Administrator's Guide

Transcription

1 IBM Tioli Storage Productiity Center Version Administrator's Guide SC

2 Note: Before using this information and the product it supports, read the information in Notices on page 285. This edition applies to ersion 5, release 2, modification 4 of IBM Tioli Storage Productiity Center (product numbers 5725-F92, 5725-F93, and 5725-G33) and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces SC Copyright IBM Corporation US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

3 Contents About this guide ii Who should read this guide ii Publications ii Accessing publications online ii Downloading publications iii Tioli Storage Productiity Center Serice Management Connect community iii Contacting IBM Software Support iii Reporting a problem ix Conentions used in this guide ix Chapter 1. Configuring Starting Tioli Storage Productiity Center Starting the Tioli Storage Productiity Center web-based GUI Starting the Tioli Storage Productiity Center stand-alone GUI Starting Tioli Storage Productiity Center for Replication Oeriew of required user names for initial logon to the Tioli Storage Productiity Center family of products Adding resources Configuring alert notifications Configuring alert notifications Configuring SNMP alert notifications Configuring Tioli Netcool/OMNIbus alert notifications Configuring history and data retention Authorizing users Configuring role to group mappings Role-based authorization Assigning a role Modifying the authentication mechanism Functions aailable in the web-based GUI based on role and license Functions aailable in the stand-alone GUI based on role and license Tioli Common Reporting roles Changing the user authentication configuration.. 26 Adding an LDAP repository to the federated repositories Remoing an LDAP repository from the federated repositories Adding customized text to the web-based GUI logon page Configuration tasks in the stand-alone GUI License Keys Cached Batch Report Retention Quota and Constraint Address Rules Scan/Probe Agent Administration Manual NAS Serer Entry History Aggregator Resource History Retention for Databases Remoed Resource Retention for Databases.. 67 Configuration History Settings Configuring switches Managing a SAN without agents Setting timeout alues for the Deice serer Configuring Serice Location Protocol Router configuration SLP directory agent configuration Enironment configuration SLP registration and slptool SLP discoery Configuring IP addressing Configuring Tioli Storage Productiity Center with multiple IP addresses Changing the HOSTS file Configuring the VASA proider Registering a Tioli Storage Productiity Center VASA proider Using a Tioli Storage Productiity Center Storage Proider certificate Unregistering a Tioli Storage Productiity Center VASA proider Filter storage and file systems Creating custom VM Storage Profiles Configuring the Sphere Web Client extension for Tioli Storage Productiity Center Deploying the Sphere Web Client extension from Tioli Storage Productiity Center serer.. 80 Deploying the Sphere Web Client extension for Tioli Storage Productiity Center locally Unregistering the Sphere Web Client extension for Tioli Storage Productiity Center Updating the Sphere Web Client extension for Tioli Storage Productiity Center Deploying Storage Resource agents Deployment guidelines and limitations for Storage Resource agents Creating a certificate for SSH protocol Replacing custom SSL certificates Configuration guidelines for 500 or more agents 112 Including a Storage Resource agent with a serer master image Configuring LUN proisioning for Oracle Solaris 113 Assigning TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUNs to Oracle Solaris HBAs Modifying the HBA configuration file Setting Persistent Name Binding for QLogic HBAs by using the appropriate software Modifying the SCSI disk configuration file Checking for TotalStorage Enterprise Storage Serer, DS6000, or DS8000 multipaths in VxDMP Checking for a fully qualified host name Checking for a fully qualified host name for AIX systems Copyright IBM Corp iii

4 Checking for a fully qualified host name for Linux systems Checking for a fully qualified host name for Oracle Solaris Checking for a fully qualified host name for Windows systems Importing authentication information for a Storage Resource agent Configuring Jazz for Serice Management for DS8000 LDAP authentication Configuring multiple Jazz for Serice Management serers with one DS8000 R Setting up dual Jazz for Serice Management serers for high aailability Configuring SAN Volume Controller or Storwize V7000 with LDAP authentication Configuring Tioli Storage Productiity Center and Jazz for Serice Management for single sign-on Configuring and controlling the Tioli Storage Productiity Center Monitoring Agent Configuring the Tioli Storage Productiity Center Monitoring Agent on Windows Configuring the Tioli Storage Productiity Center Monitoring Agent on AIX or Linux Starting and stopping the Tioli Storage Productiity Center Monitoring Agent Installing and configuring the Tioli Storage Productiity Center serer with multiple NIC cards 137 Creating an SSH certificate for the root user ID Configuring DB2, AIX, and Linux for IP6-only enironment Chapter 2. Administering Administering resources and data sources Checking the status of data sources Storage systems Hyperisors and VMware data sources Switches and fabrics Serers and Storage Resource agents CIM agents Out-of-band fabric agents Tioli Storage Productiity Center serers Starting and stopping the Tioli Storage Productiity Center serers Stopping the Tioli Storage Productiity Center serers Starting the Tioli Storage Productiity Center serers Default locations of log files Checking the ersion and license of Tioli Storage Productiity Center Checking Tioli Storage Productiity Center status 200 Troubleshooting problems with the Tioli Storage Productiity Center system Packaging Tioli Storage Productiity Center system log files for IBM Software Support Changing the LTPA token expiration for single sign-on Increasing the memory allocation for the Data serer Increasing the memory allocation for the Data serer that is running on AIX Increasing the memory allocation for the Data serer that is running on Linux Increasing memory allocation for Data serer that is running on Windows Setting timeout alues for the Deice serer Changing passwords Changing passwords by using the password tool Changing passwords by editing configuration files Granting local administratie priileges to a domain account SQL access to Tioli Storage Productiity Center iews Accessing iews in the database repository Collecting diagnostic information about Tioli Storage Productiity Center Serice tool oeriew Creating a compressed file for serers Creating a compressed file for a Storage Resource agent How to customize the serice tool Administering the Tioli Storage Productiity Center database Backing up the database Maintaining and improing the performance of the database Repository copy tool Administering DB Using the command line on UNIX and Linux 235 Manually starting DB2 on Windows Manually stopping DB2 on Windows Starting the IBM Data Studio full client Monitoring DB Appendix A. Reference Return codes used by Storage Resource agent Agent types for monitoring fabrics and switches 242 Supported storage systems proiding full disk encryption and solid-state dries agent.sh command Configuration files serer.config file scheduler.config file TPCD.config file Specifying the tablespace size for IBM Tioli Storage Productiity Center agent.config file csmconnections.properties file diagnostics.properties file repcli.properties file rmserer.properties file rmserer.properties file tpcrcli-auth.properties file Log files Default locations of log files Script parameters Arguments and window locations aailable with the inbound launch in context feature i IBM Tioli Storage Productiity Center: Administrator's Guide

5 Launch in context parameters Launch-in-context task parameters Aailable windows Opening Tioli Storage Productiity Center on Windows operating systems Opening Tioli Storage Productiity Center CLIs and GUIs Accessing administration tools Windows serices used by IBM Tioli Storage Productiity Center Frequently Asked Questions General and Migration information Data Manager Fabrics and switches Disk Manager Protocols and standards Web Based Enterprise Management Storage Management Initiatie Specification Serice Location Protocol Simple Network Management Protocol Fibre Channel Methodologies of Interconnects 277 Appendix B. Accessibility features for Tioli Storage Productiity Center Appendix C. Accessibility features for Tioli Storage Productiity Center for Replication Notices Priacy policy considerations Trademarks Glossary Index Contents

6 i IBM Tioli Storage Productiity Center: Administrator's Guide

7 About this guide IBM Tioli Storage Productiity Center manages storage infrastructure by centralizing, automating, and simplifying the management of complex and heterogeneous storage enironments. IBM Tioli Storage Productiity Center for Replication helps you manage data-copy functions. This guide proides task-oriented administration information that helps you to obtain optimal product performance. Who should read this guide This guide is intended for administrators who are configuring and maintaining IBM Tioli Storage Productiity Center. A single administrator can manage Tioli Storage Productiity Center, or seeral people can share administratie responsibilities. Administrators should be familiar with the following topics: General procedures for managing software and serices on Microsoft Windows, IBM AIX, and Linux. Storage area network (SAN) concepts Tioli Storage Productiity Center concepts IBM DB2 and database concepts Simple Network Management Protocol (SNMP) concepts Publications A number of publications are proided with Tioli Storage Productiity Center and Tioli Storage Productiity Center for Replication. The following section describes how to access these publications online. Accessing publications online Use the following table to iew and download publications for Tioli Storage Productiity Center. Translated documents are aailable for some products. Table 1. Locations of publications for Tioli Storage Productiity Center and related products Product Online location IBM Tioli Storage Productiity Center and IBM Tioli Storage Productiity Center for Replication IBM DB2 Database for Linux, UNIX, and Windows Jazz for Serice Management Tioli Netcool/Impact To search across all publications or to download PDF ersions of indiidual publications, go to the product documentation at knowledgecenter/ssne44_5.2.4/. SSEPGG/welcome SSEKCU/welcome SSSHYH/welcome Copyright IBM Corp ii

8 Downloading publications IBM publications are aailable in electronic format to be iewed or downloaded free of charge. You can download IBM publications from knowledgecenter/. Tioli Storage Productiity Center Serice Management Connect community Connect, learn, and share with Serice Management professionals: product support technical experts who proide their perspecties and expertise. Access Serice Management Connect at sericemanagement/. Use Serice Management Connect in the following ways: Become inoled with transparent deelopment, an ongoing, open engagement between other users and IBM deelopers of Tioli products. You can access early designs, sprint demonstrations, product roadmaps, and prerelease code. Connect one-on-one with the experts to collaborate and network about Tioli and the Storage Management community. Contacting IBM Software Support Read blogs to benefit from the expertise and experience of others. Use wikis and forums to collaborate with the broader user community. You can contact IBM Software Support by phone, and you can register for support notifications at the technical support website. Go to the IBM Tioli Storage Productiity Center technical support website at Tioli_Storage_Productiity_Center. To receie future support notifications, sign in under Subscribe to support notifications. You are required to enter your IBM ID and password. After you are authenticated, you can configure your subscription for Tioli Storage Productiity Center technical support website updates. Customers in the United States can call IBM-SERV ( ). For international customers, go to the Tioli Storage Productiity Center technical support website to find support by country. Expand Contact support and click Directory of worldwide contacts. You can also reiew the IBM Software Support Handbook, which is aailable at The support website offers extensie information, including a guide to support serices; frequently asked questions (FAQs); and documentation for all IBM Software products, including Redbooks and white papers. Translated documents are also aailable for some products. When you contact IBM Software Support, be prepared to proide identification information for your company so that support personnel can readily assist you. Company identification information might also be needed to access arious online serices aailable on the website. See Reporting a problem on page ix. iii IBM Tioli Storage Productiity Center: Administrator's Guide

9 Reporting a problem Proide the IBM Support Center with information about the problems that you report. Hae the following information ready when you report a problem: The IBM Tioli Storage Productiity Center ersion, release, modification, and serice leel number. The communication protocol (for example, TCP/IP), ersion, and release number that you are using. The actiity that you were doing when the problem occurred, listing the steps that you followed before the problem occurred. The exact text of any error messages. Conentions used in this guide Information is gien about the conentions that are used in this publication. This publication uses seeral conentions for special terms and actions, and for operating system-dependent commands and paths. The following typeface conentions are used in this publication: Bold Flags that display with text Graphical user interface (GUI) elements (except for titles of windows and dialogs) Names of keys Italic Variables Values that you must proide New terms Words and phrases that are emphasized Titles of documents monospace Commands and command options Flags that display on a separate line Code examples and output Message text Names of files and directories Text strings that you must type, when they display within text Names of Oracle Jaa methods and classes HTML and XML tags that display like this, in monospace type For syntax notations, remember the following details. In AIX, the prompt for the root user is #. In AIX and Linux, the commands are case-sensitie, so you must type commands exactly as they are shown. About this guide ix

10 x IBM Tioli Storage Productiity Center: Administrator's Guide

11 Chapter 1. Configuring After Tioli Storage Productiity Center is installed, you can configure it according to the standards and requirements of your storage enironment. Some configuration tasks can be completed in the Tioli Storage Productiity Center GUIs. The configuring tasks that you want to complete determines which GUI to use: Web-based GUI Determine how you are notified of alert conditions within a storage enironment. Specify how long to retain the data that is collected about resources and the log files that are generated by Tioli Storage Productiity Center. Determine the authentication mechanism and authorization leel for Tioli Storage Productiity Center users. The authentication mechanism determines the user groups to which you can assign roles. Roles determine the product functions that are aailable to the users in a group. Customize the lists of resources, tasks, and alerts. Enable Tioli Storage Productiity Center reports in Tioli Common Reporting. Stand-alone GUI Specify licenses for enabling certain functions within Tioli Storage Productiity Center. Determine how long to retain batch reports. Specify rules for generating addresses of users who break quota and constraint policies. Assign Storage Resource agents to run scans and probes on NAS filers. Enter and iew information about Network Attached Storage (NAS) serers. Configure data aggregation. Specify how long to keep a history of information that is collected about databases. Specify how long to keep information that is related to a database that was remoed and can no longer be found. Specify how often Tioli Storage Productiity Center captures snapshots of your configuration and when to delete them. Starting Tioli Storage Productiity Center Tioli Storage Productiity Center proides two graphical user interface (GUI) applications for managing and monitoring the resources in a storage enironment: a web-based GUI and a stand-alone GUI. You can start these GUIs on the Tioli Storage Productiity Center serer or on a remote system. Each GUI proides different functions for working with monitored resources. Copyright IBM Corp

12 Starting the Tioli Storage Productiity Center web-based GUI You can start the web-based Tioli Storage Productiity Center GUI by opening a web browser and entering a web address for the Tioli Storage Productiity Center logon page. For example, you might enter Before you start IBM Tioli Storage Productiity Center, ensure that you are using a supported web browser. For a list of web browsers that you can use with Tioli Storage Productiity Center, see the support matrix at support/dociew.wss?uid=swg In the Agents, Serers and Browser column, click the ersion of Tioli Storage Productiity Center that is installed on your system. On the next page, click Web Browsers to find the web browsers that you can use. The web-based GUI proides quick access to pages that you can use to monitor the condition, capacity, and relationships of the resources within your storage enironment. Start the web-based GUI if you are interested in monitoring your storage enironment, but do not need the full set of administratie tools aailable in the stand-alone GUI. 1. On a serer running the Windows operating system, start TPC Web-based GUI. If you are not on a serer running the Windows operating system, start a web browser and enter the following address in the address field: In the preceding address, specify the following alues: hostname The Tioli Storage Productiity Center serer. You can specify the host name as an IP address or a Domain Name System (DNS) name. port The port number for Tioli Storage Productiity Center. The default port number for connecting to Tioli Storage Productiity Center by using the HTTP protocol is Howeer, this port number might be different for your site. For example, the port number might be different if the default port range was not accepted during installation. If the default port number does not work, ask your Tioli Storage Productiity Center administrator for the correct port number. Tip: If you hae a non-default port, check the alue of the WC_defaulthost property in TPC_installation_directory/web/conf/portdef.props file. You might be redirected from the address that you enter to another address and port that proides secure access using the HTTPS protocol. This page is the Tioli Storage Productiity Center logon page. 2. From the Tioli Storage Productiity Center logon page, type your user name and password and click Log in. The web-based Tioli Storage Productiity Center GUI opens in the browser. Starting the Tioli Storage Productiity Center stand-alone GUI The stand-alone GUI contains functions for monitoring the condition of storage resources, and all the tools for managing data, disk, fabric, and replication. How you start the stand-alone GUI depends on whether the stand-alone GUI component is installed on your system. 2 IBM Tioli Storage Productiity Center: Administrator's Guide

13 On the Tioli Storage Productiity Center serer, or on a remote system where the stand-alone GUI component is installed, you start the stand-alone GUI by running a batch file or a shell script. For Windows operating systems, you run the batch file tpc.bat, which you can run from the Start menu. For AIX or Linux operating systems, you run the shell script TPCD.sh. If the stand-alone GUI component is not installed on a remote system, you use a Jaa Web Start application to download and start the stand-alone GUI. Starting the Tioli Storage Productiity Center stand-alone GUI by using Jaa Web Start Start the stand-alone Tioli Storage Productiity Center GUI by using Jaa Web Start to interact remotely with Tioli Storage Productiity Center running on the serer. Before you start Tioli Storage Productiity Center, ensure that you are using a supported web browser. For a list of web browsers that you can use with Tioli Storage Productiity Center, see the support matrix at support/dociew.wss?uid=swg In the Agents, Serers and Browser column, click the ersion of Tioli Storage Productiity Center that is installed on your system. On the next page, click Web Browsers to find the web browsers that you can use. On remote systems where the stand-alone GUI component is not installed, you can start the stand-alone Tioli Storage Productiity Center GUI using Jaa Web Start. To start the stand-alone GUI by using Jaa Web Start, you click a web link that downloads a Jaa Network Launching Protocol (JNLP) file from the serer. The JNLP file specifies all the files needed by the application. The Jaa Web Start Launcher on the remote system opens the JNLP file, downloads and caches all the required files, and starts the stand-alone GUI in a new window. 1. Start a web browser, and type the following address for the Jaa Web Start page. In the preceding address, specify the following alues: hostname The Tioli Storage Productiity Center serer. You can specify the hostname as an IP address or a Domain Name System (DNS) name. To erify your host name, ask your Tioli Storage Productiity Center administrator. port The port number for the Deice serer. The default port number for connecting to the Deice serer using the HTTP protocol is Howeer, this port number might be different for your site. For example, the port number might be different if the default port range was not accepted during installation. If the default port number does not work, ask your Tioli Storage Productiity Center administrator for the correct port number. 2. The Tioli Storage Productiity Center GUI requires an IBM Jaa Runtime Enironment Links are proided on the Jaa Web start page for you to download the IBM Jaa Runtime Enironment for Windows, Linux, or AIX. If an IBM Jaa Runtime Enironment is not already installed on the system, click the link to download the IBM Jaa Runtime Enironment for your operating system. On Windows, download a self-extracting executable. On Linux, download an RPM file. On AIX, download an executable JAR file. Install Chapter 1. Configuring 3

14 the JRE from the file that you downloaded before you start the stand-alone GUI. If you are prompted to install the JRE as the system JRE or to oerwrite the current system JRE, click No. 3. From the Jaa Web Start page, click TPC GUI (Jaa Web Start) The JNLP file is downloaded. Important: Depending on your browser and operating system and their default settings for your browser and operating system) you might need to: Verify to your browser that the tpcgui.jnlp file is safe to download Indicate that JNLP files are to be opened by the Jaa Web Start Launcher. 4. The stand-alone Tioli Storage Productiity Center GUI opens in a separate window. To log on to Tioli Storage Productiity Center, enter the following information and click OK. a. Enter the user ID and password that was defined for the installation of Tioli Storage Productiity Center. b. If the serer field does not contain the address and port number of for the serer, specify the following alues for the hostname and port. hostname The Tioli Storage Productiity Center serer. You can specify the hostname as an IP address or a Domain Name System (DNS) name. To erify your host name, ask your Tioli Storage Productiity Center administrator. port The port number for the Data serer. The default port number for connecting to the Data serer is Howeer, this port number might be different for your site. For example, the port number might be different if the default port range was not accepted during installation. Starting the Tioli Storage Productiity Center stand-alone GUI on a system where the GUI component is installed On the Tioli Storage Productiity Center serer, or on a remote system where the stand-alone GUI component is installed, you start the Tioli Storage Productiity Center stand-alone GUI using the batch file tpc.bat on a Windows operating system or the shell script TPCD.sh on an AIX and Linux operating system. A typical installation of Tioli Storage Productiity Center on the serer includes the stand-alone GUI component. A remote system can also hae the stand-alone GUI component installed. On a system where the stand-alone GUI component is installed, use the following instructions for starting the stand-alone GUI. If you are on a remote system where the stand-alone GUI component is not installed, start the stand-alone GUI by using Jaa Web Start instead. 1. Start the Tioli Storage Productiity Center GUI on Windows operating systems. Open the Tioli Storage Productiity Center stand-alone GUI.. If you are on a remote system, the Start menu or Start page for the stand-alone GUI might not be aailable. In this case, run the tpc.bat file directly. The default location for the batch file is C:\Program Files\IBM\TPC\gui\tpc.bat. On AIX or Linux, type the following path and command at the command line. /opt/ibm/tpc/gui/tpcd.sh 4 IBM Tioli Storage Productiity Center: Administrator's Guide

15 2. From the Tioli Storage Productiity Center GUI logon window, log on to Tioli Storage Productiity Center. a. Enter your user ID and password. b. If the serer field does not contain the address of the serer, enter the information in the format hostname:port. Specify the following alues for the hostname and port: hostname The Tioli Storage Productiity Center serer. You can specify the hostname as an IP address or a Domain Name System (DNS) name. port The port number for the Data serer. The default port number for connecting to the Data serer is Howeer, this port number might be different for your site. For example, the port number might be different if the default port range was not accepted during installation. c. Click OK. Starting Tioli Storage Productiity Center for Replication You can start the IBM Tioli Storage Productiity Center for Replication GUI by opening a web browser and entering a web address for the Tioli Storage Productiity Center for Replication logon page. Before you start Tioli Storage Productiity Center for Replication, ensure that you are using a supported web browser. For a list of web browsers that you can use with Tioli Storage Productiity Center, see the support matrix at In the Agents, Serers and Browser column, click the ersion of Tioli Storage Productiity Center that is installed on your system. On the next page, click Web Browsers to find the web browsers that you can use. The Tioli Storage Productiity Center for Replication GUI proides a single point of control to configure, manage, and monitor copy serices. Whether you start it on the serer or on a remote system, the GUI is web-based and is displayed in a browser. 1. On a serer that is running on the Windows operating system, click Start > Programs > IBM Tioli Storage Productiity Center > TPC Replication Manager GUI to open a browser to the correct address. If you are not using a serer that is running on the Windows operating system, start a web browser and enter the following address in the address field. The address is case-sensitie. In the preceding address, specify the following alues: hostname The Tioli Storage Productiity Center for Replication serer. You can specify the host name as an IP address or a Domain Name System (DNS) name. port The port number for Tioli Storage Productiity Center for Replication. The default port number for connecting to Tioli Storage Productiity Center for Replication using the HTTPS protocol is Howeer, this port number might be different for your site. For example: Chapter 1. Configuring 5

16 If you upgraded from Tioli Storage Productiity Center for Replication ersion 3.3 or earlier, the default HTTPS port is If you upgraded from Tioli Storage Productiity Center for Replication ersion 3.4 or later, the default HTTPS port is If you are using IBM WebSphere Application Serer for z/os, the default HTTPS port is If you are using IBM WebSphere Application Serer OEM Edition for z/os, the default HTTPS port is You can find the port number for the Replication serer in the install_root/wlp/usr/serers/replicationserer/properties/ portdef.props file. The default port for the HTTP protocol is defined by the WC_defaulthost_secure property property in the file. You can find the port number for the web-based GUI in the install_root/ewas/profiles/websererprofile/properties/portdef.props file. The default port for the HTTP protocol is defined by the WC_defaulthost property in the file. 2. From the Tioli Storage Productiity Center for Replication logon page, type your user name and password and click Login. The web-based Tioli Storage Productiity Center for Replication GUI opens in the browser. Oeriew of required user names for initial logon to the Tioli Storage Productiity Center family of products All the graphical user interfaces (GUIs) in the Tioli Storage Productiity Center family require a user ID and password. If you are logging on to a GUI immediately after you installed the software, the user ID that you must use differs depending on the type of installation and the GUI interface. Immediately after you install the software, you must use the user name as described in the following tables. After you log on, you can assign roles for users in Tioli Storage Productiity Center and Tioli Storage Productiity Center for Replication. When users log on, their user roles determine their authorization leel and the components that they can iew in each GUI. Required user name for initial logon after installation on a single serer when only the common user is defined After you install Tioli Storage Productiity Center in a single-serer enironment, the required user name for the initial logon is the common user name that was defined for the Tioli Storage Productiity Center installation. You must use this user name to log on to the stand-alone GUI, the web-based GUI, the Tioli Storage Productiity Center for Replication web-based GUI, and the Tioli Storage Productiity Center command-line interface. Required user name for initial logon after installation on multiple serers with a remote database schema After you install the software on multiple serers with a remote database schema, you must use the user name as described in the following table. 6 IBM Tioli Storage Productiity Center: Administrator's Guide

17 Table 2. Required user name for initial logon after installation on multiple serers with a remote database schema To log on to: Tioli Storage Productiity Center stand-alone GUI Tioli Storage Productiity Center web-based GUI Tioli Storage Productiity Center for Replication web-based GUI Use this user name: The user name that was defined for the installation of Tioli Storage Productiity Center serer. The user name that was defined for the installation of Tioli Storage Productiity Center serer. The user name that was defined for the installation of Tioli Storage Productiity Center serer. Required user name for initial logon after installation on multiple serers and Tioli Storage Productiity Center reports are remote After you install the software on multiple serers, and Tioli Storage Productiity Center reports are remote, you must use the user name as described in the following table. Table 3. Required user name for initial logon after installation on multiple serers and Tioli Storage Productiity Center reports are remote To log on to: Tioli Storage Productiity Center stand-alone GUI Tioli Storage Productiity Center web-based GUI Tioli Storage Productiity Center for Replication web-based GUI Use this user name: The user name that was defined for the installation of Tioli Storage Productiity Center serer. The user name that was defined for the installation of Tioli Storage Productiity Center serer. The user name that was defined for the installation of Tioli Storage Productiity Center serer. Adding resources You must add resources for monitoring before you can collect data, generate reports, and manage storage that is related to those resources. Tioli Storage Productiity Center proides wizards in the web-based GUI and stand-alone GUI that guide you through the steps for discoering the resources in your enironment, adding the resources as data sources, and scheduling data collection. The GUI that you use determines which resources can be added: Web-based GUI Storage systems Fabrics Switches Hyperisors Serers Chapter 1. Configuring 7

18 For information about adding resources in the web-based GUI, go to the product documentation at knowledgecenter/ssne44_5.2.4/com.ibm.tpc_v524.doc/ tpch_t_wz_adding_resources.html. Stand-alone GUI Tioli Storage Productiity Center serers as subordinate serers. NAS filers For information about adding resources in the stand-alone GUI, go to the product documentation at knowledgecenter/ssne44_5.2.4/com.ibm.tpc_v524.doc/ fqz0_t_administering_agents.html. Restriction: You cannot add resources that are already being monitored by Tioli Storage Productiity Center. A resource is considered to be monitored if it is included in a data collection job such as a probe, performance monitor, or scan. Configuring alert notifications Alerts can define notification actions that send , generate Simple Network Management Protocol (SNMP) traps, or generate IBM Tioli Netcool/OMNIbus eents. To enable these notification actions, you must configure Tioli Storage Productiity Center for , SNMP, or Tioli Netcool/OMNIbus alert notifications. Configuring alert notifications You can define an alert to send notifications to specific addresses when an alert condition is detected on a monitored resource. To enable the notification, you must configure Tioli Storage Productiity Center to use the correct mail serer. To modify alert notification settings, you must be assigned the Administrator role. To configure alert notifications, complete the following steps: 1. In the menu bar in the web-based GUI, go to Settings > Alert Notifications. 2. Click the tab. 3. Click Edit, and specify new settings or remoe existing settings. To specify new settings, complete the following steps: a. Specify the following alert notification settings: Reply to address Specify an address. If a user replies to an that was triggered by an alert, the reply is sent to this address. Typically, this address is an administrator's address. This address also receies any undelierable messages for alerts that are configured with incorrect or inalid address. Mail serer Specify the name of the mail serer to use. You can specify a host name, an IP4 address, or an IP6 address depending on what is supported within your enironment. Port The port number for the outgoing SMTP serer. This port number is usually IBM Tioli Storage Productiity Center: Administrator's Guide

19 b. To erify that alert notifications are configured correctly, you can send a test . To send a test , click Test. c. Click Sae. To delete the configuration settings without specifying new settings, click Remoe. Configuring SNMP alert notifications You can define an alert to generate SNMP traps when an alert condition is detected on a monitored resource. To enable SNMP alert notifications, configure Tioli Storage Productiity Center to direct the traps to at least one SNMP destination. To modify alert notification settings, you must be assigned the Administrator role. You must be running an SNMP management application in your system enironment. Management Information Base (MIB) files are proided in the Tioli Storage Productiity Center installation. You must set up the SNMP trap receier with the MIB files to receie SNMP traps from Tioli Storage Productiity Center. To configure SNMP alert notifications, complete the following steps: 1. In the menu bar in the web-based GUI, go to Settings > Alert Notifications. 2. Click the SNMP tab. 3. Click Edit, and specify new settings or remoe existing settings. To specify new settings, complete the following steps: a. Specify the following SNMP alert notification settings for each SNMP destination. You can specify up to two SNMP destinations. Community Specify the name of the SNMP community for sending SNMP traps. By default, the community is public. IP address Specify the host that is configured to receie SNMP traps. You can specify a host name, an IP4 address, or an IP6 address depending on what is supported within your enironment. Port Specify the port number for receiing SNMP traps. SNMP trap messages are sent to this port when an alert condition is detected. By default, the port is set to 162. b. Click Sae. To delete the current configuration settings without specifying new settings, click Remoe. Configuring Tioli Netcool/OMNIbus alert notifications You can define an alert to generate Tioli Netcool/OMNIbus eents when an alert condition is detected on a monitored resource. To enable Tioli Netcool/OMNIbus notifications, configure Tioli Storage Productiity Center to direct the eents to a Tioli Netcool/OMNIbus serer. To modify alert notification settings, you must be assigned the Administrator role. In your system enironment, you must be running a Tioli Netcool/OMNIbus serer that is configured to receie Tioli Storage Productiity Center alerts. Chapter 1. Configuring 9

20 To configure Tioli Netcool/OMNIbus alert notifications, complete the following steps: 1. In the menu bar in the web-based GUI, go to Settings > Alert Notifications. 2. Click the Netcool/OMNIibus tab. 3. Click Edit, and specify new settings or remoe existing settings. To specify new settings, complete the following steps: a. Specify the following Tioli Netcool/OMNIbus alert notification settings: IP address Specify the NetCool/OMNIbus serer that is configured to receie notifications. You can specify a host name, and IP4 address, or an IP6 address. You cannot use a serer that is configured for IP6 only. The serer must be IP4 or dual stack enabled. Port Specify the port for receiing alert notifications. Alert notifications are sent to this port when an alert condition is detected. By default, the port is set to b. Click Sae. To delete the current configuration settings without specifying new settings, click Remoe. Configuring history and data retention Specify how long to retain the data that is collected about resources and the log files that are generated by Tioli Storage Productiity Center. By specifying the number of weeks for history retention, you can control the amount of data that is retained and aailable for historical analysis and charting. The longer that you retain data, the more informatie your analysis, but the more storage space that is required to store that data. Data that Tioli Storage Productiity Center collects about a storage enironment is stored in a DB2 database repository. The amount of data that is retained about resources can grow oer time, and thus require more storage space for the repository. You can use the History Retention page to modify the data retention settings according to the monitoring and storage requirements of your enironment. You must be assigned the Administrator role to modify data retention settings. 1. In the menu bar in the web-based GUI, go to Settings > History Retention. 2. Click Edit to modify the following data retention settings: Capacity history Specify how long to retain a history of the capacity data that is collected about monitored resources. This alue determines the amount of capacity data that is retained and aailable for historical analysis and charting. The longer that you retain data, the more informatie your analysis, but the more storage space that is required. Daily Specify how long to retain capacity data that is collected daily about resources. You can retain daily data for up to 72 weeks and a minimum of 2 weeks. Weekly Specify how long to retain capacity data that is aggregated weekly for monitored resources. You can retain weekly aggregates for up to 96 weeks and a minimum of 4 weeks. 10 IBM Tioli Storage Productiity Center: Administrator's Guide

21 Monthly Specify how long to retain capacity data that is aggregated monthly for monitored resources. You can retain monthly aggregates for up to 48 months and a minimum of 2 months. Retention alues from the stand-alone GUI: When you upgrade from Tioli Storage Productiity Center V5.2 or earlier, the retention alues that were defined in the stand-alone GUI are automatically consolidated and migrated. During the consolidation, the retention alues that were defined for storage systems in the stand-alone GUI are also applied to directories, file systems, pings, computer uptime, and disks. During the migration, Tioli Storage Productiity Center ensures that the consolidated alues are within acceptable boundaries. For example, if the monthly alue for storage systems was set to 56 months in the stand-alone GUI, that alue is changed to 48 months in the web-based GUI. Performance data Specify how long to retain data that is collected by performance monitors. Sample Specify how long to retain sample data that is collected by performance monitors. Sample data represents the data that is collected each time a performance monitor is run. Because sample data is collected frequently, retaining that data can require significant disk space in the database repository. The required disk space is determined by the types of switches, storage systems, and number of olumes that are being monitored. You can retain sample data for up to 12 weeks. Hourly Specify how long to retain hourly data that is collected by performance monitors. You can retain hourly data for up to 24 weeks. Daily Specify how long to retain daily data that is collected by performance monitors. You can retain daily data for up to 156 weeks. Data for remoed resources Specify how long to retain data about internal resources that are no longer detected by Tioli Storage Productiity Center. You can retain the data of remoed resources for up to 52 weeks. If the internal resource of a top-leel resource is not detected when that top-leel resource is probed, data about the resource is remoed when the time limit is reached. The internal resource is remoed only from the top-leel resource that is probed. For example, if two weeks are specified, the data for a pool that is missing from a storage system for more than two weeks will be remoed. Only internal resources are automatically remoed according to this setting. Storage systems, serers, hyperisors, switches, and fabrics must be remoed manually. Alerts Specify how long to retain alerts. An entry is generated each time that an alert condition is detected on a resource. Any alert that is older than this alue is deleted. You can retain alerts for up to 12 weeks. Chapter 1. Configuring 11

22 Authorizing users Job logs Specify the maximum number of logs that are retained for data collection jobs. A log file is created each time that a job is run. When this number is reached, the entry for the oldest log is deleted. For example, if you accept the default alue 5, and then run a probe 6 times, the log file for the first run is deleted. You can retain up to 20 logs for a job. 3. Click Sae to apply the retention settings. 4. Optional: Click Restore Defaults to restore the retention settings to their default alues. After IBM Tioli Storage Productiity Center is installed, you can assign roles to the user groups that are contained in the authentication repository. The authentication repository can be a local operating system or an LDAP-compliant directory. Roles determine the product functions that are aailable to users in a group. Configuring role to group mappings After you determine to which groups a user belongs, you can configure role-to-group mapping in the Tioli Storage Productiity Center web-based GUI and log on to the Tioli Storage Productiity Center stand-alone GUI. The mapping applies to Windows domains, LDAP, and local OS accounts. Determining the group to which a user name belongs To determine to which groups a user belongs, complete the following steps: 1. In a web browser, log in as a Windows domain user to the WebSphere Integrated Solutions Console. 2. In the naigation tree, click Users and Groups > Manage Users. 3. In the Search by list, search for the user name. For example, search for janedcloud Click the user name link. For example, you can click TPC\janedcloud321. Tip: If there are multiple user names in the search results, select the check box for a user and click the user name link. 5. On the User Properties page, click the Groups tab to see the groups to which the user belongs. 6. Note the groups to which the user name belongs. Configuring role-to-group mappings To configure role-to-group mappings, complete the following steps: 1. Log on to Tioli Storage Productiity Center web-based GUI. If you used the common user name when you installed Tioli Storage Productiity Center, you can use this user name to log on to the web-based GUI. 2. Click Settings > User Management. 3. On the User Management window, click Add Group. 12 IBM Tioli Storage Productiity Center: Administrator's Guide

23 4. On the Add Group window, enter the group names enter the names of the groups to which the user belongs. 5. Click Search. 6. Select the group and the role that you want to assign to the group. 7. Click OK. Role-based authorization Roles determine the functions that are aailable to users of Tioli Storage Productiity Center. When a user ID is authenticated to Tioli Storage Productiity Center through the GUI, CLI, or APIs, membership in an operating system or LDAP group determines the authorization leel of the user. In Version 5.2, the roles that were preiously defined in Tioli Storage Productiity Center were consolidated into a smaller set of roles. The following table shows how the roles in ersions earlier than 5.2 are mapped to the current set of roles: Table 4. How roles in preious ersions of Tioli Storage Productiity Center are mapped to the roles in ersion 5.2 and later Roles in preious ersions Superuser Productiity Center administrator Disk administrator Fabric administrator Data administrator Tape administrator Disk operator Fabric operator Data operator Tape operator Roles in ersion 5.2 and later Administrator Monitor Authorization leel This role has full access to all monitoring and administratie functions. At least one group must hae the Administrator role. Note: When Tioli Storage Productiity Center is first installed, the following operating system groups are assigned the Administrator role: Windows: Administrators UNIX and Linux: root AIX: system In the web-based GUI, this role has access to the following read-only functions: Viewing and exporting information about monitored resources Viewing and acknowledging alerts Viewing tasks and data collection jobs Viewing data paths Opening management GUIs Opening logs Tiering storage In the stand-alone GUI, this role has access to the following functions: Viewing data that is collected by Tioli Storage Productiity Center Creating, generating, and saing reports Chapter 1. Configuring 13

24 Table 4. How roles in preious ersions of Tioli Storage Productiity Center are mapped to the roles in ersion 5.2 and later (continued) Roles in preious ersions This role did not exist in ersions 5.1 or earlier. Roles in ersion 5.2 and later External Application Authorization leel This role enables users of other applications to use the proisioning capability of Tioli Storage Productiity Center to proision storage. For example, a VMware user with this role can proision storage in the Sphere GUI by using the Sphere Web Client extension for Tioli Storage Productiity Center. If you assign the External Application role to the user, you must also assign one or more serice classes to the user. This role does not enable users to log in to the Tioli Storage Productiity Center GUIs. Tips: If a user belongs to multiple groups and the groups hae different roles, the role with the highest leel of authorization is granted to the user. For example, if a user belongs to a group that is assigned the Administrator role and also belongs to a group that is assigned a Monitor role, the user is granted the authorization of the Administrator role. If a user is not a member of a group that is assigned a Tioli Storage Productiity Center role, no access is granted to that user. The role of the user who is logged in to the web-based GUI is displayed in parenthesis in the upper-right corner of the banner at the top of eery page. For rollup reports, you need Administrator authority to do the following actions: Add, remoe, or modify the Tioli Storage Productiity Center subordinate serer that the master serer is monitoring. Create or run probe jobs that include Tioli Storage Productiity Center subordinate serers. Any Tioli Storage Productiity Center role can generate rollup reports. The Tioli Storage Productiity Center installation program adds the administrator, external application, and monitor roles to the Tioli Storage Productiity Center installation user. Assigning a role Assign a Tioli Storage Productiity Center role to one or more user groups. The role that is assigned to a group determines the product functions that are aailable to the users in that group. To assign a role to a user group, complete the following steps: 1. In the menu bar in the web-based GUI, go to Settings > User Management. 2. Click Add Group to search for groups that are defined in the authentication repository. You can type the name of a group if you know its name, or specify a filter to search for existing groups in the authentication repository. For filters, use an asterisk (*) to represent unknown characters. You must enter at least one 14 IBM Tioli Storage Productiity Center: Administrator's Guide

25 character in addition to an *. For example, type tpc* to search for groups that begin with the letters "tpc" or "TPC". Type *t to search for groups that begin with or contain the letter "t" or "T". 3. In the list of groups, select one or more groups to which you want to assign a role. 4. In the Role field, select the role to assign to the group. 5. Click OK to assign the role. The role that you select is applied to all the groups that you are adding. You can change the role assignments at any time after the group is added. Related reference: Role-based authorization on page 13 Roles determine the functions that are aailable to users of Tioli Storage Productiity Center. When a user ID is authenticated to Tioli Storage Productiity Center through the GUI, CLI, or APIs, membership in an operating system or LDAP group determines the authorization leel of the user. Modifying the authentication mechanism To modify how Tioli Storage Productiity Center authenticates users and user groups, configure the authentication repository. You must be assigned the Administrator role to modify the authentication repository and manage role and group assignments. The authentication mechanism determines how Tioli Storage Productiity Center authenticates users and the user groups that are aailable to be assigned roles. During the installation process, the WebSphere Application Serer is configured with a federated repository. By default, authentication is configured in the federated repository with a file repository and a local operating system repository. The file repository is tpcfileregistryuser and the local operating system repository is localos. The localos repository includes the operating system groups that are defined on the serer where Tioli Storage Productiity Center is installed. For a serer that is a member of a Windows domain, the localos repository also includes the groups in that domain. 1. In the menu bar in the web-based GUI, go to Settings > User Management. 2. On the User Management page, click Modify authentication mechanism. The WebSphere Integrated Solutions Console is displayed in a separate tab on the web browser. 3. In the naigation tree, go to Security > Global security. 4. Make your changes, and then click Apply. Related concepts: Changing the user authentication configuration on page 26 The Tioli Storage Productiity Center installation program establishes a default authentication configuration by using the federated repositories feature of the IBM WebSphere Application Serer. You can change this authentication configuration. Functions aailable in the web-based GUI based on role and license When you use the web-based GUI, your Tioli Storage Productiity Center role and product license determine the functions that are aailable. Chapter 1. Configuring 15

26 Users who are assigned the Administrator role or the Monitor role can use the web-based GUI. The functions that are aailable depend on the role that is assigned to the user: Administrator role Users who are assigned the Administrator role hae access to all monitoring and administratie functions and are limited only by license restrictions. Monitor role Users who are assigned the Monitor role can iew information about monitored resources and other objects such as tasks, alerts, and serice classes. They can acknowledge alerts and resource statuses, open logs, and open management GUIs. Users who are assigned the Monitor role do not hae access to administratie functions, with the following exceptions: They can assign storage pools to tiers. They can be granted permission in a serice class to proision storage by using the serice class. If so, they can use the Proision Storage wizard to create a proisioning task. Users can delete proisioning tasks that they create. If the serice class specifies that administrator approal is not required, the users can run or schedule the proisioning tasks that they create. To use some functions of the web-based GUI, you must hae the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license. If you hae the Tioli Storage Productiity Center license or the Tioli Storage Productiity Center Select license, the following functions are not aailable: Storage tier optimization. The Analyze Tiers wizard is not aailable. Pool balancing. The Balance Pools wizard is not aailable. Block storage proisioning. You are not able to proision olumes by using either the Proision Storage wizard or the Sphere Web Client extension. Howeer, there are no license restrictions for file storage proisioning, therefore, Network Attached Storage (NAS) file shares can be proisioned. The following table outlines the functions aailable by role. Some functions are restricted to the Administrator role. Functions that are restricted to the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license are also shown. In addition to the restrictions listed in this table, users who are assigned the Monitor role do not hae access to user management functions. 16 IBM Tioli Storage Productiity Center: Administrator's Guide

27 Table 5. Role and license restrictions in the web-based GUI Resource or object Performance monitors Functions aailable by role Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about the switch or storage system that is being monitored Open performance monitor logs Export performance monitor information to a file Functions that require the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license All functions are aailable, depending on role. Alerts Tasks Users who are assigned the Administrator role can also complete the following administratie actions: Start or stop a performance monitor Schedule a performance monitor Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about alerts Acknowledge alerts Export alert information to a file Users who are assigned the Administrator role can also remoe alerts, edit alert definitions, and edit alert notification settings. Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about tasks Open task logs Export task information to a file If a user assigned the Monitor role has permission to proision storage by using a serice class, the user can delete proisioning tasks that the user creates. If the serice class does not require administrator approal, the user can also schedule and run the proision tasks that the user creates. Users who are assigned the Administrator role can also complete the following administratie actions: Run tasks Schedule tasks Delete tasks All functions are aailable, depending on role. All functions are aailable, depending on role. Chapter 1. Configuring 17

28 Table 5. Role and license restrictions in the web-based GUI (continued) Resource or object Storage systems Functions aailable by role Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about storage systems Acknowledge storage system status Open the management GUI or element manager for a storage system Export storage system information to a file Functions that require the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license Optimize storage tiering Volumes Users who are assigned the Administrator role can also complete the following administratie actions: Add and remoe storage systems Schedule data collection jobs Optimize storage tiering Add storage systems to capacity pools Administer connections Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about olumes Acknowledge olume status Export olume information to a file Optimize storage tiering Users who are assigned the Administrator role can also complete the following administratie actions: Transform storage olumes Optimize storage tiering Pools Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about pools Acknowledge pool status Export pool information to a file Balance pools Optimize storage tiering Shares Users who are assigned the Administrator role can also complete the following administratie actions: Add pools to capacity pools Balance pools Optimize storage tiering Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about shares Export pool information to a file All functions are aailable, depending on role. 18 IBM Tioli Storage Productiity Center: Administrator's Guide

29 Table 5. Role and license restrictions in the web-based GUI (continued) Resource or object Serers Functions aailable by role Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about serers Acknowledge serer status View and collect logs Export serer information to a file If a user assigned the Monitor role has permission to proision storage by using a serice class, the user can proision storage to serers. Functions that require the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license Proision block storage. There are no license restrictions for proisioning file storage. Optimize storage tiering. Hyperisors Users who are assigned the Administrator role can also complete the following administratie actions: Add and remoe serers Schedule data collection jobs Proision storage to serers Modify Storage Resource agents Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about hyperisors Acknowledge hyperisor status Export hyperisor information to a file If a user who is assigned the Monitor role has permission to proision storage by using a serice class, the user can proision storage to hyperisors. Users who are assigned the Administrator role can also complete the following administratie actions: Add and remoe hyperisors Schedule data collection jobs Proision storage to hyperisors Administer connections Proision block storage. There are no license restrictions for proisioning file storage. Chapter 1. Configuring 19

30 Table 5. Role and license restrictions in the web-based GUI (continued) Resource or object Switches Functions aailable by role Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about switches Acknowledge switch status Open the management GUI or element manager for a switch Export switch information to a file Functions that require the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license Enable automatic zoning Fabrics Serice classes Users who are assigned the Administrator role can also complete the following administratie actions: Add and remoe switches Schedule data collection jobs Administer connections Enable automatic zoning Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about fabrics Acknowledge fabric status Export fabric information to a file Users who are assigned the Administrator role can also complete the following administratie actions: Add and remoe fabrics Schedule data collection jobs Administer connections Enable automatic zoning Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about serice classes Export serice class information to a file Users who are assigned the Administrator role can also complete the following administratie actions: Create serice classes Modify serice classes Delete serice classes Enable automatic zoning Create block-storage serice classes. There are no license restrictions for working with file-storage serice classes. 20 IBM Tioli Storage Productiity Center: Administrator's Guide

31 Table 5. Role and license restrictions in the web-based GUI (continued) Resource or object Capacity pools Functions aailable by role Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about capacity pools Export capacity pool information to a file Functions that require the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license All functions are aailable, depending on role. Applications and departments Users who are assigned the Administrator role can also complete the following administratie actions: Create capacity pools Modify capacity pools Delete capacity pools Users who are assigned the Monitor or Administrator role can complete the following monitoring actions: View information about applications and subcomponents View information about departments and subdepartments View related resources assigned to applications and departments Users who are assigned the Administrator role can also complete the following administratie actions: Create applications and departments Create filters to add resources Modify filters to change resources Remoe filters Add resources to applications directly Remoe resources from applications Add applications as members of other applications Create departments Add departments to other departments Add applications to departments All functions are aailable, depending on role. Functions aailable in the stand-alone GUI based on role and license When you use the stand-alone GUI, your Tioli Storage Productiity Center role and product license determine the functions that are aailable. Users who are assigned the Administrator role or the Monitor role can use the stand-alone GUI. The functions that are aailable depend on the role that is assigned to the user: Chapter 1. Configuring 21

32 Administrator role Users who are assigned the Administrator role hae access to all monitoring and administratie functions and are limited only by license restrictions. Monitor role Users who are assigned the Monitor role can iew data that is collected by Tioli Storage Productiity Center, and can create, generate, and sae reports. To use some functions of the stand-alone GUI, you must hae the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license. The following table outlines the functions that are restricted to the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license. The table mirrors the naigation tree of the stand-alone GUI. The table shows nodes of the naigation tree and indicates whether that function is aailable with all licenses, or whether the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license is required. Table 6. Functions with each Tioli Storage Productiity Center license Function Administratie Serices Data Sources 1 Tioli Storage Productiity Center or Storage Productiity Center Select Edition CIMOM agents Yes Yes Storage Resource agents Yes Yes Storage Subsystems Yes Yes TPC Serers No Yes VMWare VI Data Source Yes Yes Discoery Yes Yes Configuration Yes 2 Yes IBM Tioli Storage Productiity Center Job Management Yes Yes Reporting Yes Yes My Reports System Reports Rollup Reports Data Source Reports See Table 7 on page 24 for a list of aailable reports. Topology Viewer Yes Yes Monitoring (data collection) Probe Alert Configurations Yes Yes TPC Serer Probes No Yes Storage Resource Group Management Yes 5 Yes Analytics IBM SmartCloud Virtual Storage Center Storage Analytics Engine See Table 7 on page 24 for a list of aailable reports. Configuration History Configuration Analysis No No Yes Yes Alerting: 22 IBM Tioli Storage Productiity Center: Administrator's Guide

33 Table 6. Functions with each Tioli Storage Productiity Center license (continued) Function Tioli Storage Productiity Center or Storage Productiity Center Select Edition IBM SmartCloud Virtual Storage Center Storage Analytics Engine Authentication Configuration Alerts Alert Log Data Manager Monitoring: (data collection) Yes Yes Yes 3 Yes Groups Yes Yes Pings Yes Yes Scans No Yes Profiles No Yes Alerting Yes 4 Yes Policy Management No Yes Reporting Yes Yes Not all reports are aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license. See Table 7 on page 24 for a list of aailable reports. Data Manager for Databases No Yes Data Manager for Chargeback No Yes Disk Manager Storage Subsystem Yes Yes Monitoring (data collection) Groups Jobs Subsystem Performance Alert Configurations Alerting Yes Yes Reporting Yes Yes Yes Yes Yes Yes Groups Storage Subsystems Storage Subsystem Performance Yes Yes Yes Yes Yes Yes Fabric Manager Monitoring (data collection) Groups Yes Yes Switch Performance Alert Configurations Yes Yes Fabrics Yes Yes Chapter 1. Configuring 23

34 Table 6. Functions with each Tioli Storage Productiity Center license (continued) Tioli Storage Function Productiity Center or Storage Productiity Center Select Edition IBM SmartCloud Virtual Storage Center Storage Analytics Engine Alerting Yes Yes Switch Performance Yes Yes Replication Manager Yes Yes Note: 1. You cannot associate TPC Serers with Tioli Storage Productiity Center in the Tioli Storage Productiity Center or Storage Productiity Center Select license. VMware Data Sources are associated with the Tioli Storage Productiity Center or Storage Productiity Center Select license. TPC Serers are associated with the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license. 2. The following nodes under Configuration are not aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license: License Keys Quota and Constraint Address Rules Resource History Retention for Databases Remoed Resource Retention for Databases Configuration History Settings 3. The following nodes under Alert Log are not aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license: Directory User OS User Group Configuration Analysis 4. The following node under Data Manager > Alerting is not aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license: Directory Alerts. The node for Other NAS Alerts is aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license. 5. You cannot create a storage resource group for a type of capacity pool. Table 7. Aailable reports with each IBM Tioli Storage Productiity Center license Tioli Storage Reports Productiity Center or Storage Productiity Center Select IBM SmartCloud Virtual Storage Center Storage Analytics Engine Batch reports Yes 1, 2 Yes 1 System Reports: Data Yes 4 Yes Fabric Yes Yes Disk Yes Yes Rollup Reports No Yes Data Source Reports Yes Yes Asset reports 24 IBM Tioli Storage Productiity Center: Administrator's Guide

35 Table 7. Aailable reports with each IBM Tioli Storage Productiity Center license (continued) Reports Tioli Storage Productiity Center or Storage Productiity Center Select By Cluster Yes Yes By Computer Yes Yes By Hyperisor Yes Yes By IBM Storwize V7000 Unified/IBM Yes Yes SONAS Yes Yes By OS Type Yes Yes By Storage Subsystem Yes 3 Yes System-wide Aailability reports Yes Yes TPC-wide Storage Space reports: IBM SmartCloud Virtual Storage Center Storage Analytics Engine Disk Space Yes Yes File System Space Yes Yes Consumed File System Space Yes Yes Aailable File System Space Yes Yes Usage reports No Yes (these reports are a result of a scan) Usage Violation reports No Yes (these reports are a result of a scan) Backup reports: No Yes (these reports are a result of a scan) Monitored Computer Storage Space reports Yes Yes Storage Subsystem reports Yes Yes Storage Subsystem Performance reports Yes Yes Switch Performance reports Yes Yes Chapter 1. Configuring 25

36 Table 7. Aailable reports with each IBM Tioli Storage Productiity Center license (continued) Reports Note: Tioli Storage Productiity Center or Storage Productiity Center Select IBM SmartCloud Virtual Storage Center Storage Analytics Engine 1. A Storage Resource agent must be deployed on the computer where you want to run batch reports. 2. The following batch reports are not aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license: Rollup Usage Usage Violations Backup 3. The following Asset > System-wide reports are aailable with the IBM SmartCloud Virtual Storage Center Storage Analytics Engine license: Monitored Directories Unmanaged Computers Users OS User Groups 4. The following Data system reports are aailable with the Tioli Storage Productiity Center or Storage Productiity Center Select license: Disk Space Summary Disk Defects Computer Storage Aailability Computer Disk Space Aailable File System Space Tioli Common Reporting roles This topic proides a list of the predefined roles in IBM Tioli Common Reporting. Table 8. Roles in Tioli Common Reporting. Role administrator Description During installation of Tioli Common Reporting an administrator role is created by default. Logging in with this role allows you to access the user and group administration and report set authorizations features.. Changing the user authentication configuration The Tioli Storage Productiity Center installation program establishes a default authentication configuration by using the federated repositories feature of the IBM WebSphere Application Serer. You can change this authentication configuration. In the federated repositories framework, the Tioli Storage Productiity Center installation program creates the following repositories: 26 IBM Tioli Storage Productiity Center: Administrator's Guide

37 File-based user repository This repository contains the user tpcfileregistryuser. This user password is the same as the common user password that was entered during the Tioli Storage Productiity Center installation. Operating system repository In the federated repositories framework, the Tioli Storage Productiity Center installation program creates two repositories on the Tioli Storage Productiity Center WebSphere Application Serer web serer. This serer, which is located in the TPC_INSTALL_DIR/ewas/profiles/WebSererProfile directory, is used as the primary WebSphere Application Serer for user authentication in Tioli Storage Productiity Center. The Deice and Replication serers run on the WebSphere Application Serer Liberty Profile, and these serers are only configured with File-based user repository. If the web serer is down, the Deice serer and Replication serer are used as the backup serers to perform the user authentication and allow the user name that was proided during the Tioli Storage Productiity Center installation and the tpcfileregistryuser to log in to the Tioli Storage Productiity Center stand-alone GUI and Tioli Storage Productiity Center web-based GUI. You can add an LDAP repository after you install Tioli Storage Productiity Center. This configuration is completed on the WebSphere Integrated Solutions Console serer. The LDAP repository configuration settings are not propagated to the Deice and Replication serers. Therefore, if the web serer is down, the authorized LDAP users cannot log in to Tioli Storage Productiity Center stand-alone GUI and the Tioli Storage Productiity Center for Replication web-based GUI. The backup user authentication mechanism that is based on Deice and Replication serers allows the user name that was proided during the Tioli Storage Productiity Center installation and the tpcfileregistryuser to log in to the Tioli Storage Productiity Center stand-alone GUI and the Tioli Storage Productiity Center web-based GUI. On computers that are members of a Windows domain, the local OS repository also contains the domain users and groups that are managed by the Windows domain, if the computer is correctly configured with the Windows domain. The LDAP repositories that are supported by Tioli Storage Productiity Center depend on the WebSphere Application Serer support. For more information about the supported LDAP repositories, see the releant topic for your operating system and search for LDAP Serers using Federated Repository Configuration: For the Windows operating system, see dociew.wss?rs=180&uid=swg For the AIX operating system, see dociew.wss?rs=180&uid=swg For the Linux operating system, see dociew.wss?rs=180&uid=swg When you change the user authentication configuration by adding or remoing an LDAP repository in the federated repositories framework, you must first back up the existing WebSphere Application Serer configuration files. You must also back up the WebSphere configuration files after you add an LDAP repository to the user Chapter 1. Configuring 27

38 authentication configuration and want to later change the LDAP authentication settings. You also need to backup, and then restore the isc.ear file in the TIP_installation_directory. If these users or groups are present in more than one repository in the federated repositories framework, the WebSphere Application Serer cannot resole duplicated users or groups. An example of a duplicated user is, for example, when an Administrator user exists in both the local OS and LDAP repository. You must ensure that the duplicated users (or groups) are not used during the configuration or to manage Tioli Storage Productiity Center. Adding an LDAP repository to the federated repositories You can configure Tioli Storage Productiity Center and Jazz for Serice Management to communicate with an external Lightweight Directory Access Protocol (LDAP) repository, such as IBM Tioli Directory Serer or Microsoft Actie Directory. When you change the authentication configuration, Tioli Storage Productiity Center is aailable to users and groups in other repositories. Important: When you install Tioli Storage Productiity Center on a computer that is a member of a Windows domain, Actie Directory users and groups also exist in the local OS repository. To determine whether the Actie Directory users exist in the local OS repository, log in to the WebSphere Integrated Solutions Console and click Users and Groups > Manage users. If the Actie Directory users exist in the local OS repository, you should not add that same Actie Directory as an LDAP repository to the federated repositories in Tioli Storage Productiity Center Version Important: The IBM WebSphere Application Serer cannot resole duplicated users or groups when these users or groups are present in more than one repository in the federated repositories framework. For example, an Administrator user can exist in both the local OS and LDAP repository. You must ensure that the duplicated users (or groups) are not used during the configuration or to manage Tioli Storage Productiity Center. Tioli Storage Productiity Center and Jazz for Serice Management each hae their own WebSphere Application Serer instance. You must configure both of these WebSphere instances to communicate with the LDAP repository. The procedure to configure these instances are almost identical, so the steps are proided only once. You must repeat the steps to configure both of these WebSphere Application Serer instances with the LDAP repository. The WebSphere Application Serer instance in Tioli Storage Productiity Center is also called the web serer. This procedure uses the ariable name WebSphere_Directory to indicate where WebSphere Application Serer is located. The location of the WebSphere Application Serer directory is different for each instance: The Jazz for Serice Management WebSphere Application Serer directory: JAZZSM_INSTALL_DIR/profile The Tioli Productiity WebSphere Application Serer or web serer directory: TPC_INSTALL_DIR/ewas/profiles/WebSererProfile 28 IBM Tioli Storage Productiity Center: Administrator's Guide

39 Important: Some of the field names can be different between the Tioli Storage Productiity Center WebSphere instance and the Jazz for Serice Management WebSphere instance. To add an LDAP repository to the federated repositories in Tioli Storage Productiity Center or Jazz for Serice Management, complete the following steps: Tip: If you need assistance, contact your LDAP serer administrator. 1. Before you add an LDAP repository to the federated repositories, complete the following steps: Important: If you log in by using a Windows domain user name, before you run the backup commands, click Start > Command Prompt and select Run as administrator. a. Back up the WebSphere Application Serer configuration for the Tioli Storage Productiity Center instance of WebSphere Application Serer and back up the WebSphere Application Serer configuration for the Jazz for Serice Management instance of WebSphere Application Serer. On Windows operating systems, run the following command: WebSphere_Directory\bin\backupConfig.bat -username adminuser -password adminpassword -nostop In the WebSphere Application Serer configurations for Tioli Storage Productiity Center and Jazz for Serice Management, adminuser is the user name that was used to install Tioli Storage Productiity Center (for example, db2admin) or Jazz for Serice Management (for example smadmin), and adminpassword is the password that is associated with adminuser. Tip: If you completed a default installation on the Windows operating system: The Tioli Storage Productiity Center WebSphere Application Serer directory is located here: C:\Program Files\IBM\TPC\ewas\profiles\ WebSererProfile\ The Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On AIX or Linux operating systems, run the following command: WebSphere_Directory/bin/backupConfig.sh -username adminuser -password adminpassword -nostop In the WebSphere Application Serer configurations for Tioli Storage Productiity Center and Jazz for Serice Management, adminuser is the user name that was used to install Tioli Storage Productiity Center (for example, db2inst1) or Jazz for Serice Management (for example smadmin), and adminpassword is the password that is associated with adminuser. Tip: If you completed a default installation on the AIX or Linux operating system: The Tioli Storage Productiity Center WebSphere Application Serer directory is located here: /opt/ibm/tpc/ewas/profiles/websererprofile/ Chapter 1. Configuring 29

40 Jazz for Serice Management WebSphere Application Serer directory is located here: /opt/ibm/jazzsm/profile/ b. Back up the soap.client.props file for the Tioli Storage Productiity Center instance of WebSphere Application Serer. On the Windows operating system, run the copy command to back up this file: WebSphere_Directory\properties\soap.client.props Tip: If you completed a default installation on the Windows operating system, the Tioli Storage Productiity Center Version soap.client.props file is in this directory: C:\Program Files\IBM\TPC\ewas\profiles\WebSererProfile \properties\ On the AIX or Linux operating systems, run the cp command to back up this file: WebSphere_Directory/properties/soap.client.props Tip: If you completed a default installation on the AIX or Linux operating systems, the Tioli Storage Productiity Center Version soap.client.props file is in this directory: /opt/ibm/tpc/ewas/profiles/websererprofile/properties c. Back up the IBM Cognos.ear directory for the Jazz for Serice Management WebSphere Application Serer. On the Windows operating system, run the xcopy command to back up this directory: WebSphere_Directory\installedApps\JazzSMNode01Cell \IBM Cognos.ear Tip: If you completed a default installation on the Windows operating system, the Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On the AIX or Linux operating systems, run the cp command to back up this directory: WebSphere_Directory/installedApps/JazzSMNode01Cell /IBM Cognos.ear Tip: If you completed a default installation on the AIX or Linux operating systems, the Jazz for Serice Management WebSphere Application Serer directory is located here: /opt/ibm/jazzsm/profile/ Tip: The default cell name JazzSMNode01Cell is used in the sample commands. If you did not use the default cell name when you installed Jazz for Serice Management, you must specify the correct cell name in this step. 2. In the eent of a problem when you add an LDAP repository, complete the following steps to restore the items you backed up in step 1: a. Run the restoreconfig.sh or the restoreconfig.bat command to restore the WebSphere Application Serer configuration for the Tioli Storage Productiity Center instance of WebSphere Application Serer and restore the WebSphere Application Serer configuration for the Jazz for Serice 30 IBM Tioli Storage Productiity Center: Administrator's Guide

41 Management instance of WebSphere Application Serer. The restoreconfig command is in one of the following directories: On the Windows operating system, go to this directory: WebSphere_directory/bin/restoreConfig.bat Tip: If you completed a default installation on the Windows operating system: The Tioli Storage Productiity Center WebSphere Application Serer directory is located here: C:\Program Files\IBM\TPC\ewas\profiles\WebSererProfile\ The Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On the AIX or Linux operating system, go to this directory: WebSphere_directory/bin/restoreConfig.sh Tip: If you completed a default installation on the AIX or Linux operating system, the Tioli Storage Productiity Center Version soap.client.propsis in this directory: /opt/ibm/tpc/ewas/profiles/websererprofile/properties b. Restore the soap.client.props file for the Tioli Storage Productiity Center instance of WebSphere Application Serer. On the Windows operating system, run the copy command to restore this file: WebSphere_Directory\properties\soap.client.props Tip: If you completed a default installation on the Windows operating system, the Tioli Storage Productiity Center Version soap.client.props is in this directory: C:\Program Files\IBM\TPC\ewas\profiles\WebSererProfile\properties\ On the AIX or Linux operating system, run the cp command to restore this file: WebSphere_Directory/properties/soap.client.props Tip: If you completed a default installation on the AIX or Linux operating systems, the Tioli Storage Productiity Center Version soap.client.props is in this directory: /opt/ibm/tpc/ewas/profiles/websererprofile/ c. Restore the IBM Cognos.ear directory for the Jazz for Serice Management WebSphere Application Serer. On the Windows operating system, run the xcopy command to restore this directory: WebSphere_Directory\installedApps\JazzSMNode01Cell\IBM Cognos.ear Tip: If you completed a default installation on the Windows operating system, the Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On the AIX or Linux operating systems, run the cp command to restore this directory: WebSphere_Directory/installedApps/JazzSMNode01Cell/IBM Cognos.ear Chapter 1. Configuring 31

42 Note: The default cell name JazzSMNode01Cell is used in the sample commands. If you did not use the default cell name when you installed Jazz for Serice Management, you must specify the correct cell name in this step. Tip: If you completed a default installation on the AIX or Linux operating systems, the Jazz for Serice Management WebSphere Application Serer directory is located here: /opt/ibm/jazzsm/profile/ d. Restart the Tioli Storage Productiity Center web serer and the Jazz for Serice Management serer. The execution of the restoreconfig command stops those WebSphere Application Serer instances. For information about starting the Tioli Storage Productiity Center web serer or Jazz for Serice Management serer, see the Tioli Storage Productiity Center information center. Search for Starting the Tioli Storage Productiity Center serices. 3. To access the WebSphere Integrated Solutions Console, complete one of the following tasks: For Tioli Storage Productiity Center: a. Log in to the Tioli Storage Productiity Center web-based GUI. You must log in to the Tioli Storage Productiity Center web-based GUI with a user name that has the Administrator role. b. Go to Settings > User Management. c. On the User Management page, click Modify authentication mechanism. For Jazz for Serice Management, open a web browser, and enter one of the following web addresses in the address field: The hostname is the serer that is running Jazz for Serice Management, such as the serer name or IP address, and port is the port number for the Jazz for Serice Management instance of WebSphere Application Serer. The port number differs depending on which protocol that you use (http or https) and the options that you selected when you installed Jazz for Serice Management. To determine the port number for the Jazz for Serice Management instance of WebSphere Application Serer, complete the following steps: a. Open the WebSphere_Directory/properties/portdef.props file. b. The port number is the alue that is assigned to one of the following keys: For protocols that are not secure (for example, WC_adminhost For protocols that are secure (for example, WC_adminhost_secure 4. Log in to the WebSphere Integrated Solutions Console. If you are logging into the Tioli Storage Productiity Center instance of the WebSphere Integrated Solutions Console, log in by using the Tioli Storage Productiity Center common user name. If you are logging into the Jazz for Serice Management instance of the WebSphere Integrated Solutions Console, log in by using the Jazz for Serice Management user name that was created when you installed Jazz for Serice Management. 32 IBM Tioli Storage Productiity Center: Administrator's Guide

43 5. In the WebSphere Integrated Solutions Console naigation tree, click Security > Global security. 6. On the Global security page, in the User account repository section, click Configure next to the Aailable realm definitions menu. Figure 1. Global security page, configure federated repositories 7. On the Global security > Federated repositories page, under Related Items, click the Manage repositories link. Chapter 1. Configuring 33

44 Figure 2. Federated repositories page, Manage repositories 8. On the Global security > Federated repositories > Manage repositories page, add the LDAP repository that you want to use for authentication. To add the LDAP repository, complete these steps: a. Click Add > LDAP repository to add a new repository. 34 IBM Tioli Storage Productiity Center: Administrator's Guide

45 Figure 3. Manage repositories page, Add a new repository b. Enter the alues for the following fields: Repository identifier A unique identifier for the LDAP repository, which identifies the repository in the realm, for example, LDAP1. Directory type The type of LDAP serer to which you want to connect. Primary host name The host name of the primary LDAP serer. This host name is either an IP address or a domain name serice (DNS) name. Port The LDAP serer port. The default alue is 389. Depending on your LDAP serer configuration, you can specify a different port. If you do not know which port to use, contact your LDAP serer administrator. Bind distinguished name The distinguished name (DN) for WebSphere Application Serer to use when it binds to the LDAP repository. If no name is specified, WebSphere Application Serer binds anonymously to the LDAP repository. In most cases, bind DN and bind password are required. Howeer, when an anonymous bind can satisfy all of the required functions, bind DN and bind password are not required. Chapter 1. Configuring 35

46 If you are not sure whether an anonymous bind has satisfied the required functions, contact your LDAP serer administrator. Attention: There is no single alue for the Bind distinguished name field that is correct for eery Actie Directory Serer or for eery LDAP serer. The correct alue for the Bind distinguished name field depends on the configuration of your Actie Directory Serer or your LDAP serer. If you are unsure about the correct alue to use for the Bind distinguished name field, contact your LDAP serer administrator. Bind password The password for WebSphere Application Serer to use when you bind to the LDAP repository. Login properties The authentication properties that are used to log on to WebSphere Application Serer. Type uid;cn in this field. This alue enables WebSphere Application Serer to use the property that is required for the directory type. Figure 4. Manage repositories > New page c. Click OK. d. In the messages dialog box that is displayed on the Manage repositories page, click the Sae link in Sae directly to the master configuration. Important: On the Global security > Federated repositories > Manage repositories page, do not delete the local OS repository. 9. From the Manage repositories page, return to the Global security > Federated repositories page. 10. In the Repositories in the realm panel, click Add Base entry to Realm. Tip: In the Jazz for Serice ManagementWebSphere Integrated Solutions Console, the label for this button is Add repositories (LDAP, custom, etc). 36 IBM Tioli Storage Productiity Center: Administrator's Guide

47 Important: Do not change the Primary Administrator user name. Figure 5. Global security > Federated repositories page, Add base entry to realm 11. If the Messages dialog box is displayed on the Repository reference page, click the Sae link in Sae directly to the master configuration. 12. On the Repository reference page, configure the following items: a. In the Repository list, select the repository that you created in step 8 on page 34. b. In the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field, enter a DN for the repository. This DN maps to the DN of the base entry in the LDAP repository that you entered in the Distinguished name of a base entry in this repository field. Tip: In Jazz for Serice Management WebSphere Integrated Solutions Console, the label for this field is Unique distinguished name of the base (or parent) entry in federated repositories. To aoid duplicate results during searches, the DN must uniquely identify the base entry in the repository. If multiple repositories are included in the realm and the repositories hae the same base entry, use this field to define a DN that uniquely identifies each base entry. For example, repositories LDAP1 and LDAP2 might both use o=ibm,c=us as the base entry in the repository. Enter a DN in this field that distinguishes the base entries for each repository. For example: o=ibm,c=us for LDAP1 and o=ibm2,c=us for LDAP2. Chapter 1. Configuring 37

48 c. In the Distinguished name of a base entry in this repository field, enter the DN of the base entry in the LDAP repository that you want to map to the DN that you entered in the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field. In most instances, the alue is the same in both fields. The alue in this field indicates the starting point for searches in the LDAP directory serer. For example, for a user with a DN of cn=john Doe, ou=rochester, o=ibm, c=us, you can specify the LDAP base entry as any of the following options: ou=rochester, o=ibm, c=us o=ibm, c=us c=us Important: The DN alue that is entered in this field must be broad enough to include both users and the groups to which the users belong. For example, if a user in ou=rochester, o=ibm, c=us is also a member of groups that are in dc=stategroups, ou=rochester, o=ibm, c=us, enter o=ibm, c=us in this field. Tip: In the Jazz for Serice ManagementWebSphere Integrated Solutions Console, the label for this field is Distinguished name of a subtree in the main repository. You must first select the Distinguished name in the repository is different check box and then enter a alue in the Distinguished name of a subtree in the main repository field. In most instances, you will enter the same alue in the Unique distinguished name of the base (or parent) entry in federated repositories field and the Distinguished name of a subtree in the main repository field. d. Click OK. 38 IBM Tioli Storage Productiity Center: Administrator's Guide

49 Figure 6. Global security > Federated repositories > Repository reference page, Add base entry to realm e. In the messages dialog box that is displayed, click the Sae link in Sae directly to the master configuration. Important: In the Repositories in the realm table, do not remoe the localos entry or the InternalFileRepository entry. 13. Log out of the WebSphere Integrated Solutions Console. 14. Log out of the web-based GUI. 15. Stop and restart Tioli Storage Productiity Center web serer or Jazz for Serice Management serer. For information about stopping and starting the Tioli Storage Productiity Center web serer or Jazz for Serice Management serer, see the Tioli Storage Productiity Center information center. Search for Starting and stopping the Tioli Storage Productiity Center serices. To erify that the LDAP federated repository is configured correctly, complete the following steps: 1. Log in to the WebSphere Integrated Solutions Console by using the same user name and password from step 5 on page 33. Tip: If you try to log in to the WebSphere Integrated Solutions Console by using a local OS user name or a domain user name, an error message states that the user name or password is inalid. This error may occur because the Chapter 1. Configuring 39

50 user name that you are using to log in to the WebSphere Integrated Solutions Console exists in the LDAP federated repository that you just added. To resole this issue, complete one of the following tasks: For local OS user names, add the computer name as a prefix to the user name For domain user names, add the domain name as a prefix to the user name 2. In the WebSphere Integrated Solutions Console naigation tree, click Users and Groups > Manage Users. 3. In the Search by list, select User ID. 4. Click Search to search for users in the federated repositories. The list of users includes users from the local file repository, the operating system repository, and the LDAP repository. 5. In the WebSphere Integrated Solutions Console naigation tree, click Users and Groups > Manage Groups. 6. In the Search by list, select Group name. 7. Click Search to search for groups in the federated repositories. The list of groups includes groups from the operating system repository and the LDAP repository. After adding an LDAP repository to the federated repositories for Tioli Storage Productiity Center or Jazz for Serice Management, you must establish the authorization configuration before you can log in to Tioli Storage Productiity Center, Tioli Storage Productiity Center for Replication, or Jazz for Serice Management with LDAP credentials. When you establish the authorization configuration, you assign users and/or groups to roles for each application. Important: Before you establish the authorization configuration for Tioli Storage Productiity Center, Tioli Storage Productiity Center for Replication, or Jazz for Serice Management, ensure that there are no duplicated user names or group names in the local file repository, the operating system repository, and the LDAP repository. For Tioli Storage Productiity Center LDAP configurations, you must add the group from the LDAP serer to Tioli Storage Productiity Center. In the Tioli Storage Productiity Center web-based GUI, click Settings > User Management to assign the roles to the user groups. For more information about assigning these roles to groups, see Role-based authorization. For Tioli Storage Productiity Center for Replication LDAP configurations, you must add the LDAP group in the Tioli Storage Productiity Center for Replication GUI. You can then log in by using the LDAP user name. For information about assigning roles to users and roles to groups for Tioli Storage Productiity Center for Replication, see Security. For information about assigning roles in Jazz for Serice Management, see com.ibm.psc.doc_ /admin/psc_ctr_admin_users_groups.html. 40 IBM Tioli Storage Productiity Center: Administrator's Guide

51 Enabling secure communication between Tioli Storage Productiity Center and the LDAP repository You can use the Secure Socket Layer (SSL) protocol to secure the communication between Tioli Storage Productiity Center and the LDAP repository that you are using for user authentication. The SSL protocol proides security and data integrity for communications oer Transmission Control Protocol/Internet Protocol (TCP/IP) networks. Tioli Storage Productiity Center and Jazz for Serice Management hae their own WebSphere Application Serer instance. You can configure both these WebSphere instances to communicate with LDAP repository. The procedure to configure these instances are almost identical, so the steps are proided only once. You must repeat the steps to configure both of these WebSphere Application Serer instances with the LDAP repository. The WebSphere Application Serer instance in Tioli Storage Productiity Center is also called the web serer. The location of the WebSphere Application Serer directory is different for each instance: The Jazz for Serice Management WebSphere Application Serer directory: JAZZSM_INSTALL_DIR/profile The Tioli Productiity WebSphere Application Serer or web serer directory: TPC_INSTALL_DIR/ewas/profiles/WebSererProfile To enable SSL for LDAP communications, you must complete the following steps in the WebSphere Integrated Solutions Console: 1. To access the WebSphere Integrated Solutions Console, complete one of the following tasks: For Tioli Storage Productiity Center: a. Log in to the Tioli Storage Productiity Center web-based GUI. You must log in to the Tioli Storage Productiity Center web-based GUI with a user name that has the Administrator role. b. Go to Settings > User Management. c. On the User Management page, click Modify authentication mechanism. For Jazz for Serice Management, open a web browser, and enter one of the following web addresses in the address field: The hostname is the serer that is running Jazz for Serice Management, such as the serer name or IP address, and port is the port number for the Jazz for Serice Management instance of WebSphere Application Serer. The port number differs depending on which protocol that you use (http or https) and the options that you selected when you installed Jazz for Serice Management. To determine the port number for the Jazz for Serice Management instance of WebSphere Application Serer, complete the following steps: a. Open the WebSphere_Directory/properties/portdef.props file. b. The port number is the alue that is assigned to one of the following keys: For protocols that are not secure (for example, WC_adminhost Chapter 1. Configuring 41

52 For protocols that are secure (for example, WC_adminhost_secure 2. Log in to the WebSphere Integrated Solutions Console. If you are logging into the Tioli Storage Productiity Center instance of the WebSphere Integrated Solutions Console, log in by using the Tioli Storage Productiity Center common user name. If you are logging into the Jazz for Serice Management instance of the WebSphere Integrated Solutions Console, log in by using the Jazz for Serice Management user name that was created when you installed Jazz for Serice Management. 3. In the WebSphere Integrated Solutions Console naigation tree, click Security > SSL certificate and key management. 4. On the SSL certificate and key management page, in the Related Items section, click Key stores and certificates. 5. On the SSL certificate and key management > Key stores and certificates page, in the table, click NodeDefaultTrustStore. 6. On the SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore page, in the Additional Properties section, click Signer Certificates. If the existing certificate has expired, complete the following steps: a. Click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. b. Select the expired certificated, and click Delete. 7. On the SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer Certificates page, click Retriee from port. 8. On the SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer Certificates > Signer Certificates > Retriee from port page, enter the alues for the following fields: Host Port The fully qualified host name and domain name of your LDAP-compliant repository. The port where the LDAP repository is listening for secure communications; this port is usually 636. SSL configuration for outbound connection Accept the default alue. Alias An alias name for the retrieed certificate (for example, LDAPCert) 9. Click Retriee signer information. 10. When the signer information is displayed, click OK. 11. In the messages dialog box that is displayed on the Signer certificates page, click the Sae link in Sae directly to the master configuration. 12. In the WebSphere Integrated Solutions Console naigation tree, click Security > Global security. 13. On the Global security page, in the User account repository section, click Configure next to the Aailable realm definitions menu. 14. On the Global security > Federated repositories page, under Related Items, click the Manage repositories link. 15. On the Global security > Federated repositories > Manage repositories page, click the identifier for the LDAP repository for which you want to enable the SSL protocol. 16. On the configuration page for the LDAP repository, configure the following items: 42 IBM Tioli Storage Productiity Center: Administrator's Guide

53 a. In the Port field, enter the port where your LDAP repository is listening for secure communications; this port is usually 636. b. Select the Require SSL communications check box. c. Select Use specific SSL alias and select the alias that was created in step 8 on page 42. Click OK. 17. On the Global security > Federated repositories > Manage repositories page, click the Sae link in Sae directly to the master configuration. 18. Log out from the WebSphere Integrated Solutions Console. 19. Stop and restart Tioli Storage Productiity Center web serer or Jazz for Serice Management serer. For information about stopping and starting the serer, see Starting and stopping the Tioli Storage Productiity Center serers on page 196. Disabling secure communication between Tioli Storage Productiity Center and the LDAP repository You can disable the Secure Socket Layer (SSL) protocol between the LDAP repository and the Tioli Storage Productiity Center system at any time. Tioli Storage Productiity Center and Jazz for Serice Management hae their own IBM WebSphere Application Serer instance. You can disable the use of SSL for LDAP communications in both of these WebSphere instances. The procedure to modify these instances are almost identical, so the steps are proided only once. You must repeat the steps to disable the use of SSL for LDAP communications in both of these WebSphere Application Serer instances. The location of the WebSphere Application Serer directory is different for each instance: The Jazz for Serice Management WebSphere Application Serer directory: JAZZSM_INSTALL_DIR/profile The Tioli Productiity WebSphere Application Serer or web serer directory: TPC_INSTALL_DIR/ewas/profiles/WebSererProfile To disable the use of SSL for LDAP communications, complete the following steps in the WebSphere Integrated Solutions Console: 1. To access the WebSphere Integrated Solutions Console, complete one of the following tasks: For Tioli Storage Productiity Center: a. Log in to the Tioli Storage Productiity Center web-based GUI. You must log in to the Tioli Storage Productiity Center web-based GUI with a user name that has the Administrator role. b. Go to Settings > User Management. c. On the User Management page, click Modify authentication mechanism. For Jazz for Serice Management, open a web browser, and enter one of the following web addresses in the address field: The hostname is the serer that is running Jazz for Serice Management, such as the serer name or IP address, and port is the port number for the Jazz for Serice Management instance of WebSphere Application Serer. The Chapter 1. Configuring 43

54 port number differs depending on which protocol that you use (http or https) and the options that you selected when you installed Jazz for Serice Management. To determine the port number for the Jazz for Serice Management instance of WebSphere Application Serer, complete the following steps: a. Open the WebSphere_Directory/properties/portdef.props file. b. The port number is the alue that is assigned to one of the following keys: For protocols that are not secure (for example, WC_adminhost For protocols that are secure (for example, WC_adminhost_secure 2. Log in to the WebSphere Integrated Solutions Console. If you are logging into the Tioli Storage Productiity Center instance of the WebSphere Integrated Solutions Console, log in by using the Tioli Storage Productiity Center common user name. If you are logging into the Jazz for Serice Management instance of the WebSphere Integrated Solutions Console, log in by using the Jazz for Serice Management user name that was created when you installed Jazz for Serice Management. 3. In the WebSphere Integrated Solutions Console naigation tree, click Security > Global security. 4. On the Global security page, in the User account repository section, click Configure next to the Aailable realm definitions menu. 5. On the Global security > Federated repositories page, under Related Items, click the Manage repositories link. 6. On the Global security > Federated repositories > Manage repositories page, click the identifier for the LDAP repository for which you want to disable the SSL protocol. 7. On the configuration page for the LDAP repository, configure the following items: a. In the Port field, enter the port where your LDAP repository is listening for nonsecure communications; this port is usually 389. b. Clear the Require SSL communications check box. Click OK. 8. In the messages dialog that is displayed on the Global Security > Federated repositories > Manage repositories page, click the, click the Sae link in Sae directly to the master configuration. 9. Log out from the WebSphere Integrated Solutions Console. 10. Stop and restart Tioli Storage Productiity Center web serer or Jazz for Serice Management serer. For information about stopping and starting the serer, see Starting and stopping the Tioli Storage Productiity Center serers on page 196. Remoing an LDAP repository from the federated repositories To remoe an LDAP repository from the federated repositories, you must use the IBM WebSphere Integrated Solutions Console. If remoing an LDAP repository from the federated repositories in Tioli Storage Productiity Center leaes only the local OS repository and the file-based repository, the use of the Tioli Storage Productiity Center single sign-on feature 44 IBM Tioli Storage Productiity Center: Administrator's Guide

55 is limited. Storage system element managers do not support the local OS repository for single sign-on, een if the element manager is installed on the same system as Tioli Storage Productiity Center. The location of the WebSphere Application Serer directory is different for each instance: The Jazz for Serice Management WebSphere Application Serer directory: JAZZSM_INSTALL_DIR/profile The Tioli Storage Productiity Center WebSphere Application Serer or web serer directory: TPC_INSTALL_DIR/ewas/profiles/WebSererProfile To remoe an LDAP repository to the federated repositories in Tioli Storage Productiity Center or Jazz for Serice Management, complete the following steps: 1. Before you remoe an LDAP repository to the federated repositories, complete the following steps: Important: If you log in by using a Windows domain user name, before you run the backup commands, click Start > Command Prompt and select Run as administrator. a. Back up the WebSphere Application Serer configuration for the Tioli Storage Productiity Center instance of WebSphere Application Serer and back up the WebSphere Application Serer configuration for the Jazz for Serice Management instance of WebSphere Application Serer. On Windows operating systems, run the following command: WebSphere_Directory\bin\backupConfig.bat -username adminuser -password adminpassword -nostop In the WebSphere Application Serer configurations for Tioli Storage Productiity Center and Jazz for Serice Management, adminuser is the user name that was used to install Tioli Storage Productiity Center (for example, db2admin) or Jazz for Serice Management (for example smadmin), and adminpassword is the password that is associated with adminuser. Tip: If you completed a default installation on the Windows operating system: The Tioli Storage Productiity Center WebSphere Application Serer directory is located here: C:\Program Files\IBM\TPC\ewas\profiles\ WebSererProfile\ The Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On AIX or Linux operating systems, run the following command: WebSphere_Directory/bin/backupConfig.sh -username adminuser -password adminpassword -nostop In the WebSphere Application Serer configurations for Tioli Storage Productiity Center and Jazz for Serice Management, adminuser is the user name that was used to install Tioli Storage Productiity Center (for example, db2inst1) or Jazz for Serice Management (for example smadmin), and adminpassword is the password that is associated with adminuser. Chapter 1. Configuring 45

56 Tip: If you completed a default installation on the AIX or Linux operating system: The Tioli Storage Productiity Center WebSphere Application Serer directory is located here: /opt/ibm/tpc/ewas/profiles/websererprofile/ Jazz for Serice Management WebSphere Application Serer directory is located here: /opt/ibm/jazzsm/profile/ b. Back up the soap.client.props file for the Tioli Storage Productiity Center instance of WebSphere Application Serer. On the Windows operating system, run the copy command to back up this file: WebSphere_Directory\properties\soap.client.props Tip: If you completed a default installation on the Windows operating system, the Tioli Storage Productiity Center Version 5.2 soap.client.props file is in this directory: C:\Program Files\IBM\TPC\ewas\profiles\WebSererProfile \properties\ On the AIX or Linux operating systems, run the cp command to back up this file: WebSphere_Directory/properties/soap.client.props Tip: If you completed a default installation on the AIX or Linux operating systems, the Tioli Storage Productiity Center Version 5.2 soap.client.props file is in this directory: /opt/ibm/tpc/ewas/profiles/websererprofile/properties c. Back up the IBM Cognos.ear directory for the Jazz for Serice Management WebSphere Application Serer. On the Windows operating system, run the xcopy command to back up this directory: WebSphere_Directory\installedApps\JazzSMNode01Cell \IBM Cognos.ear Tip: If you completed a default installation on the Windows operating system, the Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On the AIX or Linux operating systems, run the cp command to back up this directory: WebSphere_Directory/installedApps/JazzSMNode01Cell /IBM Cognos.ear Tip: If you completed a default installation on the AIX or Linux operating systems, the Jazz for Serice Management WebSphere Application Serer directory is located here: /opt/ibm/jazzsm/profile/ Tip: The default cell name JazzSMNode01Cell is used in the sample commands. If you did not use the default cell name when you installed Jazz for Serice Management, you must specify the correct cell name in this step. 46 IBM Tioli Storage Productiity Center: Administrator's Guide

57 2. In the eent of a problem when you remoe an LDAP repository, complete the following steps to restore the items you backed up in step 1: a. Run the restoreconfig.sh or the restoreconfig.bat command to restore the WebSphere Application Serer configuration for the Tioli Storage Productiity Center instance of WebSphere Application Serer and restore the WebSphere Application Serer configuration for the Jazz for Serice Management instance of WebSphere Application Serer. The restoreconfig command is in one of the following directories: On the Windows operating system, go to this directory: WebSphere_directory/bin/restoreConfig.bat Tip: If you completed a default installation on the Windows operating system: The Tioli Storage Productiity Center WebSphere Application Serer directory is located here: C:\Program Files\IBM\TPC\ewas\profiles\WebSererProfile\ The Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On the AIX or Linux operating system, go to this directory: WebSphere_directory/bin/restoreConfig.sh Tip: If you completed a default installation on the AIX or Linux operating system, the Tioli Storage Productiity Center Version 5.2 soap.client.propsis in this directory: /opt/ibm/tpc/ewas/profiles/websererprofile/properties b. Restore the soap.client.props file for the Tioli Storage Productiity Center instance of WebSphere Application Serer. On the Windows operating system, run the copy command to restore this file: WebSphere_Directory\properties\soap.client.props Tip: If you completed a default installation on the Windows operating system, the Tioli Storage Productiity Center Version 5.2 soap.client.props is in this directory: C:\Program Files\IBM\TPC\ewas\profiles\WebSererProfile\properties\ On the AIX or Linux operating system, run the cp command to restore this file: WebSphere_Directory/properties/soap.client.props Tip: If you completed a default installation on the AIX or Linux operating systems, the Tioli Storage Productiity Center Version 5.2 soap.client.props is in this directory: /opt/ibm/tpc/ewas/profiles/websererprofile/ c. Restore the IBM Cognos.ear directory for the Jazz for Serice Management WebSphere Application Serer. On the Windows operating system, run the xcopy command to restore this directory: WebSphere_Directory\installedApps\JazzSMNode01Cell\IBM Cognos.ear Chapter 1. Configuring 47

58 Tip: If you completed a default installation on the Windows operating system, the Jazz for Serice Management WebSphere Application Serer directory is located here: C:\Program Files\IBM\JazzSM\profile\ On the AIX or Linux operating systems, run the cp command to restore this directory: WebSphere_Directory/installedApps/JazzSMNode01Cell/IBM Cognos.ear Note: The default cell name JazzSMNode01Cell is used in the sample commands. If you did not use the default cell name when you installed Jazz for Serice Management, you must specify the correct cell name in this step. Tip: If you completed a default installation on the AIX or Linux operating systems, the Jazz for Serice Management WebSphere Application Serer directory is located here: /opt/ibm/jazzsm/profile/ d. Restart the Tioli Storage Productiity Center web serer and the Jazz for Serice Management serer. The execution of the restoreconfig command stops those WebSphere Application Serer instances. For information about starting the Tioli Storage Productiity Center web serer or Jazz for Serice Management serer, see the Tioli Storage Productiity Center information center. Search for Starting the Tioli Storage Productiity Center serices. 3. To access the WebSphere Integrated Solutions Console, complete one of the following tasks: For Tioli Storage Productiity Center: a. Log in to the Tioli Storage Productiity Center web-based GUI. You must log in to the Tioli Storage Productiity Center web-based GUI with a user name that has the Administrator role. b. Go to Settings > User Management. c. On the User Management page, click Modify authentication mechanism. For Jazz for Serice Management, open a web browser, and enter one of the following web addresses in the address field: The hostname is the serer that is running Jazz for Serice Management, such as the serer name or IP address, and port is the port number for the Jazz for Serice Management instance of WebSphere Application Serer. The port number differs depending on which protocol that you use (http or https) and the options that you selected when you installed Jazz for Serice Management. To determine the port number for the Jazz for Serice Management instance of WebSphere Application Serer, complete the following steps: a. Open the WebSphere_Directory/properties/portdef.props file. b. The port number is the alue that is assigned to one of the following keys: For protocols that are not secure (for example, WC_adminhost 48 IBM Tioli Storage Productiity Center: Administrator's Guide For protocols that are secure (for example,

59 WC_adminhost_secure 4. Log in to the WebSphere Integrated Solutions Console. If you are logging into the Tioli Storage Productiity Center instance of the WebSphere Integrated Solutions Console, log in by using the Tioli Storage Productiity Center common user name. If you are logging into the Jazz for Serice Management instance of the WebSphere Integrated Solutions Console, log in by using the Jazz for Serice Management user name that was created when you installed Jazz for Serice Management. 5. On the WebSphere Integrated Solutions Console naigation tree, click Security > Global Security. Figure 7. Opening the Global security page 6. On the Global security page, in the User account repository section, click Configure next to the Aailable realm definitions menu. Chapter 1. Configuring 49

60 Figure 8. Configuring the aailable realm definitions 7. On the Global security > Federated repositories page, in the Repositories in the realm table, select the entry for the LDAP repository you preiously added, and click Remoe. 50 IBM Tioli Storage Productiity Center: Administrator's Guide

61 Figure 9. Remoing the LDAP repository 8. In the message dialog box that is displayed on the Federated repositories page, click the Sae link in Sae directly to the master configuration. 9. On the Global security > Federated repositories page, under Related items, click Manage repositories. Chapter 1. Configuring 51

62 Figure 10. Managing the repositories 10. On the Global security > Federated repositories > Manage repositories page, select the entry for the LDAP repository that you preiously added and click Delete. 52 IBM Tioli Storage Productiity Center: Administrator's Guide

63 Figure 11. Deleting the LDAP repository 11. In the message dialog box that is displayed on the Manage repositories page, click the Sae link in Sae directly to the master configuration. 12. Log out from the WebSphere Integrated Solutions Console. 13. Log out of the web-based GUI. 14. Stop and restart the Tioli Storage Productiity Center web serer or Jazz for Serice Management serer. For information about stopping and starting the serer, see Starting and stopping the Tioli Storage Productiity Center serers on page 196. Important: Before you establish the authorization configuration for the WebSphere Integrated Solutions Console, Tioli Storage Productiity Center, and Tioli Storage Productiity Center for Replication, you must ensure that there are no duplicated user names or group names in the local file-based repository and the localos repository. After you remoe the LDAP repository from the Tioli Storage Productiity Center federated repositories authentication configuration, you must establish the authorization configuration for the WebSphere Integrated Solutions Console. You should also assign Tioli Storage Productiity Center roles to groups. To assign the roles to the user groups, access the Tioli Storage Productiity Center web-based GUI and click Settings > User Management. For more information about assigning these roles to groups, see Role-based authorization. Chapter 1. Configuring 53

64 For information about assigning roles to users and roles to groups for Tioli Storage Productiity Center for Replication, go to the product documentation at Security. Adding customized text to the web-based GUI logon page On the logon page for Tioli Storage Productiity Center, you can show customized text when users access the web-based GUI. 1. Open the directory that was created to install Tioli Storage Productiity Center: The default installation directory for Windows operating systems is C:\Program Files\IBM\TPC. The default installation directory for AIX or Linux operating systems is /opt/ibm/tpc. 2. Go to the customization directory: On Windows operating systems The customization directory is in \ewas\profiles\websererprofile\ installedapps\webserercell\webserer.ear\tpc-gui.war\. On AIX or Linux operating systems The customization directory is in /ewas/profiles/websererprofile/ installedapps/webserercell/webserer.ear/tpc-gui.war/. 3. Open the LoginText.html file in a text editor: a. Type the text that you want to show to the user before they log on to the web-based GUI. Tip: To format the text that you want to add, you can use HTML tags, such as paragraph tags, list tags, bold tags, and italic tags. b. Sae the LoginText.html file. 4. Open the web-based GUI for Tioli Storage Productiity Center. The customized text that you added is shown below the logon page. Configuration tasks in the stand-alone GUI Use the stand-alone GUI to configure some of the functions within Tioli Storage Productiity Center. In the stand-alone GUI, you can complete the following configuration tasks in the Administratie Serices > Configuration section of the naigation tree: Specify licenses for enabling certain functions within Tioli Storage Productiity Center. Determine how long to retain batch reports. Specify rules for generating addresses of users who break quota and constraint policies. Assign Storage Resource agents to run scans and probes on NAS filers. Enter and iew information about Network Attached Storage (NAS) serers. Configure data aggregation. Specify how long to keep a history of information that is collected about databases. 54 IBM Tioli Storage Productiity Center: Administrator's Guide

65 Specify how long to keep information that is related to a database that was remoed and can no longer be found. Specify how often Tioli Storage Productiity Center captures snapshots of your configuration and when to delete them. In the web-based GUI, you can complete the following configuration tasks in the Settings section of the naigation tree: Determine how you are notified of alert conditions within a storage enironment. Specify how long to retain the data that is collected about resources and the log files that are generated by Tioli Storage Productiity Center. Determine the authentication mechanism and authorization leel for Tioli Storage Productiity Center users. The authentication mechanism determines the user groups to which you can assign roles. Roles determine the product functions that are aailable to the users in a group. Related tasks: Configuring alert notifications on page 8 Alerts can define notification actions that send , generate Simple Network Management Protocol (SNMP) traps, or generate IBM Tioli Netcool/OMNIbus eents. To enable these notification actions, you must configure Tioli Storage Productiity Center for , SNMP, or Tioli Netcool/OMNIbus alert notifications. Configuring history and data retention on page 10 Specify how long to retain the data that is collected about resources and the log files that are generated by Tioli Storage Productiity Center. By specifying the number of weeks for history retention, you can control the amount of data that is retained and aailable for historical analysis and charting. The longer that you retain data, the more informatie your analysis, but the more storage space that is required to store that data. Authorizing users on page 12 After IBM Tioli Storage Productiity Center is installed, you can assign roles to the user groups that are contained in the authentication repository. The authentication repository can be a local operating system or an LDAP-compliant directory. Roles determine the product functions that are aailable to users in a group. License Keys You must set database permissions to monitor databases with the Data Manager. You must hae the following permissions that are set to monitor the databases with Data Manager: Table 9. Database permissions Database DB2 Microsoft SQL Serer Oracle Sybase Permissions db2admin public DBA SA leel To monitor Oracle databases with Tioli Storage Productiity Center, the Oracle user needs DBA authority. A non-dba Oracle user with create session, select Chapter 1. Configuring 55

66 any dictionary, analyze any, and analyze any dictionary roles can still monitor the Oracle database through Tioli Storage Productiity Center. Howeer, Tioli Storage Productiity Center is not able to obtain free space information for database objects. During the database registration, when a non-dba Oracle user is used with the roles mentioned in the preceding list, the following warning message displays. RDBMS login does not hae dba priilege. Freespace will not be calculated for system objects. Clicking OK continues with the registration process. This message is also displayed in the scan logs when scan jobs are run. Through the License Keys node, you can administer the license keys for Data Manager for Databases. Assign Data Manager for Databases licenses to your Storage Resource agents. Edit, add, and delete the instances within your organization that you want to monitor. View the number of Data Manager for Databases licenses. View the number of Data Manager for Databases licenses that are not currently assigned (unused) to agents. Before you can use Storage Resource agents to manage the storage for your instances, you must do the following steps. 1. Assign Data Manager and Data Manager for Databases licenses to the agents that are monitoring RDBMS instances. 2. Register the instances on the systems that contain licensed agents. Assigning Data Manager database licenses to installed agents This topic describes how to assign Data Manager database licenses to an agent. To assign a Data Manager database license to an agent, complete the following steps: 1. Expand Administratie Serices > Configuration > License Keys. The License Editor window is displayed. 2. Click the icon for the IBM Tioli Storage Productiity Center for Data - Databases row. The Tioli Storage Productiity Center for Data - Databases License Editor window is displayed. The field and button descriptions for the Licensing tab are: Select All Selects all the Licensed boxes. Deselect All Remoes all the licenses for Data Manager - Databases. Computer Displays all the computers on which a Data Manager agent is installed. OS Type Displays the operating system of the computer where the agent is installed. Domain Displays the domain of a computer where the agent is installed. 56 IBM Tioli Storage Productiity Center: Administrator's Guide

67 Tree Name For NetWare deices that are managed by Storage Resource agents from preious releases. Licensed Contains a check box that indicates whether a computer is licensed for use with Data Manager - Databases. If you hae unused Data Manager - Databases licenses, continue to the next step. To unassign licenses from agents, see Unassigning Data Manager - Databases license on page Click the check box in the Licensed column next to the computer with the instance you want to monitor. 4. Click File > Sae to sae the updated license settings. If an instance is registered on the machine where you licensed the agent, you are ready to set up your Data Manager - Databases jobs to monitor its storage. If an instance is not registered on the machine where you licensed the agent, see Registering instances on machines that contain licensed agents. Registering instances on machines that contain licensed agents This topic describes how to register instances on machines that contain licensed agents. 1. Click the RDBMS Logins tab on the IBM Tioli Storage Productiity Center for Data - Databases License Editor window. 2. The RDBMS Logins window is displayed. Use this window to edit, add, and delete the instances within your organization that you want to monitor. The field and button descriptions for the RDBMS Logins tab are: Edit Highlight a row and click this button to edit the login information for the corresponding instance. The RDBMS Login Editor window is displayed. Add New Click this button to add login information for a new instance. The RDBMS Login Editor window is displayed. Delete Highlight a row for an instance and click this button to delete that instance from Data Manager - Databases. Once you delete an instance, all the preiously gathered statistics for that instance are automatically deleted from the database repository and that instance is no longer aailable for selection in the reporting section of the naigation tree. 3. Click Add New to add a new instance. The RDBMS Login Editor window is displayed. Use this window to enter information about the instance that you want Data Manager - Databases to monitor. Note: In an Oracle Parallel Serer (OPS) enironment, you only need to register one of the instances within that enironment. OPS is a resource-sharing system that increases aailability and performance by partitioning the workload across multiple serers of a cluster (nodes). Databases installed on clustered serers or clustered database serers (for example, Oracle Real Application Cluster (RAC) enironment) are not supported for monitoring. 4. Select the name of the machine where the instance is running from the Host Name list box. Note: You can only register instances on machines that contain licensed agents. 5. Enter the following information in the next field: Chapter 1. Configuring 57

68 For Oracle Enter the Oracle SID and host for the instance. For Microsoft SQL/Serer Enter the name of the instance you want to register in the Instance field. Note: When you use the Storage Resource agent to monitor the RDBMS, the JDBC field is not shown. The Storage Resource agent does not require this field. For Sybase Enter the serer name in the Serer field. For IBM UDB Enter the name of the instance you want to register in the Instance field. 6. Enter a user ID that has the appropriate database priileges within the instance in the User field. See License Keys on page 55. For Oracle The following priileges are required for this user ID: CREATE SESSION SELECT ANY DICTIONARY ANALYZE ANY Note: For Oracle 9i or 10g, specify ANALYZE ANY DICTIONARY For Microsoft SQL Serer The login ID that Data Manager uses to log in to Microsoft SQL Serer instances that you want to probe must hae "permit" access. 7. Enter a password for the user ID in the Password field. 8. Enter the port on which the instance is listening in the Port field. For Oracle The default port is For Microsoft SQL/Serer The default port is You must also proide the fully qualified path to the JDBC drier in the JDBC Drier field. Note: When you use the Storage Resource agent to monitor the RDBMS, the JDBC field is not shown. The Storage Resource agent does not require this field. For Sybase The default port is For IBM UDB When monitoring multiple UDB instances within your enironment, you must ensure that the port numbers you choose are open (unique for each instance) for JDBC and Jaa connections to those instances. To open up a port, run the following DB2 command on the machine where the instance is located: db2jstrt The default port number is You can change this default by indicating the port number you want to use when running the db2jstrt command. For example: 58 IBM Tioli Storage Productiity Center: Administrator's Guide

69 db2jstrt 6790 If you enter an incorrect port number, an error occurs. To erify the port number for an instance, complete one of the following tasks: UNIX or Linux View the etc/serices file to confirm the correct port number. AIX Run the following command: ps -ef grep db2jd The output from this command indicates the port on which the instance is listening. Use this port number when running the db2jstrt command. Windows Use the information in the IBM DB2 configuration tools to confirm the port number. 9. Click File > Sae to sae the instance configuration information. You can now run a probe job against the registered instances. You must run a probe job against an instance before you can select any databases or table spaces against which you want to run a scan job. Configuring Microsoft SQL Serer 2008 or Microsoft SQL Serer 2008 R2: Before you can monitor a Microsoft SQL Serer 2008 or Microsoft SQL Serer 2008 R2 database, you must make some configuration changes to the Microsoft SQL Serer. Note: Before registering an instance of Microsoft SQL Serer 2008 or Microsoft SQL Serer 2008 R2 to be monitored by a Storage Resource agent, make sure that the directory containing the sqlcmd utility (sqlcmd.exe) is in the system PATH enironment ariable on the Microsoft SQL Serer system. The default location of sqlcmd is C:\Program Files\Microsoft SQL Serer\<ersion>\Tools\Binn. Before monitoring the Microsoft SQL Serer database, follow these steps: 1. Install the Microsoft SQL Serer and proide the required information about the installation panels. See the Microsoft SQL Serer 2008 or 2008 R2 Installation and Configuration Guide for detailed information. For the installation and configuration guides, see library/ms143219(=sql.105).aspx. 2. Make sure that the Microsoft SQL Serer is using Mixed Mode authentication. 3. After the installation, go to the SQL Serer Configuration Manager and make sure that you set the Dynamic TCP/IP port to the default port (See the Microsoft SQL Serer 2008 or 2008 R2 Installation and Configuration Guide for detailed information.) To configure the Microsoft SQL Serer, follow these steps: a. Open the SQL Serer Configuration Manager. b. Go to SQL Serer Network Configuration. c. Select Protocols for MSSQLINST (name of the instance). d. Right-click TCP/IP. e. Select Enable: Yes. f. Go to the IP Addresses / IP All and add TCP Dynamic Ports : 1433 (default port). 4. Launch the Microsoft SQL Serer setup.exe. Chapter 1. Configuring 59

70 5. Go to Installation/Search for product updates. You are redirected to the Microsoft update website that scans the computer for the components that need to be updated. 6. When finished, select Express Install to install the components found. 7. Install the Storage Resource agent on the Microsoft SQL Serer system. 8. Open the RDBMS Login Editor. Expand Administratie Serices > Configuration > License Keys. In the content pane, click RDBMS Logins tab. 9. Click Add New. The RDBMS Login Editor opens. Enter the following information: Database Microsoft SQL/Serer. Instance name Name of the instance (mssqlinst). User User ID to logon to the Microsoft SQL Serer. Password Password for the user ID. Port Click Sae. Unassigning Data Manager - Databases license This topic describes how to unassign a Data Manager - Databases license. To unassign a license, complete the following steps: 1. Expand Administratie Serices > Configuration > License Keys. 2. The License Editor window is displayed. 3. Click the icon for the IBM Tioli Storage Productiity Center for Data - Databases row. The IBM Tioli Storage Productiity Center for Data - Databases License Editor window is displayed. Use the Licensed column in this window to iew the agents to which licenses are currently assigned. 4. Clear the Licensed check box next to a machine to remoe the license for the agent on that machine. 5. Click File > Sae. When you remoe the license for an agent, the following actions occur: All the data gathered by that agent for the instance it monitors is remoed from the database repository. You can no longer run monitoring, alerting, or policy management jobs against the instance on the machine where the agent was located. The number of unused licenses increases by one. Cached Batch Report Retention Specify the maximum number of days to retain batch reports that were generated but not deliered to the corresponding Storage Resource agent. Note: In V5.2.1, the ability to specify how long to retain job information and logs was remoed from the stand-alone GUI. You can now use the web-based GUI to complete those tasks. 1. In the naigation tree of the stand-alone GUI, go to Administratie Serices > Configuration > Cached Batch Report Retention. 60 IBM Tioli Storage Productiity Center: Administrator's Guide

71 2. In the Cached Batch Report Retention field, enter the maximum number of days to retain a batch report that was not deliered to a Storage Resource agent. If a batch report is generated, but the Tioli Storage Productiity Center serer cannot delier it to the corresponding Storage Resource agent, the batch report is cached on the serer for the amount of time that you specify. When the maximum number of days is reached for a batch report, it is remoed from the serer. You can determine if a batch report was not deliered by iewing its log file. Additionally, a notification is sent upon failure if an alert was configured for the batch report. Tip: When the batch report is created on the Tioli Storage Productiity Center serer and copied to the Storage Resource agent, the copying of the report to the agent might fail. If a failure occurs, no attempt is made to send the report again. Instead, the report remains cached on the Tioli Storage Productiity Center serer. You can configure the time that the report remains cached on the Tioli Storage Productiity Center serer. Quota and Constraint Address Rules You can specify rules for generating addresses of users who break the quota and constraint address rules that are based on their user ID, gien name, or family name as they are registered in the operating system. The user names are obtained as follows: On Windows operating systems: Full name field, from LDAP. On UNIX or Linux operating systems: User description from the Password file. To set the rules, complete the following steps: 1. Expand Administratie Serices > Configuration > Quota and Constraint Address Rules. 2. Click Add After or Add Before to include elements in an address template. An address template describes how to build the user ID. The user ID is notified in the eent of a quota iolation. This user ID represents the actual user who breaks the quota rules. 3. Select USERNAME, FIRSTNAME, LASTNAME, Text, orsubstring from the menu to include as an element in the address rule: USERNAME: the login ID of the user who breaks the quota or constraint rules. FIRSTNAME: the gien name of the user who breaks the quota or constraint rules. LASTNAME: the family name of the user who breaks the quota or constraint rules. Text: free form text that you want to appear in the address. Substring: an element in the address that is a substring of USERNAME, LASTNAME, orfirstname. For example, LASTNAME + SUBSTRING(USERNAME, 0, 3) You must include the first three characters of the USERNAME. For example, if the family name is Smith and USERNAME (as defined by file owner information) is 9A0723, then this substring example is equal to SMITH9A0. To define a substring, complete the following steps: a. Select Substring after you click Add After or Add Before. Chapter 1. Configuring 61

72 b. Select the substring ariable: USERNAME, LASTNAME, or FIRSTNAME. c. Highlight the range for the substring. d. Click OK. That substring appears in the address template. e. Click File > Sae to sae the address rule. Scan/Probe Agent Administration You can assign Storage Resource agents to run scan and probe jobs. Assign the Storage Resource agents to perform scans against the following objects: File systems within NAS filers IBM Tioli Storage SAN File Systems The window associated with this node proides a complete listing of the NAS filers and SAN File System discoered by Data Manager. Manual NAS Serer Entry Use the Manual NAS Serer Entry node to enter, and iew information about Network Attached Storage (NAS) serers. In the manual NAS Serer Entry node, you can complete the following tasks: Enter information about Network Attached Storage (NAS) serers that you want to monitor in your enironment. After you enter information about the NAS serers, you can assign agents to the serers in the Scan/Probe Agent window. View a list of NAS filers. The NAS filers that were registered using the Data Manager are shown in the list. Delete NAS filers. The NAS filers that were registered using the Data Manager are deleted. You can set up indiidual NAS serers for monitoring by Data Manager using this window, or you can use a discoery method to automatically add multiple serers simultaneously. When you want to add multiple NAS Filers for monitoring, use the discoery method. When you want to add indiidual NAS Filers for monitoring, use the Manual NAS Serer Entry window. For more information about configuring NAS, see Search for sg Manually adding a NAS filer or gateway You can manually add a NAS filer or gateway. To manually add a NAS filer or gateway, complete the following steps: 1. Expand Administratie Serices > Configuration > Manual NAS Serer Entry. 2. Click Add NAS Serer. The Add NAS Serer window is displayed. 3. Enter the following information: Network name Enter the network name of the NAS serer you want to add. 62 IBM Tioli Storage Productiity Center: Administrator's Guide

73 When manually adding a NAS Gateway or Filer that is monitored by a Storage Resource agent on a UNIX system, you must add the NAS by using the same name that was used when file systems were mounted on that UNIX system. You can mount file systems by using the short name, fully qualified name, or IP address of a NAS. For example, if the file systems from a NAS Gateway were mounted to a UNIX computer (where the Storage Resource agent is installed) by using the short name of the NAS Gateway, you must add the NAS Gateway in Tioli Storage Productiity Center by using the short name of the NAS Gateway. If the file systems from a NAS Gateway are mounted by using an IP address, you must add the NAS Gateway in Tioli Storage Productiity Center by using the IP address as its name. Consider the following example: a. The NAS filer named "oxide" was mounted on the UNIX system where a Storage Resource agent is located. The following commands used the short name and IP address to identify the NAS filer during a file system mount: oxide:/ol/john % 123 5% /n3700_john :/ol/ol % % /n3700_ol0 b. To add this NAS filer to Tioli Storage Productiity Center, enter the following alues in the Network Name field: oxide If file systems from a NAS Gateway or Filer is mounted on a UNIX system in different ways, you must add that NAS to Tioli Storage Productiity Center with the names used in both methods. For example, if one file system is mounted by using the fully qualified name of a NAS Gateway and the other file system is mounted by using the IP address, you must add that NAS Gateway to Tioli Storage Productiity Center twice: once with the fully qualified name and once with the IP address. Only one row is displayed for this NAS on Manual NAS Serer Entry panel, but both file systems are listed on the Scan/Probe Agent Administration panel. Data Manager Agent OS Type Select the operating system of the computer that contains the agent that gathers information about the NAS filer. Accessible from Select the agent that you want to use to "discoer" the NAS filer. This list box displays agents that are: Running under the operating system that is selected in the Data Manager Agent OS Type field. Found on Windows or UNIX operating systems that are accessible to the NAS filers (agents for the Data Manager are not found on the NAS filers themseles): Windows: agents are found on Windows operating systems within the same domain as the NAS filers. UNIX: agents are found on UNIX or Linux operating systems that hae NFS imports for the file systems within the NAS filers. Chapter 1. Configuring 63

74 SNMP Community Enter the name of the SNMP communities that Data Manager uses when it communicates with systems in your enironment. If you do not enter the name of an SNMP community, the default community public is used. Data Manager uses the SNMP protocol to contact and identify NAS filers. This field is optional. Login ID (Windows operating systems only.) Enter the Administrator user ID for the Storage Resource Agent serice it runs on when you log in to the NAS filer. Password (Windows operating systems only.) Enter the password that Data Manager uses when you log in to the NAS filer. Add as Other NAS Select this check box to add a NAS serer as Other NAS filer. With this option, you can monitor and report on file system information about the NAS filer or gateway through Windows CIFS or UNIX NFS shares accessible to the scan or probe job for the agent. No controllers, disks, and logical olumes information are collected or reported. NAS Serer Vendor Name Enter the endor name (or manufacturer) hosting the file system of the NAS serer. The default endor is Network Appliance. 4. Click OK to hae the Data Manager erify the filer for which you entered information. During this erification, Data Manager completes the following tasks: Log in to the NAS filer. Gather information about the file systems isible on those filers to the agent. For the UNIX or Linux operating system, it gathers information about the file systems that it can actually see (for example, file systems that are mounted to the UNIX operating systems). By default, file systems are discoered at the root. For the Windows operating system, it finds all the NAS filers that are isible through CIFS. Determine which file systems are isible to which agents. Enter the NAS serer information into the repository. 5. Expand Administratie Serices > Configuration > Scan/Probe Agent Administration. This window helps you to assign agents to each file system of the NAS serer. Note: At any time, you can change the login ID and password for a NAS filer on the Administratie Serices > Configuration > License Keys > Filer Logins window. Deleting a manually added NAS filer You can manually delete a NAS filer that you added. To delete a NAS filer whose information was manually entered into Data Manager, complete the following steps: 1. Expand Administratie Serices > Configuration > Manual NAS Serer Entry. 2. Highlight a row that represents the deice you want to delete. 3. Click Delete. 64 IBM Tioli Storage Productiity Center: Administrator's Guide

75 Tip: When you delete a deice from this window, all information about that deice is remoed from the repository. Editing Data Manager configuration files Tioli Storage Productiity Center proides you with the ability to edit Data Manager configuration files to further customize the settings for a component according to the standards at your site. Data Manager has configuration files for customizing the operation of the serer and agent components within your enironment. These files are located in the TPC_installation_directory/config/ directory, where TPC_installation_directory represents the directory where you installed the product. The configuration file for the Tioli Storage Productiity Center serer is located in the following default installation directory: Windows operating system C:\Program files\ibm\tpc\data\config\ UNIX or Linux operating system /opt/ibm/tpc/data/config The agent configuration file for the Storage Resource agent is located in the following default installation directory: Windows operating system C:\Program Files\IBM\TPC\agent\config UNIX or Linux operating system /opt/ibm/tpc/agent/config/ When you change the configuration files for the serer component on the UNIX or Linux operating system, you must stop and start the serer before those changes take effect. Edit the agent.config file to configure the Data Manager agents in your enironment. This file is located in the agent installation directory on eery computer where an agent is installed. Edit the nas.config file to configure the Data Manager NAS feature for your enironment. The nas.config file contains the following information: On each line not beginning with #, the first blank-delimited field must contain the SNMP Enterprise code of a NAS filer that the agent discoers, probes, or scans. The second field contains identifying information about the filer. Any remote host that cannot be reached by SNMP or whose enterprise code does not match one of these alues is ignored. Editing the NAS configuration file This topic proides information about editing the nas.config file for the Data Manager NAS feature. Edit the nas.config file to configure the Data Manager NAS feature for your enironment. Chapter 1. Configuring 65

76 The nas.config file contains the following information: On each line not beginning with #, the first blank-delimited field must contain the SNMP Enterprise code of a NAS filer that the agent discoers, probes, or scans. The second field contains identifying information about the filer. Any remote host that cannot be reached by SNMP or whose enterprise code does not match one of these alues are ignored. History Aggregator You can configure reports for data aggregation. The History Aggregator in IBM Tioli Storage Productiity Center defines and runs jobs to sum data in the database repository for historical reporting purposes. For example, you can iew the sum of usage across multiple storage resources, by file system. With trending, you can see patterns of your historical data across your entire network. You hae the option of turning aggregation off, although this action is not adised. To turn off aggregation, access the History Aggregator window, clear the Enabled check box, and select File > Sae. To configure reports for data aggregation, complete the following steps. 1. Expand Administratie Serices > Configuration > History Aggregator. 2. The Edit History Aggregator panel is displayed in the topic pane. You can specify the following information. How often to run the job How to handle time zones Triggering conditions Triggered actions Resource History Retention for Databases You can specify how long to keep a history of the database-related statistical elements collected by the system. By specifying a number of days, weeks, or months for each element, you can control the amount of data that is retained and is aailable for historical analysis and charting. The longer you keep the data, the more informatie your analysis. You can retain the histories for: Databases-Tablespaces Tables Note: If you do not select a check box, the data related to that check box is retained permanently. This action might cause a large amount of data to accumulate in the database repository oer time. If you select a check box and enter a alue of 0, the data related to that check box is remoed immediately from the database repository. To set the retention period, complete the following steps: 1. Expand Administratie Serices > Configuration > Resource History Retention for Databases. 66 IBM Tioli Storage Productiity Center: Administrator's Guide

77 2. The Retain History panel is displayed in the content pane. Enter the retention period information. Remoed Resource Retention for Databases You can specify how long to keep information in the enterprise repository that is related to a database entity that has been remoed from the system and can no longer be found. By specifying a number for days, you can indicate how long to keep information for table spaces and tables that hae been remoed from the system. Note: If you do not select a check box, the data related to that check box is retained permanently. This action might cause a large amount of data to accumulate in the database repository oer time. If you select a check box and enter a alue of 0, the data related to that check box is remoed immediately from the database repository. To specify a retention period, complete the following steps: 1. Expand Administratie Serices > Configuration > Remoed Resource Retention for Databases. 2. The Retain Remoed panel is displayed in the content pane. Enter the information for the retention period. Configuration History Settings You can specify how often the system captures snapshots of your configuration and when to delete them. In addition to displaying the number of snapshots in the database and determining when the last snapshot was taken, you can also create and enter a title for a snapshot on demand. You must configure and sae the settings on this page before you can use the Configuration History function. To specify the configuration history settings, complete the following steps: 1. In the Create snapshot eeryfield, type how often (in hours) you want the system to take snapshot iews of the configuration. 2. To automatically delete snapshots, select the check box to place a check mark before Delete snapshots older than. In the box that follows that field, type how long you want to keep the snapshots (in days) before they are automatically deleted. 3. To optionally refresh the date and time of when the latest snapshot was created, click Update. 4. To optionally create a snapshot on demand, click Create Snapshot now. Ifyou choose, you might want to type a name for the snapshot in the box Title this snapshot (optional). 5. To change your settings to the default, click Reset to defaults. The defaults are create snapshots eery 12 hours and delete snapshots older than 14 days. 6. Click File > Sae to sae the configuration history settings. Chapter 1. Configuring 67

78 Configuring switches IBM Tioli Storage Productiity Center can discoer deices in the SAN, display a topology of the SAN enironment, and collect data about the performance of the deices. You must configure the switches in your SAN correctly to enable Tioli Storage Productiity Center to complete these tasks. Tioli Storage Productiity Center is designed to operate using industry-based standards for communicating with Fibre Channel switches and other SAN deices. This communication can be done using the simple network management protocol (SNMP) interface for out-of-band agents, the FC-GS-3 interface for Storage Resource agents, Storage Management Initiatie (SMI) agents, or a combination of these agent types. FC-GS-3 refers to the Fibre Channel Generic Serices 3 standard. To gather and display the information as expected, the switches must be configured correctly. The configuration aries by endor and the type or types of agents that are used. The supported switch endors are Brocade, Cisco, and QLogic. Other endors such as IBM, often sell these switches under their own labels. Determining the agent type or types to use with a switch For Brocade fabrics, the preferred type of agent is the SMI agent. The SMI agent proides most fabric functions and the other agent types can be added for redundancy. Howeer, Storage Resource agents are required to gather host bus adapter (HBA) information. For QLogic and Cisco fabrics, a combination of different agent types is required to enable all functions. For information about information that is gathered by each type of agent, see Agent types for switch and fabric functions on page 161. Using Storage Resource agents With Tioli Storage Productiity Center Storage Resource agent discoery, the Tioli Storage Productiity Center for agent software is installed on SAN-attached hosts. The Storage Resource agents collect information about the fabric across the Fibre Channel network by querying the switch and the attached deices through the host bus adapter (HBA) in the system. For the switches to successfully receie and respond to the queries, the switch must support the FC-GS-3 standard interface for discoery. Name serer Configuration serer Unzoned name serer For Storage Resource agent discoery, fabric eents are automatically sent from the agent to Tioli Storage Productiity Center. There is no need for configuration. For Storage Resource agent discoery, you must configure SNMP traps to be sent from the switches in your fabric to the Tioli Storage Productiity Center Deice serer. 68 IBM Tioli Storage Productiity Center: Administrator's Guide

79 Using out-of-band SNMP agents Out-of-band SNMP agent discoery collects some of the same information that can be obtained by Storage Resource agents, but out-of-band agent discoery is performed differently. In out-of-band discoery, Tioli Storage Productiity Center queries the switch directly rather than going through a Storage Resource agent and the Fibre Channel network.tioli Storage Productiity Center uses the SNMP protocol to send queries across the IP network to management information bases (MIBs) supported on the switch. Tioli Storage Productiity Center uses the Fibre Alliance FC Management MIB and the Fibre Channel FE MIB. The queries are sent only to switches that were added to Tioli Storage Productiity Center for use as SNMP agents. SNMP information is collected for a single switch. The out-of-band discoery registers each switch. For a switch to successfully receie and respond to queries from Tioli Storage Productiity Center, the following basic requirements must be met: Tioli Storage Productiity Center uses SNMP1 to probe switches and fabrics, and uses SNMP2 to collect performance data. Tioli Storage Productiity Center does not support SNMP3. Switches that Tioli Storage Productiity Center probes must use the SNMP1 protocol. Switches that Tioli Storage Productiity Center collects performance data from must use the SNMP2 protocol. Some switches are configured to use SNMP3 by default. The switch must be configured to receie SNMP1 queries and respond in SNMP1. Some switches are configured to use SNMP2 or SNMP3 by default. The Fibre Alliance FC Management MIB and Fibre Channel FE MIB must be enabled on the switch. The community string that is configured in Tioli Storage Productiity Center must match one of the community strings that are configured on the switch with read access. Cisco switches must additionally hae a community string match for write access. The default community strings in Tioli Storage Productiity Center are "public" for read access and "priate" for write access. Other community strings can be defined on the switches, but are not used. SNMP access control lists must include the Tioli Storage Productiity Center system. Some lists automatically include all hosts while others exclude all by default. Another aspect of the SNMP configuration includes trap notification. SNMP traps are generated by the switch and directed to Tioli Storage Productiity Center as an indication that something in the fabric changed and that a discoery must occur to identify the changes. The default configuration for handling switch traps is to send them from the switch to port 162 on the Tioli Storage Productiity Center system. To successfully generate and receie traps, there are some configuration requirements: The trap destination parameter on the switch must be set. This parameter is the host that receies the trap and sends it to Tioli Storage Productiity Center. The parameter is set on the switch. The destination port parameter on the switch must be set. Tioli Storage Productiity Center listens on port 162 by default. The parameter is set on the host. The traps must be sent as SNMP1. This parameter is set on the switch. The trap seerity leel must be set to generate traps for change conditions. This leel typically means to send error leel traps and anything more seere. This parameter is set in Tioli Storage Productiity Center. Chapter 1. Configuring 69

80 Using SMI agents You must install or enable an SMI agent for to perform the following tasks: Gather fabric performance data. Collect and configuring Brocade zone aliases. For information about installing or enabling a SMI agent for the switch, contact your switch endor. Managing a SAN without agents You can manage a SAN when there are no agents. In the following situations, there might not be any agents on the SAN: The hosts do not currently hae a Storage Resource agent or Fabric agent installed. The host operating system is not supported by the Storage Resource agent or Fabric agent. The customer requirements do not require the deployment of a Storage Resource agent or Fabric agent. In these cases, it is recommended that an agent is installed on the Deice serer itself. This action allows the Deice serer to use adanced features like Remote Node Identification, which requires an agent. Normally the Deice serer does not hae a Fibre Channel host bus adapter. In this configuration, the following steps are taken: 1. A Fibre Channel host bus adapter is added to the manager. 2. An agent is installed on the Deice serer(the Deice serer is installed first). 3. All storage deices are erified to ensure that they use LUN masking techniques. The LUN masking techniques preent the Deice serer from accessing the disks used by the host systems. 4. The Fibre Channel host bus adapter is attached to the SAN to be managed. This host is added to each zone that is intended to be managed by the Deice serer. Setting timeout alues for the Deice serer If a probe or discoery of a storage subsystem times out before the operation completes, you can increase the timeout alues for the Deice serer. If a probe or discoery of a storage subsystem times out before the operation completes, you receie the following error message: HWN021650E Encountered timeout while connecting to CIMOM IP:port. Check the CIMOM or increase timeout alue. where IP is the IP address, and port is the port number. If you determine that the Common Information Model Object Manager (CIMOM) is not the cause of the problem, you can use the command-line interface (CLI) to increase the timeout alues for the Deice serer. For those storage systems that use natie interfaces to connect to Tioli Storage Productiity Center you see this error message: 70 IBM Tioli Storage Productiity Center: Administrator's Guide

81 HWN020103E The external process exceeded the timeout limit and was cancelled. The following storage systems use natie interfaces to connect to Tioli Storage Productiity Center: System Storage DS8000 SAN Volume Controller The XIV system Storwize V3500 Storwize V3700 Storwize V7000 Storwize V7000 Unified IBM SONAS GPFS clusters and GSS systems 1. Run the getdscfg command to determine the current alues of the timeout properties. From the command prompt, enter the following command: cli>tpctool getdscfg -user user -pwd password -url host:port -property timeout_property where: user is an IBM Tioli Storage Productiity Center user ID. password is the password for the Tioli Storage Productiity Center user ID. host is the host name or IP address, and port is a alid port number for the HTTP serice of the Deice serer. The default alue for port is typically timeout_property is one of the following strings: httptimeout CIMClientWrapper.Timeout Probe.Timeout.Array Probe.Timeout.LMM Discoery.Timeout CIMOMManager.TestConnectionTimeout Important: Timeout properties are displayed in milliseconds. If the alue is 0 (zero), it means that there is no timeout. For the storage systems that use the natie interface, the timeout_property strings are: NAPI.Timeout.TestConnection NAPI.Timeout.Probe NAPI.Timeout.EentPoll 2. Run the setdscfg command to increase the timeout alue. Run the following command: cli>tpctool setdscfg -user user -pwd password -url host:port -property timeout_property timeout_alue For more information about tpctool, go to the product documentation at com.ibm.tpc_v524.doc/fqz0_r_tpctool_command.html. You also can iew help from the command line by issuing the command with the -help option. Chapter 1. Configuring 71

82 Configuring Serice Location Protocol You can enable Tioli Storage Productiity Center to discoer a larger set of storage deices through Serice Location Protocol (SLP). In addition to some of the more common SLP configuration issues, there is also information about router configuration, SLP directory agent configuration, and enironment configuration. For additional information about SLP, see the Serice Location Protocol Request for Comments website at Note: The storage systems that use the natie interfaces (DS8000, XIV system, SAN Volume Controller, and Storwize V7000) do not use SLP discoery. Router configuration Configure the routers in the network to enable general multicasting or to allow multicasting for the SLP multicast address and port, , port 427. The routers of interest are the ones associated with subnets that contain one or more storage deices that are to be discoered and managed by Tioli Storage Productiity Center. To configure your router hardware and software, refer to your router and configuration documentation. SLP directory agent configuration Reiew these suggestions when you configure the SLP directory agent. Configure the SLP directory agents (DAs) to circument the multicast limitations. With statically configured DAs, all serice requests are unicast by the user agent. Therefore, it is possible to configure one DA for each subnet that contains storage deices that are to be discoered by Tioli Storage Productiity Center. One DA is sufficient for each of the subnets. Each of these DAs can discoer all serices within its own subnet, but no other serices outside its own subnet. To allow Tioli Storage Productiity Center to discoer all the deices, it needs to be statically configured with the addresses of each of these DAs. This operation can be accomplished by using the Tioli Storage Productiity Center Discoery Preference panel. You can use this panel to enter a list of DA addresses. Tioli Storage Productiity Center sends unicast serice requests to each of these statically configured DAs, and sends multicast serice requests on the local subnet on which Tioli Storage Productiity Center is installed. Configure an SLP DA by changing the configuration of the SLP serice agent (SA) that is included as part of an existing CIM Agent installation. This action causes the program that normally runs as an SLP SA to run as an SLP DA. Note: The change from SA to DA does not affect the CIMOM serice of the subject CIM Agent, which continues to function normally, sending registration and deregistration commands to the DA directly. Enironment configuration This section proides information about the configuration of your enironment. It might be adantageous to configure SLP DAs in the following enironments: 72 IBM Tioli Storage Productiity Center: Administrator's Guide

83 In enironments where there are other non-disk Manager SLP UAs that frequently perform discoery on the aailable serices, an SLP DA must be configured. This action ensures that the existing SAs are not oerwhelmed by too many serice requests. In enironments where there are many SLP SAs, a DA helps decrease network traffic that is generated by the multitude of serice replies. It also ensures that all registered serices can be discoered by a gien UA. The configuration of an SLP DA is recommended when there are more than 60 SAs that need to respond to any gien multicast serice request. SLP registration and slptool Tioli Storage Productiity Center uses Serice Location Protocol (SLP) discoery, which requires that all the CIMOMs that Disk Manager discoers are registered by using the SLP. In a non-multicast network enironment, SLP can only discoer CIMOMs that are registered in its IP subnet. For CIMOMs outside of the IP subnet, you need to use an SLP DA and register the CIMOM by using slptool. Ensure that the CIM_InteropSchemaNamespace and Namespace attributes are specified. For example, enter the following command: slptool register serice:wbem: Where myhost.com is the name of the serer that is hosting the CIMOM, and port is the port number of the serice, for example Note: slptool is installed with a CIMOM. Run the command from the computer that is hosting the CIMOM. SLP discoery A common problem with SLP discoery is due to IP multicasting being disabled on the network router. Communication between the SLP SA and UA is done with IP multicasting. Follow these recoery procedures when there are SLP discoery problems and IP multicasting is disabled on the network router. Note: The storage systems that use natie interfaces (DS8000, XIV system, SAN Volume Controller, and Storwize V7000) do not use SLP discoery. There are two recoery procedures when there are SLP discoery problems and IP multicasting is disabled on the network router: 1. Configure one DA for each subnet within the enironment. 2. Enable IP multicasting on the router which is disabled by default. Here is a list of common router configurations for multicasting: Internet Group Management Protocol (IGMP) is used to register indiidual hosts in particular multicast groups and to query group membership on particular subnets. Distance Vector Multicast Routing Protocol (DVMRP) is a set of routing algorithms that use a technique called reerse path forwarding. These algorithms proide the best solution for how multicast packets are to be routed in the network. Protocol-Independent Multicast (PIM) comes in two arieties: dense mode (PIM-DM) and sparse mode (PIM-SM). The dense mode and sparse mode Chapter 1. Configuring 73

84 routines are optimized for networks where either a large percentage of nodes requires multicast traffic (dense) or a small percentage of nodes requires the sparse traffic. Multicast Open Shortest Path First (MOSPF) is an extension of OSPF. It is a link-state unicast routing protocol that attempts to find the shortest path between any two networks or subnets to proide the most optimal packet routing. Configuring IP addressing To properly configure the routers for multicasting, see the reference and configuration documentation from the router manufacturer. This section proides information about configuring IP addressing. Configuring Tioli Storage Productiity Center with multiple IP addresses If the system where IBM Tioli Storage Productiity Center is to be installed has multiple IP addresses, then a configuration alue must be set manually as a post-installation task by using the tpctool setdscfg command. The alue to be set is for the local IP address, which must be used for subscription for CIM Indications for CIM agents. Restriction: This task does not apply to storage systems that use the natie interfaces (DS8000, XIV system, SAN Volume Controller, and Storwize V7000). If you are using IP6 computers, go to the product documentation at com.ibm.tpc_v524.doc/fqz0_r_planning_ip6.html. For multiple IP6 addresses, the IP6 address to use for CIM indication subscription by Tioli Storage Productiity Center can be specified by setting the property System.LocalIP6Address as described. With dual stack IP4 and IP6 Tioli Storage Productiity Center serers, two IP addresses are required to subscribe to IP4 CIMOMs and IP6 CIMOMs. The configuration property System.LocalIP6Address is used for IP6 CIMOMs and the property System.LocalIPAddress is used for IP4 CIMOMs. To change the IP address, follow these steps: 1. Open a command prompt window on the serer system. 2. Change to the following directory: cd TPC_installation_directory\cli 3. Enter the following command: tpctool setdscfg -user user_id -pwd password -url host:port -property System.LocalIP6Address alue Where: user_id Is the user ID. password Is the password for the user. 74 IBM Tioli Storage Productiity Center: Administrator's Guide

85 host port Is either the host name or IP address of the system that is running Tioli Storage Productiity Center. Is a alid port number for the HTTP serice of the Deice serer (the default is 9550). alue Is the local IP address, which must be used for subscription for CIM Indications for CIM agents. 4. Verify that the command was successful by entering this command: tpctool getdscfg -user user_id -pwd password -url host:port -property System.LocalIP6Address Changing the HOSTS file When you install Tioli Storage Productiity Center on your Windows operating systems, you must follow these steps to aoid addressing problems with the systems you want to manage. These problems are caused by the address resolution protocol that returns the host short name rather than the fully qualified host name. You can aoid this by modifying the entries in the corresponding host tables on the DNS serer and on the local computer system. The fully qualified host name must be listed before the short name in each entry that is associated with systems managed by Tioli Storage Productiity Center. The HOSTS file is in the %SystemRoot%\system32\driers\etc\ directory. To change the HOSTS file, follow these steps: 1. Open the HOSTS file in a text editor. 2. Add, remoe, or modify the host entries. In the following example of a HOSTS file, the short name is incorrectly listed before the fully qualified host name. This can cause address resolution problems in IBM Tioli Storage Productiity Center. # Copyright (c) Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an indiidual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on indiidual # lines or following the machine name denoted by a # symbol. # # For example: # # rhino.acme.com # source serer # x.acme.com # x client host # jason jason.groupa.mycompany.com 3. In the following example, the order of the host names has been changed so that the fully qualified host name is placed before the short name. The host names must be entered in the order that is shown so IBM Tioli Storage Productiity Center can locate the host. Use this format for any hosts that are associated with IBM Tioli Storage Productiity Center. # For example: # # rhino.acme.com # source serer # x.acme.com # x client host # jason.groupa.mycompany.com jason Chapter 1. Configuring 75

86 Configuring the VASA proider Note: Host names are case-sensitie. This is a WebSphere requirement. For example, if your computer shows the name as JASON (uppercase), then you must enter JASON in the HOSTS file. You need to register a Tioli Storage Productiity Center serer as a VASA proider to iew Tioli Storage Productiity Center data in Center reports and iews, to export alarms, and to filter which storage and file systems share Tioli Storage Productiity Center data with Center. Registering a Tioli Storage Productiity Center VASA proider Use the Sphere Client or the Sphere Web Client to register Tioli Storage Productiity Center as a VASA proider. The Tioli Storage Productiity Center VASA proider is automatically deployed and running after a Tioli Storage Productiity Center installation. To register Tioli Storage Productiity Center as a VASA proider for a Center, follow these steps: 1. Start the Sphere Client or the Sphere Web Client. 2. If you are using Sphere Client: Under Home, click Administration and then Storage Proiders. To add a VASA proider, click Add. 3. If you are using Sphere Web Client: Under Home, click Hosts and Clusters and then select the Center serer. In the Manage tab, click Storage Proiders. To add a VASA proider, click the plus (+) sign. 4. For Name, specify the display name you want to assign to the proider. 5. For URL, enter the address, where <TPCSerer> is the name of the Tioli Storage Productiity Center host and <port> is the port that is used for registering the VASA proider. The default port is For Login, specify a alid Tioli Storage Productiity Center user name. 7. For Password, specify the associated password. 8. If you are using the Tioli Storage Productiity Center Storage Proider certificate, see Using a Tioli Storage Productiity Center Storage Proider certificate on page Click OK. You may see a pop up dialog asking you if you trust the host. If so, click Yes. When the registration completes, the status of the proider remains Unknown for some minutes. Center collects data from the VASA proider as part of its synchronization process. When synchronization is completed, proider status changes to Online. Center must update its reports before users can see the VASA data collected by Center reflected in reports and iews. The time required to complete this task depends on the number of assigned olumes, shares and existing data stores in the target ESX enironment. The task can take some time. When this process completes, you can iew Tioli Storage Productiity Center information in VASA proider reports and iews. 76 IBM Tioli Storage Productiity Center: Administrator's Guide

87 VMware does not support scenarios where multiple VASA proiders manage the same storage. Note: VMware Center does not refresh VASA proider information after a Tioli Storage Productiity Center upgrade. This can result in some information, including VASA ersion information, not being up to date. With Center eents and alarms, information may be displayed in an older format, if a newer VASA ersion contains any new formats, eents or alarms. When you upgrade Tioli Storage Productiity Center, you must manually unregister and register the VASA proider again if you want to see updated VASA proider information. Using a Tioli Storage Productiity Center Storage Proider certificate Specify a Tioli Storage Productiity Center storage proider certificate when registering manually on Sphere Web Client. When registering a Tioli Storage Productiity Center VASA proider, the Use storage proider certificate is optional. By default, it is not selected. If you want the Center Serer to add the VASA proider certificate to its truststore during the VASA proider registration, select this option. Otherwise, it is not required. Before selecting this option, you need to sae the certificate from Tioli Storage Productiity Center VASA proider as a file. To sae a Tioli Storage Productiity Center storage proider certificate for use during registration, follow these steps in Firefox, or their equialent in another browser: 1. In a web browser, enter the address, serices/tpc, where <TPCSerer> is the name of the Tioli Storage Productiity Center host and <port> is the port that is used for registering the VASA proider. The default port is Click the lock icon to display the security information for this page. Click on More Information. 3. Click View Certificate. Click the Details tab under Security and select the certificate you require from the certificate hierarchy. 4. Click Export, and sae the certificate as a.crt file. If you decide to select the Use storage proider certificate option during VASA registration, click on Browse..."" to select the.crt file that you saed. After selecting the Use storage proider certificate option, you will not be presented with a pop up dialog confirming that you trust the certificate. Note: The VASA proider certificate is remoed from the Center truststore when the VASA proider is remoed from the Center. This is the case whether or not you selected the Use storage proider certificate option. Unregistering a Tioli Storage Productiity Center VASA proider Use the Sphere Client or the Sphere Web Client to unregister Tioli Storage Productiity Center as a VASA storage proider. Chapter 1. Configuring 77

88 To unregister a Tioli Storage Productiity Center VASA proider, follow these steps: 1. With the Sphere Client. Under Home, click Storage Proiders. Select the proider and click Remoe. 2. With the Sphere Web Client. Click Hosts and Clusters. IntheManage tab, click Storage Proiders. Select the proider and click the delete (X) sign. Verify that Tioli Storage Productiity Center is unregistered as a VASA proider by inspecting the list of proiders. Note: VMware Center does not refresh VASA proider information after a Tioli Storage Productiity Center upgrade. When you upgrade Tioli Storage Productiity Center, you must manually unregister and register the VASA proider again to see updated VASA proider information. Filter storage and file systems You can exclude certain types of storage and file systems from the data Tioli Storage Productiity Center VASA proider shares with Center. If you are using multiple VASA proiders, you can exclude certain system types from the information Tioli Storage Productiity Center VASA proider shares with Center. To exclude system types, use the filter properties file asa_filter.properties in <TPC_installation_directory>/web/conf/. asa_filter.properties is created when Tioli Storage Productiity Center VASA proider is added to a Center. The asa_filter.properties file lists supported system types, together with the associated include/exclude setting. By default, all system types are included: DS3000/DS4000=include DS5000=include IBM_ESS=include IBM_DS6000=include IBM_DS8000=include IBM_SONAS=include IBM_Storwize_V7000=include IBM_Storwize_V7000U=include IBM_SVC=include IBM_XIV=include EMC=include Hitachi=include HP=include HP_XP=include NetApp/IBM_N_Series=include Other_NAS=include Sun=include Unknown=include Use a text editor to modify this file. Set a system type to include or exclude all systems of that type from the information that is shared with Center. Restriction: On Windows installations, if you installed Tioli Storage Productiity Center by using a domain user account, you must disable User Account Control to edit the asa_filter.properties file. 78 IBM Tioli Storage Productiity Center: Administrator's Guide

89 The asa_filter.properties file is refreshed when you synchronize the Tioli Storage Productiity Center VASA proider from Center. The refresh maintains any changes in the file at the time of the refresh. Note: If an excluded system is deleted, the refresh adds it back to asa_filter.properties, set to include. When Tioli Storage Productiity Center is upgraded, the asa_filter.properties file remains in its last known state. When the VASA proider is synchronized from Center, the asa_filter.properties file is refreshed, and retains existing system settings. After synchronizing, inspect the information in the Center reports to erify that excluded systems are no longer isible. Creating custom VM Storage Profiles Use the VMware Web Client to create custom VM Storage Profiles based on system-defined capabilities proided by VASA. You can use the VMware Web Client to iew system-defined capabilities, or to create user-defined capabilities. It is also possible to create VM Storage Profiles based on system-defined capabilities proided by VASA. When you create a new VM Storage Profile, the capabilities of VASA are listed. You can either create a new user defined capability, or select one or more capabilities as the basis for custom user-defined capabilities. To create VM Storage Profiles based on system-defined capabilities proided by VASA: 1. Use the Sphere Web Client to naigate to Home. 2. Click Rules and Profiles and select VM Storage Profiles. 3. Click Create a new VM Storage Profile. 4. Select one or more system-defined capabilities proided by VASA. Configuring the Sphere Web Client extension for Tioli Storage Productiity Center Before you can use the Sphere Web Client extension for Tioli Storage Productiity Center to proision storage or iew reports, you must deploy the extension. You can use the web-based GUI for Tioli Storage Productiity Center to deploy the Sphere Web Client extension, or you can deploy the extension locally on the Center Serer system. When you deploy the extension from the Tioli Storage Productiity Center serer, the serer configures the Sphere Web Client extension. The deployment process also registers Tioli Storage Productiity Center as a VASA proider for the Center Serer system. You can then iew Tioli Storage Productiity Center data in Sphere reports and iews, export alarms, and filter which storage and file systems share Tioli Storage Productiity Center data with the Center Serer system. Chapter 1. Configuring 79

90 When you deploy the extension locally on the Center Serer system, you must manually sae the Tioli Storage Productiity Center serer configuration information. You must also manually register Tioli Storage Productiity Center as a VASA proider. Related tasks: Saing the Tioli Storage Productiity Center serer configuration information on page 84 You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. Registering a Tioli Storage Productiity Center VASA proider on page 76 Use the Sphere Client or the Sphere Web Client to register Tioli Storage Productiity Center as a VASA proider. Deploying the Sphere Web Client extension from Tioli Storage Productiity Center serer Before you can use the Sphere Web Client extension for Tioli Storage Productiity Center to proision storage, iew reports, or iew alerts, you must deploy the extension. You can deploy the Sphere Web Client extension and register Tioli Storage Productiity Center as a VASA proider when you add a Center Serer system, ersion 5.1 or later, as a data source in the web-based GUI. Adding Center Serer systems For Tioli Storage Productiity Center to monitor multiple hyperisors, you must first add a Center Serer system. When you add Center Serer ersion 5.1 or later, you can deploy the Sphere Web Client extension for Tioli Storage Productiity Center and register the latter as a VASA proider. You can then proision storage, iew reports, and publish alerts in the Sphere Web Client about storage that is monitored by Tioli Storage Productiity Center. You can add multiple hyperisors by specifying connection information for a Center Serer system. For a complete list of hyperisors and Center Serers that you can add, see the Agents, Serers and Browsers section in the Tioli Storage Productiity Center interoperability matrix. 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. 2. Click Add Hyperisor. 3. Select VMware Center and enter connection information about the Center Serer system. 4. Optional: To deploy the Sphere Web Client extension for Tioli Storage Productiity Center and register Tioli Storage Productiity Center as a VASA proider, in the Deploy Sphere extension page, enter your credentials. For VMware Center Serer, enter a user name and password for the Sphere administrator user. For Tioli Storage Productiity Center, enter a user name and password for a Tioli Storage Productiity Center user ID. You must hae Administrator, Monitor, or External Application authority to deploy the extension. If you entered a Sphere administrator user name and password for the Center Serer system, enter only the Tioli Storage Productiity Center credentials. 5. Schedule a probe for the hyperisors that were discoered. 6. Follow the instructions in the wizard to add the Center Serer system. 80 IBM Tioli Storage Productiity Center: Administrator's Guide

91 After a Center Serer system is added, probes collect status and asset information about the hyperisors. You can iew detailed information about the hyperisors in the web-based GUI and in the stand-alone GUI. Related tasks: Adding ESX and ESXi hyperisors on page 154 Add ESX and ESXi hyperisors for monitoring by Tioli Storage Productiity Center. Checking permissions to browse data stores on page 156 Determine if the user name that you specified for a VMware data source has permission to browse through the data stores on a hyperisor. Deploying the Sphere Web Client extension for Tioli Storage Productiity Center locally Before you can use the Sphere Web Client extension for Tioli Storage Productiity Center to proision storage, iew reports, or iew alerts, you must deploy the extension. As part of the deployment process, you must register the Sphere Web Client extension and sae the Tioli Storage Productiity Center serer configuration information. When you sae the configuration information, the Tioli Storage Productiity Center serer is also automatically registered as a VASA proider for the Center Serer system. Registering the Sphere Web Client extension for Tioli Storage Productiity Center You can deploy the Sphere Web Client extension for Tioli Storage Productiity Center on a Center Serer so that you can use Tioli Storage Productiity Center with a Center Serer. Ensure that Tioli Storage Productiity Center is installed. You must also complete the planning actiities. For more information about planning, go to the product documentation at SSNE44_5.2.4/com.ibm.tpc_V524.doc/ fqz0_r_m_planning_webclient_extension.html. To deploy the extension for Tioli Storage Productiity Center, you must copy the deployment setup utility to the Center Serer, run the setup utility, and register the extension to the Center Serer. When the extension is registered with a Center Serer, you can use Tioli Storage Productiity Center on any Sphere Web Client that connects to the same Center Serer. 1. On the serer where Tioli Storage Productiity Center is installed, go to the plug-in installation directory: On Windows operating systems: C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin On AIX or Linux operating systems: /opt/ibm/tpc/web/tpcvmwarevsphereplugin 2. Copy the directory to the Center Serer or the Center Serer Appliance host machine, into a directory of your choice. Use binary mode for the transfer. 3. From the command line on the Center Serer or the Center Serer Appliance host machine, go to TPCVmwareVspherePlugin directory. 4. To start the registration process, run the deployment utility by using one of the following methods: Chapter 1. Configuring 81

92 Run the deployment utility in command-line mode by issuing the setup command with the following parameters: On Windows operating systems: C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin> setup register -password password -tpcsereraddress tpcsereraddress On Linux operating systems: /opt/ibm/tpc/web/tpcvmwarevsphereplugin>./setup.sh register -password password -tpcsereraddress tpcsereraddress This method registers the extension by using the default alues for the command parameters. Run the deployment utility in read-from-file mode by issuing the setup command with the -file option to accept the parameters from a properties file: On Windows operating systems: C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin> setup -file filename On Linux operating systems: /opt/ibm/tpc/web/tpcvmwarevsphereplugin>./setup.sh -file filename where filename is the name of the properties file, including the path and the extension, that contains the parameters for the setup command. To create the properties file, follow the instructions in Creating the setup command properties file on page 83. Run the deployment utility in interactie mode by issuing the setup command and entering alues when you are prompted: On Windows operating systems: C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin> setup On Linux operating systems: /opt/ibm/tpc/web/tpcvmwarevsphereplugin>>./setup.sh Run the deployment utility in silent mode by using the -silent option. In silent mode, any output that is generated is saed to the log file on the disk. The log file, TPCDeploymentUtility.log, is in the following location: On Windows operating systems: %ALLUSERSPROFILE%\IBM\TPC For example, C:\Documents and Settings\All Users\IBM\TPC\ or %PROGRAMDATA%\IBM\TPC For example, C:\ProgramData\IBM\TPC\ On Linux operating systems: /opt/ibm/tpc Sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. When you sae the configuration information, the Tioli Storage Productiity Center serer credentials and connection information persist. Related tasks: Saing the Tioli Storage Productiity Center serer configuration information on page 84 You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. Related reference: 82 IBM Tioli Storage Productiity Center: Administrator's Guide

93 setup command for the Sphere Web Client extension on page 86 Use the setup command from the command line on a Center Serer system or Center Serer Appliance to install and register the Sphere Web Client extension for Tioli Storage Productiity Center. You can also use this command to unregister the extension on the Center Serer system or the Center Serer Appliance. Sample properties files for the Sphere Web Client extension on page 91 You can use a properties file to register or unregister the Sphere Web Client extension for Tioli Storage Productiity Center by using the setup command in read-from-file mode. Creating the setup command properties file You can create a properties file to use for registering or unregistering the Sphere Web Client extension for Tioli Storage Productiity Center in read-from-file mode. You can run the setup command with the -file option to register or unregister the Sphere Web Client extension by accepting the parameters from a properties file. You use key-alue pairs to specify the parameters when you create the properties file. 1. Create a properties file that contains the following key-alue pairs: -mode=register The -mode parameter is required. Enter the register alue if you are creating a properties file to use in registration mode. When you register the Sphere Web Client extension for Tioli Storage Productiity Center, you can use Tioli Storage Productiity Center with a Center Serer. Enter the unregister alue if you are creating a properties file to use when you unregister the Sphere Web Client extension. -password=password The -password parameter is required. Enter the alue in clear text. -user=user The -user parameter is optional. If you do not specify a user ID, the administrator ID is used. -websererpath=websererpath The -websererpath parameter is optional. If you specify a path, you must use "\" as an escape character for the file path separator. For example, if the path is C:\Program Files\VMware\Infrastructure\ tomcat, you must enter C:\\Program Files\\VMware\\Infrastructure\\ tomcat. If you do not specify a path, the alue from the Windows registry is used. Tip: This parameter is not used when you are installing the Sphere Web Client extension on a Center Serer Appliance. -tpcsereraddress=tpcsereraddress The -tpcsereraddress parameter is required only for register mode. Enter the host name or IP address of the serer where Tioli Storage Productiity Center is installed. -tpcsererhttpsport=tpcsererhttpsport The -tpcsererhttpsport parameter is optional and only applies to register mode. Enter the HTTPS port of the Tioli Storage Productiity Center web serer. If you do not specify the port, the default port, 9569, is used. 2. Specify a file name, and sae the file to a location of your choice. Related tasks: Chapter 1. Configuring 83

94 Unregistering the Sphere Web Client extension for Tioli Storage Productiity Center on page 92 You can remoe the Sphere Web Client extension for Tioli Storage Productiity Center as an extension on the Center Serer if you no longer want to use Tioli Storage Productiity Center with a Center Serer. Related reference: setup command for the Sphere Web Client extension on page 86 Use the setup command from the command line on a Center Serer system or Center Serer Appliance to install and register the Sphere Web Client extension for Tioli Storage Productiity Center. You can also use this command to unregister the extension on the Center Serer system or the Center Serer Appliance. Sample properties files for the Sphere Web Client extension on page 91 You can use a properties file to register or unregister the Sphere Web Client extension for Tioli Storage Productiity Center by using the setup command in read-from-file mode. Saing the Tioli Storage Productiity Center serer configuration information You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. When you sae the configuration information, it persists for subsequent sessions. Ensure that you register the Sphere Web Client extension for Tioli Storage Productiity Center. To access the Sphere Web Client extension for Tioli Storage Productiity Center, you must be assigned the Administrator, Monitor, or External Application role. Complete this task when you want to sae Tioli Storage Productiity Center configuration information for the first time. When you use the Sphere Web Client extension for Tioli Storage Productiity Center, you can proision storage and iew information about resources that are monitored by Tioli Storage Productiity Center. When you sae the configuration information, the Tioli Storage Productiity Center serer can also be automatically registered as a VASA proider for the Center Serer. To iew Tioli Storage Productiity Center storage data in the existing Center Serer reports and iews, you must ensure that the VASA proider registration process is completed. 1. Start the Sphere Web Client, and log on to the Center Serer system. 2. From the Sphere Web Client Home tab, in the Administration section, click the IBM Tioli Storage Productiity Center icon. 3. In the Host name field on the Tioli Storage Productiity Center page, enter the host name of the system that is running Tioli Storage Productiity Center. 4. In the Port field, enter the HTTPS port of the Tioli Storage Productiity Center web serer or accept the default port, Enter an authorized user name and password. 6. Click Sae. The TPCSererConfiguration.properties file is saed in the following location: On Windows operating systems: %ALLUSERSPROFILE%\IBM\TPC 84 IBM Tioli Storage Productiity Center: Administrator's Guide

95 For example, C:\Documents and Settings\All Users\IBM\TPC\ or %PROGRAMDATA%\IBM\TPC For example, C:\ProgramData\IBM\TPC\ On Linux operating systems: /opt/ibm/tpc 7. Optional: If the registration process for the VASA proider displays an error message at the top of the window, you must manually register the VASA proider. Complete the manual registration process only if you want to iew Tioli Storage Productiity Center storage data in the existing Center Serer reports and iews. Related tasks: Registering the Sphere Web Client extension for Tioli Storage Productiity Center on page 81 You can deploy the Sphere Web Client extension for Tioli Storage Productiity Center on a Center Serer so that you can use Tioli Storage Productiity Center with a Center Serer. Registering a Tioli Storage Productiity Center VASA proider on page 76 Use the Sphere Client or the Sphere Web Client to register Tioli Storage Productiity Center as a VASA proider. Related reference: Registration of Tioli Storage Productiity Center as a VASA proider You must complete the VASA proider registration process so that you can iew Tioli Storage Productiity Center storage data in the existing Center Serer reports and iews. When you sae the credentials and connection information for the Tioli Storage Productiity Center serer in the Sphere Web Client, Tioli Storage Productiity Center can also be registered automatically as a VASA proider for the Center Serer. Registration of Tioli Storage Productiity Center as a VASA proider: You must complete the VASA proider registration process so that you can iew Tioli Storage Productiity Center storage data in the existing Center Serer reports and iews. When you sae the credentials and connection information for the Tioli Storage Productiity Center serer in the Sphere Web Client, Tioli Storage Productiity Center can also be registered automatically as a VASA proider for the Center Serer. Automatic registration The registration process completes automatically in the following situations: No VASA proiders are registered. VASA proiders are registered. The Tioli Storage Productiity Center VASA proider is registered, but it is not registered for the same Tioli Storage Productiity Center serer. Manual registration You must complete the registration process manually in the following situations: Only non-ibm VASA proiders are registered. Tioli Storage Productiity Center is already registered as a VASA proider for the same Tioli Storage Productiity Center serer. Related tasks: Chapter 1. Configuring 85

96 Registering a Tioli Storage Productiity Center VASA proider on page 76 Use the Sphere Client or the Sphere Web Client to register Tioli Storage Productiity Center as a VASA proider. Registering the Sphere Web Client extension for Tioli Storage Productiity Center on page 81 You can deploy the Sphere Web Client extension for Tioli Storage Productiity Center on a Center Serer so that you can use Tioli Storage Productiity Center with a Center Serer. Saing the Tioli Storage Productiity Center serer configuration information on page 84 You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. setup command for the Sphere Web Client extension Use the setup command from the command line on a Center Serer system or Center Serer Appliance to install and register the Sphere Web Client extension for Tioli Storage Productiity Center. You can also use this command to unregister the extension on the Center Serer system or the Center Serer Appliance. Use the setup.sh command to run the deployment utility on Center Serer Appliance. You can run the command in command-line, interactie, or read-from-file mode. You must proide all the required parameters when you are using command-line mode. The password alue is not hidden and is displayed in plain text in command-line mode. If you do not inoke command-line mode, the command output prompts you to enter the parameters or accept the defaults. You must hae Administrator authority to use this command. Before you issue the setup command, ensure that you complete the following actiities: Complete the planning actiities. For more information about planning, go to the product documentation at SSNE44_5.2.4/com.ibm.tpc_V524.doc/ fqz0_r_m_planning_webclient_extension.html. Copy the plug-in installation directory, which is in the Tioli Storage Productiity Center web directory on the Tioli Storage Productiity Center serer system. Place the copy in any directory on the Center Serer or the Center Serer Appliance host machine. Create a properties file to store command parameters, if you plan to run the command in read-from-file mode. Run the command from the TPCVmwareVspherePlugin directory on the Center Serer or the Center Serer Appliance. You can check the command log file, TPCDeploymentUtility.log, to see the status of the command. The log file is in the following location: On Windows operating systems: %ALLUSERSPROFILE%\IBM\TPC For example, C:\Documents and Settings\All Users\IBM\TPC\ 86 IBM Tioli Storage Productiity Center: Administrator's Guide

97 or %PROGRAMDATA%\IBM\TPC For example, C:\ProgramData\IBM\TPC\ On Linux operating systems: /opt/ibm/tpc Syntax setup -file filename register unregister -password password -user user -websererpath websererpath -tpcsereraddress tpcsereraddress -tpcsererhttpsport tpcsererhttpsport -silent -help Parameters -file filename Specifies the name and location of the properties file that contains the parameters. The parameters are specified in key-alue pairs. You can create a properties file if you plan to run the command in read-from-file mode. register unregister Specifies the action that the command is to complete. You can specify one of the following actions: register Register the Tioli Storage Productiity Center plug-in package as an extension on the Center Serer. Tip: If the Tioli Storage Productiity Center plug-in package is already registered with the Center Serer, the extension information is updated on the Center Serer. The TPC_VmPlug.zip package is also updated. unregister Remoe the Tioli Storage Productiity Center plug-in package as a Center Serer extension. -password password Specifies the password that is used to authenticate with the Center Serer. -user user Specifies a Center Serer user ID. If you do not specify a user ID, the default alue is the administrator ID. -websererpath websererpath Specifies the Center Serer web serer installation path. If you do not specify a path, the default alue is copied from the Windows registry. Note: This parameter is not used in a Center Serer Appliance installation. -tpcsereraddress tpcsereraddress Specifies the host name or IP address of the serer where Tioli Storage Productiity Center is installed. Chapter 1. Configuring 87

98 Restriction: This parameter is required only for register mode. -tpcsererhttpsport tpcsererhttpsport Specifies the HTTPS port of the Tioli Storage Productiity Center web serer. If you do not specify the port, the default alue is Restriction: This parameter only applies to register mode. -silent Specifies that any output that is generated is redirected to the command log file and not to the console. By default the output is generated on the console and to the log file. -help Lists help information for the command. Example: Register the Sphere Web Client extension for Tioli Storage Productiity Center in read-from-file mode with the silent option Register the Sphere Web Client extension for Tioli Storage Productiity Center as a Center Serer extension in read-from-file mode. C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin>setup -file register_file -silent The command output is written to the command log file. Example: Register the Sphere Web Client extension for Tioli Storage Productiity Center in command-line mode Register the Sphere Web Client extension for Tioli Storage Productiity Center as a Center Serer extension in command-line mode. C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin>setup register -password password -tpcsereraddress system1.tpc.example.com -tpcsererhttpsport 9569 The following output is returned: INFO: 12/18/ :08:42 Operating in command-line mode... INFO: 12/18/ :08:42 Communicating with the Center serer... INFO: 12/18/ :08:55 Successfully authenticated with the Center serer... INFO: 12/18/ :08:55 Mode: register INFO: 12/18/ :08:55 Center Serer address: INFO: 12/18/ :08:55 Center Serer port: 443 INFO: 12/18/ :08:55 Center Serer user ID: Administrator INFO: 12/18/ :08:55 Tioli Storage Productiity Center address: omni.storage.tucson.ibm.com INFO: 12/18/ :08:55 HTTPS port of the Tioli Storage Productiity Center web serer: 9569 INFO: 12/18/ :08:55 Registering TPC extension TPC_VmPlug.zip with Center serer. INFO: 12/18/ :08:55 Creating TPC extension com.ibm.tpc.tpc... INFO: 12/18/ :08:55 Extension URL: asa/tpc_vmplug.zip INFO: 12/18/ :08:55 The Sphere Web Client extension for Tioli Storage Productiity Center is not found to be registered with Center Serer. INFO: 12/18/ :08:55 Successfully registered TPC extension TPC_VmPlug.zip with Center serer. INFO: 12/18/ :08:55 Operation completed. Log information is generated in C:\ProgramData\IBM\TPC\TPCDeploymentUtility.log. 88 IBM Tioli Storage Productiity Center: Administrator's Guide

99 Example: Register the Sphere Web Client extension for Tioli Storage Productiity Center in interactie mode Register the Sphere Web Client extension for Tioli Storage Productiity Center as a Center Serer extension in interactie mode. C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin>setup In interactie mode, you are prompted to enter the parameters or accept the defaults. Enter the mode [register or unregister]: register Enter the Center Serer user ID [Administrator]. Press Enter for default: Enter the Center Serer password: Enter the Center Serer web serer path [C:\Program Files\VMware\Infrastructure\ tomcat\]. Press Enter for default: INFO: 12/18/ :21:42 Communicating with the Center serer... INFO: 12/18/ :21:57 Successfully authenticated with the Center serer... Enter the Tioli Storage Productiity Center address: system1.tpc.example.com Enter the HTTPS port of the Tioli Storage Productiity Center web serer [9569]. Press Enter for default: INFO: 12/18/ :22:19 Mode: register INFO: 12/18/ :22:19 Center Serer address: INFO: 12/18/ :22:19 Center Serer port: 443 INFO: 12/18/ :22:19 Center Serer user ID: Administrator INFO: 12/18/ :22:19 Tioli Storage Productiity Center address: system1.tpc.example.com INFO: 12/18/ :22:19 HTTPS port of the Tioli Storage Productiity Center web serer: 9569 INFO: 12/18/ :22:19 Registering TPC extension TPC_VmPlug.zip with Center serer. INFO: 12/18/ :22:19 Creating TPC extension com.ibm.tpc.tpc... INFO: 12/18/ :22:19 Extension URL: asa/tpc_vmplug.zip INFO: 12/18/ :22:20 Extension com.ibm.tpc.tpc found to be registered with Center serer. INFO: 12/18/ :22:20 Updating extension com.ibm.tpc.tpc on the Center serer. INFO: 12/18/ :22:20 Successfully updated extension com.ibm.tpc.tpc on the Center serer. INFO: 12/18/ :22:20 Successfully registered TPC extension TPC_VmPlug.zip with Center serer. INFO: 12/18/ :22:20 Operation completed. Log information is generated in C:\ProgramData\IBM\TPC\TPCDeploymentUtility.log. Example: Unregister the Sphere Web Client extension for Tioli Storage Productiity Center in read-from-file mode with silent option Unregister the Sphere Web Client extension for Tioli Storage Productiity Center as a Center Serer extension in read-from-file mode. C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin>setup -file unregister_file -silent The command output is written to the command log file. Example: Unregister the Sphere Web Client extension for Tioli Storage Productiity Center in command-line mode Unregister the Sphere Web Client extension for Tioli Storage Productiity Center as a Center Serer extension. C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin>setup unregister -password password Chapter 1. Configuring 89

100 INFO: 12/18/ :07:49 Operating in command-line mode... INFO: 12/18/ :07:49 Communicating with the Center serer... INFO: 12/18/ :08:03 Successfully authenticated with the Center serer... INFO: 12/18/ :08:03 Mode: unregister INFO: 12/18/ :08:03 Center Serer address: INFO: 12/18/ :08:03 Center Serer port: 443 INFO: 12/18/ :08:03 Center Serer user ID: Administrator INFO: 12/18/ :08:03 Unregistering TPC extension TPC_VmPlug.zip from Center serer. INFO: 12/18/ :08:03 Extension com.ibm.tpc.tpc found to be registered with Center serer. INFO: 12/18/ :08:03 Successfully unregistered TPC extension TPC_VmPlug.zip from Center serer. INFO: 12/18/ :08:03 Operation completed. Log information is generated in C:\ProgramData\IBM\TPC\TPCDeploymentUtility.log. Example: Unregister the Sphere Web Client extension for Tioli Storage Productiity Center in interactie mode Unregister the Sphere Web Client extension for Tioli Storage Productiity Center as a Center Serer extension in interactie mode. C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin>setup In interactie mode, you are prompted to enter the parameters or accept the defaults. Enter the mode [register or unregister]: unregister Enter the Center Serer user ID [Administrator]. Press Enter for default: Enter the Center Serer password: Enter the Center Serer web serer path [C:\Program Files\VMware\Infrastructure\ tomcat\]. Press Enter for default: INFO: 12/18/ :10:14 Communicating with the Center serer... INFO: 12/18/ :10:26 Successfully authenticated with the Center serer... INFO: 12/18/ :10:26 Mode: unregister INFO: 12/18/ :10:26 Center Serer address: INFO: 12/18/ :10:26 Center Serer port: 443 INFO: 12/18/ :10:26 Center Serer user ID: Administrator INFO: 12/18/ :10:26 Unregistering TPC extension TPC_VmPlug.zip from Center serer. INFO: 12/18/ :10:26 Extension com.ibm.tpc.tpc found to be registered with Center serer. INFO: 12/18/ :10:26 Successfully unregistered TPC extension TPC_VmPlug.zip from Center serer. INFO: 12/18/ :10:26 Operation completed. Log information is generated in C:\ProgramData\IBM\TPC\TPCDeploymentUtility.log. Related tasks: Creating the setup command properties file on page 83 You can create a properties file to use for registering or unregistering the Sphere Web Client extension for Tioli Storage Productiity Center in read-from-file mode. Registering the Sphere Web Client extension for Tioli Storage Productiity Center on page 81 You can deploy the Sphere Web Client extension for Tioli Storage Productiity Center on a Center Serer so that you can use Tioli Storage Productiity Center with a Center Serer. Saing the Tioli Storage Productiity Center serer configuration information on page 84 You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. 90 IBM Tioli Storage Productiity Center: Administrator's Guide

101 Unregistering the Sphere Web Client extension for Tioli Storage Productiity Center on page 92 You can remoe the Sphere Web Client extension for Tioli Storage Productiity Center as an extension on the Center Serer if you no longer want to use Tioli Storage Productiity Center with a Center Serer. Related reference: Sample properties files for the Sphere Web Client extension You can use a properties file to register or unregister the Sphere Web Client extension for Tioli Storage Productiity Center by using the setup command in read-from-file mode. Sample properties files for the Sphere Web Client extension You can use a properties file to register or unregister the Sphere Web Client extension for Tioli Storage Productiity Center by using the setup command in read-from-file mode. You can run the setup command with the option to accept the parameters from the properties file: On Windows operating systems: C:\Program Files\IBM\TPC\web\TPCVmwareVspherePlugin> setup -file filename On Linux operating systems: /opt/ibm/tpc/web/tpcvmwarevsphereplugin>./setup.sh -file filename where filename is the name of the properties file, including the path and the extension, that contains the parameters for the setup command. Sample properties file to register the Sphere Web Client extension To register the Sphere Web Client extension by using the setup command in read-from-file mode, create a properties file that contains the following parameters in key-alue pairs: -mode=register -password=password -user=administrator -websererpath=c:\\program Files\\VMware\\Infrastructure\\tomcat -tpcsereraddress=system1.tpc.example.com -tpcsererhttpsport=9569 Sample properties file to unregister the Sphere Web Client extension To unregister the Sphere Web Client extension by using the setup command in read-from-file mode, create a properties file that contains the following parameters in key-alue pairs: -mode=unregister -password=password -user=administrator -websererpath=c:\\program Files\\VMware\\Infrastructure\\tomcat Related tasks: Creating the setup command properties file on page 83 You can create a properties file to use for registering or unregistering the Sphere Web Client extension for Tioli Storage Productiity Center in read-from-file mode. Registering the Sphere Web Client extension for Tioli Storage Productiity Center on page 81 You can deploy the Sphere Web Client extension for Tioli Storage Productiity Center on a Center Serer so that you can use Tioli Storage Productiity Center Chapter 1. Configuring 91

102 with a Center Serer. Unregistering the Sphere Web Client extension for Tioli Storage Productiity Center You can remoe the Sphere Web Client extension for Tioli Storage Productiity Center as an extension on the Center Serer if you no longer want to use Tioli Storage Productiity Center with a Center Serer. Related reference: setup command for the Sphere Web Client extension on page 86 Use the setup command from the command line on a Center Serer system or Center Serer Appliance to install and register the Sphere Web Client extension for Tioli Storage Productiity Center. You can also use this command to unregister the extension on the Center Serer system or the Center Serer Appliance. Unregistering the Sphere Web Client extension for Tioli Storage Productiity Center You can remoe the Sphere Web Client extension for Tioli Storage Productiity Center as an extension on the Center Serer if you no longer want to use Tioli Storage Productiity Center with a Center Serer. When the extension is unregistered, you can no longer use Tioli Storage Productiity Center on any Sphere Web Client that connects to the same Center Serer. When you unregister the extension, the Tioli Storage Productiity Center VASA proider is not remoed from the Center Serer. If you want to remoe the VASA proider, you must remoe it manually. 1. From the command line on the Center Serer system or the Center Serer Appliance host machine, go to the directory where you copied the TPCVmwareVspherePlugin content. 2. To start the process to unregister the extension, run the deployment utility in the unregister mode by using one of the following methods: Run the deployment utility in command-line mode by issuing the setup command with the following parameters: On Windows operating systems: setup unregister -password password On Linux operating systems:./setup.sh unregister -password password This method unregisters the plug-in package by using the default alues for the command parameters. Run the deployment utility in read-from-file mode by issuing the setup command with the -file option to accept the parameters from a properties file: On Windows operating systems: setup -file filename On Linux operating systems:./setup.sh -file filename where filename is the name of the properties file, including the path and the extension, that contains the parameters for the setup command. To create the properties file, follow the instructions in Creating the setup command properties file on page IBM Tioli Storage Productiity Center: Administrator's Guide

103 Run the deployment utility in interactie mode by issuing the setup command and entering alues when you are prompted: On Windows operating systems: setup On Linux operating systems:./setup.sh Run the deployment utility in silent mode by using the -silent option. In silent mode, any output that is generated is saed to the log file on the disk. The log file, TPCDeploymentUtility.log, is in the following location: On Windows operating systems: %ALLUSERSPROFILE%\IBM\TPC For example, C:\Documents and Settings\All Users\IBM\TPC\ or %PROGRAMDATA%\IBM\TPC For example, C:\ProgramData\IBM\TPC\ On Linux operating systems: /opt/ibm/tpc The Sphere Web Client extension for Tioli Storage Productiity Center is remoed as an extension from the Center Serer system. The IBM Tioli Storage Productiity Center icon remains on the Sphere Web Client Home tab for the session. To remoe it, log out of the Sphere Web Client, and log in again. Related tasks: Registering the Sphere Web Client extension for Tioli Storage Productiity Center on page 81 You can deploy the Sphere Web Client extension for Tioli Storage Productiity Center on a Center Serer so that you can use Tioli Storage Productiity Center with a Center Serer. Unregistering a Tioli Storage Productiity Center VASA proider on page 77 Use the Sphere Client or the Sphere Web Client to unregister Tioli Storage Productiity Center as a VASA storage proider. Related reference: setup command for the Sphere Web Client extension on page 86 Use the setup command from the command line on a Center Serer system or Center Serer Appliance to install and register the Sphere Web Client extension for Tioli Storage Productiity Center. You can also use this command to unregister the extension on the Center Serer system or the Center Serer Appliance. Sample properties files for the Sphere Web Client extension on page 91 You can use a properties file to register or unregister the Sphere Web Client extension for Tioli Storage Productiity Center by using the setup command in read-from-file mode. Updating the Sphere Web Client extension for Tioli Storage Productiity Center To update the Sphere Web Client extension for Tioli Storage Productiity Center, you must redeploy the extension. To update the Tioli Storage Productiity Center serer configuration information for the extension, such as the serer host name, the ersion, or the build, you must also redeploy the extension. You can update the Sphere Web Client extension in one of the following ways: Redeploy the Sphere Web Client extension by using the web-based GUI for Tioli Storage Productiity Center. Chapter 1. Configuring 93

104 Redeploy the Sphere Web Client extension locally on the Center Serer system. When you redeploy the Sphere Web Client extension for Tioli Storage Productiity Center, the Tioli Storage Productiity Center serer credentials are not updated. Restriction: If you want to update the serer credentials, you can only do so when you sae the Tioli Storage Productiity Center serer configuration information in the Sphere Web Client extension. Related tasks: Saing the Tioli Storage Productiity Center serer configuration information on page 84 You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. Redeploying the Sphere Web Client extension from the Tioli Storage Productiity Center serer To install updates to the Sphere Web Client extension for Tioli Storage Productiity Center, redeploy the extension. To update the Tioli Storage Productiity Center serer configuration information for the Sphere Web Client extension, you must also reinstall the extension. Redeploy the extension by adding the Center Serer system as a data source in the web-based GUI. 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. 2. Click Add Hyperisor. 3. Select VMware Center and enter connection information about the Center Serer system. 4. Optional: To deploy the Sphere Web Client extension for Tioli Storage Productiity Center and register Tioli Storage Productiity Center as a VASA proider, in the Deploy Sphere extension page, enter your credentials. For VMware Center Serer, enter a user name and password for the Sphere administrator user. For Tioli Storage Productiity Center, enter a user name and password for a Tioli Storage Productiity Center user ID. You must hae Administrator, Monitor, or External Application authority to deploy the extension. If you entered a Sphere administrator user name and password for the Center Serer system, enter only the Tioli Storage Productiity Center credentials. 5. Schedule a probe for the hyperisors that were discoered. 6. Follow the instructions in the wizard to add the Center Serer system. Redeploying the Sphere Web Client extension locally for Tioli Storage Productiity Center To install updates to the Sphere Web Client extension for Tioli Storage Productiity Center, redeploy the extension. To update the Tioli Storage Productiity Center serer configuration information for the Sphere Web Client extension, you must also redeploy the Sphere Web Client extension. You can redeploy the extension by using the setup command on the Center Serer system. You can redeploy the Sphere Web Client extension without first unregistering the existing registration. To redeploy the Sphere Web Client extension for Tioli Storage Productiity Center, download and register the new package to the Center Serer system. 94 IBM Tioli Storage Productiity Center: Administrator's Guide

105 1. Run the deployment utility to register the Sphere Web Client extension without first unregistering the existing registration. To run the deployment utility, follow the instructions in Registering the Sphere Web Client extension for Tioli Storage Productiity Center on page 81. The Tioli Storage Productiity Center registration information is updated. 2. To download the new Sphere Web Client extension, log on to the Sphere Web Client. Tip: When you log on to the Sphere Web Client for the first time, the Sphere Web Client extension for Tioli Storage Productiity Center is downloaded to the Sphere Web Client computer. As a result, the logon process can take seeral minutes to complete. The new Sphere Web Client extension is downloaded to the Sphere Web Client packages location on the Sphere Web Client computer, for example, %ProgramData% \VMware\Sphere Web Client\c-packages\sphere-clientserenity. Tip: Alternatiely, to update the Sphere Web Client extension for Tioli Storage Productiity Center, unregister the extension and then register a new Sphere Web Client extension. Related tasks: Unregistering the Sphere Web Client extension for Tioli Storage Productiity Center on page 92 You can remoe the Sphere Web Client extension for Tioli Storage Productiity Center as an extension on the Center Serer if you no longer want to use Tioli Storage Productiity Center with a Center Serer. Saing the Tioli Storage Productiity Center serer configuration information on page 84 You can sae the configuration information for the Tioli Storage Productiity Center serer in the Sphere Web Client extension. The information includes the serer credentials and connection information, which enable the Sphere Web Client extension to connect to Tioli Storage Productiity Center. Related reference: setup command for the Sphere Web Client extension on page 86 Use the setup command from the command line on a Center Serer system or Center Serer Appliance to install and register the Sphere Web Client extension for Tioli Storage Productiity Center. You can also use this command to unregister the extension on the Center Serer system or the Center Serer Appliance. Sample properties files for the Sphere Web Client extension on page 91 You can use a properties file to register or unregister the Sphere Web Client extension for Tioli Storage Productiity Center by using the setup command in read-from-file mode. Deploying Storage Resource agents You can manage your Storage Resource agent deployments. Deploy Storage Resource agents through the user interface rather than a separate installation wizard. You can hae only one agent per host that points to the same Tioli Storage Productiity Center serer. Chapter 1. Configuring 95

106 Before you begin: Before you deploy Storage Resource agents, see Deployment guidelines and limitations for Storage Resource agents for a list of considerations. You can deploy a Storage Resource agent on a single serer or you can deploy Storage Resource agents on multiple serers at the same time. If you deploy Storage Resource agents on multiple serers, a time span is calculated during which the agents are deployed. The Storage Resource agents are deployed at regular interals during the time span to aoid excessie load on the Tioli Storage Productiity Center serer. If you deploy Storage Resource agents on multiple computers at the same time, the computers must hae the same administratie user ID and password. Tioli Storage Productiity Center uses these user credentials to log on to the computers when the Storage Resource agents are deployed. To deploy Storage Resource agents, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. Click Add Serer. 3. Select Deploy an agent for full serer monitoring. 4. Select one of the following methods for adding a serer: Add a serer by manually entering information about the serer and the Storage Resource agent. Add one or more serers by importing configuration information from a comma-delimited file. 5. Configure deployment information for the Storage Resource agents. 6. Schedule the agent deployment and the data collection for the serers. 7. Click Finish to deploy the Storage Resource agents. Deployment guidelines and limitations for Storage Resource agents You must consider the following guidelines and limitations when you manage Storage Resource agents in your enironment. Capacity guidelines for Storage Resource agents: For the capacity guidelines for Storage Resource agents by Tioli Storage Productiity Center ersion, see Use the following information when you deploy Storage Resource agents: Multiple Storage Resource agents that are probing or scanning the same storage resources Platforms that support the deployment of Storage Resource agents Product functions that are not aailable for storage deices monitored by Storage Resource agents Required authority for deploying Storage Resource agents Orphan zones Firewalls and Storage Resource agents deployments Deploying Storage Resource agents on multiple computers Communication between the Tioli Storage Productiity Center serer and a Storage Resource agent Daemon and non-daemon serices 96 IBM Tioli Storage Productiity Center: Administrator's Guide

107 Authentication between the Tioli Storage Productiity Center serer and a Storage Resource agent Replacing default SSL certificates Storage Resource agents on the same computer Time zones for computers monitored by Storage Resource agents Connections for Linux and AIX operating systems by using Remote Shell protocol (RSH) Deployments on Windows - NetBIOS setting Deployments on Windows - User Account Control (UAC) remote restrictions Multiple Storage Resource agents that are probing or scanning the same resources If multiple Storage Resource agents are set up to probe or scan the same storage resources, the Storage Resource agents that was added to Tioli Storage Productiity Center first is used for the probe or scan. Therefore, only data that is gathered by the first Storage Resource agent is shown. Platforms that support the deployment of Storage Resource agents For a list of platforms on which you can deploy Storage Resource agents, see the Tioli Storage Productiity Center interoperability matrix and go to the Agents, Serers and Browsers section. Product functions that are unaailable for resources that are monitored by Storage Resource agents Before you deploy a Storage Resource agent, ensure that the product functions you want to use on the monitored resources are aailable for those agents. The following functions are not aailable for resources that are monitored by Storage Resource agents: Certain relational database monitoring. For list of relational databases that can be monitored by Storage Resource agents, see the Tioli Storage Productiity Center interoperability matrix and go to the Agents, Serers and Browsers section. The reporting of HBA, fabric topology, or zoning information for fabrics that are connected to hosts that are running Linux on IBM System z hardware. These limitations also apply to Storage Resource agents on all guest operating systems for VMware configurations. Required authorities for deploying and running Storage Resource agents Before you can create deployment schedules and deploy Storage Resource agents on target computers, you must meet the following requirements: To create deployment schedules, you must be logged in to Tioli Storage Productiity Center with a user ID that has the Administrator role. For information about user roles, see Authorizing users on page 12. To deploy Storage Resource agents on target computers, you must proide a user ID that has administratie rights on those computers. You enter this ID when you create a deployment schedule. Tioli Storage Productiity Center uses this ID to log on to the target computers and install and configure the necessary runtime files for the agents. The user under which a Storage Resource agent (daemon or non-daemon) runs must hae the following authorities on the target computers: On the Linux or AIX operating systems, the user must hae root authority. By default, an agent runs under the user 'root'. Chapter 1. Configuring 97

108 On the Windows operating systems, the user must hae Administrator authority and be a member of the Administrators group. By default, a Storage Resource agent runs under the 'Local System' account. Orphan zones Storage Resource agents do not collect information about orphan zones. An orphan zone is a zone that does not belong to at least one zoneset. Firewalls and Storage Resource agent deployments Before you can deploy a Storage Resource agent on a computer, you must turn off the firewall on that computer. If you do not turn off the firewall, the deployment fails. To turn off the firewall on a Windows 2008 computer, complete the following steps: 1. Open Administratie Tools. For information about how to open Administratie Tools, see Accessing administration tools on page Click Windows Firewall with Adanced Security. 3. Click Windows Firewall Properties. 4. Change the Firewall state field to Off on the following tabs: Domain Profile Priate Profile Public Profile 5. Click OK to accept the changes and exit. 6. Deploy a Storage Resource agent to the Windows 2008 computer. Deploying Storage Resource agents on multiple computers If you deploy Storage Resource agents on multiple computers at the same time, the computers must hae the same administratie user ID and password. Tioli Storage Productiity Center uses these user credentials to log on to the computers when you install Storage Resource agents. Tip: When you deploy Storage Resource agents on multiple computers, a globally unique identifier (GUID) is created for each computer (if one does not exist). Communication between the Tioli Storage Productiity Center serer and a Storage Resource agent The Tioli Storage Productiity Center serer connects to a monitored computer when a Storage Resource agent is deployed and wheneer a data collection schedule runs against that agent. During deployment, the serer communicates with the target computer by using one of the following protocols: Windows serer message block protocol (SMB) Secure Shell protocol (SSH) Remote execution protocol (REXEC) Remote shell protocol (RSH) After deployment, the type of communication between the serer and agent on that computer depends on whether you deployed the agent as daemon serice or non-daemon serice. Daemon and non-daemon serices You can deploy a Storage Resource agent as a daemon or non-daemon serice: 98 IBM Tioli Storage Productiity Center: Administrator's Guide

109 A Storage Resource agent that is deployed as a daemon serice runs in the background on the monitored computer and listens for requests from the Tioli Storage Productiity Center serer. Connectiity between the serer and agent is established by using SSL. The serer and agent hae their respectie certificates and no additional information is required besides those certificates and the security that is proided by the SSL protocol. A Storage Resource agent deployed as a serice on demand (non-daemon serice) runs as a stand-alone executable file on the monitored computer. Communication from the serer to the agent uses the same protocol that was used during the deployment of the agent. Communication from the agent to the serer uses SSL. Authentication between the Tioli Storage Productiity Center serer and a Storage Resource agent Tioli Storage Productiity Center requires the correct authentication information (user name, password, port, certificate location, or passphrase) for monitored computers each time it communicates with Storage Resource agents on those computers. If the authentication information changes for a host computer on which a Storage Resource agent is deployed, the authentication information for that agent must be updated by using the Modify Agents > Update Credentials action on the Serers page in the web-based GUI. Replacing default SSL certificates Tioli Storage Productiity Center proides default SSL certificates for communication between the Data serer and Storage Resource agent. Tioli Storage Productiity Center Version uses SSL certificates with 2048-bit encryption keys whereas preious ersions of Tioli Storage Productiity Center used 1024-bit encryption keys. If you upgrade Tioli Storage Productiity Center from a ersion earlier than 5.2.2, your SSL certificates are not updated automatically. If you want to use 2048-bit encryption keys with preious ersions of Tioli Storage Productiity Center, you must replace the default SSL certificates with custom SSL certificates. For information about how to replace SSL certificates, see Replacing custom SSL certificates on page 107. Storage Resource agents on the same computer You cannot deploy a Storage Resource agent on a computer where a Storage Resource agent is already installed and pointing to the same Data serer. You can deploy a Storage Resource agent on the same computer as another Storage Resource agent if those agents communicate with different Data serers and use different ports when you listen for requests. Time zones for computers that are monitored by Storage Resource agents The time zones of computers that are monitored by Storage Resource agents are shown as Greenwich mean time (GMT) offsets in Tioli Storage Productiity Center reports. For example, a computer in Los Angeles shows the following time zones in the By Computer report in Asset reporting: (GMT-8:00) GMT-8:00 Connections for Linux and AIX operating systems by using Remote Shell protocol (RSH) If RSH is configured to use a user ID and password, the connection fails. To successfully connect to a system by using RSH, you must set up the Chapter 1. Configuring 99

110 .rhosts file (in the home directory of the account). RSH must be configured to accept a login from the system that is running your application. Deployments on Windows operating systems - NetBIOS setting To install a Storage Resource agent on Windows targets, the Enable NetBIOS oer TCP/IP option must be selected in the Control Panel settings for the computer's network connections properties. To set this option, complete the following steps: 1. Open Windows Control Panel. For information about how to open Windows Control Panel, see Accessing administration tools on page Select Network and Dial-Up Connections > some_connection > Properties > Internet Protocol (TCP/IP) > Adanced > WINS > Enable NetBIOS oer TCP/IP. To determine whether these ports are not blocked for inbound requests, see the documentation for your firewall. To determine whether security policies are blocking the connection ports, open Administratie Tools. For information about how to open Administratie Tools, see Accessing administration tools on page 267. Depending on whether your policies are stored locally or in Actie Directory, follow these directions: Policies that are stored locally For policies that are stored locally, complete the following steps: 1. Open Windows Administratie Serices. 2. Click Local Security Policy > IP Security Policies on Local Computer. Policies that are stored in Actie Directory For policies that are stored in Actie Directory, examine the IP security policies and edit or remoe filters that block the ports: Click Administratie Tools > Default Domain Security Settings > IP Security Policies on Actie Directory. Click Administratie Tools > Default Domain Controller Security Settings > IP Security Policies on Actie Directory. For all Windows systems, the Serer serice must be running to connect to a Windows system by using the Windows protocol. The following table lists the ports that are resered for NetBIOS. Ensure that these ports are not blocked. Port Description 135 NetBIOS Remote procedure call. (Not currently used.) 137 NetBIOS name serice. 138 NetBIOS datagram. (Not currently used.) 139 NetBIOS session (for file and print sharing). 445 CIFS (on Windows XP). For Windows Serer 2008, shares must be shared for the Guest or Eeryone accounts, and password protected sharing must be disabled. To disable password protected sharing, follow these steps: 100 IBM Tioli Storage Productiity Center: Administrator's Guide

111 1. Click Control Panel > Networking and Sharing Center. 2. Click the down arrow next to Password protected sharing. 3. Click Turn off password protected sharing. 4. Click Apply. 5. Exit from the Control Panel. Deployments on Windows User Account Control (UAC) remote restrictions To install Storage Resource agents remotely on a Windows 2008 operating system, you must disable the User Account Control (UAC) remote restrictions on the Windows operating system. User Account Control is a security component on Windows operating systems. Tip: To disable UAC restrictions, you must modify the computer registry. Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if problems occur. For information about how to back up and restore the registry, see To disable UAC remote restrictions, follow these steps: 1. Open the Windows Run window. For information about how to open the Run window, see Accessing administration tools on page Enter regedit and click OK. 3. Locate and click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Policies\System 4. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps: a. On the Edit menu, click New > DWORD Value. b. Enter LocalAccountTokenFilterPolicy as the name for the DWORD alue and click Enter. c. Click LocalAccountTokenFilterPolicy, and click Modify. d. In the Edit DWORD Value window, enter 1, then click OK. This alue can be 0 or 1: 0 This alue builds a filtered token. This alue is the default alue. The administrator credentials are remoed. 1 This alue builds an eleated token. e. Exit the registry editor. Creating a certificate for SSH protocol Before you install the Storage Resource agents by using the SSH protocol, create a certificate. Note: The Storage Resource agent only supports either DES-EDE3-CBC encryption or no encryption for the priate key used in SSH protocol communication between the serer and agent. The default encryption that is used in the ssh-keygen command on UNIX is always DES-EDE3-CBC. Howeer, with Windows Cygwin, the ssh-keygen command generates a key with AES-128-CBC encryption if a passphrase is specified. If there is no passphrase, the priate key is generated without encryption. For more information about encryption, see Chapter 1. Configuring 101

112 Creating a certificate for SSH protocol (non-windows) The Storage Resource agent only supports either DES-EDE3-CBC encryption or no encryption for the priate key used in SSH protocol communication between the serer and agent. The default encryption used in ssh-keygen command on UNIX is always DES-EDE3-CBC but with Windows Cygwin, it is using AES-128-CBC encryption if a passphrase is specified. If there is no passphrase, the priate key is generated without encryption. To create a certificate for SSH protocol, complete the following steps: 1. Telnet to the remote machine using the root user ID. 2. To create an SSH certificate on AIX, you must first install the following packages (if not already installed): openssl.base.openssh.base.client openssh.base.serer 3. Go to the directory where you want to create the certificate: cd to ~/.ssh 4. Enter ssh-keygen. Accept the default names (for example, id_rsa). 5. Enter the passphrase. 6. Two files are created: id_rsa The priate key. id_rsa.pub The public key. 7. Create an authorized_key file in the same location as id_rsa.pub by entering the following command: cat id_rsa.pub >> authorized_keys 8. Copy the id_rsa (priate key) to your serer machine. For example, to copy the id_rsa file to :\keys\id_rsa on the IBM Tioli Storage Productiity Center serer (user responses are in boldface type): # ssh-keygen Generating public/priate rsa key pair. Enter file in which to sae the key (//.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: You identification has been sae in //.ssh/id_rsa. Your public key has been sae in //.ssh/id_rsa.pub. The key fingerprint is: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@serer # cat id_rsa >> authorized_keys # ls -l total 24 -rw-r r 1 root system 1743 Oct 15 09:40 authorized_keys -rw-- 1 root system 1743 Oct 15 09:39 id_rsa -rw-r r 1 root system 399 Oct 15 09:39 id_rsa.pub # Note: You must copy the file in binary mode. 9. To connect to the remote system by using the priate key, enter the following information in the web-based GUI when you install the Storage Resource agent: User Certificate Location (c:\keys\id_rsa) Passphrase 102 IBM Tioli Storage Productiity Center: Administrator's Guide

113 Setting up an SSH daemon on Windows On Windows Serer 2003, Windows XP, Windows Serer 2008, or Windows Vista, you must run the ssh-host-config command. Note: Cygwin is not a prerequisite for the Storage Resource agent on Windows. To use the SSH protocol on Windows, an SSH software program must be used because Windows does not come with an SSH serice. Cygwin is a free software program proiding SSH access to a Windows serer. Cygwin can be used if you want to run the Storage Resource agent by using the SSH protocol. You must be in a Cygwin window or be an X term user to create the sshd serice. In most cases, you click the cygwin.bat file to start the Bash shell. Complete the following steps: 1. Install Cygwin. 2. Set up your sshd serice in Cygwin. 3. Create the certificate. Installing Cygwin To install Cygwin, go to This page contains a link that displays help for the setup program and a link to download the setup program. Read the help before running the setup program. Then download the Cygwin program by clicking the Install Cygwin now link. Start the setup program on your computer by running the setup.exe program. Select the appropriate download option (Install from Internet, Download from Internet, orinstall from Local Directory ) as described in the help files. If you are upgrading from an older ersion of Cygwin to a newer ersion, you need to remoe the sshd serice before installing the new ersion of Cygwin. Accept the default installation options as they are presented to you (Root Directory, Install For, Default Text File Type, and so on). Select a download mirror that is geographically close to your location. Some sites require an FTP account before you can install Cygwin. You can either request an account or simply select another mirror. During the installation process, a Select Packages list is displayed. Expand the plus sign (+) next to the Admin category and select cygrunsr and the Bin check box. Expand the plus sign (+) next to the Net category and select openssh. Expand the plus sign (+) next to the Util category and select diffutils. Click Next to resume the setup program. The time required to download the packages depends on how busy the mirror is, and on the speed of your internet connection. With openssh and cygrunsr, the downloaded files require approximately 70 MB of disk space. Allow 20 minutes to 30 minutes for the download and installation to complete. Setting up your sshd serice in Cygwin Here is an example of the sequence of steps and responses. The responses to the prompts are in boldfaced type. 1. Run the ssh-host-config command. Note: With Cygwin, you might experience permission problems when running the ssh-host-config command. If you hae permission problems, run these commands: Chapter 1. Configuring 103

114 chmod +r /etc/passwd chmod +r /etc/group chmod 777 /ar $ ssh-host-config Generating /etc/ssh_host_key Generating /etc/ssh_host_rsa_key Generating /etc/ssh_host_dsa_key Generating /etc/ssh_config file Should priilege separation be used? (yes/no) no Generating /etc/ssh_config file Warning: The following functions require administrator priileges! Do you want to install sshd as serice? yes (If sshd is already installed as a serice, answer no.) You appear to be running Windows 2003 Serer or later. On 2003 and later systems, it s not possible to use the LocalSystem account, if sshd should allow passwordless logon (e. g. public key authentication). If you want to enable that functionality, it s required to create a new account sshd_serer with special priileges, which is then used to run the sshd serice under. Should this script create a new local account sshd_serer which has the required priileges? (yes/no) yes Please enter a password for new user sshd_serer. Please be sure thatthis password matches the password rules gien on your system. Entering no password will exit the configuration. PASSWORD=password (Specify a password for the sshd_serer account.) User sshd_serer has been created with password password. If you change the password, please keep in mind to change the password for the sshd serice, too. Also keep in mind that the user sshd_serer needs read permissions on all users.ssh/authorized_keys file to allow public key authentication for these users. (Re-)running ssh-user-config for each user will set the required permissions correctly. Which alue should the enironment ariable CYGWIN hae when sshd starts? It s recommended to set at least "ntsec" to be able to change user context without password. Default is "ntsec". CYGWIN=ntsec The serice has been installed under sshd_serer account. To start the serice, call net start sshd or cygrunsr -S sshd. Note! If the serice doesn t start because of a login failure Host configuration finished. Hae fun! 104 IBM Tioli Storage Productiity Center: Administrator's Guide 2. Start the sshd serice: a. Open a command prompt window. b. Enter net start sshd or in a Bash prompt, enter cygrunsr -start sshd. c. Verify that the daemon is running. d. Enter ps -a. Examine the output to see if /usr/sbin/sshd is contained in the list of running processes.

115 To stop the serice from a Windows command prompt, enter net stop sshd. Alternatiely, you can change to the C:\cygwin\bin directory (or open a Bash shell) and enter cygrunsr -stop sshd. 3. When you hae started the sshd serice, test it by entering the following command from a Bash shell prompt: ssh localhost -l user_id or ssh host_name -l user_id If localhost does not work, use the short host name. If you receie a message indicating that the authenticity of localhost cannot be established, answer Yes to the question "Are you sure you want to continue connecting?" When prompted for your account password on localhost, enter the password you use when logging in to the computer. 4. Create the accounts that can log in to the computer: a. Create the Windows accounts. Click Start > Settings > Control Panel > User Accounts. Make each user a member of the Administrators group. Perform this operation for each user you want to add before you create the corresponding Cygwin accounts. b. Make a backup copy of the /etc/passwd file. c. To create the Cygwin user accounts, run the following command: mkpasswd -l>/etc/passwd d. Verify that a home directory has been created for each account that you hae added. Change the ownership of the home directory to its owner (run the chown command). If a home directory for the user does not exist, create one. For example, enter the following command: mkdir home/account_name;chown account_name/home/account_name e. When you add users, you need to stop and start sshd before that account is recognized because sshd only reads the file /etc/passwd when the serice starts. f. If you need to create groups of accounts, create the Windows groups first, then create the Cygwin groups. After creating the Windows groups, run the following command: mkgroup -l>/etc/passwd When you add groups, you also need to stop and start sshd before the new group is recognized. 5. Set the TEMP enironment ariable. For information about setting the enironment ariable, see setup-en.html. Here is an example of setting the enironment ariable: a. Click My Computer > Properties > Adanced > Enironment Variables. b. Under System ariables, find out the alue of TEMP. For example, "C:\WINNT\TEMP" c. Set the TEMP enironment ariable to point to the Cygwin format of TEMP in the ~/.bashrc file. For example run the following command: export TEMP=/cygdrie/c/WINNT/temp Chapter 1. Configuring 105

116 Uncomment and modify this line in the ~/.bashrc file from the default: # export TEMP=/tmp to export TEMP=/cygdrie/c/WINNT/temp The Cygwin sshd serice must be added as a serice that starts automatically. To erify this step, click Start > Settings > Control Panel > Administratie Tools > Serices. Look for CYGWIN sshd in the name list. Verify that it is started and configured to start automatically. Creating the certificate To create a certificate for SSH protocol, complete the following steps: 1. Run this command: cd to ~/.ssh 2. Generate the public and priate keys with a passphrase. The passphrase is required.from the Bash shell prompt, here is an example of the input and output (user responses are in boldface type): Administrator: ~/.ssh $ openssl genrsa -des3 -out key 1024 Response: Generating RSA priate key, 1024 bit long modulus e is (0x10001) Enter pass phrase for key: (enter pass phrase for key) Verifying - Enter pass phrase for key: (enter pass phrase for key again) Administrator: ~/.ssh $ chmod 600 ~/.ssh/key ~/.ssh $ ssh-keygen Generating public/priate rsa key pair. Enter file in which to sae the key (/home/administrator/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saed in /home/administrator/.ssh/id_rsa. Your public key has been saed in /home/administrator/.ssh/id_rsa.pub. The key fingerprint is: 15:aa:f7:fe:28:4a:f9:fc:59:49:e4:b5:b2:ee:a2:d4 Administrator@ serer Administrator: ~/.ssh $ cat id_rsa.pub >> authorized_keys 3. Copy the id_rsa (priate key) to the IBM Tioli Storage Productiity Center serer. 4. To connect to the remote system by using the priate key, enter the following information in the web-based GUI when you install the Storage Resource agent: User Certificate Location (c:\keys\id_rsa) Passphrase 106 IBM Tioli Storage Productiity Center: Administrator's Guide

117 Replacing custom SSL certificates IBM Tioli Storage Productiity Center proides default SSL certificates for communication between the Data serer and Storage Resource agent. You can replace your custom certificates with the default certificates. Oeriew of replacing a custom certificate for SSL protocol Tioli Storage Productiity Center uses SSL certificates for communication between the Data serer and Storage Resource agent (daemon serice). Storage Resource agents that are deployed as non-daemon serices also use SSL for communication between the Storage Resource agent and the Data serer. Tioli Storage Productiity Center proides default SSL certificates for this communication. If you want to use your own certificates, you can replace the default certificates with your custom certificates. Serer certificate The Tioli Storage Productiity Center Data serer uses the TPCDataSerer.jks and serer.pwd files for communication with the Storage Resource agents. If you are using custom certificates, you must replace these files. There are two ways you can replace these certificates: Before installation of the Data serer After installation of the Data serer Storage Resource agent certificate The Storage Resource agent uses the certificate files sra.pem and sra.pwd for communication with the Data serer. These two files are compressed into the certs.zip file on the serer system for deployment purposes. If you are using custom certificates, you must replace these files. There are two ways you can replace the certificates: Before deployment of the agent After deployment of the agent The general steps for replacing custom certificates are: 1. Generate the custom certificates. 2. Stop the Data serer (and the Storage Resource agent, if the agent is already deployed). 3. Replace the custom certificates on the Data serer and Storage Resource agent or on the disk 1 or Storage Resource Agent installation image. 4. Start the Data serer (and the Storage Resource agent, if the agent is already deployed). Note: When you generate custom SSL certificates, the certificates hae a start date, end date, and time when they are alid. These dates and times are related to the system where these custom certificates were generated (which is usually the serer system). When you install a Storage Resource agent on a remote system, you must check the date and time on the Storage Resource agent system. If the serer and agent systems are in the same time zone, they must hae the same date and time. Otherwise, the time zone difference should be set. For example, if the serer system is 8:00 PM, the agent system should also be 8:00 PM. If the agent system is set at a different time (for example, 6:00 PM) at the time Chapter 1. Configuring 107

118 the SSL custom certificates are generated on the serer system with a time of 8:00 PM, the deployment of the Storage Resource agent fails. How to generate custom certificates The script file createsracerts.sh (for Linux or UNIX) or createsracerts.bat (for Windows) is in the following directory: TPC_install_directory/data/sra/tools/certs TPC_install_directory is where the IBM Tioli Storage Productiity Center serers are installed. The default directory is /opt/ibm/tpc for Linux or UNIX or C:\Program Files\IBM\TPC for Windows. To generate custom certificates, follow these steps: 1. Create the custom certificates. The createsracerts script creates the custom certificates. The syntax is: createsracerts output_directory rootcapassword serer_key_password serer_store_password agent_password output_directory Directory where the certificates are created. rootcapassword Root CA password (root common authority password). The default non-encrypted password is: s5umeapr6cafruhustu. serer_key_password Serer key password. The default non-encrypted password is: drutaxahaswefraf9uth. serer_store_password Serer store password. The default non-encrypted password is: wr4d5xekaqafehet5u2a. agent_password Agent password. The default non-encrypted password is: jawuchezuthew6azejef. Note: You are prompted for the password when the script is run. Proide the alue of the rootcapassword on the command line (if specified on the command line). Otherwise, use the default alues in the createsracerts.sh or createsracerts.bat script when prompted for the password (twice). The following example creates the SSL certificate by using the default output directory and default passwords. createsracerts The following examples create the SSL certificates by using the directory /tmp on UNIX and C:\temp on Windows. These examples use the default passwords. The certificate files are created in the following directory: Windows C:\temp\sra_certs_out Here is an example: 108 IBM Tioli Storage Productiity Center: Administrator's Guide

119 createsracerts C:\temp UNIX or Linux /tmp/sra_certs_out Here is an example:./createsracerts.sh /tmp The following examples create SSL certificates in the directory /tmp on UNIX and C:\temp on Windows. These examples use non-default passwords for root CA and serer key. The certificate files are created in the following directory: Windows C:\temp\sra_certs_out Here is an example of creating a non-default password for the root CA password and serer key password: createsracerts C:\temp newpasswordforrootca newpasswordforserer UNIX or Linux /tmp/sra_certs_out Here is an example of creating a non-default password for the root CA password and serer key password: createsracerts.sh /tmp newpasswordforrootca newpasswordforserer 2. Regenerate the certificates again if you hae a failure. Delete the files in the output directory before you rerun the createsracerts script. 3. Stop the Storage Resource Agents (if any are deployed and running) and the Data Serer. To remotely stop agents from the Data or Storage Resource agents table, complete one of the following steps: For Storage Resource agents that are running as a daemon serice, in the Select Action menu, select Shutdown. For Storage Resource agents that are running as non-daemon agents, you do not need to stop the agent. Non-daemon processes do not need to be started or stopped. Note: For Storage Resource agents that are running as a non-daemon serice, search the Tioli Storage Productiity Center information center for agent.sh command. At the command prompt, enter the following command: "Storage_Resource_Agent_installation_directory/agent/bin/agent.[sh bat] stop" This command must be run locally on each system where an agent is running. On the Linux and UNIX operating systems, enter the agent.sh command, and on the Windows operating system, enter the agent.bat command. For more information about starting or stopping Tioli Storage Productiity Center serices, see Starting and stopping the Tioli Storage Productiity Center serers on page Replace the certificates. There are four scenarios: Replacing the certificates after the serer is installed. Replacing the certificates before the serer is installed. Replacing the certificates after the agent is installed. Replacing the certificates before the agent is locally. Replacing the certificates after the serer is installed Chapter 1. Configuring 109

120 The new serer certificates are created in the following directory: output_directory/sra_certs_out/serer By default output_directory is the directory where the createsracerts script is run: TPC_install_directory/data/sra/tools/certs These files are the serer certificate files: TPCDataSerer.jks serer.pwd For the serer certificate, copy the serer certificate files to the following directory: TPC_install_directory/data/sra/certs The serer certificate files are created in the certs.zip file in the following directory: output_directory/sra_certs_out/agent Copy the certs.zip file into each agent directory: TPC_install_directory/data/sra/agent_operating_system TPC_install_directory/data/sra/serer_operating_system Extract the certs.zip file into the following directory: TPC_install_directory/data/sra/serer_operating_system agent_operating_system is the operating system of an agent that is remotely deployed. serer_operating_system is the operating system on which the Data serer is installed. Replacing the certificates before the serer is installed By default, the output directory is the directory where the createsracerts script is run. The createsracerts script is extracted in the disk1 image in the following directory: disk1_image_install_directory/data/sra/tools/certs Restriction: The following process applies to only extracted images. If you are installing by using a DVD, see the Replacing the certificates after the serer is installed procedure. The new serer certificate files are created in the following directory: output_directory/sra_certs_out/serer By default, output_directory is the directory where the createsracerts script is run: disk1_install_image_directory/data/sra/tools/certs/ The following files are the serer certificate files: TPCDataSerer.jks serer.pwd The disk1 image is in the disk1_image_install_directory directory. Copy the serer certificate files into the following directory: disk1_image_install_directory/data/sra/certs The agent certificates are created in the certs.zip file in the following directory: 110 IBM Tioli Storage Productiity Center: Administrator's Guide

121 output_directory/sra_certs_out/agent Copy the certs.zip file into each agent directory: disk1_image_install_directory/data/sra/agent_operating_system Extract the certs.zip file into the following directory: disk1_image_install_directory/data/sra/serer_operating_system serer_operating_system is the operating system on which the Data serer is installed. Replacing the certificates after the agent is installed The new agent certificates were created on the serer in the following directory: output_directory/sra_certs_out/agent By default, output_directory is: TPC_install_directory/data/sra/tools/certs You must copy the certs.zip file to the agent system before you extract it in the storage_resource_agent_install_directory/certs directory. The Storage Resource agent is installed in the storage_resource_agent_install_directory directory. Replacing the certificates before the agent is installed locally Restriction: This process assumes that the Storage Resource agent disk image can be modified. If you are installing from a DVD, you must copy the installation files to a writable location before proceeding. Before the agent can be installed locally, the custom certificate must be copied to the agent system. Copy the certs.zip Storage Resource agent certificate file from the output_directory/sra_certs_out/agent directory on the Tioli Storage Productiity Center serer to the agent system. By default, the output_directory is where the createsracerts script was run. An example of this directory path is: TPC_installation_directory/data/sra/tools/certs/ a. On the agent system, extract the Storage Resource agent installation image in the SRA_image_install_directory. b. Extract the custom certs.zip file in the following directory: storage_resource_agent_install_directory/agent/certs directory. Note: SRA_image_install_directory is the directory where the Storage Resource agent image was extracted. agent_operating_system is the directory that is named for the operating system where the agent is installed. c. Install the Storage Resource agent with the wanted option. 5. Start the Data serer and the Storage Resource agent. If the Data serer is stopped for replacement of the certificates, start the Data serer after the replacement of the certificates. If the Storage Resource agent is stopped for replacement of certificates, start the Storage Resource agent after the replacement of the certificates. Chapter 1. Configuring 111

122 Configuration guidelines for 500 or more agents You can use this information to help you manage 500 or more agents in Tioli Storage Productiity Center. If you hae 500 or more agents for the Data Serer, complete the following steps: 1. Probe the machines at least once a day or more, depending on when you want to test for alert conditions. This action applies to alert conditions other than directory alerts, quotas, or constraints. 2. If you use anything but the "ALL" groups (ALL file systems, ALL computers), you need to manually populate the groups. 3. Always run a probe before a scan. Set the following parameters in the serer.config file: MaxConnections=1200 The default is 500. Agents can hae multiple connections to the serer. routerthreads=3 (max) Incoming connections need to be routed to the correct Data Manager "serice" queue and can stack up behind this thread. You can watch this behaior by watching the connections in the "serer serice" and the "agent serice" in the GUI. The serer serice runs the router and the agent serice is where the connections are queued once routed and saed by any of three threads here to the repository. 4. Set the following parameter in the Scheduler.config file: MaxSubmitthreads=8 Tells how many threads are used to tell the agents to start a job. Agent connections can queue up the scheduler serice. After a job is run, the agent makes a connection to communicate with this thread to gie it the job status. Including a Storage Resource agent with a serer master image If you use a master operating system image to deploy new serers in your enironment, you can include the Storage Resource agent on that master image. The master image enables the agents to start and register with the Tioli Storage Productiity Center serer automatically upon deployment. This support applies only to Storage Resource agents running in daemon mode. The default agent directory is: For Windows: C:\Program Files\IBM\TPC\agent For UNIX: /opt/ibm/tpc/agent Follow these instructions to include the Tioli Storage Productiity Center agent on a master image. 1. Install the Storage Resource agent in daemon mode on the master image system. 2. Stop the Storage Resource agent on the master image system. For the Windows system: Click Start > Settings > Control Panel > Administratie Tools > Serices. Stop the following serice: IBM Tioli Storage Resource Agent - directory. directory is where the Storage Resource agent is installed. The default directory is TPC_installation_directory\agent. For the UNIX or Linux system, run the following commands: 112 IBM Tioli Storage Productiity Center: Administrator's Guide

123 cd /opt/ibm/tpc/agent/bin/./agent.sh stop 3. Create one of the following files in the root directory for the agent. These files can be empty. Any content in these files is ignored. REGISTERSRA The file name must be uppercase with no file extension. This file causes the agent to run a probe and then register with the serer. This file will use the existing Globally Unique Identifier (GUID). REGISTERSRA_REGENGUID The file name must be uppercase with no file extension. This file causes the agent to regenerate a new Globally Unique Identifier (GUID), run a probe, and then register with the serer. 4. Delete the contents of the agent_installation_directory/logs directory. This clears any existing log messages so that you can iew new messages that are logged. 5. Create the master image copies of this system. 6. When a new system is preinstalled from this image and then started, the REGISTERSRA or REGISTERSRA_REGENGUID file is run. The Storage Resource agent automatically registers with the new Tioli Storage Productiity Center serer. You can then use the web-based GUI to manage the Storage Resource agent deployment. For example, to confirm that the Storage Resource agent was deployed successfully, go to the Serers page and refresh the list. Configuring LUN proisioning for Oracle Solaris Tioli Storage Productiity Center for Data proides a file system extension feature that can be used to automatically increase file system capacity for managed hosts when utilization reaches a specified leel. This function allows for the automatic proisioning of (TotalStorage Enterprise Storage Serer, DS6000, DS8000) LUNs when there is not enough space aailable in a olume group to extend a file system. There is also information about LUN proisioning for Solaris. LUNs can be proisioned for file system hosts that run Solaris, but you must configure the hosts must to aoid a restart after proisioning. Before you install the Storage Resource agent, complete the following steps: 1. Assign TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUNs to Solaris Host Bus Adapters (HBAs). 2. Modify the HBA configuration file to include persistent name binding. 3. Modify the SCSI Disk configuration file to allow the maximum number of LUNs. 4. If you are using multipathing, ensure that TotalStorage Enterprise Storage Serer, DS6000, or DS8000 multipaths are detected by the Veritas Dynamic Multipathing (VxDMP) utility. This section proides basic instructions for performing these configuration steps. For detailed information, see the HBA and VxDMP documentation. Assigning TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUNs to Oracle Solaris HBAs This section proides information about assigning TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUNs to Solaris HBAs. Chapter 1. Configuring 113

124 You must assign at least one TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUN to each HBA on the Solaris host. If you are using multipathing, there are different ways to configure either the host and TotalStorage Enterprise Storage Serer, DS6000, or DS8000. For example: For an TotalStorage Enterprise Storage Serer, DS6000, or DS8000 without internal multipath configuration, assign the same LUNs to the World Wide Port Node (WWPN) of each HBA. For an TotalStorage Enterprise Storage Serer, DS6000, or DS8000 with internal multipath configuration, assign the LUNs to the WWPN of one HBA or assign the same LUNs to the WWPNs of two or more HBAs. Modifying the HBA configuration file The HBA configuration file must be modified to include Persistent Name Binding on HBAs and targets so that both the controller and target numbers remain the same across system reboots. This section proides information about what to modify in the configuration file. The HBA configuration file (for example, qla2200.conf) must be modified to include Persistent Name Binding on HBAs and targets so that both the controller and target numbers remain the same across system reboots. You must reboot the system with the new configuration for the changes to take effect. QLogic QLA2200 and QLA2300 HBAs hae been tested for use with IBM Tioli Storage Productiity Center. You can use the QLogic SANblade Control FX (scfx) application to modify the configuration file for these HBAs. The scfx application is included as part of the deice drier installation package. The scfx application is installed in the /opt/qlogic_corporation/sanblade_control_fx directory. To configure newer models of the QLogic HBAs, use the QLogic SANSurfer software, which is included with the deice drier installation package for newer QLogic models. Consult the QLogic support documentation to be sure you are using the appropriate configuration software. Setting Persistent Name Binding for QLogic HBAs by using the appropriate software This section describes how to set Persistent Name Binding in the HBAs by using the scfx command for LUN proisioning under Oracle Solaris. To configure newer models of the QLogic HBAs, use the QLogic SANSurfer software, which is included with the deice drier installation package for newer QLogic models. Consult the QLogic support documentation to be sure you are using the appropriate configuration software. Follow these steps: 1. Install the QLogic HBA Drier, Common API Library, and QLogic SANblade Control FX (scfx) application if you hae not already done so. For installation instructions, see the SANblade 2200 Series User's Guide or SANblade 2300 Series User's Guide. After these packages are installed successfully, restart and reconfigure the system by using the reboot -- -r command. 2. After the system is rebooted, use scfx to configure Persistent Bind on HBAs and Targets in the /kernel/dr/qla2xxx.conf file. a. Start the scfx application. For example: # /opt/qlogic_corporation/sanblade_control_fx/scfx 114 IBM Tioli Storage Productiity Center: Administrator's Guide

125 The main window of the scfx application consists of three sections: Menu Bar The menu bar proides three options: File, Tools, and Help. HBA Tree The HBA Tree displays the host with its connected adapters (HBAs), deices and LUNs. The HBAs are displayed with a model name and instance number. For example, Adapter 2200 (Instance #0). If a deice is connected to an HBA, it has a plus sign (+) by the HBA, which can be expanded to iew the list of attached deices. The deices are listed with their World Wide Port Names (WWPN). Click the plus sign next to a deice to expand the tree to show all the LUNs in that deice. For a RAID deice, such as an TotalStorage Enterprise Storage Serer, DS6000, or DS8000, there are multiple LUNs per deice. Note: Expand all the deices to search the TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUNs assigned to the system and note the WWPN of the target deice. This information is required to identify the SCSI Target ID assigned or specified for the Persistent Bind Targets Setting. Tabbed Pages The contents of the Tabbed Pages changes depending on what is currently selected in the HBA Tree. b. Select an HBA. Select an adapter in the HBA Tree. The Tabbed Pages show the HBA Information, HBA Options, Target Settings, Boot Deice, Diagnostics, and Utilities tabs. c. Select the Persistent Bind HBA Setting. Click the HBA Options tab. In the Select Parameter Section drop-down list, select Adanced Host Parameters. Select the check box for Persistent Bind HBA. Click Sae. d. Select the Persistent Bind Target Setting. Click the Target Settings tab. Select the check box for each target in the Bind column. If the check boxes are already checked and disabled, proceed to the next step. In the Target ID column, you can either accept the pre-selected SCSI Target ID or change to a different alue. Each SCSI target ID must be unique and range from 0 to 255. Note: Write down the selected Target ID for each TotalStorage Enterprise Storage Serer subsystem deice. Click Sae. e. Repeat Steps b through d for the next HBA. f. Exit the scfx application. From the Menu Bar, select File Exit. A Reboot Reminder dialog is displayed. Click OK to exit. 3. Restart and reconfigure the system by using the reboot -- -r command. Modifying the SCSI disk configuration file You must configure the SCSI disk configuration file for the maximum number of LUNs per target for LUN proisioning for Oracle Solaris. Chapter 1. Configuring 115

126 You must configure the SCSI disk (sd.conf) configuration file for the maximum number of LUNs (256) per target. The system must then be rebooted with the new configuration for the changes to take effect. Follow these steps: 1. Identify the SCSI Target ID assigned to the TotalStorage Enterprise Storage Serer. 2. Edit the /kernel/dr/sd.conf file to include all the possible target and LUN mappings for the RAID deice. For example, assume the SCSI Target ID assigned for an TotalStorage Enterprise Storage Serer is 2. You can allow up to 256 LUNs (0-255) for this target: name="sd" class="scsi" target=0 lun=0; name="sd" class="scsi" target=1 lun=0; name="sd" class="scsi" target=2 lun=0; name="sd" class="scsi" target=2 lun=1; name="sd" class="scsi" target=2 lun=2; : : name="sd" class="scsi" target=2 lun=253; name="sd" class="scsi" target=2 lun=254; name="sd" class="scsi" target=2 lun=255; name="sd" class="scsi" target=3 lun=0; name="sd" class="scsi" target=4 lun=0; : : name="sd" class="scsi" target=253 lun=0; name="sd" class="scsi" target=254 lun=0; name="sd" class="scsi" target=255 lun=0; In this example, the system can detect up to 256 targets with 1 LUN (for example, multiple RAID deices with a total of 256 LUNs) and up to 256 LUNs for target 2 (for example, a RAID deice with a total of 256 LUNs). 3. Restart and reconfigure the system by using the reboot -- -r command. Checking for TotalStorage Enterprise Storage Serer, DS6000, or DS8000 multipaths in VxDMP If you are using IBM TotalStorage Enterprise Storage Serer, DS6000, or DS8000 LUNs with multipaths, you must ensure that all the paths are detected by Veritas Dynamic Multipathing (VxDMP) utility. This section proides information about how to check for multipathing in the VxDMP utility. The VxDMP utility is an administratie interface to the Veritas Volume Manager (VxVM) Dynamic Multipathing (DMP) facility. It lists the paths under a DMP deice, gets the DMP deice corresponding to a path, lists all the disk controllers on the system, lists all the paths through a host disk controller, lists all the DMP nodes through a disk array, and enables or disables a host disk controller on the system. For more information, and detailed instructions, see the VxDMP documentation. To list all disk controllers on the system, enter the following command: # xdmpadm listctlr all The following sample output shows that controllers c3 and c4 are connected to the IBM TotalStorage Enterprise Storage Serer with an Enclosure Type of IBM_SHARK and an Enclosure Name of IBM_SHARK IBM Tioli Storage Productiity Center: Administrator's Guide

127 CTLR-NAME ENCLR-TYPE STATE ENCLR-NAME ===================================================== c1 Disk ENABLED Disk c3 IBM_SHARK ENABLED IBM_SHARK0 c4 IBM_SHARK ENABLED IBM_SHARK0 To list all subpaths for controller c3, enter the following command: # xdmpadm getsubpaths ctlr=c3 The following sample output shows that the DMPNODENAME is the same as the deice name for each TotalStorage Enterprise Storage Serer LUN: NAME STATE PATH-TYPE DMPNODENAME ENCLR-TYPE ENCLR-NAME ====================================================================== c3t4d0s2 ENABLED - c3t4d0s2 IBM_SHARK IBM_SHARK0 c3t4d1s2 ENABLED - c3t4d1s2 IBM_SHARK IBM_SHARK0 To list all subpaths for controller c4, enter the following command: # xdmpadm getsubpaths ctlr=c4 The following sample output shows that the DMPNODENAME for each TotalStorage Enterprise Storage Serer LUN is from controller c3. This means that VxDMP refers to the TotalStorage Enterprise Storage Serer, DS6000 or DS8000 LUNs as deices from controller c3 and mask deices on controller c4 from VxVM: NAME STATE PATH-TYPE DMPNODENAME ENCLR-TYPE ENCLR-NAME ====================================================================== c4t4d0s2 ENABLED - c3t4d0s2 IBM_SHARK IBM_SHARK0 c4t4d1s2 ENABLED - c3t4d1s2 IBM_SHARK IBM_SHARK0 Checking for a fully qualified host name IBM Tioli Storage Productiity Center requires fully qualified host names. Some machines might be configured to return a short host name, such as system1 instead of a fully qualified host name, such as system1.tpc.example.com. This topic proides information on how to check for a fully qualified host name. Checking for a fully qualified host name for AIX systems This topic proides information on how to erify a fully qualified host name for AIX. The default domain name search order is as follows: 1. Domain Name System (DNS) serer 2. Network Information Serice (NIS) 3. Local /etc/hosts file. If the /etc/resol.conf file does not exist, the /etc/hosts file is used. If only the /etc/hosts file is used, the fully qualified computer name must be the first one that is listed after the IP address. Verify that the /etc/resol.conf file exists and contains the appropriate information, such as: domain mydiision.mycompany.com nameserer If NIS is installed, the /etc/irs.conf file oerrides the system default. It contains the following information: hosts = bind,local Chapter 1. Configuring 117

128 The /etc/netsc.conf file, if it exists, oerrides the /etc/irs.conf file and the system default. It contains the following information: hosts = bind,local If the NSORDER enironment ariable is set, it oerrides all of the preceding files. It contains the following information: export NDORDER=bind,local Checking for a fully qualified host name for Linux systems This topic proides information on how to erify a fully qualified host name for Linux. Linux uses a resoler library to obtain the IP address corresponding to a host name. The /etc/host.conf file specifies how names are resoled. The entries in the /etc/host.conf file tell the resoler library what serices to use, and in what order, to resole names. Edit the host.conf file using the i editor to add the following lines: # Lookup names through DNS first then fall back to /etc/hosts. order bind,hosts # Machines with multiple IP addresses. multi on # Check for IP address spoofing. nospoof on The order option indicates the order of serices. The sample entry specifies that the resoler library should first consult the name serer to resole a name and then check the /etc/hosts file. It is recommended to set the resoler library to first check the name serer, bind file, and then the hosts file (hosts) for better performance and security on all your serers. You must hae the DNS and BIND software installed for this configuration to work. The multi option determines whether a host in the /etc/hosts file can hae multiple IP addresses. Hosts that hae more than one IP address are said to be multihomed, because the presence of multiple IP addresses implies that the host has seeral network interfaces. The nospoof option takes care of not permitting spoofing on this machine. IP-Spoofing is a security exploit that works by tricking computers into a trust relationship that you are someone that you really are not. In this type of attack, a machine is set up to look like a legitimate serer and then issue connections and other types of network actiities to legitimize end systems, other serers, or large data repository systems. This option must be set ON for all types of serers. Checking for a fully qualified host name for Oracle Solaris This topic proides information about how to erify a fully qualified host name for Oracle Solaris systems. Verify that the /etc/resol.conf file exists and contains the appropriate information, such as: domain mydiision.mycompany.com nameserer A short name is used if the /etc/nsswitch.conf file contains a line that begins as follows and if the /etc/hosts file contains the short name for the computer: hosts: files 118 IBM Tioli Storage Productiity Center: Administrator's Guide

129 To correct this problem, follow these steps: 1. Change the line in the /etc/nsswitch.conf file to the following: hosts: dns nis files 2. Enter the following command to stop the inet serice: /etc/init.d/inetsc stop 3. Enter the following command to restart the inet serice: /etc/init.d/inetsc start Checking for a fully qualified host name for Windows systems Verify the fully qualified host name on Windows operating systems. 1. Choose one of these options: Option Windows Serer 2012 Windows 7, Windows 2008 Windows XP, Windows Vista Description 1. On the Dashboard page, hoer the mouse oer the lower left corner of the page next to the Serer Manager taskbar button, and then click Start. 2. Click Control Panel, and then click System. 3. Click Change Settings, click Change, and then click Change again. 1. Click Start > Control Panel > System and Security. 2. Click System, and then click Change Settings. 3. On the Computer Name tab, click Change. 1. On the desktop, right-click My Computer, and then click Properties. 2. On the Computer Name tab, click Change.. 2. In the Computer name field, enter the fully qualified host name, and then click More. 3. Verify that the Primary DNS suffix field contains a domain name, and then click OK. Importing authentication information for a Storage Resource agent The Storage Resource agent is installed as a non-daemon or daemon process. Tioli Storage Productiity Center stores the authentication information to connect to the host on which the Storage Resource agent has installed for the non-daemon agent. This authentication information can be changed depending on the enironment. To change the authentication information for a Storage Resource agent for non-daemon serice, follow these steps: 1. Export the authentication information for a Storage Resource agent. 2. The data file exported contains information such as the host name, user ID, password, certificate location, and passphrase for eery agent selected. The information is separated by the pipe character ( ). For example, Chapter 1. Configuring 119

130 agent_host user password certificate passphrase You can update the password or passphrase in encrypted format or plain text format. If you want to update the password or passphrase in encrypted format, then you can use the tpctool. For example, go to this directory and run the tpctool: cd TPC_install_directory/cli tpctool encrypt string_to_be_encrypted This generates an encrypted string. Place this string in the data file to be imported and add to the end of the encrypted string. For example, agent_host usera certificate encrypted_password is the encrypted string for the password and encrypted_passphrase is the encrypted string for the passphrase. 3. Import the data file. Configuring Jazz for Serice Management for DS8000 LDAP authentication You must configure Jazz for Serice Management for LDAP authentication for IBM System Storage DS8000 R4.2. You must also configure Tioli Storage Productiity Center to use LDAP for single sign-on support for the DS8000 R4.2. Oeriew Configuring Jazz for Serice Management and DS8000 for LDAP authentication inoles this process: For Jazz for Serice Management 1. Extract the certificate. This certificate is used for securing communication between the Authentication Client on the Hardware Management Console (HMC) and the Authentication Serice (serer component) on Jazz for Serice Management. 2. Create a truststore that includes the certificate from step Know the Authentication Serice web address. For DS Create a Storage Authentication Serice (SAS) policy with information that is collected from Jazz for Serice Management and the LDAP serer. 2. Test the Storage Authentication Serice policy by using a alid LDAP user that is mapped to a DS8000 user role in the policy. 3. Actiate the Storage Authentication Serice policy by using a alid LDAP user that is mapped to the DS8000 administratie user role in the policy. Determining port numbers for the Authentication Serice web address To determine the port numbers for the Authentication Serice web address and the IBM console: 1. Open the JazzSM_directory/profile/properties/portdef.props file. 120 IBM Tioli Storage Productiity Center: Administrator's Guide

131 2. The port number is the alue that is assigned to one of the following keys: For the protocol: WC_defaulthost used for the authentication serice web address WC_adminhost used for IBM console For the protocol: WC_defaulthost_secure used for authentication serice web address WC_adminhost_secure used for IBM console Configuring Jazz for Serice Management This procedure assumes that Jazz for Serice Management is configured with an LDAP repository for authentication. To configure Jazz for Serice Management, complete the following steps: 1. Know the Authentication Serice web address. Tip: The following text is an example of the Authentication Serice web address: The following text is an example of the web address that you enter: The port for the Authentication Serice is one plus the default Jazz for Serice Management port. The port numbers for Jazz for Serice Management can ary. Contact your Tioli Storage Productiity Center administrator to erify the Jazz for Serice Management port. For more information about determining the ports, see Open a web browser and enter one of the following addresses in the Address field to access the WebSphere Integrated Solutions Console: where hostname is the serer that is running IBM WebSphere Application Serer such as the serer name or IP address and port is the port number for WebSphere Application Serer. The port number differs depending on the protocol that you use (http or https) and the options that you selected during the installation of Jazz for Serice Management. On the WebSphere Integrated Solutions Console, log on using the appropriate user ID and password. 3. Create the truststore in WebSphere Integrated Solutions Console. In the WebSphere Integrated Solutions Console naigation tree, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal Certificates. Select the default certificate and click Extract. On the next page, enter the following information: Certificate file name Enter a file name for the extracted certificate. This file automatically is created in the JazzSM_Directory/profile/etc/ directory. On the Windows operating system, the default directory is C:\JazzSM_Directory\profile\etc\. Accept and select the default data type and click OK. 4. Create the truststore file and import the certificate into the truststore file by using the ikeyman tool. Chapter 1. Configuring 121

132 a. Start the ikeyman tool. For example, on the Windows operating system, run the following command: C:\Program Files\IBM\WebSphere\AppSerer\jaa\jre\bin b. Click Key Database File > New. On the New panel, enter the following information and click OK: Key database type Select JKS. File Name Enter a file name. For example, enter tpc_ess.jks. Location Enter a location. For example, enter C:\tpc\ and click OK. Tip: The default location is C:\Program Files\IBM\WebSphere\AppSerer\ jaa\jre\bin. c. When prompted to specify a password for this truststore, enter a password that you can remember, and click OK. d. On the main Key database information panel, in the Key database content section, select Signer Certificates and click Add. On the Open page, click Browse and select the certificate file that you created in step 3 on page 121. Click Open and OK. Note: Look for the certificate file, change the Files of Type to All files and click Open. e. When prompted to specify a label, enter a label, and click OK. For example, you can enter ESS_Cert. f. The ESS_Cert is now one of the listed Signer Certificates. g. Exit the ikeyman tool and locate the truststore file that you created in step 4b (for this example, tpc_ess.jks). You need this truststore file and the password to configure the LDAP-based policy on the DS8000 system. h. You are now finished with WebSphere Integrated Solutions Console and the truststore setup. 5. Find the user ID and password that is used in LDAP and that will also be used on the DS8000 Storage Authentication Serice policy configuration page. This user ID is used for authenticating with the Authentication Serice. It can be any user ID in LDAP, or a user ID that is also used by Jazz for Serice Management. This user ID is used as the Application Client User ID for a Storage Authentication Serice policy on DS Find the name of a group in LDAP with which you can log on to Jazz for Serice Management and DS8000. You use this LDAP group on DS8000 to map to DS8000 roles. To find the LDAP group name, open the WebSphere Integrated Solutions Console for Jazz for Serice Management and click Users and Groups > Manage Groups. The information that is gathered in steps 1, 3, 4, 5, and 6 is used on the DS8000 Storage Authentication Serice policy creation page. 7. Configure DS8000 R 4.2. Configuring DS8000 for LDAP authentication To configure DS8000 for LDAP authentication, complete these steps: 122 IBM Tioli Storage Productiity Center: Administrator's Guide

133 1. Add the IP address of the DS8000 Hardware Management Console to the Internet Explorer list of trusted sites by completing the following steps: a. Open the Internet Explorer by clicking the Internet Explorer icon on the Quick Launch toolbar. b. From the Internet Explorer toolbar, click Tools > Internet options. c. Click the Security tab, click the Trusted sites icon, and click Sites. d. In the Add this web site to the zone field, type the IP address of the DS8000 HMC. Click Add to add the IP address to the Websites field. e. Click Close and click OK to exit the Internet Options window, and close the Internet Explorer. 2. To access the DS8000 GUI, complete the following steps: a. In the Tioli Storage Productiity Center web-based GUI, click Storage Resources > Storage Systems. b. Click Add Storage System. c. In Type, select DS8000. d. On the Discoer page, enter the following information: Primary HMC host name or IP address User name Password e. Click Next and wait for the discoery to finish. f. Click Configure, and when the configured dialog has finished, click Close. g. Select the DS8000 system that you just added. h. Right-click on DS8000 and select Open Storage System GUI. 3. On the DS8000Storage Manager Welcome page, click Access > Remote Authentication manager. 4. On the User and Authentication Policy Administration Summary page, select a Complex Name. Under the Select action menu, select Create Storage Authentication Serice Policy. 5. On the Authentication Serice Configuration page, enter the following information: Policy Name Authentication Serice URL (primary) Authentication Serice Client User ID Authentication Serice Client Password Confirm Authentication Serice Client Password Click Next. Tip: The following text is an example of an authentication web address: The following text is an example of the web address you enter: The port for the Authentication Serice is one plus the default Jazz for Serice Management port. The port numbers for Jazz for Serice Management can ary. Contact your Tioli Storage Productiity Center administrator if you need to erify the Jazz for Serice Management port. For more information about determining the ports, see Determining port numbers for the Authentication Serice web address. Chapter 1. Configuring 123

134 6. On the Truststore file Information page, enter the following information: Truststore File Location Truststore File Password Confirm Truststore File Password 7. On the Map External Users and User Groups to DS8000 User Roles page, enter the following information: External Entity Name External Entity Type DS8000 User Role Click Add. The entry is entered in the table on this page. Select the entry that you created and click Next. 8. On the Verification page, erify the information and click Next. 9. On the Summary page, to actiate the policy immediately, click Actiate the Policy. To test the policy before actiating it, do not select Actiate the Policy and click Finish to create the policy. This scenario assumes that you want to test the policy before actiating it. A message indicates whether the policy was successfully created. If the policy was successfully created, you can close the message dialog. 10. On the Manage Authorization Policy page, select a policy. Under the Select action menu, click Test Authentication Policy. 11. On the Test Storage Authentication Serice Policy page, enter the following information: External User Name External User Password Proide an LDAP user ID and password for External User Name and External User Password. The user ID must already be mapped to a alid DS8000 user role in the Storage Authentication Serice policy. This user ID does not hae to be in the Administrator group. Click OK. 12. On the Manage Authentication Policy page, select a policy. Under the Select action menu, click Actiate Authentication Policy. 13. On the Actiate Storage Authentication Serice Policy page, enter the following information, and click OK: External User Name External User Password Proide an LDAP user ID and password for External User Name and External User Password. The user ID must already be mapped to a alid DS8000 user role in the Storage Authentication Serice policy. This user ID must be in the Administrator group. The policy is now actiated. 14. To access the DS8000 GUI again from Tioli Storage Productiity Center, update the user name and password: a. In the web-based GUI, click Storage Resources > Storage Systems. b. Click DS8000. c. In the content panel, select DS8000 that you configured. d. Right-click on DS8000 and click Connections > Update Credentials. e. Change the user name and password to the External User Name and External User Password that were preiously used to configure DS IBM Tioli Storage Productiity Center: Administrator's Guide

135 Configuring multiple Jazz for Serice Management serers with one DS8000 R4.2 You can configure multiple Jazz for Serice Management serers to use LDAP authentication for the IBM System Storage DS8000 R4.2. Configuring multiple Jazz for Serice Management serers To configure multiple Jazz for Serice Management serers, complete the following steps: 1. Configure one serer as described in Configuring Jazz for Serice Management for DS8000 LDAP authentication on page 120. This serer is called JazzSM_serer1. 2. Install a second Jazz for Serice Management serer and configure it with the same LDAP repository information as the first Jazz for Serice Management serer. The second serer is called JazzSM_serer2. 3. Open a command prompt window on JazzSM_serer2. 4. Run the wsadmin command to export LTPA keys from JazzSM_serer1 into a file on JazzSM_serer2. wsadmin -user Jazz_admin_ID -password Jazz_admin_password -lang jython -port Jazz_SOAP_port -host JazzSM_serer1_hostname_or_IP_address -f "TPC_install_image_on_JazzSM_serer2/scripts/tip/exportLTPAKeys.py" "LTPA_keys_file_name" LTPA_keys_password The following text is an example of this command: C:\Program Files\IBM\Jazzsm\profile\bin>wsadmin -user tpcsuperuser -password tpcsuperuser -lang jython -port host f "c:/tpc52installimage/scripts/tip/exportltpakeys.py" "c:/share/ltpakeys_ser1" ltpa123 This creates a file on JazzSM_serer2 named ltpakeys_ser1 that contains the LTPA keys of JazzSM_serer1. Note: Use forward slashes. 5. In the same command window, run the following command to import the LTPA keys into Jazz for Serice Management on JazzSM_serer2. wsadmin -user JazzSM_admin_ID -password JazzSM_admin_password -lang jython -f "TPC_install_image_on_JazzSM_serer2/tscripts/tip/importLTPAKeys.py" "LTPA_keys_file_name" LTPA_keys_password. The following text is an example of this command: C:\Program Files\IBM\JazzSM\profile\bin>wsadmin -user tpcsuperuser -password tpcsuperuser -lang jython -f "c:/tpc52installimage/scripts/tip/importltpakeys.py" "c:/share/ltpakeys_ser1" ltpa123 Note: Use forward slashes. 6. The LTPA keys in JazzSM_serer1 and JazzSM_serer2 are now synchronized. You can complete a successful single sign-on launch from JazzSM_serer2 to DS8000 R4.2. DS8000 uses the same policy that was set up when you set up JazzSM_serer1. Chapter 1. Configuring 125

136 The same steps can be used to start the same DS8000 from any number of Tioli Storage Productiity Center serers. This setup is not a high-aailability setup because the policy in DS8000 still points to the Embedded Security Serice in JazzSM_serer1. Note: Use forward slashes. Setting up dual Jazz for Serice Management serers for high aailability Set up dual Jazz for Serice Management serers to proide high aailability of LDAP authentication and single sign-on authentication for Tioli Storage Productiity Center. Procedure Follow these steps: 1. Configure one Jazz for Serice Management serer as described in Configuring Jazz for Serice Management for DS8000 LDAP authentication on page 120. In this example, this serer is called JazzSM_serer1. 2. Install a second Jazz for Serice Management serer with the same LDAP information as the first serer. In this example, this serer is called JazzSM_serer2. 3. Open a command prompt window and go to the following directory: JazzSM_install_directory/bin 4. On JazzSM_Serer2, run the following WebSphere command to export the LTPA keys from JazzSM_serer1 into a file on JazzSM_serer2: wsadmin -user JazzSM_admin_ID -password JazzSM_admin_password -lang jython -port JazzSM_SOAP_port -host JazzSM_serer1_hostname_or_IP_address -f "TPC_install_image_on_JazzSM_serer2/scripts/tip/exportLTPAKeys.py" "LTPA_keys_file_name" LTPA_keys_password Here is an example on a Windows system that uses the default Tioli Storage Productiity Center installation file path: C:\Program Files\IBM\JazzSM\profile\bin>wsadmin -user tpcsuperuser -password tpcsuperuserpassword -lang jython -port host f "c:/tpc52installimage/scripts/tip/exporttpakeys.py" "c:/share/ltpakeys_ser1" ltpa123 This step creates a file named ltpakeys_ser1 that contains the LTPA keys of JazzSM_serer1. The LTPA keys are imported into JazzSM_serer2. Note: Use forward slashes with the -f parameter. 5. In the same command window, run the following WebSphere command to import the LTPA keys into Jazz for Serice Management: wsadmin -user JazzSM_admin_ID -password JazzSM_admin_password -lang jython -f "TPC_install_directory_on_JazzSM_serer2/scripts/tip/importTPAKeys.py" "LTPA_keys_file_name" LTPA_keys_password 126 IBM Tioli Storage Productiity Center: Administrator's Guide

137 Here is an example on a Windows system by using the default Jazz for Serice Management installation file path: C:\Program Files\IBM\JazzSM\profile\bin>wsadmin -user tpcsuperuser -password tpcsuperuserpassword -lang jython -f "c:/tpc52installimage/scripts/tip/importtpakeys.py" "c:/share/ltpakeys_ser1" ltpa123 Note: Use forward slashes with the -f parameter. 6. Synchronize the second authentication serice (on JazzSM_serer2) with the correct LTPA keys: C:\Program Files\IBM\JazzSM\profile\bin>wsadmin -user tpcsuperuser -password tpcsuperuserpassword -lang jython -c "AdminTask.importESSLTPAKeys ( [-pathname c:/share/ltpakeys_ser1 -password ltpa123] )" Restart the second Jazz for Serice Management serer (on JazzSM_serer2). The LTPA keys in JazzSM_serer1 and JazzSM_serer2 are now synchronized. 7. If you are using the Jaa client, add the SSL certificates for all serers to the truststore file: a. Log on to Jazz for Serice Management on JazzSM_serer1 and extract the certificate. In this example, the certificate is named cert1.cer. b. Log on to Jazz for Serice Management on JazzSM_serer2 and extract the certificate. In this example, the certificate is named cert2.cer. c. On JazzSM_serer1, take the cert1.cer and cert2.cer certificates at one location and use the Jaa keytool command to create a truststore. d. Go to C:\Program Files\IBM\JazzSM\profile\jaa\bin and add these two certificates: keytool -import -alias JazzSMSerer1 -file c:\cert1.cer -keystore c:\ess.truststore.jks -storetype jks -storepass password keytool -import -alias JazzSMSerer2 -file c:\cert2.cer -keystore c:\ess.truststore.jks -storetype jks -storepass password e. Verify that the two certificates exist in the keystore by running this command: keytool -list -keystore c:\ess.trustore.jks -storepass password This command must list the two aliases (JazzSMSerer1 and JazzSMSerer2) in the keystore. f. Copy the ess.trustore.jks keystore to c:\program Files\IBM\TPC\deice\ conf on JazzSM_serer1 and JazzSM_serer2. Chapter 1. Configuring 127

138 Configuring SAN Volume Controller or Storwize V7000 with LDAP authentication To use one user ID and password to access multiple application, which is also called single sign-on, you must configure Jazz for Serice Management and SAN Volume Controller or Storwize V7000 for LDAP authentication. Oeriew Configuring Jazz for Serice Management and SAN Volume Controller or Storwize V7000 for LDAP authentication inoles these general tasks: Tioli Storage Productiity Center and Jazz for Serice Management Tioli Storage Productiity Center and Jazz for Serice Management must be configured with LDAP and set up for single sign-on. For information about setting up single sign-on, see Adding an LDAP repository to the federated repositories and Configuring Tioli Storage Productiity Center and Jazz for Serice Management for single sign-on. Restriction: To ensure that single sign-on works in IBM System Storage DS8000, Storwize V7000and SAN Volume Controller, you must configure LDAP in Tioli Storage Productiity Center and Jazz for Serice Management. Jazz for Serice Management You must know the web address for the Authentication Serice and the HTTP basic authentication user name and password. SAN Volume Controller or Storwize V7000 You must configure the remote authentication serice of the cluster. Determining port numbers for the Authentication Serice web address You must determine the port numbers for the Authentication Serice web address before you configurejazz for Serice Management for LDAP authentication. To configure Jazz for Serice Management for LDAP authentication, complete the following steps: 1. Open the JazzSM_directory/profile/properties/portdef.props file. 2. The port number is the alue that is assigned to one of the following keys: For the protocol: WC_defaulthost is used for the authentication serice web address WC_adminhost is used for IBM console For the protocol: WC_defaulthost_secure is used for authentication serice web address WC_adminhost_secure is used for IBM console Authentication Serice web address The web address for the Authentication Serice helps you to configure Jazz for Serice Management for LDAP. 128 IBM Tioli Storage Productiity Center: Administrator's Guide

139 Tip: The following web addresses are examples of Authentication Serice web addresses: :WC_defaulthost_secure/TokenSerice/serices/Trust :WC_defaulthost/TokenSerice/serices/Trust The following text is an example of the web address that you enter: Configuring SAN Volume Controller or Storwize V7000 for remote authentication serice You can use either the SAN Volume Controller or Storwize V7000 Management GUI or the command-line interface (CLI) to configure the remote authentication of a cluster. To configure remote authentication serice on SAN Volume Controller or Storwize V7000, you must hae the Security Administrator role. To use the SAN Volume Controller Console Version 5.1 (or later) to configure remote authentication of a cluster: 1. Log on to the SAN Volume Controller Management GUI and select Launch the SAN Volume Controller Console for the particular cluster. 2. From the main menu, select Manage Authentication > Remote Authentication. 3. Check Enabled to enable remote authentication. 4. Enter the following information: Remote serice user name Remote serice password Protocol: HTTP HTTPS Remote serice web address 5. Click OK. 6. From the main menu, click Manage Authentication > User Groups. 7. Select Create a Group and then click Go. 8. Enter a Name, for example, TPCSuperuserGroup. The name of the group you create in the SAN Volume Controller GUI must be identical to the name of a group in the LDAP repository, which is also used by Jazz for Serice Management. The members of this LDAP group must be the LDAP users who use single sign-on between Jazz for Serice Management and the SAN Volume Controller cluster. 9. Select a Role. 10. Select the Enable this user group to be isible to the remote authentication serice check box. 11. Click OK. 12. Repeat steps 6-11tocreate another group in the SAN Volume Controller Management GUI that corresponds to another group in the LDAP repository that is also used by Jazz for Serice Management. Chapter 1. Configuring 129

140 To use the SAN Volume Controller Management GUI Version 6.1 or later or Storwize V7000 Management GUI to configure remote authentication of a cluster, follow these steps: 1. In a browser, enter the following IP address for the Management GUI: or IP_address 2. Log on to the Management GUI with your user name and password. 3. In the naigation portion of the Management GUI, click Settings > Directory Serices. 4. On the Directory Serices panel click Global Actions > Enable Remote Authentication. 5. After successfully enabling remote authentication, click Global Actions > Configure Remote Authentication. 6. Select IBM Tioli Integrated Portal and click Next. 7. Enter information in the following fields: Remote Serice Credentials Name, for example: TPCSuperuser Remote Serice Credentials Password, for example: ********** Web address for the remote authentication serice, for example: 8. Click OK. 9. If you are using the encrypted authentication serice (HTTPS), you see a message that the SSL certificate is automatically retrieed from the web address. 10. Click OK. 11. In the naigation portion of the Management GUI, click Access > Users. 12. Click New User Group. 13. Enter a Group Name, for example, TPCSuperuserGroup. The name of the group that you create in the Management GUI must be identical to the name of a group in the LDAP repository that is also used by Jazz for Serice Management. The members of this LDAP group must be the LDAP users that use single sign-on between Jazz for Serice Management and the cluster. 14. Select a Role. 15. Under Remote Authentication (IBM Tioli Integrated Portal), select the Enable for this group check box. 16. Click Create. 17. Repeat steps to create another group in the Management GUI that corresponds to another group in the LDAP repository that is also used by Jazz for Serice Management. Configuring Tioli Storage Productiity Center and Jazz for Serice Management for single sign-on To configure single sign-on, both Tioli Storage Productiity Center and Jazz for Serice Management must be configured with Lightweight Directory Access Protocol (LDAP). These additional steps must be completed in multiple-serer enironments where Tioli Storage Productiity Center and Jazz for Serice Management serers are installed on separate computers. 130 IBM Tioli Storage Productiity Center: Administrator's Guide

141 The location of the IBM WebSphere Application Serer directory is different for Tioli Storage Productiity Center and Jazz for Serice Management. The WebSphere Application Serer directory for Jazz for Serice Management is in JAZZSM_INSTALL_DIR/profile. The WebSphere Application Serer directory for Tioli Storage Productiity Center is in TPC_INSTALL_DIR/ewas/profiles/WebSererProfile. To configure Tioli Storage Productiity Center and Jazz for Serice Management for single sign-on, complete the following steps: 1. To access the WebSphere Integrated Solutions Console, open a web browser and enter one of the following web addresses: The hostname is the serer that is running WebSphere Application Serer, such as the serer name or IP address, and port is the port number for the WebSphere Application Serer. The port number can differ, depending on which protocol you used (http or https) and the options that you selected when you installed Tioli Storage Productiity Center. To determine the port number, complete the following steps: a. Open the WebSphere_Directory/properties/portdef.props file. b. The port number is the alue that is assigned to one of the following keys: For protocols, WC_adminhost. For protocols, WC_adminhost_secure. 2. Log in to the WebSphere Integrated Solutions Console for Jazz for Serice Management. To complete this procedure, your user name must hae Administrator authorization in the WebSphere Integrated Solutions Console. 3. In the WebSphere Integrated Solutions Console naigation tree, click Security > Global security. 4. On the Global security page, in the User account repository section, click LTPA under Authentication mechanisms and expiration. Chapter 1. Configuring 131

142 Figure 12. Global Security page 5. Under Cross-cell single sign-on, enter a new password (for example, ltpa123) for the certificate and the fully qualified key file name. 6. Click Export Key. 132 IBM Tioli Storage Productiity Center: Administrator's Guide

143 Figure 13. Exporting the LTPA key 7. Log in to the WebSphere Integrated Solutions Console for Tioli Storage Productiity Center. To complete this procedure, your user name must hae Administrator authorization in the WebSphere Integrated Solutions Console. 8. On the Global security page, in the User account repository section, click LTPA under Authentication mechanisms and expiration. Chapter 1. Configuring 133

144 Figure 14. Global Security page 9. Under Cross-cell single sign-on, enter the password that you used to create the certificate in step 5 and the fully qualified key file name. 10. Click Import Key. 134 IBM Tioli Storage Productiity Center: Administrator's Guide

145 Figure 15. Importing the LTPA key 11. In the Messages section at the top of the Global security page, click Sae. Related tasks: Adding an LDAP repository to the federated repositories on page 28 You can configure Tioli Storage Productiity Center and Jazz for Serice Management to communicate with an external Lightweight Directory Access Protocol (LDAP) repository, such as IBM Tioli Directory Serer or Microsoft Actie Directory. When you change the authentication configuration, Tioli Storage Productiity Center is aailable to users and groups in other repositories. Configuring and controlling the Tioli Storage Productiity Center Monitoring Agent You can configure the Tioli Storage Productiity Center Monitoring Agent to change the Tioli Enterprise Monitoring Serices connection, log path, or authentication parameters. You can also start and stop the Tioli Storage Productiity Center Monitoring Agent. Chapter 1. Configuring 135

146 Configuring the Tioli Storage Productiity Center Monitoring Agent on Windows You can configure the Tioli Storage Productiity Center Monitoring agent on the Windows operating system. To configure the Tioli Storage Productiity Center Monitoring agent on Windows, complete the following steps: 1. Log on to the system with administrator authority on Windows. 2. Open the Tioli Enterprise Monitoring Serices Console. Click Start > All Programs > IBM Tioli Monitoring > Manage Tioli Monitoring Serices. Tip: Depending on how you hae your Tioli Monitoring Serices components distributed across your enterprise, you will see different types of Tioli Enterprise Monitoring Serices components displayed. 3. On the Manage Tioli Enterprise Monitoring Serices window, select Monitoring Agent for TPC. 4. Click Monitoring Agent for TPC and click Reconfigure. 5. For information about the different parameters to change, go to the product documentation at SSNE44_5.2.4/com.ibm.tpc_V524.doc/ fqz0_t_installing_itm_agent_windows.html. Configuring the Tioli Storage Productiity Center Monitoring Agent on AIX or Linux You can configure the Tioli Storage Productiity Center Monitoring Agent on the AIX or Linux operating systems. To configure the Tioli Storage Productiity Center Monitoring agent on the AIX or Linux operating systems, complete the following steps: 1. Log on to the system with the root user ID or a user ID that has root access rights. 2. Open the Tioli Enterprise Monitoring Serices Console. 3. Open a terminal session window and go to the Tioli Monitoring Serices bin installation directory. The default directory is: /opt/ibm/itm/bin 4. Run the following command:./itmcmd manage Tip: Depending on how you hae your Tioli Monitoring Serices components distributed across your enterprise, you will see different types of Tioli Enterprise Monitoring Serices components displayed. 5. On the Manage Tioli Enterprise Monitoring Serices window, select Monitoring Agent for TPC. 6. Click Monitoring Agent for TPC and click Configure. 7. For information about the different parameters to change, go to the product documentation at SSNE44_5.2.4/com.ibm.tpc_V524.doc/fqz0_t_installing_itm_agent_unix.html. 136 IBM Tioli Storage Productiity Center: Administrator's Guide

147 Starting and stopping the Tioli Storage Productiity Center Monitoring Agent You can start and stop the Tioli Storage Productiity Center Monitoring Agent. To start or stop the Tioli Storage Productiity Center Monitoring agent on the Windows operating systems, complete the following steps: 1. Open the Tioli Enterprise Monitoring Serices Console. Click Start > All Programs > IBM Tioli Monitoring > Manage Tioli Monitoring Serices. 2. On the Manage Tioli Enterprise Monitoring Serices window, select Monitoring Agent for TPC. 3. Click Monitoring Agent for TPC. 4. Click Start to start the agent, Stop to stop the agent, or Recycle to recycle the agent. 5. Wait for the agent to start, stop, or recycle. To start or stop the Tioli Storage Productiity Center Monitoring agent on the AIX or Linux operating systems, complete the following steps: 1. Open the Tioli Enterprise Monitoring Serices Console. 2. Open a terminal session window and go to the Tioli Monitoring Serices bin installation directory. The default directory is: /opt/ibm/itm/bin 3. Run the following command:./itmcmd manage 4. On the Manage Tioli Enterprise Monitoring Serices window, select Monitoring Agent for TPC. 5. Click Monitoring Agent for TPC. 6. Click Start Serice to start the agent, Stop Serice to stop the agent, or Recycle Serice to recycle the agent. 7. Wait for the agent to start, stop, or recycle. Installing and configuring the Tioli Storage Productiity Center serer with multiple NIC cards If your Tioli Storage Productiity Center serer has multiple network interface cards (NIC), install the Tioli Storage Productiity Center serer using a fully qualified hostname that resoles to the IP address of NIC card you want to use. After you install the Tioli Storage Productiity Center serer, all incoming and outgoing communication are successfully handled. Installing Tioli Storage Productiity Center for a multiple network configuration If the Tioli Storage Productiity Center serer you are installing has multiple NIC, and is configured to use multiple network addresses, ensure that you use the fully qualified hostname that resoles to the appropriate IP address during installation. You can either setup the HOSTS file or the DNS to resole the fully qualified host names to appropriate IP addresses. Chapter 1. Configuring 137

148 Outgoing communication initiated by the Tioli Storage Productiity Center serer All the outgoing communication that is initiated by the Tioli Storage Productiity Center serer is not affected if the serer is configured for a multiple network enironment. For example, if you hae a Tioli Storage Productiity Center serer with two IP addresses: and , and is used during installation, all outgoing transmissions can be sent to the deices and agents in both networks. The following list includes examples of outgoing communication that is initiated by the Tioli Storage Productiity Center serer: Storage systems using natie interfaces Run probe, performance management, and proisioning jobs, and collect data eents (SAN Volume Controller, Storwize V7000 Unified, Storwize V7000, and XIV Systems) Switches (SNMP) Run SNMP discoery and probe jobs CIM agents Run discoery, probe, and performance management jobs, and proisioning jobs VMware Sphere or Center Run discoery and probe jobs Agents (Storage Resource agents) Deploy agents, run probe, discoery, scan, and batch report jobs, and run scripts Tioli Storage Productiity Center serers Run probe jobs Incoming communication that is initiated by the deices, agents, and GUI Incoming communication that is initiated by the deices or agents can work with only the IP address that is specified during the installation with the exception of DS8000 eents. For DS8000 eents, the Tioli Storage Productiity Center serer must initiate and establish a socket connection directly with the Hardware Management Console (HMC) to receie eents. The DS8000 HMC uses that socket connection to send eents. As long as the Tioli Storage Productiity Center serer can initiate the communication to the HMC, DS8000 eents can be receied. Tioli Storage Productiity Center informs deices and agents to initiate communication to the IP address proided during the installation. This example uses the IP address Howeer, depending on the communication, you might be able to change the IP address. For example, Tioli Storage Productiity Center does not configure SAN switches to send SNMP traps to Tioli Storage Productiity Center, so you can use either or The following list includes examples of incoming communication that are initiated by the deices, agents, and the GUI: 138 IBM Tioli Storage Productiity Center: Administrator's Guide

149 DS8000 eents Eents sent by the HMC to the Tioli Storage Productiity Center serer SNMP trap notifications SNMP traps sent from the switches and other deices CIM indications Indications sent by the CIM agents Serers (agents) Job results and registration Tioli Storage Productiity Center GUI Any request. CIM indications A CIM indication is an eent that occurs on a managed object, for example, the completion or failure of an operation. The CIM indications are managed by the CIM object manager. Tioli Storage Productiity Center uses the CIM agents for the managed objects to gather information about the deice. Manually customize CIM indications on a Tioli Storage Productiity Center system that has multiple IP addresses. To configure Tioli Storage Productiity Center to receie CIM indications in an IP4, IP6, and dual stack (IP4 and IP6) enironment, see Configuring Tioli Storage Productiity Center with multiple IP addresses on page 74. The manual customization task does not apply to storage deices that use the natie interfaces. Creating an SSH certificate for the root user ID You can create a Secure Shell (SSH) certificate for authentication for the Virtual I/O Serer. Follow the certificate-generation instructions. Howeer, if you want to use Telnet to connect to the Virtual I/O Serer using the padmin user ID, you must follow this procedure. To create an SSH certificate using the padmin user ID, follow these steps: 1. Telnet to the remote system using the padmin user ID. 2. Set up the AIX enironment. Run the following command: oem_setup_en 3. Change to the following /.ssh directory. 4. Enter ssh-keygen. Accept the default names (for example, id_rsa). 5. Enter the passphrase. Two new files are created: id_rsa This is the priate key. id_rsa.pub This is the public key. 6. Create an authorized_key file in the same location as the id_rsa.pub file. Enter the following command: cat >> id_rsa.pub >> authorized_keys The following example shows the command input and output (the commands are in bold): Chapter 1. Configuring 139

150 # ssh-keygen Generating public/priate rsa key pair. Enter file in which to sae the key (//.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: You identification has been sae in //.ssh/id_rsa. Your public key has been sae in //.ssh/id_rsa.pub. The key fingerprint is: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx # cat id_rsa >> authorized_keys #ls-l -rw-r r 1 root system 1743 Oct 15 09:40 authorized_keys -rw-- 1 root system 1743 Oct 15 09:39 id_rsa -rw-r r 1 root system 399 Oct 15 09:39 id_rsa.pub 7. Copy the id_rsa (priate key) to your serer machine. Note: You must copy the file in binary mode. 8. To connect to the remote system by using the priate key, enter the following information in the web-based GUI when you install the Storage Resource agent: User Certificate Location (c:\keys\id_rsa) Passphrase Configuring DB2, AIX, and Linux for IP6-only enironment Use this information to configure DB2, AIX, and Linux for an IP6-only enironment. Configuring the AIX system for IP6 only For IP6 support, the AIX operating system must hae leel TL installed. To configure the AIX operating system for IP6, complete the following steps: 1. Obtain the most recent ersions of openssh and openssl packages for AIX and install them. Some older ersion of openssh does not work in an IP6-only enironment. 2. Change sshd (Secure Shell Daemon) on AIX system to accept IP6 connections. a. In the /etc/ssh/sshd_config file, uncomment the line "ListenAddress:". b. Restart sshd with the following commands: stopsrc -g ssh startsrc -g ssh c. From another IP6 system, erify that you contact AIX oer IP6 (by using ssh). 3. In SMIT, set the IP4 address to for all interfaces. Sae the file. 4. Edit the /etc/resol.conf file to use IP6 DNS serer or serers. Configuring DB2 on AIX for IP6 systems To get DB2 on AIX operating systems to work on IP6 systems, complete the following steps: 1. Identify the host name that is used by DB2 in the db2nodes.cfg file: 140 IBM Tioli Storage Productiity Center: Administrator's Guide

151 # cat ~db2inst1/sqllib/db2nodes.cfg 0 myhost 0 # 2. Edit the /etc/hosts file and make sure that the host name found in the db2nodes.cfg file resoles to an IP6 address. Use the i editor to erify that the host name is not on any line with an IP4 address. In particular, ensure that the host name is not listed as an alias for the IP4 loopback address # i /etc/hosts loopback localhost ::1 localhost 2001:db8:0:0:209:6bff:fe09:63fa myhost.mydomain myhost 3. Stop DB2 and set DB2 to use IP6 addressing. Restart DB2. a. Source the DB2 profile:. ~db2inst1/sqllib/db2profile b. Stop DB2: db2stop c. Configure DB2 to use IP6. db2set An example of the output is: DB2FCMCOMM=TCPIP6. d. Start DB2. db2start In some installations, the AIX serer does not hae a graphical console that is attached to the serer. In this situation, you can select another system with an X11 serer to display the Tioli Storage Productiity Center installation and Tioli Storage Productiity Center application. The X11 serer must hae IP6 configured and an SSH client installed. Open an SSH connection from a shell on the X11 serer desktop with the -X option to permit forwarding of X11 applications from the remote AIX serer. Start the Tioli Storage Productiity Center installation program or application from the SSH shell. ssh -X my_ip6_host /opt/ibm/tpc/gui/tpcd.sh Configuring DB2 on Linux for IP6-only systems To get DB2 on Linux systems to work in an IP6-only enironment, follow these steps: 1. Install DB2 in dual-stack configuration. 2. Stop DB2 and set DB2 to use IP6 addressing: a. As the root user from the Linux command-line, run this command: su - db2inst1 b. Stop DB2 by running this command: db2stop c. Configure DB2 to use IP6 by running this command: db2set An example of the output is: DB2FCMCOMM=TCPIP6. The host name in the db2nodes.cfg file resoles to an IP6 address. This action can require you to change the domain or search directie in the /etc/resol.conf file to specify a domain in which the host name can resole to IP6. You can also edit the /etc/hosts file so that the host name resoles to an IP6 address. Chapter 1. Configuring 141

152 d. Start DB2 by running this command: db2start 142 IBM Tioli Storage Productiity Center: Administrator's Guide

153 Chapter 2. Administering Administer Tioli Storage Productiity Center and its components to ensure that your storage enironment is being monitored as intended. Some administering tasks include stopping and starting product serices, increasing memory allocation, monitoring the health of product components, and managing storage resources and data sources. You can use the DB2 command-line interface or IBM Data Studio to administer DB2. Administering resources and data sources Administer monitored resources and the data sources that are associated with those resources. Data sources can be agents that manage resources or VMware Center serers. An agent might be a CIM agent or a Storage Resource agent. Use the following table as a roadmap to the functions for administering resources that are aailable in each GUI: Table 10. Tasks for administering resources in each GUI Tasks Web-based GUI Stand-alone GUI Adding resources for monitoring Remoing resources (data sources) Viewing information about the data sources that manage resources You can add the following resources: Storage systems Serers Hyperisors Fabrics Switches You can remoe the following resources: Storage systems Serers Hyperisors Fabrics Switches NAS filers You can iew a list of the resources that are managed by Storage Resource agents. You can add Tioli Storage Productiity Center serers as subordinate serers: You can remoe the following resources: CIM agents VMware data sources Tioli Storage Productiity Center serers that are subordinate serers You can iew a list of the resources that are managed by the following data sources: CIM agents SNMP agents VMware Center Serer Appliances and Center Serer systems TPC serers Copyright IBM Corp

154 Table 10. Tasks for administering resources in each GUI (continued) Tasks Web-based GUI Stand-alone GUI Testing connections Updating user credentials Administering Storage Resource agents that are deployed on serers You can test the connections of all monitored resources to ensure that Tioli Storage Productiity Center is communicating with those resources. Restriction: You cannot use this GUI to test the connection of Tioli Storage Productiity Center serers that are subordinate serers. Update the credentials for a resource when you want to change the user name and password that Tioli Storage Productiity Center uses to communicate with that resource. You can test the connection of the following resources: Storage systems Tioli Storage Productiity Center serers that are subordinate serers Not aailable You can take the following actions: Not aailable View information about an agent Deploy an agent Update user credentials and certificate location Test connection Enable and disable Enable and disable fabric functions Enable and disable the running of scripts Upgrade an agent View a log of actions that were taken by an agent Collect serice logs Modify ports Register an agent with a different Tioli Storage Productiity Center serer Checking the status of data sources Check the status of data sources in the stand-alone GUI. 1. In the naigation tree of the stand-alone GUI, expand Administratie Serices > Data Sources. 2. Click any of the following nodes to iew the status of the related data sources: CIMOM Agents Out of Band Fabric Agents Storage Subsystems TPC Serers VMware VI Data Source 3. For CIMOM Agents and Storage Subsystems, iew the icon in the Connection Status column. For other data sources, iew the icon in the State column. If the data sources are up and running, a green health status icon is displayed. 144 IBM Tioli Storage Productiity Center: Administrator's Guide

155 For information about how to iew the status of resources in the web-based GUI, go to the product documentation at knowledgecenter/ssne44_5.2.4/com.ibm.tpc_v524.doc/ fqz0_t_wg_monitoring_status_resource_types.html. Storage systems Administer the storage systems that are monitored by IBM Tioli Storage Productiity Center. Administering actions include adding and remoing storage systems, updating credentials, and testing connections. Adding storage systems To monitor a storage system, configure a connection to the storage system and schedule the collection of data. To add a storage system, you must hae Administrator priileges. Use the web-based GUI to add the following types of storage systems for monitoring: DS8000 XIV system DS6000 ESS SAN Volume Controller Storwize V3500 Storwize V3700 Storwize V5000 Storwize V7000 Storwize V7000 Unified DS4000 DS5000 IBM SONAS GPFS clusters and GSS systems IBM FlashSystem V840 Enterprise Performance Solution All others (managed by CIM agents) For a complete list of the ersions of storage systems and CIM agents that you can add, see the Tioli Storage Productiity Center interoperability matrix and go to the Storage section. 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. 2. Click Add Storage System. 3. Click the icon for the type of storage system that you want to add. Tip: Click Storwize Family to add the following storage systems: IBM Storwize V3500 Storwize V3700 Storwize V5000 Storwize V Complete the connection information for the storage system and schedule the collection of data. Chapter 2. Administering 145

156 The storage system is added for monitoring by Tioli Storage Productiity Center. A probe is automatically run to collect status and asset information about the monitored resource. Storage systems can be configured for block storage, file storage, or a combination of block and file storage. The method that a storage system uses for managing data determines the internal resources that are monitored. When the collection of data is complete, you can iew status information and capacity data about the storage system on the Storage Systems page. Viewing information about storage systems View detailed information about storage systems that are monitored by Tioli Storage Productiity Center. To iew information about storage systems, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. Click the Block Storage or File Storage tab. Depending on how a storage system is configured, information about that storage system might be shown in one or both of these tabs: Block Storage tab only Storage systems that are configured for storing or retrieing data only in block format include System Storage DS series, SAN Volume Controller, Storwize V7000, and other SAN-based storage systems. File Storage tab only Storage systems that are configured for storing or retrieing data only in file format include IBM SONAS and other network-attached storage (NAS) based storage systems. Block Storage and File Storage tabs Storage systems that can be configured for both file and block data include Storwize V7000 Unified and NetApp Filers. 3. Right-click a storage system and select View Properties to iew the key properties for the system. Viewing information about the data sources for storage systems View information about the data sources that are associated with monitored storage systems. Tioli Storage Productiity Center communicates with data sources to collect information about certain storage systems and configure storage. Data sources can be CIM agents that manage storage systems or HMCs that manage DS8000 storage systems. If Tioli Storage Productiity Center communicates directly with a storage system rather than through a separate data source, that storage system is not shown on the Data Sources window in the web-based GUI. For storage systems that are managed by a data source, you can iew the following information: The status of the connection between Tioli Storage Productiity Center and a data source. You can use this information to determine if there are any communication problems with the data source. For example, if information is not being collected about a monitored storage system, it might indicate a communication problem between Tioli Storage Productiity Center and the data source that manages the storage system. The IP address or host name of the data source. 146 IBM Tioli Storage Productiity Center: Administrator's Guide

157 The name of the storage systems that are managed by data sources. If a data source manages more than one storage system, the number of managed storage systems is proided. To iew information about the data sources for storage systems, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. A list of monitored storage systems is shown. 2. Click Manage Data Sources. 3. On the Data Sources window, iew information about the data sources that manage storage systems. Help tips in the GUI: To iew descriptions of the information that is displayed for a data source, hoer the mouse pointer oer the column headings on the Data Sources window. 4. Optional: To iew more information about a specific data source, including a list of the storage systems that it manages, right-click the data source and select View Properties. 5. Optional: Click the Managed Resources tab to iew the storage systems that are managed by the data source. Updating the credentials for storage systems Change the credentials that Tioli Storage Productiity Center uses to authenticate to a storage system or the CIM agent that manages a storage system. If the storage system is managed by multiple data sources, for example multiple CIM agents, the menu is displayed as Connections > Update Credentials > data_sources. Select the data source for which you want to update the credentials. The type of storage system determines the credentials that you can update. Updating the credentials for a System Storage DS8000 storage system: Change the credentials that Tioli Storage Productiity Center uses to authenticate to a System Storage DS8000 storage system. To update the credentials for a System Storage DS8000 storage system, complete the following steps. You can update the IP address or host name for the secondary HMC that is used to manage the storage system, the user name, and the password. 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. Right-click a storage system and click Connections > Update Credentials. 3. Change the secondary HMC host name or IP address, the user name, or the password, and then click OK. Updating the credentials for an XIV system: Change the credentials that Tioli Storage Productiity Center uses to authenticate to an XIV system. To update the credentials for an XIV system, complete the following steps. You can update the user name and the password. 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. Chapter 2. Administering 147

158 2. Right-click a storage system and click Connections > Update Credentials. 3. Change the user name or password, and then click OK. Updating the credentials for a SAN Volume Controller or Storwize family storage system: Change the credentials that Tioli Storage Productiity Center uses to authenticate to a SAN Volume Controller or Storwize family storage system. To update the credentials for a SAN Volume Controller or Storwize family storage system, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. Right-click a storage system and click Connections > Update Credentials. 3. Update the following credentials as required and then click OK: Authentication You can use a user name and password or a priate Secure Shell (SSH) key to log on to the storage system. The authentication method that you select determines the options that are displayed. User name/password The user name and password for logging on to the storage system. Secure Shell (SSH) Use an existing SSH key or upload a new key to the storage system. Select one of the following actions: Use an existing SSH key Use an SSH key that was uploaded to the storage system by using a method other than through Tioli Storage Productiity Center, such as the storage system web interface. SSH key The location of the SSH key. The default location is ${deice.conf}\ tpc_sc.pem, which represents the Tioli Storage Productiity Center default key file tpc_sc.pem. The tpc_sc.pem file is in the conf directory where the Deice serer is installed. You can enter another location or select Browse to search for a key file. If you select Browse, the following fields are displayed: Select file The location of the SSH key file. You can click Browse to search for a file. Passphrase The passphrase for the SSH key pair. If you do not hae a passphrase, leae this field blank. The SSH key file is transferred from the computer where the web browser is located to 148 IBM Tioli Storage Productiity Center: Administrator's Guide

159 the computer where the Tioli Storage Productiity Center serer is located. Upload a new SSH key Proide the following information to upload an SSH key to the storage system: SSH key The location of the SSH key. The key must exist on the system where you are running the Tioli Storage Productiity Center user interface. The SSH key must be in OpenSSH format or in PuTTY (.ppk) format that is not password protected. Passphrase The passphrase for the SSH key pair. If you do not hae a passphrase, leae this field blank. User name, Password The name and password for a user that belongs to the storage system Security Administrator role for the cluster that contains the storage system. Tioli Storage Productiity Center uses this alue to configure the SSH key for the user that is entered in the Associate user field. The user name that is entered in the User name field must hae priileges to modify other user accounts, otherwise Tioli Storage Productiity Center cannot configure the SSH key. Associate user The user that is associated with the SSH key. If the user name does not exist, it is created and assigned to the storage system Administrator role. You can click Get Users to retriee all of the existing users from the storage system. You must select a user that belongs to the storage system Administrator role. The SSH key file is transferred from the computer where the web browser is located to both the computer where the Tioli Storage Productiity Center serer is located and to the storage system. Updating the credentials for a Storwize V7000 Unified storage system: Change the credentials that Tioli Storage Productiity Center uses to authenticate to a Storwize V7000 Unified storage system. To update the credentials for a Storwize V7000 Unified storage system, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. Right-click a storage system and click Connections > Update Credentials. Chapter 2. Administering 149

160 3. Update the following credentials as required, and then click OK: Authentication You can use a user name and password or a priate Secure Shell (SSH) key to log on to the storage system. The authentication method that you select determines the options that are displayed. User name/password The user name and password for logging on to the storage system. Secure Shell (SSH) Use an existing SSH key or upload a new key to the storage system. Select one of the following actions: Use an existing SSH key Use an SSH key that was uploaded to the storage system by using a method other than through Tioli Storage Productiity Center, such as the storage system web interface. SSH key The location of the SSH key. The default location is ${deice.conf}\ tpc_sc.pem, which represents the Tioli Storage Productiity Center default key file tpc_sc.pem. The tpc_sc.pem file is in the conf directory where the Deice serer is installed. You can enter another location or select Browse to search for a key file. If you select Browse, the following fields are displayed: Select file The location of the SSH key file. You can click Browse to search for a file. Passphrase The passphrase for the SSH key pair. If you do not hae a passphrase, leae this field blank. The SSH key file is transferred from the computer where the web browser is located to the computer where the Tioli Storage Productiity Center serer is located. Upload a new SSH key Proide the following information to upload an SSH key to the storage system: SSH key The location of the SSH key. The key must exist on the system where you are running the Tioli Storage Productiity Center user interface. The SSH key must be in OpenSSH format or in PuTTY (.ppk) format that is not password protected. 150 IBM Tioli Storage Productiity Center: Administrator's Guide

161 Passphrase The passphrase for the SSH key pair. If you do not hae a passphrase, leae this field blank. User name, Password The name and password for a user that belongs to the storage system Security Administrator role for the cluster that contains the storage system. Tioli Storage Productiity Center uses this alue to configure the SSH key for the user that is entered in the Associate user field. The user name that is entered in the User name field must hae priileges to modify other user accounts, otherwise Tioli Storage Productiity Center cannot configure the SSH key. Associate user The user that is associated with the SSH key. If the user name does not exist, it is created and assigned to the storage system Administrator role. You can click Get Users to retriee all of the existing users from the storage system. You must select a user that belongs to the storage system Administrator role. The SSH key file is transferred from the computer where the web browser is located to both the computer where the Tioli Storage Productiity Center serer is located and to the storage system. Use different authentication credentials for file storage Storwize V7000 Unified contains block-leel and file-leel data. If the credentials are different for block storage and file storage, select this check box to define the credentials for file storage. The options and fields that are displayed are described preiously under Authentication. Tip: If you use an SSH key to log on to the file module, the user that you associate with the key must exist on the Storwize V7000 File Module. Updating the credentials for an IBM SONAS storage system: Change the credentials that Tioli Storage Productiity Center uses to authenticate to an IBM SONAS storage system. To update the credentials for an IBM SONAS storage system, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. On the File Storage tab, right-click a storage system and click Connections > Update Credentials. 3. Update the following credentials as required, and then click OK. Chapter 2. Administering 151

162 Authentication You can use a user name and password or a priate Secure Shell (SSH) key to log on to the storage system. The authentication method that you select determines the options that are displayed. User name, Password The user name and password for logging on to the storage system. Secure Shell (SSH) Use an existing SSH key or upload a new key to the storage system. Select one of the following actions: Use an existing SSH key Use an SSH key that was uploaded to the storage system by using a method other than through Tioli Storage Productiity Center, such as the storage system web interface. SSH key The location of the SSH key. The default location is ${deice.conf}\ tpc_sc.pem, which represents the Tioli Storage Productiity Center default key file tpc_sc.pem. The tpc_sc.pem file is in the conf directory where the Deice serer is installed. You can enter another location or select Browse to search for a key file. If you select Browse, the following fields are displayed: Select file The location of the SSH key file. You can click Browse to search for a file. Passphrase The passphrase for the SSH key pair. If you do not hae a passphrase, leae this field blank. The SSH key file is transferred from the computer where the web browser is located to the computer where the Tioli Storage Productiity Center serer is located. User name, Password The name and password for a user that belongs to the storage system Security Administrator role for the cluster that contains the storage system. Tioli Storage Productiity Center uses this alue to configure the SSH key for the user that is entered in the Associate user field. The user name that is entered in the User name field must hae priileges to modify other user accounts, otherwise Tioli Storage Productiity Center cannot configure the SSH key. Associate user The user that is associated with the SSH key. 152 IBM Tioli Storage Productiity Center: Administrator's Guide

163 You must create the user on the storage system before you add the storage system. You can click Get Users to retriee all of the existing users from the storage system. You must select a user that belongs to the storage system Administrator role. Upload a new SSH key Proide the following information to upload an SSH key to the storage system: SSH key The location of the SSH key. The key must exist on the system where you are running the Tioli Storage Productiity Center user interface. The SSH key must be in OpenSSH format or in PuTTY (.ppk) format that is not password protected. Passphrase The passphrase for the SSH key pair. If you do not hae a passphrase, leae this field blank. User name, Password The name and password for a user that belongs to the storage system Security Administrator role for the cluster that contains the storage system. Tioli Storage Productiity Center uses this alue to configure the SSH key for the user that is entered in the Associate user field. The user name that is entered in the User name field must hae priileges to modify other user accounts, otherwise Tioli Storage Productiity Center cannot configure the SSH key. Associate user The user that is associated with the SSH key. You must create the user on the storage system before you add the storage system. You can click Get Users to retriee all of the existing users from the storage system. You must select a user that belongs to the storage system Administrator role. The SSH key file is transferred from the computer where the web browser is located to both the computer where the Tioli Storage Productiity Center serer is located and to the storage system. Updating the credentials for a storage system that is managed by a CIM agent: Change the credentials that Tioli Storage Productiity Center uses to authenticate to a CIM agent. Tioli Storage Productiity Center communicates with CIM agents to collect information about the following resources: Chapter 2. Administering 153

164 IBM TotalStorage Enterprise Storage Serer IBM System Storage DS4000 IBM System Storage DS5000 Storage Manager IBM System Storage DS6000 Non-IBM storage systems that are managed by SMI-S certified Common Information Model Object Manager (CIMOM), such as EMC, Hitachi, and NetApp Switches: Brocade, Cisco, QLogic To update the credentials for a CIM agent, complete the following steps. You can update the user name and the password. 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. Right-click a storage system and click Connections > Update Credentials. 3. Change the user name or password, and then click OK. Testing the connection to a storage system Verify that Tioli Storage Productiity Center can communicate with a monitored storage system. For storage systems that are managed by a CIM agent or Storage Resource agent, the connection to the agent is tested. To test the connection to a storage system, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. On the Block Storage or File Storage tab, right-click a storage system and click Connections > Test Connection. A message that shows the results of the test is displayed. Remoing storage systems Remoe storage systems that you no longer want to monitor with Tioli Storage Productiity Center. To remoe a storage system, complete the following steps: 1. In the menu bar in the web-based GUI, go to Storage > Storage Systems. Information about monitored storage systems is displayed. 2. On the Block Storage or File Storage tab, right-click a storage system and click Remoe. 3. Click Remoe to confirm that you want to remoe the storage system. Hyperisors and VMware data sources Administer the hyperisors, Center Serer Appliance systems and Center Serer systems that are monitored by Tioli Storage Productiity Center. Center Serer Appliance systems and Center Serer systems are data sources that can monitor multiple hyperisors. A hyperisor can be an ESX or ESXi host. Each hyperisor can host multiple irtual machines. Adding ESX and ESXi hyperisors Add ESX and ESXi hyperisors for monitoring by Tioli Storage Productiity Center. 154 IBM Tioli Storage Productiity Center: Administrator's Guide

165 You can add an ESX or ESXi hyperisor by specifying connection information for that hyperisor. For a complete list of hyperisors that you can add, see the Agents, Serers and Browsers section in the Tioli Storage Productiity Center interoperability matrix. 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors.. 2. Click Add Hyperisor. 3. Select ESX/ESXi and enter connection information about the hyperisor. 4. Schedule a probe of the hyperisor. 5. Follow the instructions in the wizard to add the hyperisor. After a hyperisor is added, a probe collects status and asset information about that hyperisor. You can iew detailed information about the hyperisor in the web-based GUI and in the stand-alone GUI. Related tasks: Adding Center Serer systems on page 80 For Tioli Storage Productiity Center to monitor multiple hyperisors, you must first add a Center Serer system. Adding Center Serer systems For Tioli Storage Productiity Center to monitor multiple hyperisors, you must first add a Center Serer system. When you add Center Serer ersion 5.1 or later, you can deploy the Sphere Web Client extension for Tioli Storage Productiity Center and register the latter as a VASA proider. You can then proision storage, iew reports, and publish alerts in the Sphere Web Client about storage that is monitored by Tioli Storage Productiity Center. You can add multiple hyperisors by specifying connection information for a Center Serer system. For a complete list of hyperisors and Center Serers that you can add, see the Agents, Serers and Browsers section in the Tioli Storage Productiity Center interoperability matrix. 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. 2. Click Add Hyperisor. 3. Select VMware Center and enter connection information about the Center Serer system. 4. Optional: To deploy the Sphere Web Client extension for Tioli Storage Productiity Center and register Tioli Storage Productiity Center as a VASA proider, in the Deploy Sphere extension page, enter your credentials. For VMware Center Serer, enter a user name and password for the Sphere administrator user. For Tioli Storage Productiity Center, enter a user name and password for a Tioli Storage Productiity Center user ID. You must hae Administrator, Monitor, or External Application authority to deploy the extension. If you entered a Sphere administrator user name and password for the Center Serer system, enter only the Tioli Storage Productiity Center credentials. 5. Schedule a probe for the hyperisors that were discoered. 6. Follow the instructions in the wizard to add the Center Serer system. After a Center Serer system is added, probes collect status and asset information about the hyperisors. You can iew detailed information about the hyperisors in the web-based GUI and in the stand-alone GUI. Chapter 2. Administering 155

166 Related tasks: Adding ESX and ESXi hyperisors on page 154 Add ESX and ESXi hyperisors for monitoring by Tioli Storage Productiity Center. Checking permissions to browse data stores Determine if the user name that you specified for a VMware data source has permission to browse through the data stores on a hyperisor. Checking permissions to browse data stores Determine if the user name that you specified for a VMware data source has permission to browse through the data stores on a hyperisor. When you add a VMware data source in Tioli Storage Productiity Center, the user name that you specify must hae permission to browse through the data stores on VMware. Tioli Storage Productiity Center must browse through the data stores to collect information from the hyperisors. Howeer, the "Read Only" role as defined by VMware does not allow Tioli Storage Productiity Center to browse the data stores. You can use the "Virtual Machine Power User" role if you do not want to use the Administrator role, or you can create a custom role with the required permissions. To erify that a VMware user is assigned the correct role and priileges to monitor VMware data sources, follow these steps: 1. Ensure that the user role has the required VMware datastore permissions by completing the following steps: a. Connect the Sphere Web Client to the VMware data source. The data source can be an ESX serer, a Center Serer Appliance, or a Center Serer. b. From the Inentories iew, select Hosts and Clusters. c. Select a host, and click the Related Objects tab. d. View the datastores by clicking the Datastores tab. e. Right-click a datastore, and select File Browser. If you can iew the Files tab for the datastore, your browse permission is working correctly. 2. Determine the role that is assigned to the user by logging in to the Sphere Web Client by using the administrator user ID. From the Administration iew, select Roles. Verify the role name that is assigned to the user. 3. Determine the priileges that are assigned to the role by selecting the user's role and clicking Priileges. Expand the priilege groups to iew the specific priileges. 4. Optional: If you must edit the priileges for the role, select the role and click the Edit role action icon. Select priilege groups or expand to select specific priileges. For more information about VMware user roles, go to the VMware documentation center and search for Sphere users and permissions. Viewing information about hyperisors View detailed information about hyperisors that are monitored by Tioli Storage Productiity Center. Use the following locations in the Tioli Storage Productiity Center GUIs to iew information about hyperisors and Center Serer systems. 156 IBM Tioli Storage Productiity Center: Administrator's Guide

167 Web-based GUI To iew information about hyperisors, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. Information about monitored hyperisors is displayed. 2. On the resource list page, right-click a hyperisor and select View Properties to iew the key properties of a hyperisor. Stand-alone GUI Hyperisors and Center serers are displayed in the stand-alone GUI under the following conditions: If you add hyperisors in the web-based GUI by discoering them through a Center Serer, only information about the Center Serer is displayed in the stand-alone GUI. Information about the hyperisors is displayed in the web-based GUI. If you add a hyperisor as a data source in the web-based GUI, information about that hyperisor is also displayed in the stand-alone GUI. To iew information about hyperisors and Center Serer systems, complete the following steps: 1. In the naigation tree of the stand-alone GUI, expand Administratie Serices > Data Sources. 2. Click VMware VI Data Source. Information about monitored hyperisors and Center Serer systems is displayed. To iew more information about a specific hyperisor or Center Serer, click the magnifying glass that is displayed on its row. Viewing information about the data sources for hyperisors View information about the data sources that manage hyperisors. Tioli Storage Productiity Center communicates with data sources to collect information about certain hyperisors. Data sources that manage hyperisors can be VMware Center Serer Appliances and Center Serer systems. If Tioli Storage Productiity Center communicates directly with a hyperisor (such as an ESXi host) rather than through a separate data source, that hyperisor is not shown on the Data Sources window in the web-based GUI. For hyperisors that are managed by a data source, you can iew the following information: The status of the connection between Tioli Storage Productiity Center and a data source. You can use this information to determine if there are any communication problems with the data source. For example, if information is not being collected about a monitored hyperisor, it might indicate a communication problem between Tioli Storage Productiity Center and the data source that manages the hyperisor. The IP address or host name of the data source. The names of the hyperisors that are managed by data sources. If a data source manages more than one hyperisor, the number of managed hyperisors is proided. To iew information about the data sources for hyperisors, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. A list of monitored hyperisors is shown. 2. Click Manage Data Sources. Chapter 2. Administering 157

168 3. On the Data Sources window, iew information about the data sources that manage hyperisors. Help tips in the GUI: To iew descriptions of the information that is displayed for a data source, hoer the mouse pointer oer the column headings on the Data Sources window. 4. Optional: To iew more information about a specific data source, including a list of the hyperisors that it manages, right-click the data source and select View Properties. 5. Optional: Click the Managed Resources tab to iew the storage systems that are managed by the data source. 6. Optional: To iew the hyperisors that are managed by data sources in the stand-alone GUI, go to Administratie Serices > Data Sources > VMware VI Data Source and click Show Managed Deices. A list of the hyperisors that are managed by a VMware Center Serer Appliance or Center Serer system. Updating the credentials for a hyperisor Change the user name and password that Tioli Storage Productiity Center uses to log in to a hyperisor. 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. 2. Right-click a hyperisor and select Connections > Update Credentials. 3. Update the user name and password for the hyperisor. The user name and password for a hyperisor must contain alid characters. You can enter the following characters when you update user credentials: A through Z (uppercase characters) a through z (lowercase characters) 0 through 9 (numeric characters) Special characters:!#%&*+-/=?^_{}()., Restrictions: User names and passwords cannot contain spaces and must hae at least one character. The maximum length of a user name or password is 128 characters. The user name must hae permission to browse the data stores on a hyperisor. For more information about permissions, see Checking permissions to browse data stores on page Click OK to apply the changes. Remoing hyperisors and VMware data sources Remoe hyperisors and VMware Center serers that you no longer want to monitor with Tioli Storage Productiity Center. You can use the web-based GUI and stand-alone GUI to remoe hyperisors and Center Serer systems. The type of resource that you want to delete determines which GUI to use: To remoe hyperisors, use the web-based GUI. To remoe Center Serer systems, use the stand-alone GUI. Tips: When a Center Serer manages hyperisors, Tioli Storage Productiity Center considers that Center Serer to be a data source for the hyperisors. In V5.2 and earlier, use the stand-alone GUI when remoe these data sources. 158 IBM Tioli Storage Productiity Center: Administrator's Guide

169 When you remoe a resource, it is only remoed from Tioli Storage Productiity Center; it is not physically deleted from a storage enironment. Remoing hyperisors To remoe a hyperisor in the web-based GUI, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Hyperisors. 2. Right-click a hyperisor and select Remoe. The hyperisor and all its data are remoed from Tioli Storage Productiity Center immediately. Any data collection jobs and alerts are also remoed. Restriction: If the data source for a hyperisor is a Center serer, you must use the stand-alone GUI to remoe that serer from Tioli Storage Productiity Center. Remoing Center Serer systems To remoe a Center Serer, complete the following steps: 1. In the naigation tree of the stand-alone GUI, expand Administratie Serices > Data Sources. 2. Click VMware VI Data Source. 3. Select the row of the Center Serer that you want to remoe. 4. Click Remoe VMware VI Data Source. 5. In the confirmation dialog window, click OK. When you remoe a Center Serer, the hyperisors that it manages are also remoed from Tioli Storage Productiity Center. Howeer, information about the hyperisors is not remoed immediately, but is retained according to the Data for missing resources setting on the History Retention page in the web-based GUI. The default setting is 14 days. If the default setting is used, all information about the hyperisors is deleted 14 days after the related Center Serer was remoed. Tips: After a Center Serer is remoed, but before its managed hyperisors are remoed according to the retention settings, the following conditions occur: Any data collection jobs that are scheduled for the hyperisors fail. Because data is no longer collected, any alerts that were based on that data are not generated. Switches and fabrics Administer the switches and fabrics that are monitored by IBM Tioli Storage Productiity Center. Administering actions include adding and remoing switches and fabrics, updating credentials, and testing connections. Adding fabrics and switches Add fabrics and switches for monitoring. For a switch to successfully receie and respond to queries from Tioli Storage Productiity Center, the following basic requirements must be met: Tioli Storage Productiity Center uses SNMP1 to probe switches and fabrics, and uses SNMP2 to collect performance data. Tioli Storage Productiity Center does not support SNMP3. Switches that Tioli Storage Productiity Center probes must use the SNMP1 protocol. Switches that Tioli Storage Productiity Center collects performance data from must use the SNMP2 protocol. Some switches are configured to use SNMP3 by default. Chapter 2. Administering 159

170 The switch must be configured to receie SNMP1 queries and respond in SNMP1. Some switches are configured to use SNMP2 or SNMP3 by default. The Fibre Alliance FC Management MIB and Fibre Channel FE MIB must be enabled on the switch. The community string that is configured in Tioli Storage Productiity Center must match one of the community strings that are configured on the switch with read access. Cisco switches must additionally hae a community string match for write access. The default community strings in Tioli Storage Productiity Center are "public" for read access and "priate" for write access. Other community strings can be defined on the switches, but are not used. SNMP access control lists must include the Tioli Storage Productiity Center system. Some lists automatically include all hosts while others exclude all by default. In the web-based GUI, you can add switches and fabrics for monitoring at the same time. You can add the following types of switches: Brocade Cisco QLogic For a complete list of the switches and their ersions that you can add, check the switches and directors information in the Tioli Storage Productiity Center interoperability matrix. Help tips in the GUI: To iew descriptions of the information that you must enter for a fabric or switch, hoer the mouse pointer oer the related help icons in the wizard. 1. In the menu bar in the web-based GUI, go to Network > Switches. 2. Click Add Switch. 3. Determine how to discoer the switch and connected fabric. Select Use CIM agent as data source to use a CIM agent as the data source. Tioli Storage Productiity Center automatically discoers the switches that are managed by the agent. After this step, you can also select to use Simple Network Management Protocol (SNMP) agents for the switches. Do not select Use CIM agent as data source to skip the use of a CIM agent as a data source. If you skip the use of a CIM agent as a data source, you are prompted to add switches and their fabrics through SNMP agents. The type of switch and functions that you want to enable on that switch and connected fabric determine the agent to use for monitoring. For example, to monitor the performance of a switch, you must use either a CIM agent or an SNMP agent. For example, to monitor the performance of a switch, you must use a CIM agent. To ensure full monitoring and functions for fabrics, you must also install Storage Resource agent on a serer that is connected to the fabric. For more information about agent types and the fabric and switch functions that they enable, see Agent types for switch and fabric functions on page Specify the display name and location of the switches and fabrics that are discoered. For switches that were discoered through a CIM agent, you can also select to monitor them through SNMP. 5. Schedule data collection for the switches and fabric. The type of resource determines the data collection jobs that you can schedule: Fabrics: probes Switches: probes, performance monitors 160 IBM Tioli Storage Productiity Center: Administrator's Guide

171 Probes collect status and asset information. Performance monitors collect metrics that measure performance. 6. Complete the wizard. After a switch or fabric is added, data collection jobs gather information about them. When data collection is complete, you can iew detailed information about the switch or fabric in the web-based GUI and stand-alone GUI. Agent types for switch and fabric functions: Depending on the functions that you want to enable, you can use a CIM agent, SNMP agent, or Storage Resource agent to monitor switches and fabrics. The endors of switches can help you determine which agents to use. Table 11. Agent types for switch and fabric functions Function > Switch Brocade Cisco 1 QLogic Switch Performance Monitoring CIM agent or SNMP agent CIM agent CIM agent or SNMP agent CIM agent QLogic switches cannot be used for performance monitoring.cim agent Switch and switch port information collected Recommended: CIM agent Also supported: SNMP agent or Storage Resource agent Recommended: CIM agent Also supported: SNMP agent or Storage Resource agent SNMP agent or Storage Resource agent Topology connectiity information collected Recommended: CIM agent SNMP agent or Storage Resource agent SNMP agent or Storage Resource agent Also supported: SNMP agent or Storage Resource agent Zoning information collected 2 Tioli Storage Productiity Center Alerts Hosts, endpoint deices, deice-centric and host-centric information collected Switch Sensors and Eents Recommended: CIM agent Recommended: CIM agent Also supported: SNMP agent A Storage Resource agent is required in each VSAN 345 SNMP agent Storage Resource agent SNMP agent Storage Resource agent Storage Resource agent Storage Resource agent SNMP agent SNMP agent SNMP agent Chapter 2. Administering 161

172 Table 11. Agent types for switch and fabric functions (continued) Function > Switch Brocade Cisco 1 QLogic Tips: 1. The Storage Resource agent collects the information about a VSAN basis. Each VSAN is iewed as an indiidual SAN. The SNMP agent and CIM agent get the physical fabric information and can correlate the VSAN information to a physical infrastructure. The SNMP agent also collects some VSAN information. 2. Zone information collected indicates that information about the actie zone set and the inactie zoning library is collected during a fabric probe. 3. For many Cisco proprietary zone members, the alues are displayed as zeros. 4. If a zoning configuration has Cisco proprietary zone members, then you cannot modify the zoning for that configuration through Tioli Storage Productiity Center. You must use the element manager to remoe proprietary zone members or do zoning. 5. Orphan Cisco zones are not reported. Viewing information about switches and fabrics View detailed information about switches and fabrics that are monitored by Tioli Storage Productiity Center. To iew information about switches and fabrics, complete the following steps: 1. In the menu bar in the web-based GUI, go to Network > Switches or Network > Fabrics. Information about monitored switches or fabrics is displayed. 2. Right-click a switch or fabric and click View Properties to iew the key properties for the switch or fabric. Viewing information about the data sources for fabrics and switches View information about the data sources that manage the switches in monitored fabrics. Tioli Storage Productiity Center communicates with data sources to collect information about the switches and fabrics and to configure zoning. Data sources can be SNMP agents, CIM agents, or Storage Resource agents that can detect the fabrics in an enironment. Tip: In large enironments, there might be many Storage Resource agents that can detect a fabric. Howeer, only the Storage Resource agent that manages the fabric is shown as a data source. On the Data Sources window in the web-based GUI, you can iew the following information about the data sources that manage switches and fabrics: The status of the connection between Tioli Storage Productiity Center and a data source. You can use this information to determine if there are any communication problems with the data source. For example, if information is not being collected about a monitored switch, it might indicate a communication problem between Tioli Storage Productiity Center and the data source that manages the switch. The IP address or host name of the data source. The names of the switches that are managed by data sources. If a data source manages more than one switch, the number of managed switches is proided. The data that is collected about a switch, such as performance data, information about switch ports, and information about the switch port connections to serers, storage, and other switches. The functions that are aailable for a fabric, such as zone control and zone alias control. 162 IBM Tioli Storage Productiity Center: Administrator's Guide

173 To iew information about the data sources for fabrics and switches, complete the following steps: 1. In the menu bar in the web-based GUI, go to Network > Switches or Network > Fabrics. Information about monitored fabrics or switches is displayed. 2. Click Manage Data Sources. 3. On the Data Sources window, iew information about the data sources that manage the fabrics or switches. Help tips in the GUI: To iew descriptions of the information that is displayed for a data source, hoer the mouse pointer oer the column headings on the Data Sources window. 4. Optional: To iew more information about a specific data source, including a list of the switches that it manages, right-click the data source and select View Properties. 5. Optional: Click the Managed Resources tab to iew the switches that are managed by the data source. Updating the credentials for switches and fabrics Change the credentials that Tioli Storage Productiity Center uses to authenticate to a data source that manages a switch or fabric. Depending on the functions that you want to enable, you can use a CIM agent, Storage Resource agent, or SNMP agent to manage switches. You can use a CIM agent or Storage Resource agent to manage fabrics. If the switch or fabric is managed by multiple data sources, for example multiple CIM agents, the menu is displayed as Connections > Update Credentials > data_sources. Select the data source for which you want to update the credentials. The type of data source for the fabric or switch determines the credentials that you can update. Updating the credentials for a switch: Change the credentials that Tioli Storage Productiity Center uses to authenticate to a data source that manages a switch. The data source can be a CIM agent, Storage Resource agent, or SNMP agent. To update the credentials for a switch, complete the following steps: 1. In the menu bar in the web-based GUI, go to Network > Switches. Information about monitored switches is displayed. 2. Right-click a switch and click Connections > Update Credentials. 3. Update the following credentials as required and then click OK. The credentials that are displayed depend on the data source. CIM agent Change the user name or password for the CIM agent. Storage Resource agent Change the user name or password for the Storage Resource agent. You can also change the certificate location and the passphrase for the agent. Certificate location The fully qualified path of the certificate file for the Storage Resource agent. For example, TPC_install_directory/data/ Chapter 2. Administering 163

174 sra/operating_system/certs/sra.pem. This file is on the computer where the Tioli Storage Productiity Center Data serer is located. Passphrase The passphrase for the certificate file. The passphrase was created when the certificate was generated. SNMP agent Change the SNMP community string. The default is public. Updating the credentials for a fabric: Change the credentials that Tioli Storage Productiity Center uses to authenticate to a data source that manages a fabric. The data source can be a CIM agent or Storage Resource agent. To update the credentials for a fabric, complete the following steps: 1. In the menu bar in the web-based GUI, go to Network > Fabrics. Information about monitored fabrics is displayed. 2. Right-click a fabric and click Connections > Update Credentials. 3. Update the following credentials as required and then click OK. The credentials that are displayed depend on the data source. CIM agent Change the user name or password for the CIM agent. Storage Resource agent Change the user name or password for the Storage Resource agent. You can also change the certificate location and the passphrase for the agent. Certificate location The fully qualified path of the certificate file for the Storage Resource agent. For example, TPC_install_directory/data/ sra/operating_system/certs/sra.pem. This file is on the computer where the Tioli Storage Productiity Center Data serer is located. Passphrase The passphrase for the certificate file. The passphrase was created when the certificate was generated. Testing the connection to a switch or fabric Verify that Tioli Storage Productiity Center can communicate with the data source that manages a switch or fabric. To test the connection to the data source that manages a switch or fabric, complete the following steps: 1. In the menu bar in the web-based GUI, go to Network > Switches or Network > Fabrics. Information about monitored fabrics or switches is displayed. 2. Right-click a switch or fabric and click Connections > Test Connection. A message that shows the results of the test is displayed. Remoing a switch or fabric Remoe a switch or fabric that you no longer want to monitor with Tioli Storage Productiity Center. 164 IBM Tioli Storage Productiity Center: Administrator's Guide

175 To remoe a switch or fabric, complete the following steps: 1. In the menu bar in the web-based GUI, go to Network > Switches or Network > Fabrics. Information about monitored fabrics or switches is displayed. 2. Right-click a fabric or switch and select Remoe. 3. Follow the directions that are presented in the information message. Serers and Storage Resource agents Administer serers and the Storage Resource agents that collect asset, fabric, file, and file system information about serers. Storage Resource agents can also gather information about database managers installed on the serer, and NAS deice information. You can create ping, probe, and scan jobs to run against the serers that hae Storage Resource agents installed. Use the web-based GUI to deploy and administer Storage Resource agents. For information about deploying Storage Resource agents, see Deployment guidelines and limitations for Storage Resource agents on page 96. Adding serers with Storage Resource agents Use the web-based GUI to add serers by deploying Storage Resource agents. Deploy Storage Resource agents if you want to enable full serer monitoring. To add a serer, you must hae Administrator priileges. For each installation of Tioli Storage Productiity Center, you can deploy only one Storage Resource agent on each serer. If you attempt to deploy additional Storage Resource agents on a serer, the deployments fail. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. Click Add Serer. 3. Select Deploy an agent for full serer monitoring. 4. Select a method for adding a serer. You can choose one of the following methods: Add a serer by manually entering information about the serer and the Storage Resource agent. Add one or more serers by importing configuration information from a comma-delimited file. 5. On the Deploy Agent page, configure deployment information for the Storage Resource agents. If you add multiple serers with different operating systems, separate configuration pages are displayed for agents that are deployed on Windows serers and agents that are deployed on UNIX serers. 6. On the Configure page, schedule the deployment of the Storage Resource agents. If you are deploying agents on multiple serers, a time span is calculated during which the agents are deployed. The agents are deployed at regular interals during the time span to aoid excessie load on the Tioli Storage Productiity Center serer. 7. Schedule the time and frequency that probes are run for the serers. If you add multiple serers, a time span is calculated during which the serers are probed. Chapter 2. Administering 165

176 8. To add the serers, click Finish. A probe is automatically run for a serer after the agent is successfully deployed. Use the Status column on the Serers page to monitor the status of the agent deployment. File List: Add one or more serers with Storage Resource agents by importing the configuration information from a comma-delimited file. The web-based GUI guides you through the following steps for adding serers: Select the input file. Configure deployment information. Schedule the agent deployment and data collection for the serers. The comma-delimited file that you use to import the configuration information for serers can contain entries for a single serer or multiple serers. Each line in the file represents a serer that you want to add. The information about each serer must be organized in the following format: host name or IP address,os type,location,custom tag 1,custom tag 2,custom tag 3 where: host name or IP address is required for each serer entry. An IP address can be in an IP4 or IP6 format. A host name or IP address can contain the following characters or symbols: A - Z (uppercase characters) a - z (lowercase characters) 0-9 (numeric characters) Symbols: -.:_ OS type is required and represents the operating system of the serer. The OS type for a serer must be one of the following alues: Windows Linux AIX Solaris HP-UX location is optional and represents the physical location of the serer. The location alue can be up to 64 characters in length. If the length exceeds 64 characters, the location alue is truncated when the serer is added. custom tag 1, custom tag 2, and custom tag 3 are optional and represent any additional information that you want to proide about the serer. The custom tag alues can be up to 64 characters in length. If the length exceeds 64 characters, the custom tag alue is truncated when the serer is added. Tip: The custom tags can be displayed on the Serers page or can be included as report columns when you generate reports for the serer. 166 IBM Tioli Storage Productiity Center: Administrator's Guide

177 Example host1,windows,san Jose,Accounting department host5,linux,london,finance department ,HP-UX,,Computing department 2001:DB8:0:0:0:0:0:0,Windows,Tokyo Tips: If the comma-delimited file contains entries for multiple serers, it might take some time to add the serers. To confirm that the serers are added, check the Status column on the Serers page. To comment out a line, enter a "#" at the beginning of the line. The serer on that line is not added when the list is imported. Example: # host1,windows,san Jose,Accounting department If there are syntax problems in the file, none of the serers in the file are added. Fixing deployments Use the Serers page in the web-based GUI to monitor serers that are added to Tioli Storage Productiity Center by deploying a Storage Resource agent. You can identify agents that failed to deploy, inestigate and resole the problems that caused the deployment failure, and deploy the agents again. To use the Fix Deployment action, you must hae Administrator priileges. When you use the Fix Deployment action, the existing agent deployment on the serer is automatically oerwritten when the agent is deployed again. Use the following steps to identify and fix Storage Resource agents that failed to deploy: 1. Use the Status column on the Serers page to identify agents that failed to deploy. A status of Failed deployment indicates that an error occurred when the agent was deployed. 2. Use the deployment log to inestigate the problems that preented the agent from deploying. Tip: The Open Logs action is not aailable if you select multiple serer rows. The Fix Deployment action is aailable if you select a single serer row or multiple serer rows. 3. Use the Fix Deployment action to change the deployment settings for the agents and deploy the agents again. The following examples show some of the problems that cause agent deployments to fail and the actions that you might take to resole the problems: Errors that do not require changes to the deployment settings The log message indicates that the DB2 database or the Data serer is not running. Start the serice that is not running and use the Fix Deployment action to deploy the agent. You do not need to change the deployment settings. Errors that require changes to the deployment settings The log message indicates that the port number on which the agent listens for requests from Tioli Storage Productiity Center is in use by another serice. Use the Fix Deployment action to change the setting for the Port field and to deploy the agent. Chapter 2. Administering 167

178 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. Locate the serers with failed agent deployments that you want to fix. 3. For each serer with a status of Failed deployment, complete the following steps: a. To iew the error messages, right-click the serer row and click Open Logs. b. Inestigate and resole the errors. 4. Click a single or multiple serers with a status of Failed deployment and click Actions > Fix Deployment. 5. On the Deploy Agent page, change the settings that caused the deployment errors. For example, if the deployment fails because there is not enough disk space at the location that is specified in the Installation path field, you might change the installation location for the agents. If you selected multiple serers with different operating systems, separate configuration pages are displayed for agents that are deployed on Windows serers and agents that are deployed on UNIX serers. Tip: If you select multiple serers, the following rules are used to determine the settings for the agent deployment fields: a. If the serers use different authentication methods, you cannot change the authentication settings. Keep current settings is displayed in the Authentication field and the fields that are used to configure the authentication settings are hidden. b. If the serers are configured with different daemon modes, you can specify the daemon mode to apply to all the selected serers. c. For other fields, if the serers hae the same alue for the field, the alue is displayed. If the serers hae different alues for the field, the field is blank. 6. On the Configure page, if the setting for the Location field caused a deployment error, change the field setting. 7. Schedule the deployment of the Storage Resource agents. If you are fixing the agent deployment for multiple serers, a time span is calculated during which the agents are deployed. The agents are deployed at regular interals during the time span to aoid excessie load on the Tioli Storage Productiity Center serer. 8. Schedule the time and frequency that probes are run for the serers. If you are fixing the agent deployment for multiple serers, a time span is calculated during which the serers are probed. 9. Click Finish to deploy the agents. The changes are applied to the serers that hae a status of Failed deployment. If you select serers that hae other statuses, for example, Pending deployment, those serers are not affected by the action. A probe is automatically run for a serer after the agent is successfully deployed. To monitor the status of the agent deployment, use the Status column on the Serers page. Canceling deployments Use the Serers page in the web-based GUI to cancel the deployment of Storage Resource agents. 168 IBM Tioli Storage Productiity Center: Administrator's Guide

179 To use the Cancel Deployment action, you must hae Administrator priileges. Use the Status column on the Serers page to identify the agent deployments that you can cancel. You can cancel the agent deployment for serers with a status of Failed deployment or Pending deployment. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. Locate the serers with the agent deployments that you want to cancel. 3. Click a single or multiple serers with a status of Failed deployment or Pending deployment, and then click Actions > Cancel Deployment. The agent deployment is canceled for the serers with a status of Failed deployment or Pending deployment. If you select serers that hae other statuses, for example, Deploying, those serers are not affected by the action. When you cancel the agent deployments, the serers are remoed from Tioli Storage Productiity Center. To add the serers again, use the Add Serer wizard. Modifying deployment schedules Use the Serers page in the web-based GUI to modify deployment schedules for Storage Resource agents. To use the Modify Deployment Schedule action, you must hae Administrator priileges. Use the Status column on the Serers page to identify the agent deployments that you can modify. You can modify the deployment schedules for serers that hae a status of Pending deployment. The Modify Deployment Schedule action is aailable if you click a single serer row or multiple serer rows. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. Locate the serers with the agent deployments that you want to modify. 3. Click a single or multiple serers with a status of Pending deployment, and then click Actions > Modify Deployment Schedule. 4. On the Modify Deployment Schedule window, the current schedule alues for the agent deployments are shown. You can change the date and time that agents are deployed. If you are modifying the deployment schedule for multiple agents, a time span is calculated during which the agents are deployed. The agents are deployed at regular interals during the time span to aoid excessie load on the Tioli Storage Productiity Center serer. Tips: If you select multiple serers and the serers hae the same alue for a field, the alue is displayed. For example, if the selected serers hae the same deployment date, the date is displayed. If the serers hae different alues for the field, the field is blank. The scheduled time for an agent deployment is based on the time zone of the Tioli Storage Productiity Center serer, not the time zone of the serer where the agent is deployed. 5. Click Sae. Chapter 2. Administering 169

180 The deployment schedules are modified for the serers that hae a status of Pending deployment. If you select serers that hae a status other than Pending deployment, the changes to the deployment schedule are not applied to those serers. Viewing information about Storage Resource agents View detailed information about the Storage Resource agents that are deployed on monitored resources. To iew information about a Storage Resource agent, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed and select View Properties. 3. In the properties notebook, click the Agent tab. Detailed information about the agent is shown, such as the agent state and ersion, and the date and time when the agent was last updated. If the Storage Resource agent has a state of Upgrade needed, the agent must be upgraded to the same ersion leel as the Tioli Storage Productiity Center serer to which it is communicating. Viewing Storage Resource agent log files The log files for a Storage Resource agent contain informational, warning, and error messages for the actions that were taken by the agent. You can use the content of the log files to troubleshoot any errors that might occur when a Storage Resource agent is started, processing data, or shut down. By default, the log files are located in the following directories on the serer where an agent is deployed: Windows C:\Program Files\IBM\TPC\agent\log\SRV1\agent.log Linux, UNIX, and AIX /opt/ibm/tpc/agent/log/computer_name/agent.log where computer_name represents the name of the serer where Tioli Storage Productiity Center is installed. If an agent communicates with more than one installation of Tioli Storage Productiity Center, a subfolder is created for each installation. For example, if the agent communicates with serers named SRV1 and SRV2, the following folders are created: C:\Program Files\IBM\TPC\agent\log\SRV1\agent.log C:\Program Files\IBM\TPC\agent\log\SRV2\agent.log To iew the log file for a Storage Resource agent, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, locate the serer that contains the Storage Resource agent that you want to analyze. 3. Right-click the serer row and select Logs > View Agent Log. 4. Optional: To iew only the log entries that hae a Warning or Error status, select an option from the Show all list. You can choose to iew only entries that hae the following statuses: Only error entries 170 IBM Tioli Storage Productiity Center: Administrator's Guide

181 Only warning entries Error and warning entries 5. Optional: To iew an explanation of the message that is associated with a log entry, click the link in the ID column. Upgrading Storage Resource agents Upgrade Storage Resource agents to ensure that they are at the same release leel as the Tioli Storage Productiity Center serer. When you apply maintenance to Tioli Storage Productiity Center, you can upgrade Storage Resource agents immediately or at a later time. To ensure that all your agents are at the current release leel and to manage your network load, schedule upgrades regularly. If a Storage Resource agent is not at the same leel as the Tioli Storage Productiity Center serer, the following limitations occur: New functions in the current release might not be aailable for the resources that are monitored by the agent. Problem fixes are not applied to the agent. You can upgrade Storage Resource agents by using the following methods: Use the Modify Agents > Upgrade action on the Serers page in the web-based GUI. Use a Storage Resource agent command. To determine if a Storage Resource agent must be upgraded, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. View the alues in the Agent State column. If the state of the agent is Upgraded needed, the Storage Resource agent for the related serer must be upgraded. Starting agent upgrades: Upgrade a Storage Resource agent to the same release leel as the Tioli Storage Productiity Center serer. The ability to start the upgrade process for a Storage Resource agent is aailable when the following conditions are met: A Storage Resource agent must be deployed on the serer that you want Tioli Storage Productiity Center to monitor. An agent upgrade is not currently running for the serer. The ersion of the agent that is deployed on the serer is earlier than the Tioli Storage Productiity Center serer ersion. To upgrade a Storage Resource agent that was not upgraded at maintenance time, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer that contains the Storage Resource agent to upgrade and select Modify Agents > Upgrade. 3. Select Immediate from the Agent Upgrade list on the Upgrade Agent window. Chapter 2. Administering 171

182 4. Click Upgrade to start the upgrade process. Scheduling agent upgrades: Schedule the upgrade process for a Storage Resource agent. You can schedule the upgrade process for a Storage Resource agent when the following conditions are met: A Storage Resource agent must be deployed on the serer that you want Tioli Storage Productiity Center to monitor. An agent upgrade is not currently running for the serer. The ersion of the agent that is deployed on the serer is earlier than the Tioli Storage Productiity Center serer ersion. Tips: To manage the workload for a serer and the network, schedule the agent upgrade for a time when the serer and network are not busy. The scheduled time for an agent upgrade is based on the time zone of the Tioli Storage Productiity Center serer, not the time zone of the serer where the Storage Resource agent is installed. For example, if an agent is installed on a serer in the Central (CST) time zone, but the Tioli Storage Productiity Center serer is in the Pacific (PST) time zone, the time that is shown in the web-based GUI when you schedule the upgrade is PST. To schedule the upgrade of a Storage Resource agent that was not upgraded at maintenance time, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer that contains the Storage Resource agent to upgrade and select Modify Agents > Upgrade. 3. Select Scheduled from the Agent Upgrade list on the Upgrade Agent window. 4. Select the date and time and click Upgrade to schedule the agent upgrade. Upgrading Storage Resource agents by using a command: You can manually upgrade Storage Resource agents. To manually upgrade the Storage Resource agent, complete the following steps: 1. Go to the DVD location of the installation program (by using the Storage Resource Agent image) and go to the bin directory: cd DVD_image_location/data/sra/operating_system_name Where DVD_image_location is the location of the installation image for the Storage Resource agent. 2. Run the upgrade command: bin/agent -upgrade -installloc agent_install_directory -commtype Daemon (1) 172 IBM Tioli Storage Productiity Center: Administrator's Guide

183 Notes: 1 Parameter when the agent is run as a daemon serice. The parameters are: -installloc "agent_install_directory" Location where the agent is installed. Enclose the directory name in quotation marks, for example, "C:\Program Files\IBM\TPC_SRA\". -commtype Daemon If the agent is run as a daemon serice, then this parameter must be specified. Here is an example for a daemon-based serice by using the default location: bin/agent -upgrade -installloc "/opt/ibm/tpc/" -commtype Daemon Here is an example for a non-daemon serice by using a non-default location: bin/agent -upgrade -installloc "C:\Program Files\IBM\TPC_SRA\" Tip: If you run the upgrade program outside of the DVD_image_location installation directory, then you must specify the full path. Disabling Storage Resource agents Disable Storage Resource agents so that they no longer collect data or run Tioli Storage Productiity Center jobs. You might want to disable a Storage Resource agent under the following conditions: The monitored serer is undergoing maintenance and is unaailable. This action preents Tioli Storage Productiity Center from flagging the agent as "down" if it cannot reach the agent. The number of times that the serer tries to contact the agent is defined by the agenterrorlimit parameter in the serer.config file. The monitored serer is busy with resource-intensie processing and you do not want to add any Tioli Storage Productiity Center jobs to that processing load. To disable a Storage Resource agent, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed and select Modify Agents > Disable. 3. Click OK to confirm that you want to disable the agent. The state of the agent is changed to Disabled and remains in that state until it is enabled again. You can disable agents on multiple serers at the same time. When you disable a Storage Resource agent that is deployed as a daemon serice, the serice is shut down, and the agent is disabled. Tioli Storage Productiity Center no longer sends requests to the agent or contacts it for job processing. A Storage Resource agent that is deployed as a non-daemon agent runs as a stand-alone process. Because a serice is not required for this type of agent, it is not necessary to shut down the agent before it is disabled. Enabling Storage Resource agents You can enable Storage Resource agents that are in a Disabled or Down state. After an agent is enabled, the Tioli Storage Productiity Center serer resumes communication with that agent. Chapter 2. Administering 173

184 If the Tioli Storage Productiity Center serer cannot contact an agent, the agent is automatically flagged as "down". You can use the Enable action to reestablish communication between the agent and the Tioli Storage Productiity Center serer. The number of times that the Tioli Storage Productiity Center serer tries to contact the agent is specified in the agenterrorlimit parameter in the serer.config file. The default alue for the agenterrorlimit parameter is 3. By default, the serer.config file is located in the following directory: Windows C:\Program Files\IBM\TPC\Data\config Linux or UNIX /opt/ibm/tpc/data/config 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed and select Modify Agents > Enable. You can enable agents on multiple serers at the same time. 3. Click OK to confirm that you want to enable the agent. 4. If the agent is running as a daemon serice, enter the user ID, password, and other credentials for the serer where the agent is deployed. Click OK to start the serice and enable the agent. The agent is enabled and the state of the agent is updated to reflect its current condition, such as Up or Upgrade needed. If the agent is deployed as a daemon serice, the serice is started when you enable the agent. Testing the connection with a Storage Resource agent Verify that the Tioli Storage Productiity Center serer can communicate with the serer where a Storage Resource agent is deployed. Use the Test Connection action in the web-based GUI to erify the state of the Storage Resource agent. For example, if the agent has a state of Down or Unreachable on the Serers page, you can test the connection to erify the state of the agent. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the Storage Resource agent is deployed and select Modify Agents > Test Connection. 3. Optional: If the process is slow, click Close in the Testing Agent Connection window to run the operation in the background. When the operation is complete, the serer status and the agent state are automatically updated on the Serers page. Changing credentials for Storage Resource agents You can change Storage Resource agent credentials, such as the user name and password that Tioli Storage Productiity Center uses for logging on to the serer where the agent is deployed. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed and select Modify Agents > Update Credentials. 3. In the Enter User Credentials window, change the credentials for logging on to the serer where the agent is installed. You can change the following credentials: 174 IBM Tioli Storage Productiity Center: Administrator's Guide

185 User name, Password The user name and password that Tioli Storage Productiity Center uses for logging on to the serer where the Storage Resource agent is deployed. The user name must hae administratie or root priileges on the serer. This action is aailable only for Storage Resource agents that were deployed as non-daemon serices. The user name and password must contain alid characters. You can enter the following characters: A - Z (uppercase characters) a - z (lowercase characters) 0-9 (numeric characters) Series of punctuation marks or special characters:!#%&*+-/=? ^_{}()., Restrictions: User names and passwords cannot contain spaces and must hae at least one character. The maximum length of a user name or password is 128 characters. Certificate location The fully qualified path of the certificate file for the Storage Resource agent, for example, TPC_install_directory/data/sra/ operating_system/certs/sra.pem. This file is on the computer where the Tioli Storage Productiity Center serer is installed. If the agent uses Secure Shell (SSH) protocol for communication, the certificate location field is displayed. Passphrase The passphrase for the certificate file. The passphrase was created when the certificate was generated. 4. Click OK to sae the changes. For more information about using certificates after you install a Storage Resource agent, go to the product documentation at knowledgecenter/ssne44_5.2.4/com.ibm.tpc_v524.doc/ fqz0_r_planning_agent_protocols.html. Collecting serice data Collect serice data about the selected Storage Resource agent. Serice data includes diagnostic information such as logs, trace files, configuration information, and computer details. Use this information to troubleshoot any errors that might occur during startup, processing, or shutdown of a Storage Resource agent. To collect serice data for a Storage Resource agent, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. Right-click a serer and select Logs > Collect Agent Logs. A message is displayed that shows the location where the serice file is stored on the Tioli Storage Productiity Center serer. 3. In a command line or other naigation tool, go to the directory where the serice file is located and unpack its contents. Chapter 2. Administering 175

186 If the collection of serice data is successful, a message is displayed that shows the location of the resulting serice file (.zip). The file is stored in a directory on the same computer as the Tioli Storage Productiity Center serer. The file is in the following default directories: Windows operating system: C:\Program Files\IBM\TPC\data\log\SRATraces\ agent_computer_name\tpcsericeinfo.zip UNIX or Linux operating system: /opt/ibm/tpc/data/log/sratraces/ agent_computer_name/tpcsericeinfo.zip Where agent_computer_name represents the name of the serer on which a Storage Resource agent is deployed. If an agent communicates with more that one installation of Tioli Storage Productiity Center, a subfolder is created for each installation. If the collection of serice data fails, an error message is displayed. For more information about why a data collection failed, see the serer log file or the serices script. These files are in the following default directories: Serer log file (on the computer where the Tioli Storage Productiity Center serer is installed): Windows operating system: c:\program Files\IBM\TPC\data\log UNIX or Linux operating system: /opt/ibm/tpc/data/log Serices script file (on the serer where the Storage Resource agent is deployed): Windows operating system: C:\Program Files\IBM\TPC\agent\serice\ agent_computer_name\tpcsericeinfo.html UNIX or Linux operating system: /opt/ibm/tpc/agent/serice/ agent_computer_name/tpcsericeinfo.html Where agent_computer_name represents the name of the serer on which the Storage Resource agent is deployed. Enabling or disabling scripts for Storage Resource agents You can enable or disable scripts that are sent from the Tioli Storage Productiity Center serer to Storage Resource agents. If you enable scripts to run, the Storage Resource agent runs the scripts that are sent from the Tioli Storage Productiity Center serer. If you disable scripts from running, the Storage Resource agent only runs the scripts that are stored on the serer where the agent is deployed. The agent does not run scripts that are sent from the Tioli Storage Productiity Center serer. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed. Select Modify Agents > Enable running scripts on agent or Modify Agents > Disable running scripts on agent to enable or disable scripts from running. Enabling or disabling the monitoring of fabrics by Storage Resource agents You can enable or disable fabric monitoring by Storage Resource agents. Fabric monitoring is enabled by default. When you enable fabric monitoring, the agent collects information about fabrics that the serer is connected to. After you install a Storage Resource agent on a serer, you can enable or disable the monitoring of fabrics that the serer is connected to. If you enable fabric monitoring, the agent collects information about the SAN and zoning. 176 IBM Tioli Storage Productiity Center: Administrator's Guide

187 If you disable fabric monitoring, the agent cannot collect fabric information or monitor fabrics that the serer is connected to. If the agent is the only data source that is managing the fabric, the fabric is no longer managed. A state of Unreachable is shown for the fabric on the Fabrics page. 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed. Select Modify Agents > Enable Fabric Functions or Modify Agents > Disable Fabric Functions to enable or disable fabric monitoring. Using the help command for Storage Resource agents The help command for Storage Resource agents proides information about the parameters for installing, uninstalling, and upgrading Storage Resource agents. For information about the Storage Resource agent commands, run the help command. Follow these steps: 1. Go to the installation location for the Storage Resource agent: cd <installation_location> 2. Run the following command: bin/agent -help 3. The output from the help command is as follows: Usage: Agent -INSTALL [-COMMTYPE DAEMON -AGENTPORT portnumber] [-FORCE] -INSTALLLOC pathname -SERVERIP address[,address,...] -SERVERPORT portnumber [-USERID username -PASSWORD password -CERT file -PASSPHRASE phrase] Agent -UNINSTALL [-FORCE] -SERVERNAME serername Agent -UPGRADE -INSTALLLOC pathname Remoing serers Remoe serers that you no longer want to monitor with Tioli Storage Productiity Center. You can use the web-based GUI to remoe serers. If a Storage Resource agent is deployed to the serer, the agent is uninstalled. When the serer is remoed, it is no longer monitored by Tioli Storage Productiity Center. All the data that was collected about the serer is remoed from the database repository. Tip: When you remoe a serer, it is only remoed from Tioli Storage Productiity Center. The serer is not physically deleted from the storage enironment. To remoe a serer, complete the following steps: 1. In the menu bar in the web-based GUI, go to Serers > Serers. 2. On the Serers page, right-click the serer where the agent is deployed and select Remoe. Chapter 2. Administering 177

188 3. Click Remoe to confirm that you want to remoe the serer. Registering a Storage Resource agent with a different Tioli Storage Productiity Center serer You can register a Storage Resource agent with a different Tioli Storage Productiity Center serer. A Storage Resource agent is registered with Tioli Storage Productiity Center serer A. You want the Storage Resource agent to point instead to Tioli Storage Productiity Center serer B. 1. From serer B, in the menu bar in the web-based GUI, go to Serers > Serers. Click Add Serer, select Deploy an agent for full serer monitoring, and click Manually. 2. On the Deploy Agent page, configure deployment information for the Storage Resource agent. Specify the same port number and installation location that are used for the Storage Resource agent on serer A. Select Oerwrite preiously installed agents. 3. On the Configure page, schedule the deployment of the Storage Resource agent and click Finish. When the deployment job completes, the Storage Resource agent is registered with serer B. Serer A can no longer communicate with the Storage Resource agent. To remoe the Storage Resource agent from serer A, on the Serers page in the web-based GUI, right-click the serer that the Storage Resource agent is deployed on and click Remoe. Manually changing the Windows serice logon Change the Windows serice logon for a Storage Resource agent. To change the Windows serice logon for a Storage Resource agent, complete the following steps: 1. Start Windows Serices. 2. On the Serices window, right-click IBM Tioli Storage Resource agent - 'C:\Program Files\IBM\TPC\'. 3. Select Properties. 4. Click the Log On tab. 5. Change the alues for This account, Password, and Confirm password to the login credentials that you want to use. If your Tioli Storage Productiity Center serer is part of a Windows domain, change this logon to <domain>\<account>. For example: mydomain\myaccount. Important: The Storage Resource agent requires that the domain account has local administrator priileges and the "Log on as a serice" and "Act as part of the operating system" user rights. 6. Click Apply and then OK to sae your changes. Managing the daemon Storage Resource agent serice on the Virtual I/O Serer Use this information to start and stop the daemon Storage Resource agent serice for the Virtual I/O Serer. 178 IBM Tioli Storage Productiity Center: Administrator's Guide

189 Starting and stopping the daemon Storage Resource agent serice To start or stop the daemon serice, follow these steps: 1. Log in to the Virtual I/O Serer using the padmin user ID. 2. Run the following command to set up the AIX enironment: oem_setup_en 3. Change to the base directory where the Storage Resource agent is located. For example: To stop the serice, run this command: /SRA_install_directory/agent/bin/agent.sh stop To start the serice, run this command: /SRA_install_directory/agent/bin/agent.sh start Deployment guidelines and limitations for Storage Resource agents You must consider the following guidelines and limitations when you manage Storage Resource agents in your enironment. Capacity guidelines for Storage Resource agents: For the capacity guidelines for Storage Resource agents by Tioli Storage Productiity Center ersion, see Use the following information when you deploy Storage Resource agents: Multiple Storage Resource agents that are probing or scanning the same storage resources Platforms that support the deployment of Storage Resource agents Product functions that are not aailable for storage deices monitored by Storage Resource agents Required authority for deploying Storage Resource agents Orphan zones Firewalls and Storage Resource agents deployments Deploying Storage Resource agents on multiple computers Communication between the Tioli Storage Productiity Center serer and a Storage Resource agent Daemon and non-daemon serices Authentication between the Tioli Storage Productiity Center serer and a Storage Resource agent Replacing default SSL certificates Storage Resource agents on the same computer Time zones for computers monitored by Storage Resource agents Connections for Linux and AIX operating systems by using Remote Shell protocol (RSH) Deployments on Windows - NetBIOS setting Deployments on Windows - User Account Control (UAC) remote restrictions Multiple Storage Resource agents that are probing or scanning the same resources If multiple Storage Resource agents are set up to probe or scan the same storage resources, the Storage Resource agents that was added to Tioli Chapter 2. Administering 179

190 Storage Productiity Center first is used for the probe or scan. Therefore, only data that is gathered by the first Storage Resource agent is shown. Platforms that support the deployment of Storage Resource agents For a list of platforms on which you can deploy Storage Resource agents, see the Tioli Storage Productiity Center interoperability matrix and go to the Agents, Serers and Browsers section. Product functions that are unaailable for resources that are monitored by Storage Resource agents Before you deploy a Storage Resource agent, ensure that the product functions you want to use on the monitored resources are aailable for those agents. The following functions are not aailable for resources that are monitored by Storage Resource agents: Certain relational database monitoring. For list of relational databases that can be monitored by Storage Resource agents, see the Tioli Storage Productiity Center interoperability matrix and go to the Agents, Serers and Browsers section. The reporting of HBA, fabric topology, or zoning information for fabrics that are connected to hosts that are running Linux on IBM System z hardware. These limitations also apply to Storage Resource agents on all guest operating systems for VMware configurations. Required authorities for deploying and running Storage Resource agents Before you can create deployment schedules and deploy Storage Resource agents on target computers, you must meet the following requirements: To create deployment schedules, you must be logged in to Tioli Storage Productiity Center with a user ID that has the Administrator role. For information about user roles, see Authorizing users on page 12. To deploy Storage Resource agents on target computers, you must proide a user ID that has administratie rights on those computers. You enter this ID when you create a deployment schedule. Tioli Storage Productiity Center uses this ID to log on to the target computers and install and configure the necessary runtime files for the agents. The user under which a Storage Resource agent (daemon or non-daemon) runs must hae the following authorities on the target computers: On the Linux or AIX operating systems, the user must hae root authority. By default, an agent runs under the user 'root'. On the Windows operating systems, the user must hae Administrator authority and be a member of the Administrators group. By default, a Storage Resource agent runs under the 'Local System' account. Orphan zones Storage Resource agents do not collect information about orphan zones. An orphan zone is a zone that does not belong to at least one zoneset. Firewalls and Storage Resource agent deployments Before you can deploy a Storage Resource agent on a computer, you must turn off the firewall on that computer. If you do not turn off the firewall, the deployment fails. To turn off the firewall on a Windows 2008 computer, complete the following steps: 1. Open Administratie Tools. For information about how to open Administratie Tools, see Accessing administration tools on page Click Windows Firewall with Adanced Security. 180 IBM Tioli Storage Productiity Center: Administrator's Guide

191 3. Click Windows Firewall Properties. 4. Change the Firewall state field to Off on the following tabs: Domain Profile Priate Profile Public Profile 5. Click OK to accept the changes and exit. 6. Deploy a Storage Resource agent to the Windows 2008 computer. Deploying Storage Resource agents on multiple computers If you deploy Storage Resource agents on multiple computers at the same time, the computers must hae the same administratie user ID and password. Tioli Storage Productiity Center uses these user credentials to log on to the computers when you install Storage Resource agents. Tip: When you deploy Storage Resource agents on multiple computers, a globally unique identifier (GUID) is created for each computer (if one does not exist). Communication between the Tioli Storage Productiity Center serer and a Storage Resource agent The Tioli Storage Productiity Center serer connects to a monitored computer when a Storage Resource agent is deployed and wheneer a data collection schedule runs against that agent. During deployment, the serer communicates with the target computer by using one of the following protocols: Windows serer message block protocol (SMB) Secure Shell protocol (SSH) Remote execution protocol (REXEC) Remote shell protocol (RSH) After deployment, the type of communication between the serer and agent on that computer depends on whether you deployed the agent as daemon serice or non-daemon serice. Daemon and non-daemon serices You can deploy a Storage Resource agent as a daemon or non-daemon serice: A Storage Resource agent that is deployed as a daemon serice runs in the background on the monitored computer and listens for requests from the Tioli Storage Productiity Center serer. Connectiity between the serer and agent is established by using SSL. The serer and agent hae their respectie certificates and no additional information is required besides those certificates and the security that is proided by the SSL protocol. A Storage Resource agent deployed as a serice on demand (non-daemon serice) runs as a stand-alone executable file on the monitored computer. Communication from the serer to the agent uses the same protocol that was used during the deployment of the agent. Communication from the agent to the serer uses SSL. Authentication between the Tioli Storage Productiity Center serer and a Storage Resource agent Tioli Storage Productiity Center requires the correct authentication information (user name, password, port, certificate location, or passphrase) for monitored computers each time it communicates with Storage Resource Chapter 2. Administering 181

192 agents on those computers. If the authentication information changes for a host computer on which a Storage Resource agent is deployed, the authentication information for that agent must be updated by using the Modify Agents > Update Credentials action on the Serers page in the web-based GUI. Replacing default SSL certificates Tioli Storage Productiity Center proides default SSL certificates for communication between the Data serer and Storage Resource agent. Tioli Storage Productiity Center Version uses SSL certificates with 2048-bit encryption keys whereas preious ersions of Tioli Storage Productiity Center used 1024-bit encryption keys. If you upgrade Tioli Storage Productiity Center from a ersion earlier than 5.2.2, your SSL certificates are not updated automatically. If you want to use 2048-bit encryption keys with preious ersions of Tioli Storage Productiity Center, you must replace the default SSL certificates with custom SSL certificates. For information about how to replace SSL certificates, see Replacing custom SSL certificates on page 107. Storage Resource agents on the same computer You cannot deploy a Storage Resource agent on a computer where a Storage Resource agent is already installed and pointing to the same Data serer. You can deploy a Storage Resource agent on the same computer as another Storage Resource agent if those agents communicate with different Data serers and use different ports when you listen for requests. Time zones for computers that are monitored by Storage Resource agents The time zones of computers that are monitored by Storage Resource agents are shown as Greenwich mean time (GMT) offsets in Tioli Storage Productiity Center reports. For example, a computer in Los Angeles shows the following time zones in the By Computer report in Asset reporting: (GMT-8:00) GMT-8:00 Connections for Linux and AIX operating systems by using Remote Shell protocol (RSH) If RSH is configured to use a user ID and password, the connection fails. To successfully connect to a system by using RSH, you must set up the.rhosts file (in the home directory of the account). RSH must be configured to accept a login from the system that is running your application. Deployments on Windows operating systems - NetBIOS setting To install a Storage Resource agent on Windows targets, the Enable NetBIOS oer TCP/IP option must be selected in the Control Panel settings for the computer's network connections properties. To set this option, complete the following steps: 1. Open Windows Control Panel. For information about how to open Windows Control Panel, see Accessing administration tools on page Select Network and Dial-Up Connections > some_connection > Properties > Internet Protocol (TCP/IP) > Adanced > WINS > Enable NetBIOS oer TCP/IP. To determine whether these ports are not blocked for inbound requests, see the documentation for your firewall. 182 IBM Tioli Storage Productiity Center: Administrator's Guide

193 To determine whether security policies are blocking the connection ports, open Administratie Tools. For information about how to open Administratie Tools, see Accessing administration tools on page 267. Depending on whether your policies are stored locally or in Actie Directory, follow these directions: Policies that are stored locally For policies that are stored locally, complete the following steps: 1. Open Windows Administratie Serices. 2. Click Local Security Policy > IP Security Policies on Local Computer. Policies that are stored in Actie Directory For policies that are stored in Actie Directory, examine the IP security policies and edit or remoe filters that block the ports: Click Administratie Tools > Default Domain Security Settings > IP Security Policies on Actie Directory. Click Administratie Tools > Default Domain Controller Security Settings > IP Security Policies on Actie Directory. For all Windows systems, the Serer serice must be running to connect to a Windows system by using the Windows protocol. The following table lists the ports that are resered for NetBIOS. Ensure that these ports are not blocked. Port Description 135 NetBIOS Remote procedure call. (Not currently used.) 137 NetBIOS name serice. 138 NetBIOS datagram. (Not currently used.) 139 NetBIOS session (for file and print sharing). 445 CIFS (on Windows XP). For Windows Serer 2008, shares must be shared for the Guest or Eeryone accounts, and password protected sharing must be disabled. To disable password protected sharing, follow these steps: 1. Click Control Panel > Networking and Sharing Center. 2. Click the down arrow next to Password protected sharing. 3. Click Turn off password protected sharing. 4. Click Apply. 5. Exit from the Control Panel. Deployments on Windows User Account Control (UAC) remote restrictions To install Storage Resource agents remotely on a Windows 2008 operating system, you must disable the User Account Control (UAC) remote restrictions on the Windows operating system. User Account Control is a security component on Windows operating systems. Tip: To disable UAC restrictions, you must modify the computer registry. Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore Chapter 2. Administering 183

194 the registry if problems occur. For information about how to back up and restore the registry, see To disable UAC remote restrictions, follow these steps: 1. Open the Windows Run window. For information about how to open the Run window, see Accessing administration tools on page Enter regedit and click OK. 3. Locate and click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Policies\System 4. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps: a. On the Edit menu, click New > DWORD Value. b. Enter LocalAccountTokenFilterPolicy as the name for the DWORD alue and click Enter. c. Click LocalAccountTokenFilterPolicy, and click Modify. d. In the Edit DWORD Value window, enter 1, then click OK. This alue can be 0 or 1: 0 This alue builds a filtered token. This alue is the default alue. The administrator credentials are remoed. 1 This alue builds an eleated token. e. Exit the registry editor. CIM agents Administer CIM agents that are associated with storage resources that are monitored by Tioli Storage Productiity Center. Common Information Model (CIM) agents proide a CIM interface for collecting information about certain types of storage systems and switches. Tioli Storage Productiity Center communicates with CIM agents to collect information about the following resources: IBM TotalStorage Enterprise Storage Serer IBM System Storage DS4000 IBM System Storage DS5000 Storage Manager IBM System Storage DS6000 Non-IBM storage systems that are managed by SMI-S certified Common Information Model Object Manager (CIMOM), such as EMC, Hitachi, and NetApp Switches: Brocade, Cisco, QLogic Tioli Storage Productiity Center communicates directly with the following storage systems and does not require CIM agents: System Storage DS8000 SAN Volume Controller The XIV system Storwize V7000 Storwize V3500 Storwize V3700 Storwize V7000 Unified 184 IBM Tioli Storage Productiity Center: Administrator's Guide

195 IBM SONAS GPFS clusters and GSS systems Adding a CIM agent Use the web-based GUI to add storage systems and switches that are managed by CIM agents. When you enter information about a storage system or switch, you must enter connection information for the CIM agent that manages it. You must specify connection information for CIM agents when you add the following resources: IBM TotalStorage Enterprise Storage Serer IBM System Storage DS4000 IBM System Storage DS5000 Storage Manager IBM System Storage DS6000 Non-IBM storage systems that are managed by SMI-S certified Common Information Model Object Manager (CIMOM), such as EMC, Hitachi, and NetApp Switches: Brocade, Cisco, QLogic Tips: In 5.2 and later, the ability to add CIM agents as data sources was moed from the stand-alone GUI to the web-based GUI. You define a connection to a CIM agent when you add resources that are managed by that agent. If a CIM agent manages multiple resources, all the resources that it manages are added to Tioli Storage Productiity Center. CIM agents must comply with SMI-S standards. For a complete list of resources and their CIM agents that you can add, see the Switches & Directors and Storage sections in the Tioli Storage Productiity Center interoperability matrix. To add storage system or switch that is managed by a CIM agent, complete the following steps: 1. In the menu bar in the web-based GUI, go to the resource that you want to add. To add a storage system, go to Storage > Storage Systems. To add a switch, go to Network > Switches. 2. Click Add resource, where resource represents the type of resource that you want to add. To add a storage system, click Add Storage System and select the type of storage system that you want to add. To add a switch, click Add Switch. 3. Specify information about the CIM agent that manages the resource. Help tips in the GUI: To iew descriptions of the information that you must enter for a CIM agent, hoer the mouse pointer oer the related help icons in the wizard. 4. Complete the wizard. This procedure does not physically add a CIM agent, but enables Tioli Storage Productiity Center to communicate with that agent and collect data about its managed resources. Chapter 2. Administering 185

196 Viewing information about a CIM agent View detailed information about CIM agents that manage the resources that are monitored by Tioli Storage Productiity Center. Use the following locations in the Tioli Storage Productiity Center GUIs to iew information about a CIM agent: Web-based GUI To iew information about a resource that is managed by a CIM agent, complete the following steps: 1. In the menu bar, go to the type of resource that you want to iew. To iew a storage system that is managed by a CIM agent, go to Storage > Storage Systems. To iew a switch that is managed by a CIM agent, go to Network > Switches. 2. On the resource list page, right-click a storage system or switch that is managed by a CIM agent and select View Properties. The key properties of the resource and its CIM agent is displayed. Stand-alone GUI To iew information about a CIM agent, use either of the following methods: In the naigation tree of the stand-alone GUI, expand IBM Tioli Storage Productiity Center > Reporting > Data Source Reports > CIMOM Agents and click By CIMOM Agent or By Managed Deice. In the naigation tree, expand Administratie Serices > Data Sources and click CIMOM Agents. A list of CIM agents is displayed. Click the magnifying glass icon next to a CIM agent to iew the following information about that agent: Serice URL The serice URL of a CIM agent that contains its IP address, the port on which a CIM agent is listening, and the protocol that is used for communication. This URL has a protocol [http https], an IP address or host name, and a port number. Display Name The name of the CIM agent as specified by the CIM proider. Description The optional description that was entered when the CIM agent was added. Username The user ID that is used for authentication when Tioli Storage Productiity Center logs in to a CIM agent. Interoperability Namespace Enter the interoperability namespace of a CIM agent. This namespace within the CIMOM allows for accessing a CIM Interop Schema (including the class instances of the Serer Profile) and determines how Tioli Storage Productiity Center interacts with the CIM agent when it retriees information. Truststore Location The location (path on this computer) of a certificate file for certificate-based authentication in the https protocol. 186 IBM Tioli Storage Productiity Center: Administrator's Guide

197 User Interface Description The name of the Human Interface Serice (if any) supported by this CIM agent. Software Leel The software ersion leel of the CIM agent. Protocol Version The ersion of the cim-xml protocol. Authentication Mechanism The authentication mechanism that is supported by a CIM agent. This field can contain the following alues: Unknown, None, Other, Basic, Digest. Protocol The communication protocol that is used for the CIM agent. Possible alues are http and https. SLP Attributes The standard set of attributes for this CIM agent. The attributes are retrieed ia SLP. Connection Status The status of a CIM agent as it relates to Tioli Storage Productiity Center. Possible alues are SUCCESS, UNCONFIGURED, UNKNOWN, INVALID_NAMESPACE, TIMEOUT, REFUSED, LOGIN_FAILED, SSL_HANDSHAKE_ERROR, SSL_REGISTRATION_INVALID, CIMCLIENT_ERROR. Status Timestamp The date and time when the Connection Status information was last collected. Viewing the resources that are managed by a CIM agent View the resources that are managed by a CIM agent. A CIM agent can manage multiple storage systems or switches at the same time. To iew the resources that are managed by a CIM agent, complete the following steps: 1. In the naigation tree of the stand-alone GUI, expand Administratie Serices > Data Sources. 2. Click CIMOM Agents to iew a list of agents that are monitored by Tioli Storage Productiity Center. 3. Select a CIM agent. 4. Click Show Managed Deices. A list of managed resources is displayed. Updating the credentials for a CIM agent Change the credentials that Tioli Storage Productiity Center uses to authenticate to a CIM agent. To update the credentials for a CIM agent, complete the following steps: 1. In the menu bar in the web-based GUI, go to the resource that is managed by a CIM agent. To update the credentials of a CIM agent that manages a storage system, go to Storage > Storage Systems. To update the credentials of a CIM agent that manages a switch, go to Network > Switches. Chapter 2. Administering 187

198 2. Right-click the storage system or switch that is managed by a CIM agent and select Connections > Update Credentials. If a resource is managed by multiple CIM agents, the menu is displayed as Connections > Update Credentials > data sources. Select the data source for which you want to update the credentials. 3. Update the user name and password for a CIM agent. The following information is shown for a CIM agent: CIM agent host name or IP address The host name or IP address for the computer on which the CIM agent that manages the resouce is installed. Depending on what is supported in your enironment, you can enter an Internet Protocol ersion 4 (IP4) or IP6 address. If you enter an IP6 address, the preferred representation is written as eight groups of four hexadecimal digits. Example: 2001:DB95:0000:1234:0000:0000:5678:ABCD. User name, password The user name and password that are used to authenticate to the CIM agent. 4. Click OK to apply the changes. Testing the connection to a CIM agent Ensure that Tioli Storage Productiity Center is communicating properly with a CIM agent. To test the connection between Tioli Storage Productiity Center and a CIM agent, complete the following steps: 1. In the menu bar of the web-based GUI, select the resource that is managed by a CIM agent. To test the connection of a CIM agent that manages a storage system, go to Storage > Storage Systems. To test the connection of a CIM agent that manages a switch, go to Network > Switches. 2. Right-click the storage system or switch that is managed by a CIM agent and select Connections > Test Connection. If a resource is managed by multiple CIM agents, the menu is displayed as Connections > Test Connection > data sources. Select the data source for which you want to test the connection. This process might take some time to complete. In this case, you can choose to continue the operation in the background. The status of the resource is automatically updated when the process is complete. Remoing a CIM agent Remoe a CIM agent from Tioli Storage Productiity Center. Data that was discoered by a CIM agent is not remoed from the database repository. To remoe a CIM agent, complete the following steps: 1. In the naigation tree of the stand-alone GUI, expand Administratie Serices > Data Sources. 2. Click CIMOM Agents to iew a list of agents that are monitored by Tioli Storage Productiity Center. 3. Select a CIM agent. 4. Click Remoe CIMOM. 5. Click OK to confirm the remoal of the CIM agent. Collecting CIM agent logs You can collect logs for certain IBM CIM agents using the command line interface. 188 IBM Tioli Storage Productiity Center: Administrator's Guide

199 Remember: Storage systems that use the natie interfaces (for example, DS8000, the XIV system, SAN Volume Controller, and Storwize V7000) do not use CIM agents. 1. Change to the directory where the CIM agent is installed. On Linux operating systems, DS3000, DS4000, DS5000, DS6000 are installed at /opt/ibm/cimagent/cimom On Windows operating systems, DS3000, DS4000, DS5000, DS6000 are installed at C:\Program Files\IBM\cimagent\cimom 2. Run one of the following commands: On Linux operating systems collectlogs.sh On Windows operating systems collectlogs.bat A collectedlogs.zip file is created. Important: This file is oerwritten if you run the script again. Verifying that a CIM agent is running You can erify that a CIM agent is running from the command line interface. To erify that a CIM agent is up and running, run the following command: telnet <IP> <port> Where <IP> is the IP address of the system where the CIM agent is installed, and <port> is the port number. By default, this is 5989 for a secure connection and 5988 for an unsecure connection. Out-of-band fabric agents Out-of-band agents are switches and directors that communicate with Tioli Storage Productiity Center through SNMP. In Tioli Storage Productiity Center V5.2, the functions for adding and administering out-of-band fabric agents were moed to the web-based GUI. When you add a switch as an SNMP agent in the web-based GUI, it is displayed as out-of-band fabric agent in the stand-alone GUI. In the stand-alone GUI, you can delete and iew information about those agents. For information about adding switches in the web-based GUI, go to the product documentation at SSNE44_5.2.4/com.ibm.tpc_V524.doc/tpch_t_wz_adding_resources.html. Displaying information about an out-of-band agent You can iew information about an out-of-band agent including the IP address, status, and SNMP community. To display information about an out-of-band agent, follow this procedure: 1. In the naigation tree, expand Administratie Serices > Data Sources. Click Out of Band Fabric Agents. 2. In the content pane, click the icon to the left of the agent for which you want information. In the content pane, a notebook window opens. On the General Information page, the following information is displayed: Chapter 2. Administering 189

200 Status The status of the agent. Host Name The host name of the system on which the agent is installed. IP Address The IP address of the system on which the agent is installed. This column displays Internet Protocol Version 4 (IP4) and Internet Protocol Version 6 (IP6) addresses as appropriate. SNMP Community Read The name of the Simple Network Management Protocol (SNMP) community to which the agent belongs. The SNMP community name acts as a password that is shared by one or more SNMP hosts. The community name is used to authenticate messages being receied by this SNMP host. This field is optional and might be blank if the SNMP community has not been set. Note: The default SNMP community is public. If the community name is not the correct community name for your enironment, the out-of-band agent might not be able to properly perform scans. SNMP Community Write The community string for SNMP writes. Tioli Storage Productiity Center uses the write community string to refresh information for the Out of Band Fabric Agent. The default is priate. This alue is used for Cisco switches only. Deleting an out-of-band agent You can remoe an out-of-band agent from the naigation tree and the database. Data discoered by the agent is not remoed from the database repository. To remoe an out-of-band agent, follow this procedure: 1. In the naigation tree, expand Administratie Serices > Data Sources. Left-click Out of Band Fabric. 2. In the content pane, select an agent and click Delete. Tioli Storage Productiity Center serers Use the Administratie Serices > Data Sources > IBM Tioli Storage Productiity Center Serers > function to manage the relationships between a master Tioli Storage Productiity Center serer and its subordinate Tioli Storage Productiity Center serers. By creating master and subordinate relationships between Tioli Storage Productiity Center serers, you can then use a single interface to generate reports that are based on data and metrics that were collected by multiple serers in a storage enironment: A master serer is a serer that does standard monitoring and reporting of storage resources, but also gathers the storage information (with Tioli Storage Productiity Center serer probes) that was collected by subordinate serers. A subordinate serer is a serer that monitors and reports on storage resources like a standard serer, but also communicates with the master serer during Tioli Storage Productiity Center serer probes. During these probes, the master serer collects the storage information that was gathered by the agents of a subordinate serer and stores that information in its own database repository. 190 IBM Tioli Storage Productiity Center: Administrator's Guide

201 Figure 16. Master and subordinate serer architecture The rollup reports that reflect the storage information that is collected by the master serer from subordinate serers are aailable in the Tioli Storage Productiity Center > Rollup Reports node. This node is aailable in the naigation tree for the master serer. If the master serer is on an IP6 only serer, it can communicate with existing subordinate serers under the following conditions: The subordinate serers are upgraded to Tioli Storage Productiity Center V5.1 or later The IP6 protocol is enabled on the computers where they are located. Before you can configure and manage subordinate serers, keep in mind the following items: The master serer must be up and running. You must be log on to the user interface as an Tioli Storage Productiity Center administrator or superuser It is recommended that the master serer monitors no more than 500 unique data sources. This number includes subordinate serers, Storage Resource agents, CIMOM agents, and VM serers (VMWare). It is recommended that a subordinate serer monitors no more than 1200 unique data sources. This number includes Storage Resource agents, CIMOM agents, and VM serers (VMWare). After this threshold is met for a serer, a new serer is deployed and all new agents point to it. After you upgrade to Tioli Storage Productiity Center 5.1, you must run probes against the monitored storage resources for the master serer to display information about them in Tioli Storage Productiity Center > Reporting > Rollup Reports. Chapter 2. Administering 191