification methods can be used simultaneously. Select Notifications from the Settings menu to manage notifications (Figure 9-2).
Figure 9-2 Notifications menu
9.2.1 Email and call home
The call home feature transmits operational and event-related data to you and IBM through a Simple Mail Transfer Protocol (SMTP) server connection in the form of an event notification email. When configured, this function alerts IBM service personnel about hardware failures and potentially serious configuration or environmental issues.
Configuration process
Setting up call home involves providing a contact that is available 24 x 7 if a serious call home event is received. IBM uses data analytics to process multiple call home events to proactively open problem management records (PMRs) prior to component failures. IBM support strives to report any issues in a timely manner; having a valid contact is important to achieving service level agreements.
The procedure for configuring call home is similar to the initialization of the IBM FlashSystem V9000, which also offers configuration of email event notifications. The initial system setup is described in 6.5.2, “System Setup wizard” on page 240.
The steps to enable call home are to configure the following information:
System Location: Where is the system located?
Contact Details: Who is IBM to contact in case of call home?
Email Servers: What is the IP address of the SMTP email server?
This procedure assumes call home was not configured during initial installation. The procedure to update contact information or add extra notifications is basically the same. Simply edit the notifications.
Complete these steps:
1. If call home is not set up, a pop-up area opens (Figure 9-3). Initiate the configuration wizard by clicking Enable Notifications.
Figure 9-3 Enable Notifications
2. The Email Event Notifications wizard starts (Figure 9-4). It briefly describes the benefits of call home. Read through it and then click Next.
Figure 9-4 Configuring Call home enables IBM to provide excellent service
3. The System Location panel (Figure 9-5) is important for ensuring that any open support tickets have the correct equipment location. Complete the form and click Next.
Figure 9-5 System Location panel
 
Note: The State or province and Country or region fields must be configured correctly to ensure that IBM support is able to respond to call home calls from the system. Hover the cursor to the right of the State or province field, and click the window that displays these codes.
4. On the Contact panel (Figure 9-6) specify a contact available 24 x 7. IBM must be able to reach a valid contact if an urgent situation exists. Click Apply and Next.
Figure 9-6 IBM support uses this contact 24 x 7
5. The Configuring Email Settings panel (Figure 9-7) shows the results. It also shows the CLI version of the dialog. Click Close.
Figure 9-7 Commands run to register the contact and send inventory every 7 days
6. Enter your SMTP gateway IP address (Figure 9-8 on page 411). You can click Ping to ensure that there is a response to the address, if your SMTP server allows the ping function. Use the plus sign to add extra SMTP servers. Click Apply and Next to move to the next panel.
 
Note: Only the SMTP server IP address is supported, not the DNS server name. Only an SMTP server without authentication can be selected.
Figure 9-8 Specify and test the SMTP Gateway
7. Results of the command are displayed in the window, as shown in Figure 9-9. Click Close.
Figure 9-9 SMTP Gateway for all email is defined
8. Review the summary page information that you entered in the wizard (Figure 9-10) and then click Finish.
Figure 9-10 Completed call home setup
9. Review the command results, which are displayed in the Configuring Email Settings window (Figure 9-11). It indicates that the mail service started. Click Close.
Figure 9-11 Results of starting the email service
10. After the wizard completes, you are returned to the notifications Email page (Figure 9-12 on page 413). Click Edit (1) to modify the values. Click Test (2) in the Call Home section to automatically send a call home mail to IBM and create a problem management record (PMR). IBM support uses the primary contact to confirm receipt of the call home.
Optionally, you can configure event notifications to be sent to email recipients (see the Email Users section) so that they are notified when issues that need attention occur. These users might be part of a support team in the customer’s organization or any organization providing services. Email Users are also valuable if email transport to IBM fails. An email transport error can occur due to an SMTP server outage, or if the SMTP server IP address is changed without updating the call home function of the IBM FlashSystem V9000 correctly. Enter any additional users in your organization for Email Users (3).
Select the Notification level, from Error to Info, knowing that Info can generate a large mail volume. Selecting the Inventory option includes information about parts and serial numbers for inventory purposes, and also provides detailed information about the system configuration that is used when PMRs are opened.
Figure 9-12 Email notifications
 
Tip: Testing call home is important to ensure that the system is correctly registered with IBM. Test call home by submitting an Email Notification test after the Event Notification wizard finishes. If configured correctly, IBM Support will contact the person listed under “Email contact” during regular business hours.
9.2.2 SNMP
Simple Network Management Protocol (SNMP) is a standard protocol for managing networks and exchanging messages. The system can send SNMP messages that notify personnel about an event. You can use an SNMP manager to view the SNMP messages that the system sends.
In the SNMP configuration menu, you can configure one or more SNMP servers. For each of these SNMP servers, you configure the following information:
IP address
SNMP server port (The default is port 162.)
SNMP community (The default is public.)
Event type (The default is Alerts but it can be changed to All events.)
Perform the following steps (see Figure 9-13):
1. Select the SNMP tab.
2. Select Actions → Add.
3. Complete the details in the Add SNMP Server form that opens.
4. Click Download MIB to download the Management Information Base (MIB) file to be used on your SNMP server.
This MIB file is used for SNMP to configure a network management program to receive SNMP messages that are sent by the system. This file can be used with SNMP messages from all versions of the software.
Figure 9-13 Add the SNMP Servers
Various SNMP trap receiver products are on the market. These are known as SNMP managers. IBM Tivoli NetView® or IBM Tivoli Netcool/OMNibus can be used as IBM SNMP managers.
9.2.3 Syslog
The syslog protocol is a standard protocol for forwarding log messages from a sender to a receiver on an IP network. The IP network can be either IPv4 or IPv6. The system can send syslog messages that notify personnel about an event.
The IBM FlashSystem V9000 can transmit syslog messages in either expanded or concise format.
As shown in Figure 9-14, you can perform these tasks:
1. Use a syslog manager to view the syslog messages that the system sends. The system uses the User Datagram Protocol (UDP) to transmit the syslog message.
2. Specify up to a maximum of six syslog servers using the plus sign (+).
Figure 9-14 Complete the Syslog Form
In the Syslog configuration section (Figure 9-14), you can configure one or more syslog servers. For each of these servers, you configure the following information:
IP address.
Facility: This determines the format for the syslog messages and can be used to determine the source of the message.
Notifications: The default is Alerts/Error, but it can be customized to show Warning and Informational notifications also.
There are various syslog server products on the market. Many of these products are no-charge products that can be downloaded from the Internet.
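Because the system sends syslog messages over UDP, a receiver has no built-in way to authenticate the sender, so a syslog manager typically filters on source address and on the facility configured for the storage system. The following is an added example, not IBM code and not part of the original chapter: it decodes the standard syslog PRI field (facility * 8 + severity) and triages datagrams. The addresses, facility number, and message texts are constructed for illustration and are not actual IBM FlashSystem V9000 output.

```python
import ipaddress
import re

# Standard syslog severity names, indexed by severity number 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Return (facility, severity_name, rest) for a syslog line.

    The leading <PRI> value encodes facility * 8 + severity; valid range 0..191.
    """
    match = PRI_RE.match(message)
    if not match or int(match.group(1)) > 191:
        raise ValueError("missing or invalid PRI")
    facility, severity = divmod(int(match.group(1)), 8)
    return facility, SEVERITIES[severity], message[match.end():]


def triage(datagrams, trusted_senders, expected_facility):
    """Split (source_ip, payload) pairs into accepted events and rejected datagrams.

    A source-address allowlist is only a basic filter: UDP source addresses
    can be forged, so keep syslog traffic on a management network.
    """
    # ip_address() normalizes IPv4 and IPv6 text forms before comparison.
    trusted = {ipaddress.ip_address(addr) for addr in trusted_senders}
    accepted, rejected = [], []
    for source, payload in datagrams:
        try:
            text = payload.decode("utf-8", errors="replace")
            facility, severity, rest = decode_pri(text)
        except ValueError:
            rejected.append((source, "malformed"))
            continue
        if ipaddress.ip_address(source) not in trusted:
            rejected.append((source, "untrusted source"))
        elif facility != expected_facility:
            rejected.append((source, "unexpected facility"))
        else:
            accepted.append((severity, rest.strip()))
    return accepted, rejected


# Constructed sample input: (source address, UDP payload).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"<131>Jan 12 10:00:00 storage-a constructed error event"),
    ("2001:db8::10", b"<134>Jan 12 10:00:05 storage-a constructed info event"),
    ("198.51.100.7", b"<131>Jan 12 10:00:09 storage-a constructed error event"),
    ("192.0.2.10", b"no priority field here"),
    ("192.0.2.10", b"<35>Jan 12 10:00:12 storage-a constructed auth event"),
]
# Assumed management addresses of the storage system (constructed).
TRUSTED = ["192.0.2.10", "2001:0db8:0000:0000:0000:0000:0000:0010"]
EXPECTED_FACILITY = 16  # local0; an assumption for this example


def run_sample():
    return triage(SAMPLE_DATAGRAMS, TRUSTED, EXPECTED_FACILITY)


if __name__ == "__main__":
    ok, bad = run_sample()
    for severity, text in ok:
        print("accepted", severity, text)
    for source, reason in bad:
        print("rejected", source, reason)
```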
9.3 Network menu
Select Network from the Settings menu (Figure 9-15) to update and configure the management IP addresses for the system, service IP addresses for the AC2 or AC3 control enclosures, Ethernet, and Fibre Channel configurations.
Figure 9-15 Select Network from the Settings menu
9.3.1 Management IP address
One Management IP address is defined when the system is initialized. The system supports multiple IP addresses to manage interfaces, such as the GUI and the CLI for the system. Select Settings → Network. Then, on the Network page (Figure 9-16), select Management IP Addresses. The current selection is outlined in the figure; you can enter a second management IP address to provide redundancy if the main management IP address is not reachable.
Figure 9-16 Change management IP address or add a redundant address
 
Note: If you change the management IP addresses, you must restart the GUI on the new IP address.
9.3.2 Service IP Addresses
On the Settings → Network page, the Service IP Addresses page (Figure 9-17) is used to access the service assistant tool, which you can use to complete service-related actions on the control enclosure. The system has a minimum of two control enclosures and each must have a different service address. If a control enclosure is in the service state, it does not operate as a member of the system.
Figure 9-17 Set Service IP addresses for each control enclosure
 
Tip: Connecting Ethernet cables to the AE2 storage enclosure and setting the service IP addresses is a good practice, because a connection is required if service is needed on the AE2 storage enclosure. IBM FlashSystem V9000 AE2 storage enclosures can also be managed through the Service Assistant, described in Chapter 10, “Service Assistant Tool” on page 475.
9.3.3 Ethernet ports
Ethernet ports for each AC2 or AC3 control enclosure are on the rear of the system and are used to connect the system to iSCSI-attached hosts, and to other systems that are part of remote-copy partnerships. The Ethernet Ports panel indicates whether a specific port is being used for a specific purpose. You can modify how the port is used by selecting Actions → Modify or by right-clicking the port.
Use the Ethernet Ports panel (Figure 9-18) to display and change how Ethernet ports on the system are being used.
Figure 9-18 Examine Ethernet port connections to the controller
Change settings for Ethernet ports
The following considerations apply to each Ethernet port:
A maximum of one IPv4 address and one IPv6 address can be designated.
Each port can be simultaneously used for remote copy over IP and as an iSCSI target for hosts.
You can also configure Ethernet ports exclusively for remote copy. If you are using remote copy between a local and remote system using Ethernet ports, you must specify which ports are used for remote copy operations by creating a remote copy group. The remote copy group indicates the set of local and remote Ethernet ports that can access each other through a long-distance IP connection. For a successful partnership to be established between two systems, the remote copy group must contain at least two ports, one from the local system and the other one from the remote system. You can configure more than two ports from the same system in the remote copy group to enable IP connection failover if either the local or remote system experiences a control enclosure or port failure.
Modify IP address
To change the IP address of an Ethernet port, select the port and select Actions → Modify IP Settings. The resulting dialog is shown in Figure 9-19.
Figure 9-19 Modify IP address for a port
Modify iSCSI hosts
iSCSI is enabled for IPv4 as default for each Ethernet port with a configured IP address. iSCSI can also be enabled and disabled for both IPv4 and IPv6. To enable or disable iSCSI for a port from the Settings > Network view, select Actions → Modify iSCSI hosts. The next dialog opens (Figure 9-20). You can also right-click the iSCSI host you want to modify.
Figure 9-20 Enable or disable iSCSI for a port
Modify remote copy
The following leading practices apply to setting up IP partnerships:
If you have one inter-site link, configure one remote-copy port group.
If you have two inter-site links, configure two remote-copy port groups.
If you have one remote-copy group, configure at least one port from each control enclosure in one I/O group in that remote-copy port group. For systems with more than one I/O group, add ports from a second I/O group to the remote-copy group.
If you have two remote-copy groups and one I/O group, configure one port on each system from one control enclosure in the first remote-copy group, then configure a port from the other control enclosure in the second remote-copy port group. For systems with more than one I/O group, add ports from a second I/O group to each of the two remote-copy groups.
 
Note: No more than two inter-site links or remote-copy port groups are supported.
To configure remote copy for a port, select Actions → Modify Remote Copy. Configure the Ethernet port for remote copy Group 1. The resulting dialog is shown in Figure 9-21.
Figure 9-21 Modify Remote Copy
When remote copy has been configured on both systems and when they can communicate, a partnership can be configured and remote copy can be configured and enabled.
For more information about configuring remote copy and partnerships, see Implementing the IBM System Storage SAN Volume Controller with IBM Spectrum Virtualize V7.6, SG24-7933.
Modify VLAN settings
VLAN tagging is a mechanism used by system administrators for network traffic separation at the Layer 2 level for Ethernet transport. Although network traffic separation can be configured at the layer 3 level using IP subnets, VLAN tagging supports traffic separation at the layer 2 level.
IBM FlashSystem V9000 supports VLAN tagging for both iSCSI host attachment and IP replication. Hosts and remote-copy operations can connect to the system through Ethernet ports. Each of these traffic types has different bandwidth requirements, which can interfere with each other if they share the same IP connections. VLAN tagging creates two separate connections on the same IP network for different types of traffic. The system supports VLAN configuration on both IPv4 and IPv6 connections.
When a VLAN ID is configured for the IP addresses used for either iSCSI host attach or IP replication on IBM FlashSystem V9000, appropriate VLAN settings on the Ethernet network and servers must also be properly configured in order to avoid any connectivity issues. After VLANs have been configured, changes to VLAN settings will disrupt iSCSI or IP replication traffic to and from IBM FlashSystem V9000.
During VLAN configuration for each IP address individually, the user must be aware that if VLAN settings for the local and failover ports on two control enclosures of an I/O group are different, switches must be configured so that failover VLANs are configured on the local switch ports. The switches must also be configured so that failover of IP addresses from the failing control enclosure to the surviving control enclosure succeeds. In cases where this is not done, the host experiences loss of paths to the IBM FlashSystem V9000 storage during a control enclosure failure.
To change VLAN settings for a pair of ports, select and right-click the port to be changed and select Modify VLAN (Figure 9-22). Select node1 port 2.
Figure 9-22 Modifying VLAN settings
Select Enable and type in the VLAN tag to be enabled, as shown in Figure 9-23.
Figure 9-23 Enter VLAN tag
Two ports are affected when applying this VLAN port modification: A port on one control enclosure corresponds to the same port on the partner control enclosure (see port number in the port column) because control enclosures work in clusters.
Click the 2 ports affected link to view additional details.
Review the additional details, and then click Modify (Figure 9-24).
Figure 9-24 Enable VLAN tag 3800
The wizard requests confirmation that you are about to change VLAN tags for two ports. Click Yes (Figure 9-25).
Figure 9-25 Confirm changes
The Modify Ethernet Port VLAN tag CLI commands run (Figure 9-26). Click Close to finish the configuration changes.
Figure 9-26 CLI commands run
The two ports now use modified VLAN-tags, which shows on the Ethernet Ports panel (Figure 9-27).
Figure 9-27 VLAN has been changed for two ports
For more information about configuring VLAN tagging, see Implementing the IBM System Storage SAN Volume Controller with IBM Spectrum Virtualize V7.6, SG24-7933.
9.3.4 iSCSI
Volumes can be mapped to a host to allow access for a specific server to a set of volumes. A host within the IBM FlashSystem V9000 is a collection of host bus adapter (HBA) worldwide port names (WWPNs) or iSCSI qualified names (IQNs) that are defined on the specific server. The host IQN name can be obtained from the host iSCSI initiator software and in IBM FlashSystem V9000 the host is configured to reflect this IQN name. For more information about how to configure an IBM FlashSystem V9000 iSCSI host, see “Hosts in a IBM FlashSystem V9000 configured with iSCSI interface cards” on page 389.
To change the iSCSI control enclosure name and alias, select iSCSI from the Settings > Network view. The iSCSI Configuration panel is displayed (Figure 9-28).
Figure 9-28 iSCSI configuration
 
Note: Changing a control enclosure name also changes the iSCSI qualified name (IQN) of the control enclosure and might require reconfiguration of all iSCSI-attached hosts for the control enclosure.
iSCSI authentication
Authentication of the host server from the IBM FlashSystem V9000 system is optional and disabled by default. The user can choose to enable the Challenge Handshake Authentication Protocol (CHAP) authentication, which involves sharing a CHAP secret between the IBM FlashSystem V9000 system and the host. The IBM FlashSystem V9000, as authenticator, sends a challenge message to the specific server (peer). The server responds with a value that is checked by the IBM FlashSystem V9000. If there is a match, the IBM FlashSystem V9000 acknowledges the authentication. If not, the IBM FlashSystem V9000 ends the connection and does not allow any I/O to volumes.
A CHAP secret can be assigned to each IBM FlashSystem V9000 host object. The host must then use CHAP authentication to begin a communications session with a control enclosure in the system. A CHAP secret can also be assigned to the system.
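The challenge and response exchange described above can be sketched as follows. This is an added example, not IBM code and not part of the original chapter: it follows CHAP as defined in RFC 1994 with MD5, the algorithm iSCSI (RFC 3720) uses for CHAP, and the class name, host IQN, and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

# RFC 3720 section 8.2.1: CHAP secrets shorter than 96 bits must not be
# used unless IPsec protects the connection.
MIN_SECRET_BYTES = 12


def chap_response(identifier, secret, challenge):
    """Value the host returns: MD5(identifier || secret || challenge), RFC 1994."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Role played by the storage system: issue challenges, check responses."""

    def __init__(self, host_secrets):
        for name, secret in host_secrets.items():
            if len(secret) < MIN_SECRET_BYTES:
                raise ValueError("CHAP secret for %s is shorter than 96 bits" % name)
        self._secrets = dict(host_secrets)
        self._pending = {}      # host name -> (identifier, challenge)
        self._next_id = 0

    def new_challenge(self, host):
        """Send a fresh random challenge; the secret itself never crosses the wire."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[host] = (identifier, challenge)
        return identifier, challenge

    def verify(self, host, response):
        """Acknowledge on a match; on mismatch the session would be ended."""
        pending = self._pending.pop(host, None)   # each challenge is usable once
        secret = self._secrets.get(host)
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def login_attempt(authenticator, host, secret_on_host):
    """Simulate one login: challenge from the system, response from the host."""
    identifier, challenge = authenticator.new_challenge(host)
    return authenticator.verify(host, chap_response(identifier, secret_on_host, challenge))


# Constructed sample values.
HOST_IQN = "iqn.2024-01.com.example:host1"
HOST_SECRET = b"constructed-secret-16b"

if __name__ == "__main__":
    system = Authenticator({HOST_IQN: HOST_SECRET})
    print("correct secret:", login_attempt(system, HOST_IQN, HOST_SECRET))
    print("wrong secret:  ", login_attempt(system, HOST_IQN, b"some-other-secret"))
```

Because the response depends on a fresh random challenge, a response captured from an earlier login does not verify against a later challenge.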
Volumes are mapped to hosts and LUN masking is applied by using the same methods that are used for FC LUNs.
Because iSCSI can be used in networks where data security is a concern, the specification supports separate security methods. For more information about securing iSCSI, see Securing Block Storage Protocols over IP, RFC3723, which is available at this web page:
9.3.5 Fibre Channel
Use the Fibre Channel Connectivity panel (Figure 9-29) to display the Fibre Channel connectivity between AC2 or AC3 control enclosures, AE2 storage enclosure, and hosts. Click Show Results (1) to populate the panel. IBM FlashSystem V9000 individual components are selected (2). You can save the report by clicking the Save icon (3).
Figure 9-29 Fibre Channel Connectivity window
9.3.6 Fibre Channel ports
The preferred configuration is to use an internal SAN switch for control enclosure to control enclosure and control enclosure to AE2 storage enclosure communication, and an external SAN switch for the host and external storage communication to the IBM FlashSystem V9000. In any case, you must zone your host or the external storage on the WWPN address that is flagged Yes in the Host IO Permitted column (Figure 9-30 on page 426). You can indicate specific ports to prevent communication between control enclosures in the local system or between control enclosures in a remote-copy partnership. This port specification is called the Fibre Channel port mask.
Figure 9-30 Fibre Channel Port types
Click Actions and then from the menu select a method to copy the host WWPN to your clipboard or change the way the host WWPN is displayed (Figure 9-31).
Figure 9-31 Actions menu
9.4 Security menu
Select Security from the Settings menu (Figure 9-32) to manage the security of the system, including remote authentication and encryption.
Figure 9-32 Select Security from the Settings Menu
Remote Authentication
When remote authentication is configured, users authenticate with their domain user and password rather than a locally created user ID and password. Remote authentication gives you central access control. If someone leaves the company, you only need to remove access at the domain controller, which means that no orphan user IDs remain on the storage system. As shown in the Remote Authentication panel (Figure 9-33), click Configure Remote Authentication (1) to see choices and to launch the wizard. Click Global Actions to refresh the LDAP cache (2).
Figure 9-33 Remote Authentication panel
Encryption
IBM FlashSystem V9000 provides encryption, which protects against the potential exposure of sensitive user data and user metadata that are stored on discarded, lost, or stolen storage modules. Protection of encrypted data is enforced by encryption keys stored on external USB sticks inserted in the control enclosure. Starting with Version 7.8, a Security Key Lifecycle Manager (SKLM) key server can be used instead of the USB sticks. Figure 9-34 shows the Encryption panel.
Depending on the storage enclosure, the encryption is done as follows:
On each flash module if the storage enclosure is an IBM FlashSystem 900
On the SAS adapter card for all SAS storage enclosures
In both cases, the encryption is hardware-based.
Figure 9-34 Enable Encryption
Note: The Enable Encryption button is disabled if this system is already encrypted or if the encryption license is not yet activated (see Settings → System → Licensed Functions).
Secure Communications
IBM FlashSystem V9000 uses a certificate to secure connections with web browsers. Based on the security requirements for your system, you can create either a new self-signed certificate or install a signed certificate that is created by a third-party certificate authority. Self-signed certificates are generated automatically by the system and encrypt communications between the browser and the system. Self-signed certificates can generate web browser security warnings and might not comply with organizational security guidelines (see Figure 9-35).
Figure 9-35 Secure Communications
9.4.1 Remote authentication
When an IBM FlashSystem V9000 system is created, the authentication settings default to local, which means that the IBM FlashSystem V9000 contains a local database of users and their privileges. Users can be created on the system and can log in using the user accounts they are given by the local superuser account.
You can create two types of users (local and remote) who can access the system. These types are based on how the users authenticate to the system.
Local users are authenticated through the authentication methods that are on the IBM FlashSystem V9000.
If the local user needs access to the management GUI, a password is needed for the user. If the user requires access to the command-line interface (CLI) through Secure Shell (SSH), either a password or a valid SSH key file is necessary. Local users must be part of a user group that is defined on the system.
A remote user is authenticated on a remote service with Lightweight Directory Access Protocol (LDAP) as configured in the Settings → Security section of the IBM FlashSystem V9000 GUI (see “Remote Authentication” on page 427).
Remote users have their roles defined by the remote authentication service.
Remote authentication is disabled by default and can be enabled to authenticate users against LDAP servers.
A user who needs access to the CLI must be configured as a local user on the IBM FlashSystem V9000.
Remote users do not need to be configured locally; they only need to be defined on the LDAP server.
User groups define roles that authorize the users within that group to a specific set of privileges on the system.
For users of the IBM FlashSystem V9000 system, you can configure authentication and authorization by using the CLI or the GUI, Users and User Groups menu.
For more information about configuring remote authentication and authorization for users of the IBM FlashSystem V9000, see the following topics in IBM Knowledge Center:
Managing security:
Working with local and remote users:
Reasons for using remote authentication
Use remote authentication for the following reasons:
You do not have to configure a local user on every IBM storage system that exists in your storage infrastructure.
If you have multiple LDAP-enabled storage systems, remote authentication helps to more efficiently set up authentication.
The audit log shows the domain user name of the issuer when commands are run. The domain user name is more informative than a local user name or just superuser.
Remote authentication gives you central access control. If someone leaves the company, you need to remove access only at the domain controller level, which means that no orphan user IDs remain on the storage system.
Preparing the LDAP server
The first step in configuring LDAP is to prepare the LDAP server. The example in this section uses a Microsoft Windows 2008 R2 Enterprise server, which was promoted to be a Domain Controller by using the dcpromo command. Next, the Active Directory Lightweight Directory Services computer role is added.
The privileges that the LDAP user gets on the IBM FlashSystem V9000 are controlled by user groups on the storage system. There must be matching user groups on the Active Directory (AD) server and on the IBM FlashSystem V9000, and the LDAP users must be added to the AD server group.
In this example (Figure 9-37 on page 430), a group named FlashAdmin is created, which is used to manage the IBM FlashSystem V9000 storage device.
To create this group, log on to the AD Domain Controller and configure Active Directory and then complete the following steps:
1. Launch the Active Directory interface: Go to Start → Run, type dsa.msc, and click OK. The Active Directory Users and Computers management console opens (Figure 9-36).
Figure 9-36 Active Directory Users and Computers window to create a new group
2. Click the Create a new group in the current container icon. The New Object - Group window opens (Figure 9-37).
Figure 9-37 Active Directory to create a FlashAdmin group
3. Specify FlashAdmin for the group name, keep the remaining default values, and click OK.
4. Highlight the users that you want to add to the IBM FlashSystem V9000 storage administrator group and click the Adds the selected objects to a group you specify icon (Figure 9-38).
Figure 9-38 Adds the selected objects to a group you specify
5. In the Select Groups window (Figure 9-39), type FlashAdmin and click Check Names.
Figure 9-39 Active Directory Select Groups window to add users to the FlashAdmin group
Any other users that might be added to the FlashAdmin group get the same privileges on your IBM FlashSystem V9000.
If other users with different privileges are required, another group on the IBM FlashSystem V9000 with different privileges is required. A group on the AD server with a matching name is also required.
The LDAP server is now prepared for remote authentication.
Enabling remote authentication on IBM FlashSystem V9000
The next step in configuring remote authentication for the IBM FlashSystem V9000 is to specify the authentication server, test connectivity, and test whether users can authenticate to the LDAP server:
1. Select Settings → Security, and on the Security menu, click Remote Authentication. By default, the panel shows that Local authentication is enabled (Figure 9-40). Click Configure Remote Authentication.
Figure 9-40 Configure Remote Authentication
2. The Configure Remote Authentication window opens (Figure 9-41). Select LDAP.
Figure 9-41 Remote Authentication wizard (step 1 of 4)
3. Select Microsoft Active Directory, and for Security, select None (Figure 9-42). Click Advanced Settings to expand it.
Figure 9-42 Remote Authentication wizard (step 2 of 4)
4. Any user with authority to query the LDAP directory can be used to authenticate. In this example, the Active Directory domain is itsolab.ibm.com, so the Administrator login name on the Domain itsolab.ibm.com is used to authenticate. Click Next (Figure 9-43).
Figure 9-43 Remote Authentication wizard (step 3 of 4)
5. Type the IP address of the LDAP server and the LDAP Group Base Domain Name (DN) for Microsoft Active Directory.
To obtain the LDAP User and Group Base DN for Microsoft Active Directory use the following commands:
dsquery user -name <username>
dsquery group -name <group name>
To look up the Base DN, log on to the LDAP server and run the commands shown in Example 9-1.
Example 9-1 Checking the LDAP server for the Base DN
C:\Users\Administrator>dsquery group -name FlashAdmin
"CN=FlashAdmin,CN=Users,DC=itsolab,DC=ibm,DC=com"
 
C:\Users\Administrator>
The Base DN to enable LDAP authentication requires only the domain part of the output in Example 9-1.
6. In the Base DN (Optional) field of the Configure Remote Authentication window (Figure 9-44), type the following text:
DC=itsolab,DC=ibm,DC=com
Figure 9-44 Remote Authentication wizard (step 4 of 4)
7. Click Finish to return to the Settings → Security window.
Figure 9-45 shows that LDAP is enabled and the window shows the preferences of the configured LDAP server.
Figure 9-45 Remote Authentication is enabled
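Steps 5 and 6 reduce the dsquery output to its domain part by hand. The following added example, which is not IBM code and not part of the original chapter, does the same reduction programmatically and also derives the DNS domain name so that it can be compared with the domain used in step 4. The function names are hypothetical, and the second sample DN (with an escaped comma) is constructed to show a case where a plain split on commas would give the wrong result.

```python
def split_dn(dn):
    """Split a distinguished name into RDNs on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])    # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def base_dn_from_dsquery(output_line):
    """Return the domain part (trailing DC= components) of one dsquery result line."""
    dn = output_line.strip().strip('"')
    domain_components = []
    for rdn in reversed(split_dn(dn)):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().upper() != "DC":
            break                           # stop at the first non-DC component
        domain_components.append("DC=" + value.strip())
    if not domain_components:
        raise ValueError("no DC components found in: " + output_line)
    return ",".join(reversed(domain_components))


def dns_domain(base_dn):
    """Convert DC=itsolab,DC=ibm,DC=com into itsolab.ibm.com for a sanity check."""
    return ".".join(rdn.partition("=")[2] for rdn in split_dn(base_dn)).lower()


# Output line from Example 9-1 on this page.
DSQUERY_GROUP = '"CN=FlashAdmin,CN=Users,DC=itsolab,DC=ibm,DC=com"'
# Constructed line: a user whose common name contains an escaped comma.
DSQUERY_USER = '"CN=Smith\\, John,OU=Staff,DC=itsolab,DC=ibm,DC=com"'

if __name__ == "__main__":
    for line in (DSQUERY_GROUP, DSQUERY_USER):
        base = base_dn_from_dsquery(line)
        print(base, "->", dns_domain(base))
```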
Creating the IBM FlashSystem V9000 LDAP-enabled user group
The first part of the LDAP configuration is complete. However, you must create a new user group on the IBM FlashSystem V9000 with a name that matches the name that was configured on the LDAP server. The name FlashAdmin was configured on the LDAP server.
Complete the following steps:
1. Click Access → Users (Figure 9-46).
Figure 9-46 Select Users
2. Figure 9-47 shows the current configured user groups. Click Create User Group.
Figure 9-47 Create a new user group
3. The Create User Group window opens (Figure 9-48). For the Group Name, enter FlashAdmin, select Security Administrator, and select the Enable for this group check box under LDAP.
Figure 9-48 Select Security Administrator
 
Note: If the Remote Authentication field is not visible in the Create User Group window, remote authentication is disabled in Settings → Security.
The new user group is created and enabled for remote authentication (Figure 9-49).
Figure 9-49 New user group
Testing LDAP authentication
At this point, you can log out the superuser account and log in with the LDAP user. However, before you do that, the Remote Authentication window provides a capability to test LDAP.
Complete the following steps:
1. Select Settings → Security. On the Remote Authentication panel, click Global Actions (Figure 9-50) and then select Test LDAP Connections.
Figure 9-50 Test LDAP Connections
The Test LDAP Connections task window opens (Figure 9-51) and displays the CLI command that tests the connection. In a successful connection to the LDAP server, the Task completed message is displayed.
Figure 9-51 Remote Authentication: Test LDAP connections CLI result
2. From the Global Actions menu, you can also test whether the authentication for a specific user is functional. Click Test LDAP Authentication.
3. The next window opens (Figure 9-52). Type the user credentials of the LDAP user for whom you want to test authentication and click Test.
Figure 9-52 Remote Authentication: Test LDAP Authentication
When you click Test, the CLI command window opens (Figure 9-53):
 – If the authentication is successful, you see the same output as in Figure 9-54 on page 438.
 – If the test is unsuccessful, you see the message in Figure 9-53.
Figure 9-53 Remote Authentication: Test unsuccessful
Logging in as an LDAP user
Assuming that remote authentication is successful, the superuser user can now log out and the LDAP user can log in (Figure 9-54).
Figure 9-54 Login window for the LDAP user
Configuring remote authentication is complete.
9.4.2 Encryption
IBM FlashSystem V9000 provides optional encryption of data at rest, which protects against the potential exposure of sensitive user data and user metadata that are stored on discarded, lost, or stolen flash modules. Encryption of system data and system metadata is not required, so system data and metadata are not encrypted.
 
Attention: Encryption keys or data from IBM FlashSystem V9000 cannot be recovered or regenerated by IBM on an encryption-enabled system if the encryption keys are lost.
AES-XTS 256-bit data-at-rest encryption with local key management
Two functions are added to the encryption feature:
Hot Encryption Activation: Adding an encryption license to a previously initialized system
Encryption Rekey: Changing the encryption key on a previously initialized system
If you want to use encryption, ensure that you purchase Feature Code (FC) AF14: Encryption Enablement Pack (Plant).
Data Encryption Methodology
The IBM FlashSystem V9000 data encryption uses the Advanced Encryption Standard (AES) algorithm, with a 256-bit symmetric encryption key in XTS mode. This encryption mode is known as XTS–AES–256, which is described in the IEEE 1619–2007 data encryption standard. The data encryption key itself is protected by a 256-bit AES key wrap when it is stored in non-volatile form. There are two layers of encryption used with stored data, first on the data being protected, and second on the data encryption key itself.
Protection Enablement Process (PEP)
The Protection Enablement Process (PEP) transforms a system from a state that is not protection-enabled to a state that is protection-enabled.
The PEP establishes a secret encryption access key to access the system, which must be stored and made available for use later, whenever the system needs to be unlocked. The secret encryption access key must be stored outside the system on a USB drive or key servers (version 7.8 is needed), which the system reads to obtain the key. The encryption access key must also be backed up to other forms of storage.
In IBM FlashSystem V9000, two functions comprise the encryption capability:
Hot Encryption Activation
Allows an unencrypted IBM FlashSystem V9000 to be encryption-enabled while the system is running, without affecting customer data.
Nondisruptive Rekey
Permits creating a new encryption access key that supersedes the existing key on a running IBM FlashSystem V9000 without affecting customer data.
Encryption can be enabled in three ways:
Activating encryption using the GUI (preferred)
Activating encryption using the CLI
Creating new encryption keys (Rekey)
Consider these aspects of handling encryption and encryption keys:
Keeping encryption keys from more systems on the same USB flash drives (stacking)
Making copies of encryption keys
Storing copies of USB flash drives holding encryption keys
Leaving encryption keys in or out of the system during normal operation
Using key servers
In IBM FlashSystem V9000 you can enable encryption either during initialization by using the setup wizard or after the system is initialized. When the encryption Feature Code AF14 is purchased, IBM sends a total of three USB flash drives.
When IBM FlashSystem V9000 encryption is activated, an encryption key is generated by the system to be used for access to encrypted data that is stored on the system. The GUI starts a wizard that guides you through the process of copying the encryption key to multiple USB flash drives or setting up key servers.
The following actions are considered preferred practices for copying and storing encryption keys when using USB sticks:
1. Make copies of the encryption key on at least three USB flash drives to access the system.
2. In addition, copy the encryption keys to other forms of storage to provide resiliency and to mitigate risk, if, for example, the three USB flash drives are from a faulty batch of drives.
3. Test each copy of the encryption key to ensure that the key is recognized before writing any user data to the initialized system.
4. Securely store all copies of the encryption key. As an example, any USB flash drives that are not left inserted into the system can be locked in a safe. Take comparable precautions to securely protect any other copies of the encryption key stored to other forms of storage.
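The key layer described above, and the reason each key copy must be tested and refreshed after a rekey, can be modelled in a short Go program. This is an added illustration, not IBM code: it assumes that the "AES key wrap" is the RFC 3394 construction and that a rekey re-wraps the same data encryption key under the new access key. The copy names (usb-1, usb-2, safe) and all key values are constructed, and the XTS data layer is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumption: the "256-bit AES key wrap" is modelled as RFC 3394 with its default check value.
var wrapIV = bytes.Repeat([]byte{0xA6}, 8)

// wrapKey protects a data key (multiple of 8 bytes, at least 16) under a 256-bit access key.
func wrapKey(accessKey, dataKey []byte) ([]byte, error) {
	n := len(dataKey) / 8
	if len(accessKey) != 32 || len(dataKey)%8 != 0 || n < 2 {
		return nil, errors.New("wrapKey: bad key length")
	}
	blk, _ := aes.NewCipher(accessKey)                   // cannot fail, length checked above
	r := append(append([]byte{}, wrapIV...), dataKey...) // r[0:8] is A, then R1..Rn
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(b[:8], r[:8])
			copy(b[8:], r[8*i:8*i+8])
			blk.Encrypt(b[:], b[:])
			binary.BigEndian.PutUint64(r[:8], binary.BigEndian.Uint64(b[:8])^uint64(n*j+i))
			copy(r[8*i:], b[8:])
		}
	}
	return r, nil
}

// unwrapKey reverses wrapKey; it fails if the access key is wrong or the blob was altered.
func unwrapKey(accessKey, wrapped []byte) ([]byte, error) {
	n := len(wrapped)/8 - 1
	if len(accessKey) != 32 || len(wrapped)%8 != 0 || n < 2 {
		return nil, errors.New("unwrapKey: bad length")
	}
	blk, _ := aes.NewCipher(accessKey)
	r := append([]byte{}, wrapped...)
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(r[:8])^uint64(n*j+i))
			copy(b[8:], r[8*i:8*i+8])
			blk.Decrypt(b[:], b[:])
			copy(r[:8], b[:8])
			copy(r[8*i:], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(r[:8], wrapIV) != 1 {
		return nil, errors.New("unwrapKey: integrity check failed")
	}
	return r[8:], nil
}

// rekey re-wraps the data key under a new access key; the encrypted user data is not touched.
func rekey(oldKey, newKey, wrapped []byte) ([]byte, error) {
	dataKey, err := unwrapKey(oldKey, wrapped)
	if err != nil {
		return nil, err
	}
	return wrapKey(newKey, dataKey)
}

// usableCopies tests every stored copy of the access key against the wrapped data key.
func usableCopies(wrapped []byte, copies map[string][]byte) map[string]bool {
	ok := make(map[string]bool, len(copies))
	for name, k := range copies {
		_, err := unwrapKey(k, wrapped)
		ok[name] = err == nil
	}
	return ok
}

func main() {
	keys := make([]byte, 128) // constructed sample keys, not real key material
	rand.Read(keys)
	// The data key is 64 bytes here: XTS-AES-256 uses two 256-bit halves.
	oldKey, newKey, dek := keys[:32], keys[32:64], keys[64:]
	blob, _ := wrapKey(oldKey, dek)
	bad := append([]byte{}, oldKey...)
	bad[5] ^= 0x01 // one flipped bit, as on a faulty USB flash drive
	fmt.Println("after enable:", usableCopies(blob, map[string][]byte{"usb-1": oldKey, "usb-2": bad}))
	blob, _ = rekey(oldKey, newKey, blob)
	fmt.Println("after rekey: ", usableCopies(blob, map[string][]byte{"usb-1": newKey, "safe": oldKey}))
	got, _ := unwrapKey(newKey, blob)
	fmt.Println("data key unchanged by rekey:", bytes.Equal(got, dek))
}
```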
 
Enable the encryption license
Before you can enable encryption, install the encryption license on the system. Complete these steps:
1. Select Settings → System (Figure 9-55).
Figure 9-55 Navigate to Licensed functions
2. In the Licensed Functions panel (Figure 9-56), select the License check box to activate the encryption license, and click Apply Changes.
Figure 9-56 Activate the encryption license
3. Review the commands that run, enabling the licenses, and then click Close (Figure 9-57).
Figure 9-57 License Updated
Starting encryption
To start encryption, perform the following steps:
1. Select Settings → Security (Figure 9-58).
Figure 9-58 Open the Security panel
2. Click Encryption, and then click Enable Encryption (Figure 9-59).
Figure 9-59 Enable Encryption
3. The Enable Encryption wizard starts (Figure 9-60). Select the type of encryption you want to define and then go to one of these sections to continue with the steps:
Figure 9-60 Encryption setup of FlashSystem V9000
Encryption with USB keys
Perform the following steps:
1. Insert the IBM USB keys into the system (Figure 9-61), two keys in one control enclosure and one key in the other. The extra key will be removed later.
Figure 9-61 Set the IBM USB keys in the system
2. As shown in Figure 9-62, the USB key count is incremented (1) as each key is inserted. When the keys are created, click Next (2).
Figure 9-62 Create the encryption keys
 
Tip: Remove one of the USB keys and store it in a safe place. If security policies allow, leave the two remaining keys in the AC2 or AC3 control enclosure so they are available if the AE2 storage enclosure restarts.
Remember: If the encryption keys are not present, a storage enclosure hard reboot is not possible.
3. Click Commit (Figure 9-63). Encryption is not enabled until you click Commit.
Figure 9-63 Commit to make the encryption effective
4. A confirmation window opens (Figure 9-64). The AE2 storage enclosure is now encrypted. Click Close.
Figure 9-64 System is now encrypted
Encryption with key servers
Encryption with key servers requires FlashSystem V9000 Version 7.8 or later. At the time of writing, only one key server can be used, and it must be an IBM Security Key Lifecycle Manager (SKLM). Before you start this task, ensure that you can access the key servers by using the IP address.
For more information about SKLM, see the following resources:
IBM Security Key Lifecycle Manager V2.6 documentation
IBM Security Key Lifecycle Manager
IBM DS8880 Data-at-rest Encryption, REDP-4500
To configure SKLM, perform the following steps:
1. In the Enable Encryption window, enter the IP address and port of the key server (Figure 9-65), and then click Next.
Figure 9-65 key server IP and port
2. Enter the Device Group name (Figure 9-66 on page 446).
The default device group name in the GUI is SPECTRUM_VIRT. The device group must be created on the SKLM server prior to this step; you can name the device group SPECTRUM_VIRT or use a name of your choice. Naming the device group SPECTRUM_VIRT is a good practice for compatibility with future versions of SKLM.
Click Next.
Figure 9-66 Device Group name, default for IBM SKLM server
3. Select the certificate you want to use (Figure 9-67):
 – Certificate: Browse to the certificate provided by a Certificate Authority (CA).
 – <Key server IP address>: Browse to the certificate provided by the SKLM server.
Figure 9-67 Authority or key server certificate.
 
Note: You can create either a new self-signed certificate or install a signed certificate that is created by a third-party certificate authority. Endpoint certificates should be self-signed certificates.
 
4. Transfer the IBM FlashSystem V9000 public key certificate to the key server. Click Export Public Key to get the certificate and add it to the key server.
When the key server is updated, select the check box to confirm the action and click Next (Figure 9-68).
Figure 9-68 IBM FlashSystem V9000 certificate for the Key Server
5. Review the summary of changes and click Finish to encrypt the data with the key server certificate (Figure 9-69).
Figure 9-69 Summary of changes
6. A confirmation window is displayed confirming that encryption is enabled and encryption keys reside on the key server (Figure 9-70).
Figure 9-70 Key server action completed
7. Review the Encryption panel to verify that the system is encrypted (Figure 9-71).
Figure 9-71 Key server encryption
Migration from USB stick encryption support to key server
Contact your IBM representative regarding this process.
9.4.3 Secure Communications
Use the Secure Communications page (Figure 9-72) to enable and manage secure connections.
During system setup, an initial certificate is automatically created to use for secure connections between web browsers. Based on the security requirements for your system, you can create either a new self-signed certificate or install a signed certificate that is created by a third-party certificate authority. Self-signed certificates are generated automatically by the system and encrypt communications between the browser and the system. Self-signed certificates can generate web browser security warnings and might not comply with organizational security guidelines.
Figure 9-72 Update certificate
Click Update Certificate.
You can then create a new self-signed certificate or import your own signed certificate (Figure 9-73). Complete the requested information and click Update to validate your changes or Cancel to ignore them.
Figure 9-73 Self-signed or signed certificate
Figure 9-74 and Figure 9-75 on page 452 show the update certificate process. The connection with the IBM FlashSystem V9000 GUI is lost as soon as the new certificate is enabled (Figure 9-74).
Click Yes to continue or No to cancel.
Figure 9-74 Lost connection warning
Figure 9-75 shows the certificate update status.
Figure 9-75 Create self-signed certificate in progress
9.5 System menu
Select Settings → System (Figure 9-76). The System page opens where you can set the time and date for the cluster, perform software updates for the cluster, and set GUI preferences to manage licensed functions.
Figure 9-76 System selection
9.5.1 Date and Time option
Select Date and Time to view the Date and Time panel (Figure 9-77). Update the fields as required and click Save to save your changes.
Figure 9-77 Date and Time panel
The preferred method for setting the date and time is to configure a Network Time Protocol (NTP) server. By using an NTP server, all log entries are stamped with an accurate date and time, which is important in troubleshooting. An example might be a temporarily broken FC link that caused a path failover at a connected host. To investigate the root cause of this event, compare logs from the host, logs from the storage area network (SAN) switches, and logs from the IBM FlashSystem V9000. If the date and time are not accurate, events cannot be easily compared and matched, which makes a root cause analysis much more difficult.
9.5.2 Licensed functions
The base license that is provided with your IBM FlashSystem V9000 includes the use of its basic functions. However, the extra licenses, listed in this section, can be purchased to expand the capabilities of your system. Administrators are responsible for purchasing extra licenses and configuring the systems within the license agreement, which includes configuring the settings of each licensed function on the system.
The base 5639-RB7 license entitles IBM FlashSystem V9000 (machine type 9846/9848) to all the licensed functions, such as Virtualization, FlashCopy, Global and Metro Mirroring, and Real-time Compression. Any connected storage that is not an IBM FlashSystem V9000 requires the External Virtualization license, which is measured per terabyte (TB) or tebibyte (TiB) of capacity. TiB measures volume sizes in binary, so 1 GiB equals 1,073,741,824 bytes, which is 1024 to the power of three; TB measures volume sizes in decimal, so 1 GB equals 1,000,000,000 bytes, which is 1000 to the power of three.
You use the Licensed Functions window in the System Setup wizard to enter External Virtualization licenses purchased for your system.
The system supports the following licensed functions for internal storage:
Encryption
The system provides optional encryption of data at rest, which protects against the potential exposure of sensitive user data and user metadata that is stored on discarded, lost, or stolen storage devices. Encryption is licensed only for the AE2 storage enclosure; all other storage (internal or external) is not encrypted unless that storage provides its own encryption mechanism, which must be enabled.
External storage virtualization
The system does not require a license for its own AC2 or AC3 control enclosure and internal storage enclosures; however, a capacity-based license is required for any external systems that are being virtualized.
FlashCopy
The FlashCopy function copies the contents of a source volume to a target volume. This license is capacity-based.
Remote Copy (Global and Metro Mirror)
The remote-copy function enables the use of Metro Mirror, Global Mirror or Global Mirror with Change Volume functions. This function enables you to set up a relationship between volumes on two systems, so that updates that are made by an application to one volume are mirrored on the other volume. The volumes can be in the same system or on two different systems. This license is capacity-based.
Real-time Compression
With the compression function, data is compressed as it is written to the drive, saving additional capacity for the system. This license is capacity-based.
For more details about the base licensed features for IBM FlashSystem V9000 internal storage, and for optional licensed features offered with IBM FlashSystem V9000 for external storage, see 2.7.2, “Software and licensing” on page 92.
For more information about licensing, see IBM FlashSystem V9000 Version 7.7 Product Guide, REDP-5409.
Figure 9-78 highlights two areas:
1. Changing the Flash Copy license from 0 TiB to 60 TiB.
2. The Apply Changes button is automatically incremented.
Figure 9-78 Licensed Functions pane
9.5.3 Update software
Concurrent upgrade is the default way to upgrade the IBM FlashSystem V9000 system. All components of the system are upgraded including the AC2 or AC3 control enclosures and AE2 storage enclosures. Performance is affected during heavy I/O load. The suggestion is that you plan a three-hour change window for your upgrades. This time can vary depending on your system configuration.
This section demonstrates how to update firmware through the GUI of the IBM FlashSystem V9000. Before you start a system update, ensure that the system has no errors that might interfere with a successful update. Be sure that any errors are corrected before you start.
 
Tip: Firmware release notes often contain the latest information about specifics of an upgrade. There is also an upgrade test utility that examines the system that can be run non-disruptively before an upgrade. For more details about the upgrade test utility, see 13.3.8, “Using the IBM FlashSystem V9000 Software Upgrade Test Utility” on page 636.
The current firmware for the system can be downloaded from the Internet (if the system has access), or it can be downloaded by the administrator from the following web page:
A single building block takes approximately 2.5 hours for code upgrade.
A scale-out, scale-up configuration updates one AC2 or AC3 control enclosure of each IO Group, and then the others. All AE2 storage enclosures are updated at the same time. The total time is approximately 2.5 hours.
Host path recovery is an important part of the IBM FlashSystem V9000 upgrade process. There is an intentional wait (30 minutes) to ensure that paths have recovered before the upgrade proceeds to the next component. The remaining figures in this section show various stages of the upgrade.
Firmware update is initiated from the Update System page (Figure 9-79). On this page, notice the current software level:
Current version is 7.7.1.2
Update version 7.7.1.3 is available
Figure 9-79 Firmware update main page
Before starting the firmware update, download the new firmware image file and the update test utility. The current firmware for the system can be downloaded from the Internet (if the system has access), or it can be downloaded by the administrator from the following address:
A firmware download requires an appropriate maintenance agreement or that the system is covered under warranty; see 13.5.5, “Downloading from IBM Fix Central” on page 651.
You can update the FlashSystem V9000 firmware through the Settings menu. This update is referred to as Concurrent Code Load (CCL). Each AC2 or AC3 control enclosure and AE2 Storage Enclosure in the system automatically updates in sequence while maintaining uninterrupted accessibility for connected hosts.
The upgrade is concurrent. The process runs the upgrade utility and immediately starts the update if no problems are found. The test upgrade utility and code upgrade are started simultaneously, but run serially, with the test upgrade utility run first.
 
Note: The test utility can also be run by using the CLI.
To initiate CCL, select Settings → System → Update System. On the Update System panel, click Test & Update (Figure 9-79).
The Update System wizard begins (Figure 9-80) by requesting you to select the test utility and the update package. When you click Update, both files are uploaded and the test utility begins to run. If the test utility does not find any issues, the upgrade begins.
Figure 9-80 Test utility and firmware selection
The purpose of running the test utility is to verify that no errors exist and that the system is ready to update. If any issue is discovered by the test utility, the firmware update stops and sends a message to the administrator about the problems to fix before the update system procedure can be repeated.
 
Tip: The upgrade test utility can be run multiple times by using the CLI. For details, see “Using the IBM FlashSystem V9000 Software Upgrade Test Utility from the command line” on page 637.
The system inserts the current code level automatically, or the administrator can specify a different firmware level. This example updates to 7.7.1.3. Click Update to proceed.
The Update System panel opens where you can select Automatic update or Service Assistant Manual update. In this example, select Automatic update and click Finish (Figure 9-81).
Figure 9-81 Update System panel
The update test utility and update package files are uploaded to the IBM FlashSystem V9000 control enclosure, and then the firmware update for the entire system proceeds automatically.
The initial part of the Update System procedure is shown in Figure 9-82.
Figure 9-82 Code uploading panel
If any errors are identified by the test utility, they are indicated in the Update System panel. Any hardware error prevents the system update from proceeding. If an error is identified, take the correct actions to resolve the error identified by the update test utility.
 
Tip: During the upgrade, the GUI might go offline temporarily as the V9000 controllers are restarted during the upgrade. Refresh your browser to reconnect.
The Concurrent Code Load (CCL) firmware update is now running in the background. While the system updates, the progress is shown in the progress indicators (Figure 9-83).
Figure 9-83 Updating system controller
The system can be operated normally while it is upgrading; however, no changes can be made until the firmware update completes. If you are trying to fix an error condition, you see the message shown in Figure 9-84 (fixes cannot be applied while the system is being upgraded).
Figure 9-84 Fixes cannot be applied while upgrading
During the update, various messages display in the Update System window (Figure 9-85). The first control enclosure completes its update and the second controller starts to update.
Figure 9-85 Update System panel, one control enclosure completed
 
Tip: Host path recovery is often quicker than the time the FlashSystem V9000 pauses; the system takes a conservative approach to ensure that paths are stabilized before proceeding (30 minutes).
After the update to the second IBM FlashSystem V9000 control enclosure completes, the upgrade process moves to the storage enclosures, which are all updated in parallel. When the Update System wizard completes, the system returns to a healthy status. The system now has the current firmware (Figure 9-86).
Figure 9-86 Firmware update is now complete
During the hardware update, all individual components in the system are being firmware-updated. For example, the I/O ports are updated, during which time they are being taken offline for update one-by-one.
 
Tip: Customer change windows for update should include the entire upgrade process, approximately 2.5 hours.
As an alternative to upgrading firmware through the GUI, you can use the FlashSystem V9000 CLI. The process is described in IBM Knowledge Center:
Search for the “Updating the software automatically using the CLI” topic.
9.5.4 VVOL
The system supports VMware vSphere Virtual Volumes, sometimes referred to as VVols, which allow VMware vCenter to automate the management of system objects such as volumes and pools. You can enable VVOL by turning the switch to ON as shown in Figure 9-87. An NTP server must be configured before you can enable the VVOL feature.
Figure 9-87 VVOL enable screen
Before you configure Virtual Volumes, the following prerequisites must be met:
Ensure that your system is running version 7.6.0 or later.
Ensure that IBM Spectrum Control Base Edition (version 2.2.1 or later) is installed.
Ensure that you are running VMware vSphere (ESXi hosts and vCenter) V 6.0 (or later).
Ensure that a Network Time Protocol (NTP) server is configured on both the IBM FlashSystem V9000 and the IBM Spectrum Control Base server. NTP ensures that time settings are consistent between the system and IBM Spectrum Control Base server.
Confirm that you have the network information for both VMware vCenter and IBM Spectrum Control Base Edition: the IP address, subnet mask, gateway, and fully qualified domain name (FQDN) such as hostname.domain.com.
Select On to enable Virtual Volumes. A utility volume is automatically created to store critical metadata that is required for Virtual Volumes. This utility volume is managed by the IBM Spectrum Control Base Edition server.
Select a storage pool to store the utility volume. If possible, store a mirrored copy of the utility volume in a second storage pool that is in a separate failure domain. For example, use a storage pool that is made from MDisks that are presented from different storage systems or a different I/O group.
Create a user account for the IBM Spectrum Control Base Edition server. Defining the user account for the IBM Spectrum Control Base Edition server automatically configures a new user with the VASA Provider role. IBM Spectrum Control Base Edition server uses these storage credentials and role privileges to access the system and to run the automated tasks that are required for Virtual Volumes. Record these storage credentials. You need them to configure your IBM Spectrum Control Base Edition server.
 
Note: The VASA Provider role is used only by the IBM Spectrum Control Base Edition server. Users must not directly log in to the management GUI or CLI with an account that has the VASA Provider user role and complete system tasks, unless they are directed to by support.
Click Enable to enable VVOL or Cancel to stop the process (Figure 9-88).
Figure 9-88 VVOL enable screen
A window showing the enable process is displayed followed by a success window (Figure 9-89).
Figure 9-89 VVOL confirmation window
9.5.5 Resources
Copy Services features and RAID require that small amounts of volume cache be converted from cache memory into bitmap memory to enable the functions to operate. If you do not have enough bitmap space allocated when you try to use one of the functions, you cannot complete the configuration. As an example, if bitmap space is too low, trying to expand a mirrored volume fails until the allocated bitmap space has been expanded.
Table 9-1 describes the amount of bitmap space necessary to configure the various copy services functions and RAID.
Table 9-1 Examples of memory required
| Feature | Grain size | 1 MB of memory provides the following volume capacity for the specified I/O group |
| --- | --- | --- |
| Metro Mirror or Global Mirror | 256 KB | 2 TB of total Metro Mirror or Global Mirror volume capacity |
| FlashCopy | 256 KB | 2 TB of total FlashCopy source volume capacity |
| FlashCopy | 64 KB | 512 GB of total FlashCopy source volume capacity |
| Incremental FlashCopy | 256 KB | 1 TB of total incremental FlashCopy source volume capacity |
| Incremental FlashCopy | 64 KB | 256 GB of total incremental FlashCopy source volume capacity |
| Volume mirroring | 256 KB | 2 TB of mirrored volume capacity |
The memory limit for Volume Mirroring is changed from the default of 20 MiB to 40 MiB (Figure 9-90). Type in the new amount of bitmap space and click Save.
Figure 9-90 Change bitmap space for Volume Mirroring
 
Remember: If you do not have enough bitmap space allocated when you try to use one of the functions, you cannot complete the configuration.
9.5.6 IP Quorum
In some HyperSwap configurations, IP quorum applications can be used at the third site as an alternative to third-site quorum disks.
No Fibre Channel connectivity at the third site is required to use an IP quorum application as the quorum device. The IP quorum application is a Java application that runs on a host at the third site.
Figure 9-91 shows the IP Quorum panel. Click the click here link for instructions (1). The IP network is used for communication between the IP quorum application and control enclosures in the system. If you currently have a third-site quorum disk, you must remove the third site before you use an IP quorum application.
Figure 9-91 IP Quorum main screen
9.5.7 I/OGroups: Enable and disable NPIV
N_Port ID Virtualization (NPIV) is a method for virtualizing a physical Fibre Channel port that is used for host I/O. When NPIV is enabled, ports do not become active until they are ready to service I/O. In addition, path failures due to an offline control enclosure are masked from host multipathing. See 7.12, “Using NPIV functionality” on page 311 for more details.
To enable or disable NPIV, you have to perform a transitional step during which the host will connect to the FlashSystem V9000 by using two WWPN addresses. This step ensures that the zoning is correct. Only after you confirm that the host can connect by using both addresses can you perform the step to enable or disable NPIV.
The main I/O Groups page displays the status of NPIV; Figure 9-92 shows Enabled.
Figure 9-92 NPIV enabled
To disable NPIV, right-click the I/O Group and select Change Target Port Mode. The status changes from Enabled to Transitional. Click Continue (Figure 9-93).
Figure 9-93 NPIV transitional step
Target Port Mode is now Transitional. Confirm that your host can access the IBM FlashSystem V9000 using the new WWPN.
To verify which WWPN your host can use on the FlashSystem V9000, click Settings → Networks → Fibre Channel Ports. See the column Host IO Permitted (Figure 9-94).
Figure 9-94 Confirmation of Transitional mode
After you confirm that the host can connect to the IBM FlashSystem V9000 by using the correct WWPN address, you can change the target port mode to Disabled. Right-click IO_group and select Disabled (Figure 9-95). The Force change check box allows you to perform the action, ignoring whether hosts are still sending I/Os on the port that will be enabled or disabled.
 
Attention: Using force mode may cause a host access loss.
Figure 9-95 Disable WWPN virtualization
To confirm the results of this step, select Settings → Networks → Fibre Channel Ports as shown in Figure 9-96.
Figure 9-96 NPIV disabled confirmation
 
Attention: To enable or disable host port virtualization, follow the same process. You must use the transitional step to ensure that your host can access the IBM FlashSystem V9000 and to avoid a loss of storage access.
9.6 Support menu
Access the Support menu to download support packages that contain log files and information that can be sent to support personnel to help troubleshoot problems with the system. You can either download individual log files or download statesaves, which are dumps or live dumps of system data.
To access the Support menu, select Settings → Support (Figure 9-97).
Figure 9-97 Support selection
9.6.1 Download support package
IBM Support often requests log files when responding to an automatic support issue that is opened by the call home function or a support issue that is opened by the IBM FlashSystem V9000 administrators.
Select Settings → Support when log files are requested by IBM Support.
 
Tip: Log files are needed in most of the support cases processed for the IBM FlashSystem V9000. Clients who upload these logs when the support ticket number is available often have issues resolved more quickly than clients who wait for IBM Support to ask for them.
The system administrator downloads the requested support package from the system and then uploads it to IBM Support. IBM Support then analyzes the data.
To download a support package, follow these steps, as shown in Figure 9-98:
1. Select Settings → Support and click Download Support Package.
2. Select the type of support package to download, and then click Download.
Figure 9-98 Download support package panel
You can download the following types of support packages, as shown in Figure 9-98:
Standard logs:  Contains the most recent logs that were collected on the system. These logs are most commonly used by support to diagnose and solve problems.
Standard logs plus one existing statesave:  Contains the standard logs for the system and an existing statesave from any of the control enclosures in the system. Statesaves are also known as dumps or livedumps. One day to one week traces are also included.
Standard logs plus the most recent statesave from each control enclosure:  Contains the standard logs for the system and the most recent statesave from each of the control enclosures on the system.
Standard logs plus new statesaves:  Generates a new statesave (live dump) for all of the control enclosures in the system and packages them with the most recent logs.
IBM Support usually requests that you click Standard logs to begin an investigation. The length of time to download these logs from the IBM FlashSystem V9000 can be in the range of minutes to an hour, depending on the situation and the size of the support package that is downloaded.
Figure 9-99 shows that you can monitor the details of the running command. When this completes, it is replaced with the save-file form.
Figure 9-99 Generating the support package
The destination of the support package file is the system where the web browser was launched. Figure 9-100 shows the next step of saving the support package file.
Figure 9-100 Saving the Snap File
IBM Support usually requests log files to be uploaded to a specific PMR number, using Enhanced Customer Data Repository (EcuRep) as the upload method to IBM:
9.6.2 Download individual log files
You can select individual logs to download for review or to send directly to IBM Support. You can also increase CIMOM¹ logging levels to add detail about CIMOM-related events to the support packages. However, increasing the logging level can affect system performance and is best used temporarily when you are resolving issues on the system.
After analyzing the uploaded support package, IBM Support might request additional files. To locate these files, select Settings → Support and click Show full log listing. This option supports the download of specific and individual log files.
An example is shown in Figure 9-101:
1. Select a single error log file.
2. Click Actions → Download.
Figure 9-101 Download specific file dialog
 
Note: Log files are saved from each of the components of the system.
9.6.3 Deleting log files
You can also delete certain types of log files from the system. To preserve the configuration and trace files, any files that match the following wildcard patterns cannot be deleted:
*svc.config*
*.trc
*.trc.old
 
The Delete option: When the Delete option is not available, the file cannot be deleted because it is being used by the system.
Figure 9-102 shows the deletion process:
1. Select an old snap file.
2. Click Actions → Delete.
Figure 9-102 Deleting individual files
 
Tip: Systems running in production for a long time might require that old files be cleaned up before upgrades. Snaps with statesaves are large files, for example.
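The following added example (not part of the original chapter or of IBM's software) shows how the three protected wildcard patterns from 9.6.3 split a file listing into deletion candidates and protected files before a cleanup. It assumes the second and third patterns are read as `*.trc` and `*.trc.old`; the function names and file names are hypothetical and constructed for illustration.

```python
from fnmatch import fnmatchcase

# Patterns the chapter lists as non-deletable. The leading "*" on the two
# trace patterns is an assumption about how they are meant to be read.
PROTECTED_PATTERNS = ("*svc.config*", "*.trc", "*.trc.old")


def protecting_pattern(name):
    """Return the first protected pattern that matches name, or None."""
    for pattern in PROTECTED_PATTERNS:
        if fnmatchcase(name, pattern):  # case-sensitive glob match
            return pattern
    return None


def plan_cleanup(names):
    """Split a file listing into deletion candidates and protected files."""
    candidates, protected = [], {}
    for name in names:
        pattern = protecting_pattern(name)
        if pattern is None:
            candidates.append(name)
        else:
            protected[name] = pattern
    return candidates, protected


# Constructed file names for illustration, not taken from a real system.
SAMPLE_LISTING = [
    "snap.single.example01.160301.tgz",
    "svc.config.backup.xml_example01",
    "example01.svc.config.cron.log",
    "ethernet.example01.trc",
    "ethernet.example01.trc.old",
    "ethernet.example01.trc.old.bak",
    "trc_notes.txt",
]

if __name__ == "__main__":
    candidates, protected = plan_cleanup(SAMPLE_LISTING)
    for name in candidates:
        print("candidate  ", name)
    for name, pattern in protected.items():
        print("protected  ", name, "<-", pattern)
```

A name that appears as a candidate here can still be undeletable on the system when the file is in use, as the note about the Delete option states.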
9.7 GUI Preferences
Select Settings → GUI Preferences (Figure 9-103).
Figure 9-103 GUI Preferences selection
Use the Navigation tab to enable or disable floating animations (Figure 9-104). You can display the online help by hovering the mouse over the question mark (?) symbol (1). Select the Enabled check box to turn on the floating menu, and then click Save (2).
Figure 9-104 Navigation
Select the Login tab to add a message to be displayed to anyone logging into the GUI or in a CLI session (Figure 9-105).
Figure 9-105 Login Message
Use the General tab to set the following preferences in the GUI (Figure 9-106):
1. Restore default browser preferences
2. Automatic logoff
3. IBM Knowledge Center URL
4. Browser refresh (GUI refresh)
5. Low graphics mode
6. Enable pool extent size
Figure 9-106 GUI preferences panel
Restore default browser preferences or refresh GUI objects
Clicking the Clear button causes any settings that are changed in the browser to revert to their default settings.
Clicking the Refresh button causes all the panels in the GUI to be refreshed. The IBM FlashSystem V9000 management interface keeps most windows up to date in real time. This operation provides you with a mechanism to initiate a refresh of all the panels.
IBM Knowledge Center
You can customize the URL to the online documentation that IBM provides in IBM Knowledge Center. IBM offers customers opportunities to participate in beta test programs. This option can be used to change the web address to point to alternate documentation.
Advanced pool settings
Consistent extent sizes are an important factor when migrating VDisks between pools on the IBM FlashSystem V9000. Clearing Allow extent size selection during pool creation means that the user is not offered the option to change the extent size from the default presented by the system.
Default logout time
Enter the elapsed time in minutes after which an inactive GUI session is logged off.
Low graphics mode
By selecting Enable low graphics mode, you can customize the GUI to use less bandwidth. This option is available primarily for slow Internet connections; most clients do not need to change this parameter.
 

1 Common Information Model Object Manager (CIMOM)