IS1200 Web-Admin User and Configuration Guide, Version 4.3.2

Title Page
Kazeon IS1200™ Web-Admin User and Configuration Guide
Version 4.3.2
Last updated October 13, 2009
Copyright Information
Kazeon Systems
1161 San Antonio Road
Mountain View, CA 94043
Kazeon IS1200 Web-Admin User Guide
Version 4.3.2, 2009
Copyright © 2009 Kazeon Systems, Inc. All Rights Reserved.
This notice is intended as a precaution against inadvertent publication and does not imply any waiver of
confidentiality. Information in this document is subject to change without notice. No part of this document may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or information storage or retrieval systems, for any purpose without the express written permission of
Kazeon Systems.
The software described in this document is furnished under a license agreement or nondisclosure agreement. It is
against the law to copy the software onto any medium except as specifically allowed in the license or nondisclosure
agreement.
Kazeon™ is the trademark of Kazeon Systems, Inc. All other trademarks and copyrights referred to are the property
of their respective owners.
The text and drawings set forth in this document are the exclusive property of Kazeon Systems. Unless otherwise
noted, all names of companies, products, street addresses, and persons contained in the scenarios are designed solely
to document the use of Kazeon System products.
The Kazeon Information Server software is based in part on software licenses from the following:
Outside In® Content Access © 1991-2009, Chicago, Inc.
The software is based in part on the work of the Independent JPEG Group.
Code from Inxight Software, Inc. Copyright © 1996-2009. All rights reserved. www.inxight.com.
Certain icons used by the Kazeon Web applications come from the Silk Icon set
(http://www.famfamfam.com/lab/icons/silk/)
licensed under the Creative Commons Attribution 2.5 license
(http://creativecommons.org/licenses/by/2.5/).
IS1200-UG v4.3.2
Table of Contents
Title Page
List of Tables
Preface
Audience
What This User Guide Does and Does Not Cover
Customer Support
CLI Syntax Notation
Related Documentation

Chapter 1: Introduction
About the Kazeon Information Server
Benefits
Key Concepts
Optional Add-on Modules
GSA (Google Search Appliance)
EV (Enterprise Vault)
SS (Snapshot Search)
NRM (NetApp Retention Manager)
The Kazeon Information Server - ECS

Chapter 2: Installing License Keys: Administration
Licensing Requirements and Limitations
Licensing and Job Scheduling
License Expiration Dates
Capacity Based Licensing
Obtaining Server License Keys
Using the getkazkeyinfo Command
Requesting License Keys
Installing Server License Keys
Installing License Keys from the Command Line Interface (CLI)
Using the show license command
Using the add license command
Using the remove license <component> command
Installing License Keys from Web-Admin
The Licensing Pane
Reading the Licenses displays:
Procedures
To add a license key:
To remove all license keys:
To remove all license keys:
Using the Refresh toolbar button:

Chapter 3: Initial Configuration Overview, Options and Outlines
Overview
Basic Configuration
Advanced Configuration
Configuration for File Archival
Graphic User Interfaces and the Command Line Interface

Chapter 4: The Graphic User Interfaces
GUIs Overview
The Manager Page
Launching the Manager Page
The Web-Admin GUI
Supported Browsers
Launching Web-Admin
Web-Admin Navigation
Page Header and Login Header
Navigation Pane
The Web Search GUI
The Web Reports Application

Chapter 5: The Command Line Interface (CLI)
Using the Kazeon Command-Line Interface
Accessing the CLI from the network
Accessing the CLI from a Serial port
Common CLI Commands
Usage Tips
Viewing Command Keywords
Completing a Command
Moving Between Commands
Troubleshooting SSH Connections

Chapter 6: Role Based Administration
Introduction
Roles and Privileges Overview
Roles and Cases
Roles and External Authentication
Using External Authentication Groups with IS1200 Roles
Detailed Role Privileges
Using the CLI For Role Maintenance
To list role entitlements:
To add a user to a role
To add a group to a role
To add all users to a role
To remove a user from a role
To remove a group from a role
To remove all users from a role
To display a user’s roles

Chapter 7: Creating and Managing Clusters
About Nodes and Clusters
Cluster and Node Setup Guidelines
Starting a Cluster
Exporting the Cluster Key
Starting a Cluster the First Time
Managing a Cluster
To start a cluster or export Cluster keys
To stop a cluster
To add nodes to a cluster
To remove nodes from a cluster
To rename a cluster
To migrate nodes between clusters
The Intelligent Platform Management Interface (IPMI)
IPMI vs. DRAC
Cluster Leadership
The Split Brain Situation

Chapter 8: Configuring External Authentication
Overview of External Authentication
The Authentication Services Listing Display
Managing Authentication for Network Information Services
To configure NIS external authentication using Web-Admin
To remove external authentication for NIS using Web-Admin
To configure NIS external authentication using the CLI
Configuration Differences Between Installing and Upgrading
Managing Authentication for Active Directory
Specifying AD Server Identities
Active Directory Server Protocols Supported
Determining Which Protocol is Used to Communicate with AD Servers
Additional Requirements for AD Kerberos Authentication
Active Directory Authentication Procedures
To configure AD external authentication using Web-Admin
To configure AD external authentication using the CLI
Verifying Active Directory Configuration
Verifying Advanced AD and Kerberos Protocol
Verifying NTLMv2 and NTLM Protocol
Troubleshooting Adding Authentication Errors
Policy Manager Debugging
To remove AD external authentication using Web-Admin
Overriding the current AD communication protocol using Linux
Checking the current AD communication protocol using Linux
Checking, removing, or changing the current AD authentication server using the CLI
Configuration Issues with Multiple Domain Controllers
Support for Multiple Organization Units (OUs)
Organizational Unit Persistence

Chapter 9: The Identity Vault
Identities Purpose and Usage
Using an Identity with External Authentication
Adding Identities to the Identity Vault
To add an identity from Web-Admin
To add an identity from the Command Line
To view identities from Web-Admin
To view identities from the Command Line
To remove an identity from Web-Admin
To remove an identity from the Command Line
Using Identities to Configure Report and Services Notifications
Using the CLI to Set Email Parameters

Chapter 10: Repository Registration and Management
Introduction to Registration
Repository Registration: Rules and Guidelines
Directory, File, and Filepath Limitations
Metadata Repositories Requirements
Data Repository Requirements and Recommendations
Permissions for NFS and CIFS Data Repositories
Addressing Requirements for VMware Repositories
CIFS Server, Laptop, and Desktop Setup Requirements
Primary Metadata Repositories
Requirements and Preparations for Metadata Repositories
Preparing an NFS Metadata Repository Share Overview
Preparing a CIFS Metadata Repository Share Overview
Local Metadata Repository (localkazfs) Requirements
Registering NFS or CIFS Metadata Repositories
To register metadata repositories
Adding an NFS Metadata Repository:
Adding a CIFS Metadata Repository:
Adding a Local Metadata Repository (localkazfs):
The Discovery Process
Discovery Overview
Discovering Laptops and Desktops
Discovery Methods
Scheduling a Discovery Service
Running Environment Discovery Jobs Again
Registering Data Repositories
Registering Discovered Repositories
Registering Data Repositories
To register a Known Data Repository
Adding an NFS Repository:
Adding a CIFS Repository:
Adding a Laptop or Desktop Repository:
Adding a Local Data Repository (localdatafs)
Adding a Local USB Drive as a Data Repository
Removing a Local USB Drive/Data Repository
Adding an Enterprise Vault, MS Exchange, SharePoint, or Lotus Domino Repository
Managing Repositories
Repository Listings and Status
The Repository Filters
The Repository Toolbar
The Repository Listing
Editing and Viewing Registered Repositories
Importing Data and Metadata Repositories
To import a metadata repository
To import a data repository
Removing Repositories
To remove a repository
Removing all repositories
Moving Metadata Repositories
Managing Repository States
To change the state of a data repository

Chapter 11: Policies: Classification Extraction and Assignment Rules
Classifying Files Using Classification Rules
Basic Classification
Deep Classification
Kazeon Object Data Model
Metadata Classification
Metadata Extracted by Classification Service
Classification Service Management
Optimizing Classification of Large Files
Limiting the Size of Extracted Full-text
Partial Classification
Classifying Index Text Header
Computing Partial Hash
Resetting Minimum/Maximum file classification time-outs
Specifying a Kazeon URL
About Classification Rules and rule sets
Named Rule Sets
Default Rule Sets
Initial Rule Sets
Sample Extraction Rule Set
Using Extraction Rules
Using Assignment Rules
When to Use Extraction or Assignment Rules
Creating and Managing Rule Sets and Rules
To create a rule set
To delete a rule set
Creating an Extraction Rule
Using Regular Expressions in Extraction Rules
Using RegEx to Set Configuration Properties from the GUI
Creating Full-text Indexes with the Optional Parser
Creating an Assignment Rule
Creating KQL Queries
KQL Query Format
KQL Examples
Moving Rules Between Rule Sets
Changing the Listing Order of Rules in Rule Sets
Chapter 12:
Policy Groups: Authorization Policies .....................................................141
About Policies and Policy Groups ........................................................................................................ 142
Authorization Policies ................................................................................................................... 143
Maintaining Policy Groups ................................................................................................................... 143
To create a policy group ......................................................................................................... 144
To remove a policy group....................................................................................................... 144
Authorization Policies........................................................................................................................... 145
Resolving Permission Conflicts..................................................................................................... 145
Maintaining Policies ............................................................................................................................. 145
To add an Access or Logging policy...................................................................................... 145
To view, edit, or delete a policy ............................................................................................. 146
Chapter 13:
Custodian Mapping ....................................................................................147
Overview............................................................................................................................................... 148
Using Global Mappings ........................................................................................................................ 149
Adding a Global Rule .................................................................................................................... 149
Modifying a Global Rule ............................................................................................................... 150
Deleting a Global Rule .................................................................................................................. 150
Using the Exceptions Pane ................................................................................................................... 150
Adding an Exception ..................................................................................................................... 151
Modifying an Exception ................................................................................................................ 151
Deleting an Exception.................................................................................................................... 152
Chapter 14:
Working With PST Files ............................................................................153
How the IS1200 Provides World Class Searching ............................................................................... 154
How PST Files Fit In The Picture ................................................................................................. 157
Failures Encountered with Open PST Files .......................................................................................... 157
PST Failure Solutions .................................................................................................................... 158
Reprocessing PST Files in Another Location....................................................................................... 158
Identifying Live-Locked Errors During Processing ...................................................................... 158
Reprocessing Files with Live-Locked Failures ............................................................................. 160
Processing PST Files in Their Original Location Using OFM ............................................................. 160
How OFM Manager Works ........................................................................................................... 160
Using OFM for Collections and Reclassifications ........................................................................ 161
Using OFM for In-Place Processing.............................................................................................. 161
Installing OFM .............................................................................................................................. 161
Basic OFM Installation Overview ................................................................................................. 162
Detailed OFM Installation ............................................................................................................. 162
Using the IS1200 With OFM Installed.......................................................................................... 164
Chapter 15:
Job Scheduling and Classification Services .......................................... 165
Job Scheduling Overview......................................................................................................................166
Basic and Deep Classifications Compared.....................................................................................167
Selective Classifications.................................................................................................................168
Incremental and Differential Crawls ..............................................................................................168
Incremental Crawls .................................................................................................................168
Differential Crawls..................................................................................................................168
Choosing Between Incremental and Differential Crawls .......................................................169
Metadata Repositories ....................................................................................................................169
Factors Affecting Job Scheduling, Completion, and Speed ..................................................................170
Licensing and Job Scheduling........................................................................................................170
Repository Status and Availability.................................................................................................170
Ensuring Complete Classifications ................................................................................................170
Computing File Hash Values .........................................................................................................171
Other Types of Classifications and Services .........................................................................................172
Metadata Classifications ................................................................................................................172
Synchronizing Metadata Repositories............................................................................................172
Single-Step Collections ..................................................................................................................173
Job Editing.............................................................................................................................................173
The Job Manager page...........................................................................................................................174
Opening the Page ...........................................................................................................................174
The Jobs Manager Pane Interface ..................................................................................................174
The Job List Tab .....................................................................................................................174
The Tool-bar ...........................................................................................................................176
The Job Listing........................................................................................................................177
Managing Jobs................................................................................................................................177
Deleting a Job..........................................................................................................................177
Editing a Job From Web-Admin.............................................................................................177
Editing a Job From The Command Line Interface .................................................................178
Viewing or Reprocessing Job Failures from Web-Admin......................................................179
Viewing Job Failures From The CLI ......................................................................................179
Starting, Stopping, Suspending, or Resuming a Job ...............................................................180
Refresh Job Listings................................................................................................................180
Job Details...............................................................................................................................180
Scheduling Jobs .....................................................................................................................................181
Job Scheduling Overview...............................................................................................................181
Submitting or Scheduling Jobs.......................................................................................................182
Using job Scheduling Options: ......................................................................................................183
Run Now Jobs .........................................................................................................................183
Run Once Jobs ........................................................................................................................183
Recurring Jobs.........................................................................................................................184
Run Forever Jobs ....................................................................................................................185
Job Scheduling Procedures....................................................................................................................186
Scheduling Classification Services ................................................................................................186
Scheduling a Basic Crawl .......................................................................................................187
Scheduling a Deep Crawl........................................................................................................192
Scheduling a Metadata Classification .....................................................................................199
Scheduling a Metadata Synchronization.................................................................................201
Scheduling a Single-Step® Collection....................................................................................203
Optimizing a Single-Step® Collection ............................................................................203
Scheduling In-place Processing ..............................................................................................213
Chapter 16:
System Administration, BackUp, and Health...........................................215
Backing up System Configuration ........................................................................................................ 216
Best Practices: ........................................................................................................................ 216
Back Up Procedure................................................................................................................. 216
Restoring System Configuration........................................................................................................... 217
Restore Procedure................................................................................................................... 217
Cluster Disaster Recovery Best Practices ............................................................................................. 219
Preparing to Avoid Disaster........................................................................................................... 219
Start With a System in Good Operating Condition ................................................................ 219
Follow up with Regular Backups ........................................................................................... 220
General Backup Procedures ................................................................................................... 220
Detailed Backup Procedures................................................................................................... 221
What to Do When Disaster Strikes ....................................................................................................... 222
Possible Disaster Scenarios ........................................................................................................... 223
Steps to Restore Cluster Nodes...................................................................................................... 223
Verifying the Restore Operation.................................................................................................... 224
Health Info ............................................................................................................................................ 226
Chapter 17:
Managing Error Logging and Debugging................................................227
About Subsystems................................................................................................................................. 228
Managing Syslog .................................................................................................................................. 229
To view Syslog status............................................................................................................. 229
To view Syslog contents......................................................................................................... 229
To add a remote Syslog server ............................................................................................... 229
To turn off system logging to a remote machine.................................................................... 230
Managing Debug Level Logging for Subsystems ......................................................................... 230
To view the debug level logging ............................................................................................ 230
To turn on debug level logging .............................................................................................. 230
To turn off debug level logging.............................................................................................. 231
Chapter 18:
Managing the Search Index .......................................................................233
Manipulating the Search Index Size ..................................................................................................... 234
Creating a Search Index for a File Set .................................................................................................. 235
Deleting and Rebuilding the Search Index .................................................................................... 236
To delete the Search index from the CLI: .............................................................................. 236
To rebuild the Search index from the CLI.............................................................................. 236
Chapter 19:
Managing the Database .............................................................................239
Why Databases Need Maintenance ...................................................................................................... 240
Database Vacuuming ..................................................................................................................... 240
The Database Maintenance Tool ................................................................................................... 241
Monitoring and Scheduling Database Maintenance ............................................................................. 241
Chapter 20:
Kaz Schema and Tag Management.......................................................... 243
About Kaz Schema ................................................................................................................................244
The fulltext Metadata Field ............................................................................................................244
Default Kaz Schema Fields ............................................................................................................244
Viewing Kaz Schema .....................................................................................................................245
How Metadata Tags Are Defined in Kaz Schema.................................................................................246
Metadata Tag Attributes.................................................................................................................246
Metadata Tag Types .......................................................................................................................248
Fully Qualified Tag Names ............................................................................................................248
Metadata Tag Namespaces.............................................................................................................248
Standard Installation Name Spaces.........................................................................................248
Using ‘set schema’ to Add Tags to Kaz Schema ..................................................................................250
Deleting a Field from Kaz Schema ................................................................................................250
Other CLI Commands for Tag Maintenance.........................................................................................250
Creating New Namespaces.............................................................................................................251
Editing Tags ...................................................................................................................................251
Un-hiding Tags...............................................................................................................................251
Listing Name Spaces......................................................................................................................251
Listing Tags in a Specific Name Space..........................................................................................251
Listing the Indexed Tags in a Name Space ....................................................................................252
Listing the Details of a Specific Fully Qualified Tag ....................................................................252
Synchronizing Tag Management with Database............................................................................252
Best Practices.........................................................................................................................................252
Customizing Kaz Schema for Web-Search Preview .............................................................................252
Customizing the Search Schema for DICOM Data...............................................................................253
Chapter 21:
Auditing and Data Verification ................................................................. 255
Auditing Overview ................................................................................................................................256
Auditing and Legal eDiscovery......................................................................................................257
Data Verification Overview ..................................................................................................................258
Auditing Storage Requirements and Management................................................................................258
Auditing Storage Requirements .....................................................................................................259
Managing Auditing ........................................................................................................................259
Audit Pruning Settings ............................................................................................................259
Enabling or Disabling Global Auditing ..................................................................................260
Enabling or Disabling Auditing by Component: ....................................................................260
Displaying Auditing Status .....................................................................................................260
Enabling or Disabling Auditing by Event:..............................................................................261
Audit Event Types ..................................................................................................................262
Data Verification Management .............................................................................................................263
Data Verification Storage Requirements........................................................................................263
Enabling the Data Verification Checkbox .....................................................................................263
Audit and Data Verification Reporting .................................................................................................263
Audit Reports .................................................................................................................................263
Drill-down...............................................................................................................................264
View History ...........................................................................................................................264
Data Verification Reports...............................................................................................................265
Drill-Down ..............................................................................................................................266
Chapter 22:
eMail Solutions ...........................................................................................267
eMail Management and Regulatory Requirements .............................................................................. 268
Kazeon Standard Solutions................................................................................................................... 268
Kazeon Optional Solutions ................................................................................................................... 269
The Enterprise Vault Optional Module ......................................................................................... 269
How the IS1200 Works with Symantec EV .................................................................................. 269
Use Cases .............................................................................................................................................. 270
Legal Discovery............................................................................................................................. 270
Administrators ........................................................................................................................ 270
Auditors .................................................................................................................................. 270
Data Privacy................................................................................................................................... 270
Administrators ........................................................................................................................ 270
Auditors .................................................................................................................................. 271
Chapter 23:
Encrypted Files...........................................................................................273
EFS Overview....................................................................................................................................... 273
Impersonation Complications........................................................................................................ 274
Roaming Profiles .................................................................................................................... 275
Delegation Issues.................................................................................................................... 276
Basic Steps for Classifying Encrypted Files......................................................................................... 276
Encrypting Files and Folders on Windows Machines .......................................................................... 277
Granting Additional Users Permissions to Access Encrypted Files.............................................. 278
Obtaining and Registering Valid EFS Certificates ............................................................................... 280
Obtaining and Registering EFS Certificates Using MMC ............................................................ 280
Verifying a User Certificate Was Added to Active Directory....................................................... 281
Adding an EFS Remote Server as a Registered Repository ................................................................. 281
Setting up Delegation for Users and Remote Filers ...................................................................... 282
PGP Encryption ............................................................................................................................. 282
Chapter 24:
Administrators Responsibilities for Legal Hold ......................................283
Legal Hold and eDiscovery .................................................................................................................. 284
Administrator’s Responsibilities ................................................................................................... 284
Types of Legal Hold ...................................................................................................................... 285
Standard Legal hold................................................................................................................ 285
Security hold:.......................................................................................................................... 285
The “enable deletion on hold” Option............................................................................. 285
Legal Hold Limitations.................................................................................................................. 285
Configuring Legal Hold................................................................................................................. 287
Setting the Legal Hold Owner ....................................................................................................... 287
Setting Security or Legal Hold ...................................................................................................... 288
Setting the “enable deletion on hold” Option ................................................................................ 288
Using Legal Hold in Searches and Reports .......................................................................................... 288
Appendix A:
Best Practices ............................................................................................ 291
Best Practices.........................................................................................................................................292
Maximum Number of Concurrent Services ...................................................................................292
Avoiding Naming Conflicts with External Metadata (CSV) Files ................................................292
Managing Extended Attributes with Extraction Rules...................................................................292
Managing Metadata Repositories...................................................................................................293
Routine Password Expiration Exceptions ......................................................................................293
Choosing a Leader Node ................................................................................................................293
Maintaining Consistent Hash Values .............................................................................................293
Post Upgrade Cleanup....................................................................................................................293
Database Maintenance....................................................................................................................294
Best Browser Settings for GUIs .....................................................................................................294
Other Considerations .............................................................................................................................296
Turning Search Access Checks ON or OFF...................................................................................296
Date Format Requirements.............................................................................................................296
General Considerations ..................................................................................................................297
Appendix B:
Troubleshooting ........................................................................................ 299
Terminal ................................................................................................................................................300
Clusters and Nodes ................................................................................................................................300
Cluster Node SCSI Failures...................................................................................................................304
Authentication Problems .......................................................................................................................305
File Systems...........................................................................................................................................306
Extraction Rules ....................................................................................................................................308
Data Classification Errors......................................................................................................................308
Search ....................................................................................................................................................311
Reporting ...............................................................................................................................................312
System ...................................................................................................................................................312
System Response Problems...................................................................................................................313
Diagnostics ............................................................................................................................................314
Appendix C:
Configuration Files and Utilities............................................................... 315
Editing System Parameters and Configuration Files Overview ............................................................317
Parser Configuration ......................................................................................................................317
Parser Timeouts..............................................................................................................................317
Skipping File Classification by Type or Category .........................................................................317
Skipping JAR File Classifications ..........................................................................................318
Setting iNode Limits ......................................................................................................................319
SIDs and UID/GID Resolution ......................................................................................................319
Controlling ACL Checking ............................................................................................................319
Configuring Actionable Services for Search Tab Visibility ..........................................................320
Preserving File atimes After Opening Search Results ...................................................................321
Setting the Orphan Cleanup Parameter.......................................................................................... 321
Setting Email Alerts for Scheduled Jobs and Database Maintenance ........................................... 322
Setting Human Readable Filenames in Database: preserve_hierarchy ......................................... 322
Changing the Default Permissions for Actionable Services.......................................................... 322
Automatically Bypassing Offline Repositories During Crawls..................................................... 323
Setting Thread View Options Using LDAP .................................................................................. 324
Setting Whether to Show Email Attachments ........................................................................ 324
Setting Whether to Show Attachments Search Hits ............................................................... 324
Setting Whether to Show Threads for Email With No Subjects ............................................ 325
Setting the Mail Direction Parameter ............................................................................................ 325
Setting the XML Export Format.................................................................................................... 325
Setting Subobject Checkpointing .................................................................................................. 326
Configuring Batch Sizes ................................................................................................................ 326
Changing chunksize for Local Device Collections.................................................................. 327
Changing Admin, Root, or IPMI Passwords ................................................................................. 327
Changing the Root Password.................................................................................................. 328
Changing the Admin Password .............................................................................................. 328
Changing the IPMI Password................................................................................................. 328
Utilities.................................................................................................................................................. 329
Using the IPMI Utility ................................................................................................................... 329
Recreating Snapshot Catalog......................................................................................................... 330
Appendix D:
Error Tables, Kazpartial .............................................................................331
Job Status Listings and Kazpartial Reports .......................................................................................... 332
Kazpartial Errors Table......................................................................................................................... 332
Appendix E:
Installation and Configuration Checklists................................................335
Site Requirements ................................................................................................................................. 336
Rack Space ............................................................................................................................. 336
Tools & Accessories............................................................................................................... 336
Power and heat constraints ..................................................................................................... 336
Network Connections ............................................................................................................. 336
Software.................................................................................................................................. 336
Primary Data........................................................................................................................... 336
Storage for Kazeon Metadata ................................................................................................. 336
Best Practices.......................................................................................................................... 337
System Installation and Configuration ................................................................................................. 337
External Authentication Configuration................................................................................................. 339
File System Registration ....................................................................................................................... 339
Kazeon Information Server Regulatory Certifications ......................................................................... 341
Appendix F:
Kazeon Query Language (KQL)................................................................ 343
Classification Rule (Assignment) overview..........................................................................................344
Using KQL Queries with Assignment Rules.........................................................................................345
KQL Query Format ........................................................................................................................345
KQL Functions...............................................................................................................................346
KQL Examples...............................................................................................................................348
Adding KQL Search Results to the Search Index ..........................................................................348
Appendix G:
Regular Expressions (RegEx) .................................................................. 351
Regular Expressions Overview .............................................................................................................352
RegEx Syntax Basics.............................................................................................................................352
Quantifier Summary.......................................................................................................................352
Meta-Characters .............................................................................................................................353
Escape Characters ..........................................................................................................................353
Alternation......................................................................................................................................354
Grouping with Parentheses.............................................................................................................354
Kazeon RegEx Examples ......................................................................................................................354
Confidential....................................................................................................................................354
Social Security Numbers................................................................................................................355
Master Card Credit Card Numbers.................................................................................................356
Individual Taxpayer Identification Numbers .................................................................................357
Appendix H:
Default Metadata Tags / Search Schema................................................. 359
Default Metadata Tags ..........................................................................................................................360
Mail File Metadata .........................................................................................................................363
Microsoft Office File Metadata:.....................................................................................................364
Music File Metadata.......................................................................................................................365
Graphic File Metadata....................................................................................................................365
Appendix I:
Using DICOM Tags .................................................................................... 367
Using DICOM File Attributes as Metadata...........................................................................................368
Enabling DICOM File Recognition ...............................................................................................368
Selecting the DICOM Properties to Extract...................................................................................368
Adding DICOM File Attributes to the Search Schema..................................................................369
DICOM Properties That Can Be Extracted As Extended Attributes ....................................................370
Appendix J:
Server Security Certificates.......................................................................381
Why Security Certificates are Used on the IS1200 .............................................................................. 382
Security Certificate Warning Messages......................................................................................... 382
Security Options ................................................................................................................................... 382
Installing SSL and a New Certificate on the IS1200 ............................................................................ 383
Turning SSL Off on the IS1200............................................................................................................ 386
Appendix K:
Setup Requirements for Windows Laptops, Desktops, and Servers ....389
Overview of Setup Requirements for Laptops and Desktops............................................................... 390
WINS Setup Requirements............................................................................................................ 390
File Access Requirements.............................................................................................................. 391
Windows Operating System Requirements ................................................................................... 391
WINS Setup Procedures ....................................................................................................................... 392
WINS Setup for Laptops and Desktops......................................................................................... 392
WINS Setup for the IS1200........................................................................................................... 392
Verifying WINS Server and DHCP-Prefix Configuration ............................................................ 395
Laptop/Desktop Setup Procedures for XP and Vista............................................................................ 396
Windows XP Settings .................................................................................................................... 396
Window Vista Settings .................................................................................................................. 400
Enabling the Administrator Account...................................................................................... 400
Enable File Sharing ................................................................................................................ 401
Opening Firewall Settings ...................................................................................................... 402
Active Directory Settings for Windows XP .................................................................................. 406
AD Group Policy.................................................................................................................... 406
Creating a Group Policy on the Domain ................................................................................ 406
Customize the Windows firewall Group Policy Settings ....................................................... 409
References for Windows Servers 2008 and Windows Vista.................................................. 411
Preparing Laptops and Desktops To Access Open Files ...................................................................... 412
Registering and Classifying USB Repositories .................................................................................... 412
Classifying a USB Drive: Overview.............................................................................................. 412
Share the USB drive on the network. ..................................................................................... 412
Register the USB drive with the IS1200 ................................................................................ 413
Registering a USB Drive Share Using Its Host’s NetBIOS Name ................................. 413
Discovering and Registering a USB Drive ..................................................................... 414
Schedule a Classification on the USB drive........................................................................... 416
Appendix L:
Supported File Formats .............................................................................419
Word Processing Formats ..................................................................................................................... 420
Generic Text ........................................................................................................................... 420
DOS Word Processors............................................................................................................ 420
Windows Word Processors ................................................................................................................... 421
Macintosh Word Processors ................................................................................................... 421
Presentation Formats............................................................................................................................. 422
Graphics Formats .................................................................................................................................. 423
Compressed Formats............................................................................................................................. 425
Database Formats.................................................................................................................................. 425
Appendix M:
Supported Time Zones.............................................................................. 427
Appendix N:
DRAC Card Installation (Optional) ........................................................... 441
Introduction ...........................................................................................................................................441
DRAC Card ....................................................................................................................................441
The DRAC and IPMI Cards Compared .........................................................................................441
Installation .............................................................................................................................................442
Installation Pre-requisite ................................................................................................................442
Installation Post-requisite ...............................................................................................................442
Installation Instructions ..................................................................................................................442
DRAC Configuration .....................................................................................................................445
Glossary ..................................................................................................... 447
Index ........................................................................................................... 449
List of Tables
Chpt/Apdx  Title ........................................................ Page
4:   GUI Platform Requirements ........................................... 24
4:   Supported Web-Search Environments ................................... 26
5:   Common CLI Commands ................................................. 34
6:   What Roles Are Allowed to Log Into What Web Applications ............. 40
6:   How Roles Interact with Active Case Login Header Display ............ 40
6:   How Roles Determine the Active Case Display ......................... 41
6:   How Roles Control The Tagging Options ............................... 41
8:   Active Directory Ports Required to be Open for IS1200 Communications . 57
9:   Adding User Credentials for CIFS - Keywords and Values ............... 76
11:  Types of Classification Services .................................... 123
11:  Native Metadata Supported in Assignment Rules ....................... 129
15:  Job Editing Attributes, Conditions, and States ...................... 173
18:  Rebuild Search Index - Keywords ..................................... 236
20:  Types of Attributes for ‘set_schema’ CLI Command .................... 246
20:  Standard or Default Name Spaces ..................................... 248
E:   System Installation and Configuration Checklist ..................... 338
E:   External Authentication Checklist ................................... 339
E:   NFS File System Registration Information ............................ 339
E:   CIFS File System Registration Information ........................... 340
H:   Default File System Metadata Tags / Search Schema ................... 360
H:   Default Kazeon-configured Metadata Tags / Search Schema .............. 361
H:   Default Kazeon Internal Metadata Tags / Search Schema ................ 362
Preface
The Kazeon Information Server Configuration and User Guide describes how to
set up, configure, and use the Kazeon Information Server IS1200 to classify, manage,
and retrieve information across your enterprise.
You can use the Kazeon Command Line Interface (CLI) or the Kazeon Graphical User
Interfaces (GUIs) to perform these tasks. See “GUIs Overview” on page 24 for
details on these GUIs. Although this guide describes how to use both Web-Admin and
the CLI for administration, the primary focus is on performing administration tasks
through Web-Admin. Some tasks are currently not supported through Web-Admin and
must be performed through the CLI.
Audience
This guide is intended for Administrators, Business Analysts, and Compliance
Auditors.
What This User Guide Does and Does Not Cover
This guide is intended as a reference guide for Administrators who are administering
the IS1200 on a day-to-day basis. It assumes the IS1200 is already installed and
operational. While it does cover initial configuration, it does not cover hardware or
software installation.
Refer to the Kazeon Installation and Quickstart Guide for details on installing the
IS1200.
Refer to the appropriate version of the Kazeon IS1200 Release Notes when upgrading
to new versions. Release Notes are posted on the Kazeon Support site as they become
available.
Customer Support
You can contact Kazeon with questions or comments at support@kazeon.com, or call
1-877-kazeon1.
CLI Syntax Notation
This guide uses the following conventions to describe the syntax of CLI commands:
Command Elements   Example       Convention
Keyword            type          Items that you do not replace are in code type style.
Values             serverName    Items that you replace with an appropriate name or values are in bold italic type style.
Optional Items     []            Optional items are enclosed by square brackets. Do not type the brackets.
Choices            read|write    Choices are separated by vertical lines; choose one if desired.
Related Documentation
Kazeon Information Server IS1200 Installation and Quick Start Guide - provides a
quick introduction to installing, configuring, and using the Kazeon Information
Server.
Kazeon Information Server IS1200 Web-Admin User and Configuration Guide - describes
how to use the Web-based Administration Interface to setup and manage
Kazeon clusters.
Kazeon Information Server IS1200 Web-Search User Guide - describes how to use the
Web-based Search Interface to perform basic and advanced search.
Kazeon Information Server IS1200 Web-Reports User Guide - describes how to use the
Web-based Reports Interface to perform basic and advanced reports.
Kazeon Information Server IS1200 Legal eDiscovery Guide - for legal representatives,
a primer of all the web-based Interfaces above for performing eDiscovery.
Kazeon Information Server IS1200 Command Reference Guide - describes the Kazeon
Command Line Interface.
Chapter 1:
Introduction
The Kazeon Information Server is comprised of a hardware platform and the Kazeon
Server software.
The Kazeon Information Server can be installed in any of the following
configurations, each tailored to a different set of user needs.
• The Kazeon Information Server -ECS (Enterprise Content System appliance) is
  the ideal base for attacking information governance issues related to data privacy,
  security and compliance. Its content-aware approach to policy-based automated
  file management enables companies to quickly identify potential exposures and
  automate policy enforcement around issues such as encryption and retention.
• The Kazeon Information Server -SA (Search Appliance) is focused on storage
  search solutions such as backup search and recovery, legal discovery and archive
  search.
• The Kazeon Information Server -FRM (File, Reporting, Migration appliance) is
  tuned for optimizing your file servers and network attached storage resources by
  efficiently leveraging file attribute information.
This guide describes the installation and use of the Kazeon Information Server -ECS.
This chapter describes the features and capabilities of all Kazeon Information Server
configurations.
Chapter topics include:
• “About the Kazeon Information Server” on page 2
• “The Kazeon Information Server -ECS” on page 4
About the Kazeon Information Server
The Kazeon Information Servers are integrated hardware and software appliances that
provide information management solutions enabling organizations to efficiently and
cost-effectively classify, manage, and retrieve data. They provide consistent
information visibility and control across distributed files, minimize the risk of unmanaged files, integrate seamlessly with existing infrastructure, and scale to support
billions of files for searching, reporting, backup search and recovery, and file
migration and archiving.
Benefits
The Kazeon Information Server saves time and money by:
• Quickly finding files distributed across storage volumes using the web-based,
  user-oriented, Web-Search GUI.
• Simplifying and speeding responses to legal discovery or compliance audits
• Efficiently classifying files based on file metadata and file content
• Providing ad hoc or scheduled file migration to tiered storage
• Providing hardware scalability—supporting from 1 to 16 server nodes with
  dynamic node addition and removal—across billions of files
• Integrating seamlessly into current network infrastructure
Key Concepts
Organizations store a wide variety of data. An increasing percentage of this data is
unstructured and inefficiently managed. Unstructured data refers to the burgeoning
gigabytes of word processing documents, memos, slideshows, spreadsheets, project-management charts, and other file types produced daily by organization members.
These files are generally stored in non-standardized filing systems that make sense
only to the person who created them. Gaining a better understanding of this
unstructured data helps organizations meet litigation and compliance requirements,
retrieve information quickly, and optimize storage space and storage costs. The
Kazeon Information Server provides a single solution to classify unstructured data and
enable organizations to meet their information storage and retrieval objectives.
The Kazeon Information Server can provide the following functionalities:
Data Classification: To avoid the time consuming and tedious repetition of searching
all your file systems individually each time you need to find something, the Kazeon
Information server classifies your data and stores it in a central repository.
Classifications (or crawls) are performed by a fast, efficient search engine that opens
every file in your file systems and inspects them for file-attributes and user-specified
criteria. Crawls generate file abstracts stored in a metadata repository. The single
metadata repository can then be searched quickly and efficiently whenever you need
to find something.
Metadata is data about data. Kazeon metadata is data about file data. Kazeon metadata
can be about files of any type or size including text files, spreadsheets, slideshows,
pictures, etc. Metadata includes both file system metadata and custom metadata.
File system metadata includes both the native file attributes found in a file’s directory
listing (such as file name, filePath, creation time, etc.) and application-specific
document-properties. Document-properties include both predefined properties (for
example in an MS Word file properties dialog: title, subject, and author) and custom
properties (for example in an MS Word file properties dialog: editor, mailstop, or
owner). Native file attributes are always collected during a basic classification (or
crawl). Application-specific document-properties are collected during deep
classifications (crawls) but only if they are specifically required by variables set in the
system configuration files.
Custom metadata is user-defined and is used to capture common data types like social
security numbers, dates, and email addresses, or organization-specific data like
account or product numbers. Custom metadata is collected during deep classifications.
For information, see “Classifying Files Using Classification Rules” on page 120.
Metadata is stored in a metadata repository that must be registered with the IS1200
before classifications can begin. The metadata repository share must have read/write
permissions and the share must not be deactivated while the metadata repository is
being actively used by the IS1200, otherwise database corruption may occur.
Similarly, if a metadata repository loses power, active crawls or reports may halt or
hang until the metadata repository is running normally.
The Kazeon Information Server supports NFS and CIFS file systems. Optionally—
using various optional add-on modules and licenses—the Kazeon Information Server
can work with Network Appliance Snapshot and SnapLock systems, including
FPolicy.
Searches: After data classification has produced a metadata repository, the Kazeon
Information Server can provide quick efficient searches of any one, or all, of your file
systems. Searches can be as simple as looking for a single keyword, like “personnel”,
or can look for multiple criteria with conditionals like AND, OR, and NOT
between them. Searches return a list of files. Files can then be opened directly, or
acted on with actionable services.
Actionable Services allow the results of searches—a list of files—to be immediately
copied, moved, deleted, archived, or otherwise managed. Actionable Service requests
can be run once, or saved and scheduled for regular, automated use. For more
information about actionable services, see the Kazeon IS1200 Web-Search User Guide
or the Kazeon IS1200 Web-Reports User Guide.
Reports: Reports provide visibility into unstructured data and help manage storage
distribution and satisfy compliance requirements. Reports can be created about file
history (creation, modification, deletions, etc.), file distribution across storage tiers,
file duplication, storage utilization, and other areas designed for Storage managers.
Kazeon provides a few default reports, however new reports can be defined based on
your unique requirements. Default reports display metadata such as file path and
access type. When new reports are created, you specify company-specific metadata to
define unique subsets of the files to base reports on.
Reports can be run immediately, or scheduled to run automatically at specified times.
After a report is generated, results can be viewed and saved. The results of reports—a
list of files—can also be acted upon via actionable services.
Data Management: With the IS1200, organizations can implement policies to
address data migration, protection, retention, and access control. The IS1200 helps
define and enforce policies to ensure efficient data management, compliance with
government laws, and prevention of unauthorized access to information.
Data migration is implemented through the actionable services feature.
Data Retrieval: After using either the searching or reporting features of the Kazeon
Information Server, actionable services can be used to both copy, move, or archive
files from standard storage, or recall migrated files from secondary archival storage.
Optional Add-on Modules
Licenses for the following optional add-on modules can be purchased and are
available for various versions of the Kazeon Information Server:
GSA (Google Search Appliance)
For clients that already own a Google Search Appliance, this module allows combined
searches by the Kazeon search appliance and the Google Search Appliance in a single
interface and display.
EV (Enterprise Vault)
The Enterprise Vault Connector bridges Symantec Enterprise Vault and Kazeon
Systems enabling the Kazeon IS1200 System to handle an EV archive as a directory.
SS (Snapshot Search)
Integrates Snapshot volumes into searches allowing the following results to appear in
a single display, all unique files—originals and all subsequent modifications—and any
Snapshot duplicates of those unique files.
NRM (NetApp Retention Manager)
Working with NetApp software, this module allows organizations to proactively
manage unstructured data and meet increasingly stringent compliance and legal
discovery requirements. It is integrated with NetApp SnapLock to satisfy strict
records-retention regulations.
User Guides for all optional modules are included on the Documentation CD that
comes with the base server license, and may also be found by following the
Kazeon Documentation link on the Manager page. See “Launching the Manager
Page” on page 24 for details on opening the Manager page.
The Kazeon Information Server -ECS
The Kazeon Information Server -ECS—or Enterprise Content System appliance—is a
highly available, integrated system providing content-aware indexing, classification
(both basic and deep), search, reporting, and migration capabilities. It is ideally suited
for ensuring organizational data privacy, security compliance required by
governmental regulations, and data retention.
It includes both web-based Search and Reporting GUIs—for regular users—and an
administration GUI for administrative functions. It provides advanced file reporting
capabilities with a well-designed suite of reports created with IT needs in mind, as
well as the ability to customize reports and layouts as needed.
Classifying, managing, and retrieving files is the essence of business-centric file
management. The Kazeon Information Server provides these services enabling a
corporation to know what is stored on its network and ensure that the network is
managed to meet the needs of the business.
Chapter 2:
Installing License Keys: Administration
License keys are required to enable all functionalities on the Kazeon Information
Server.
This chapter discusses obtaining and installing license keys—both installing the initial
license keys and installing license keys for optional add-on modules after initial setup.
License keys may be installed from either the Command Line Interface (CLI) or from
Web-Admin.
Topics are as follows:
• “Licensing Requirements and Limitations” on page 8
• “Licensing and Job Scheduling” on page 8
• “Using the getkazkeyinfo Command” on page 10
• “Installing License Keys from the Command Line Interface (CLI)” on page 11
• “Installing License Keys from Web-Admin” on page 13
• “The Licensing Pane” on page 15
• “Using the remove license <component> command” on page 13
Licensing Requirements and Limitations
License keys are needed to enable all functionalities of the Kazeon Information
Server. Individual license keys are needed for the basic system and all optional
modules. Additionally, unique keys—for both basic and module functionalities—are
required for each node in the cluster.
Note:
Because individual license keys are required for each node of a cluster, adding a
new node (without its own unique keys) will disable all licensed functionalities
for the entire cluster until keys are obtained and installed for the new node.
Additionally, if any individual node’s licenses expire, the entire cluster loses the
functionality of the expired license key.
When optional modules are purchased at the same time as the basic Kazeon
Information Server, the single license key supplied by Kazeon activates both the basic
functionality and the additional modules simultaneously. If you obtain the server, and
add-on modules at different times, you will need to obtain and install separate
module license keys.
Licensing and Job Scheduling
Jobs that require optional modules, for instance classifying NetApp Snapshots (which
requires the SnapSearch optional module), can only be scheduled if the required
license is currently installed and valid on all nodes of the cluster. Scheduled jobs will
fail if a required license is removed or expires, from any node in the cluster, before the
job executes.
Additionally, for recurring jobs, a job requiring a license that is in-progress when the
key is removed or expires will complete, but its next recurrence will fail.
License Expiration Dates
All nodes require a base license to function. Some base licenses have expiration dates
and are called time based licenses. Prior to v4.2.0, time based licenses had a 7 day
grace period: when a license expired, users were warned for seven days after the
expiration, and then the node would not start again. One node clusters would not start
at all.
In v4.2.0 and higher, when a time based base license expires:
• The node (and the cluster too for one node clusters) shuts down at the beginning
of the day the license expires (12AM).
• Seven days before the base license expires, the IS1200 begins sending email
notifications every 12 hours to licensing@kazeon.com to notify Kazeon Support
of the impending license expiration. The following is a sample email text sent out
for a license expiration.

    OpenKaz license will expire on 2009-04-10 on node with
    systemid 11ZWY71 ethernet address 00:13:20:54:A2:62 platform
    Dimension 3000. Please contact Kazeon support at
    licensing@kazeon.com to purchase a license.
Capacity Based Licensing
Whereas prior versions had “suggested” limitations for the amount of storage (for
ECS clusters), or files (for FRM), that could be processed per node during certain
services, version 4.2.2 and above actively monitors for specific storage and file
number limitations. The services that have been limited are basic and deep
classifications and actionable copies with target indexing.
Services are suspended when processing exceeds these limits—this allows them to be
restarted if or when capacity licenses are increased. Even if services are suspended
before completion, searches, reports, and other actionable services may still be applied
to the files that have been serviced.
Licenses are issued on a per node basis up to certain fixed maximums:
• For ECS Systems: If the per node limit is 6 terabytes, classifications can process
up to 6 active terabytes per node. For example, in a 3 node cluster, a classification
will be suspended after metadata has been extracted on 18 terabytes of data on
registered repositories. Classifications can be re-run but will always suspend after
18 terabytes have been processed.
• For ECR (ECS for Legal Service Provider) Systems: If the per node limit is 6
terabytes, classifications can process up to 6 cumulative terabytes per node. For
example, in a 3 node cluster, all classifications will stop permanently after
metadata has been extracted on 18 terabytes of registered repositories. No more
classifications are allowed until the capacity license is increased.
• For FRM Systems: If the per node limit is 50 million files, classifications can
process up to 50 million files per node. For example, in a 4 node cluster, a
classification will stop after metadata has been extracted from 200 million files on
registered repositories.
Once the limitations are exceeded, a new node (or a better license) must be added to
the cluster to handle the extra load.
The following additional considerations are also in effect:
• Licenses do NOT have to be for the maximum limitation. In a one-node cluster, if
a six terabyte limitation is exceeded because an additional two terabytes of
repositories are registered over the original six, a second node with a 2 terabyte
license may be purchased.
• 4.2.2 DOES NOT honor keys generated for any prior releases. All new license
keys must be obtained to upgrade to 4.2.2!
• Each node may have only one valid basic license, and only one valid license for
each optional module, regardless of whether the keys are in single or multiple
licenses. In other words, a basic license (or a basic license that includes other
optional module licenses) and other individual licenses (for modules such as
Google Search or Federations) can coexist so long as no individual license key
(basic or optional) is duplicated anywhere in the set.
• License limitations are checked and enforced during basic or deep classifications
as well as copy (with target indexing) jobs.
• If a data repository is offlined, its capacity is still included when calculating
capacity limitations. If a data repository is removed, its capacity is not included in
calculations for ECS, but is still included for ECR.
• If the metadata for a repository is removed, it is not used in calculations for ECS
but is still used for ECR.
• If metadata for a repository is offlined, the last saved capacity of the
corresponding data repositories is still used in calculations in both ECS and ECR.
• If a metadata repository is removed, its storage is not used in calculations for ECS
but is still used for ECR.
• If a node is deliberately removed from a cluster, its capacity is deducted from the
cluster’s capacity. If a node dies (accidentally), the dead node capacity is retained
until the next cluster restart.
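The accounting rules listed above, worked through as an added Python illustration for capacity planning (not Kazeon code). It assumes the counted figure is the summed size of registered data repositories and that cluster capacity is the sum of the per-node licenses; the `Node`, `Repo`, and function names are hypothetical.

```python
from dataclasses import dataclass

# Added illustration of the capacity rules in this section; not Kazeon code.
# Assumption: usage is the summed size of registered data repositories.

@dataclass
class Node:
    limit_tb: float            # per-node capacity license, in terabytes
    state: str = "active"      # "active", "removed" (deliberately) or "dead"

@dataclass
class Repo:
    name: str
    size_tb: float             # last saved capacity of the data repository
    state: str = "active"      # "active", "offline" or "removed"

def licensed_capacity(nodes, restarted_since_failure=False):
    """Cluster limit = sum of per-node licenses.

    A deliberately removed node is deducted at once; a dead node keeps
    counting until the next cluster restart."""
    total = 0.0
    for node in nodes:
        if node.state == "active":
            total += node.limit_tb
        elif node.state == "dead" and not restarted_since_failure:
            total += node.limit_tb
    return total

def counted_usage(repos, system):
    """Capacity counted against the license for an "ECS" or "ECR" system."""
    if system not in ("ECS", "ECR"):
        raise ValueError("system must be 'ECS' or 'ECR'")
    total = 0.0
    for repo in repos:
        if repo.state in ("active", "offline"):
            total += repo.size_tb        # offlined repositories still count
        elif repo.state == "removed" and system == "ECR":
            total += repo.size_tb        # ECR is cumulative: removal frees nothing
    return total

def headroom(nodes, repos, system, restarted_since_failure=False):
    """Terabytes left before classifications are suspended (ECS) or stopped
    (ECR); a negative value means the limit is already exceeded."""
    return (licensed_capacity(nodes, restarted_since_failure)
            - counted_usage(repos, system))

# Constructed sample: three nodes licensed for 6 TB each, three repositories.
NODES = [Node(6), Node(6), Node(6)]
REPOS = [Repo("eng", 8), Repo("legal", 7, "offline"), Repo("old", 4, "removed")]

if __name__ == "__main__":
    for system in ("ECS", "ECR"):
        print(system, "headroom:", headroom(NODES, REPOS, system), "TB")
    # One node dies: capacity is unchanged until the cluster is restarted.
    degraded = [Node(6), Node(6), Node(6, "dead")]
    print("dead node, before restart:", licensed_capacity(degraded))
    print("dead node, after restart: ", licensed_capacity(degraded, True))
```

With the same repositories, the ECS cluster still has room while the ECR cluster is already over its limit, because the removed repository keeps counting under ECR.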
Obtaining Server License Keys
Each server node must have a licensed copy of the Kazeon Information Server
software installed on it. Before you can start your cluster, you need license keys—for
the basic server and each add-on module you wish to use—for each server node in the
cluster. All licensed copies of the Kazeon Information Server come with the software
authorization number that is required to obtain the license key for the server node it
will be installed on.
To obtain a license key you need the following information for each installed node:
• The system serial number, also called the system ID or Asset Tag.
• The server ethernet MAC address
• A separate software authorization number for each server node
If this information is not readily available, the system can provide it from the
Command Line Interface (CLI) after the software is installed using the
getkazkeyinfo command.
Using the getkazkeyinfo Command
To obtain the required licensing information from the CLI, do the following:
1. Install the Kazeon Information Server software as described above.
2. Log in to the appliance as root.
3. From the shell prompt, enter:
getkazkeyinfo
The system responds with the System ID, Platform, and Ethernet (MAC) address.
Requesting License Keys
Once you have the required licensing information, send the System ID, MAC address,
and a separate software authorization number for each server appliance, with a request
for license keys to Kazeon support at licensing@kazeon.com.
If you have purchased optional add-on modules, request keys for them as well.
Kazeon generates and returns the key(s) within 24 hours.
Kazeon support can be contacted:
• By sending an e-mail to support@kazeon.com (response within 24 hrs.)
• If the license keys are needed immediately, call 1-877-Kazeon8
Installing Server License Keys
License keys are required on each node before a cluster may be started; you cannot
start a cluster until all nodes have valid license keys installed.
License keys are typically added immediately after server software installation, or
when installing optional add-on modules not included in the original installation.
License keys are 172 characters long, and so are difficult and tedious to enter correctly by
hand. However, license key strings can be cut and pasted into both Web-Admin, and
the CLI entry points when needed. A time saving step before using either entry
method is to copy the license key string (for example the text of the license key email
received from Kazeon) onto the computer the key will be entered from. Then, you can
simply open the text file, copy the license key, and paste it into the appropriate spot,
when installing the license key as described below.
License keys may be installed from the CLI or from Web-Admin.
Installing License Keys from the Command Line Interface (CLI)
After receiving license keys from Kazeon support, on each node of the cluster, use the
following steps to add, and confirm, the license(s) using the CLI.
1. Copy the text of the license key email received from Kazeon onto the computer
the key will be installed from, then from that computer, open the text and copy the
license key to the clipboard.
2. Log in to the node as admin. See “Using the Kazeon Command-Line Interface”
on page 32 for more information.
3. Use the CLI command show license to check if licenses are already installed.
See “Using the show license command” on page 12 for more detail.
4. If no licenses are installed, use the command add license <licenseNumber>
to install your key.
Enter the <licenseNumber> by pasting the license key (from the clipboard) or
enter it by hand. See “Using the add license command” on page 12 for more
detail.
Note: If you are upgrading (from -SA or -FRM to -ECS), first use the command
remove license all to remove all previous version licenses (you must add a
completely new set of licenses to upgrade to -ECS), then use the command add
license <licenseNumber> to install the new -ECS key.
5. Use the CLI command show license again to confirm license key installation.
You can now start the cluster, set system parameters, and continue setting up or using
the Kazeon Information Server.
Using the show license command
To display all licenses currently installed on the node logged into,
enter show license from the CLI.
If you have no valid licenses the system responds “invalid”:
If you have valid licenses, the system responds:
The Component list always includes at least the base system license. Additional
licenses display depending on your add-on modules.
Using the add license command
To add a license to the node currently logged into,
enter add license <licenseNumber> from the CLI,
where <licenseNumber> is the license number Kazeon sends in response to your
license key request. See “Licensing Requirements and Limitations” on page 8 for
information on requesting a license key. The key can be typed in, or copied from the
license-key-response email from Kazeon.
When the key is added the system responds with:
The response indicates the key was validated and its expiration date.
Using the remove license <component> command
Licenses may be removed all at once, or individually under certain conditions.
To remove all licenses enter the command:
remove license all from the CLI.
When the licenses are removed, the system responds:
The response indicates the success or failure of the removal.
To remove individual licenses use the command:
remove license <component> from the CLI,
where <component> is the license identifier string for any license component
stored as an individual separate license key.
WARNING!
Components that are part of a license key that contains the basic license as well as
other component licenses (embedded in a single key) can not be deleted.
For example, to remove an Exchange license, use the command:
remove license EXC
License identifier strings may be displayed using the show licenses command.
This command allows short term evaluation keys for Optional Module components to
be added and deleted at will so they can be permanently removed or replaced with real
keys when purchased.
Installing License Keys from Web-Admin
After you receive license keys from Kazeon support, use the following steps to add,
and confirm, the license keys using the Licenses page in Web-Admin. See “The
Licensing Pane” on page 15 for detailed information on using the Licensing page.
1. Copy the email (containing the license key) received from Kazeon to the
computer the key will be installed on, then from that computer, open the email
text and copy the license key to the clipboard.
2. Log in to Web-Admin as admin.
See “Launching Web-Admin” on page 27 for more information.
3. If the cluster has already been started, click Licensing under the Administration
heading in the Navigation pane; the Licensing page opens.
Otherwise—the cluster has not been started —you are taken directly to the Cluster
page under Administration.
Click Licenses to open the Licenses page.
Review the page to see what licenses—if any—are installed.
4. Click Add License in the toolbar to install your license key; the Add License dialog
box appears.
Paste the license key in the empty field (on clipboard from step 1), and click Add.
Notes:
If upgrading from -SA or -FRM to -ECS, first use Delete all licenses in the
toolbar to remove all previous version licenses (you must add a completely new
set of licenses to upgrade to -ECS), then use the Add License to install the new -ECS key.
Web-Admin must be restarted before the new -ECS features become available.
Additionally, see “Upgrading to -ECS from -SA or -FRM” on page 43 for more
information on completing an upgrade to -ECS.
5. Click Refresh in the License page toolbar to refresh the page and confirm installation.
You can now start the cluster, set system parameters, and begin using the Kazeon
Information Server.
The Licensing Pane
Access the Licenses pane by clicking Licenses in the Web-Admin left-navigation pane.
The Licenses pane appears:
A variety of licenses are shown above, including many for optional add-on modules;
your page may not show all the same licenses.
The Licenses pane is used to:
• Display licensing status for the current node and the cluster
• Add license keys to the current cluster node
• Delete license keys from the current cluster node
All cluster nodes must have a basic license key installed, and each node must have a
license key for each add-on module used by the cluster.
The Licenses pane performs operations only on the current node—the node Web-Admin is launched from. To perform an operation—such as adding license keys for an
optional add-on module—you must launch the Web-Admin repeatedly from each node
you wish to perform the operation on.
Reading the Licenses displays:
Node License: Each line of the Node License area displays the type of license
registered on the left, followed to the right by license status and expiration date.
Cluster License: Each line of the Cluster License area displays the type of license on
the left, followed by the cluster status for that license (if all nodes have a valid license
for that module, the license is Enabled for the cluster), and followed further by a list of
the IP addresses for each node in the cluster the license is valid for.
Procedures
Use the following procedures to change licenses on the Licenses page.
To add a license key:
1. Click Add License in the License pane toolbar. The Add License dialog appears.
2. Enter any license key received from Kazeon support. You may cut and paste it
from the email you received it in. See “Licensing Requirements and Limitations”
on page 8 for more information on obtaining a license key.
3. Click Add to add the license key, or Cancel to cancel adding.
To remove all license keys:
You may need to remove ALL license keys if upgrading from one version to
another—from -SA or -FRM to -ECS.
Before removing all license keys completely, you must stop the cluster, see “To stop a
cluster” on page 50 for more information.
Note:
Cluster licensing defaults to the privileges of the least-privileged node. For
example, in a five node cluster, if only four nodes have an NRM license, the
cluster is not licensed for NRM. This can be useful if a license needs to be
removed and you don’t want to stop the cluster. Instead, simply remove one node
from the cluster, remove a license from that node, add the node back to the cluster,
and the module (whose license was deleted from the removed node) will no longer
be active for the cluster.
1. Click the Delete All Licenses button in the Licenses pane toolbar. A confirmation
dialog box appears.
2. Click OK to delete all licenses, or No to cancel.
To remove individual license keys:
You can also remove individual license keys, but only if they are stand alone licenses
and are not contained in a basic license.
1. Select the license key listing to delete by clicking it.
2. Click the Delete License button in the Licenses pane toolbar. A confirmation dialog
box appears.
3. Click OK to delete the license, or No to cancel.
Using the Refresh toolbar button:
After making changes to any screen element, click Refresh on the toolbar to see the
updated values or to sync the screen data with the backend after changes are made
through the Command Line Interface.
Chapter 3:
Initial Configuration Overview, Options and Outlines
This chapter presents an overview of the basic and advanced configuration tasks
required to configure the Kazeon Information Server for initial use.
Topics are as follows:
• “Overview” on page 18
• “Basic Configuration” on page 18
• “Advanced Configuration” on page 19
• “Configuration for File Archival” on page 21
• “Graphic User Interfaces and the Command Line Interface” on page 21
Note: Network connectivity must be configured before configuring the Kazeon
Information Server.
See “Configuring Server Network Connectivity” on page 36 for information
on network configuration, and
See “Installation and Configuration Checklists” on page 335 for site
requirements and other configuration information needed for each node
before starting server installation.
Overview
The Kazeon Information Server can be set up with a basic or advanced configuration.
If necessary, complete the basic configuration tasks first and the advanced
configuration tasks at a later date.
Basic Configuration
Basic configuration consists of creating a Kazeon Information Server cluster,
registering your network file systems (to make them available to the cluster for data
classification), and scheduling a classification service (to classify data on those file
systems). Reports and Searches are available only after a first classification is run.
Figure 1 illustrates the workflow for basic configuration.
Figure 1: Kazeon Information Server Basic Configuration Process
1. Start Cluster.
Install the IS1200 hardware and software (if it did not come installed on your
server), see the Kazeon IS1200 Installation and Quickstart Guide for details. Start
the Kazeon Information Server cluster with one or more nodes. The cluster may
be started from the Command Line Interface (CLI, see “Using the Kazeon
Command-Line Interface” on page 32 for more information) or from Web-Admin,
see “Starting a Cluster” on page 47. Changes made to one node in the cluster take
effect on all nodes in the cluster.
2. Add (Register) File Systems.
File systems cannot be registered until there are metadata repositories available to
store the file system’s search data. Register at least one metadata repository, and
then register your network file systems with the Kazeon Information Server for
data classification. Data file systems and metadata repositories cannot share the
same volume, and each file system must have a metadata repository associated
with it. However, one or more file systems can be associated with a repository.
See “Repository Registration and Management” on page 79 for more information.
3. Schedule a Basic Classification Service.
Schedule a basic or deep classification service to classify data and build the initial
metadata repository.
See “Classifying Files Using Classification Rules” on page 120 for more
information.
The first file classification service must be completed before searching or creating
reports because searches and reports are derived from the file system metadata created
by the basic classification service.
Advanced Configuration
Advanced configuration requires the following additional optional tasks.
Figure 2 illustrates the workflow for advanced configuration.
Figure 2: Kazeon Information Server Advanced Configuration Process
1. Start Cluster.
Start a cluster of (one or more) Kazeon Information Server nodes. Log in to any
node to start the cluster. Changes made to one node in the cluster affect all nodes
in the cluster.
See “Starting a Cluster” on page 47 for more information.
2. Set up Authentication.
Configuring external Authentication using AD or NIS allows adding additional
users to access the Kazeon Information Server. Without Authentication, only the
user admin can access the server, Web-Admin, Web-Search, or Web-Reports in any
way. After Authentication is in place, additional users may be added to the
following roles: enduser, auditor, and admin.
See “Configuring External Authentication” on page 53 for more information.
3. Add File Systems (and metadata repositories).
Register at least one metadata repository, and then register your network file
systems with the Kazeon Information Server for data classification. Data file
systems cannot share volumes with metadata repositories, and each file system
must have a metadata repository associated with it. However, one or more file
systems can be associated with a repository.
See “Repository Registration and Management” on page 79 for more information.
4. Define Policies
Define Policy Groups, Classification rules, Tiered Storage, or Security policies to
expand the control the IS1200 can provide for files on registered filers.
Policy Groups include authorization and logging policies that allow adding to, or
overriding, the privileges the searcher ordinarily has to view or access files on the
filer(s) being searched. See “Policy Groups: Authorization Policies” on page 141
for more information.
Classification rules include assignment and extraction rules to create custom
metadata tags that allow fast, efficient searches for your organization’s unique
search and information requirements. See “Policies: Classification Extraction and
Assignment Rules” on page 119 for more information.
5. Customize Search Schema.
Customize the default Search schema to add the additional metadata fields created
by your custom classification rules. This allows quick and efficient searches of
your custom metadata. Or, delete “default” metadata fields you don’t use from the
search schema.
See “Using ‘set schema’ to Add Tags to Kaz Schema” on page 250 for more
information.
Note: If you intend to classify DICOM files, see “Using DICOM File Attributes
as Metadata” on page 368 for information about adding the standard
DICOM metadata tags to the search schema.
6. Schedule Deep Classification service.
Schedule a deep classification service to crawl your filers and add the custom
metadata defined in your classification policies to your metadata repositories. Only
after a deep classification is complete, can searching and reports be done using
your custom metadata.
See “Classifying Files Using Classification Rules” on page 120.
7. Manage Data and Metadata.
Besides simply searching and creating reports, you can perform ad hoc actions on
the results of searches or reports. For instance, you could search or create reports
for all files that haven’t been accessed or modified for two years and move them
to secondary storage using Actionable Services.
For more information about actionable services, see the Kazeon IS1200 Web-Search User Guide or the Kazeon IS1200 Web-Reports User Guide.
Configuration for File Archival
With the Kazeon Information Server, you can manually migrate inactive production
files onto a fully searchable and manageable archive by doing the following:
1. Register the source file systems (where the original data is located), as well as the
target file system (where the data will be stored) with the IS1200. During
registration, ensure you grant read/write permission to the Kazeon Information
Server to allow data migration.
See “Repository Registration and Management” on page 79 for more information.
2. Define a search or report to locate the data you wish to migrate.
See the Kazeon IS1200 Web-Search User Guide and the
Kazeon IS1200 Web-Reports User Guide for details.
3. Use Actionable Services to copy or move the files to secondary storage.
For more information about actionable services, see the Kazeon IS1200 Web-Search User Guide or the Kazeon IS1200 Web-Reports User Guide.
Graphic User Interfaces and the Command Line Interface
Kazeon provides a variety of resources for accomplishing the configuration tasks
detailed above, and for general administration of the IS1200.
The Command Line Interface (CLI) is available for system administrators, or those
more familiar with system level scripting and administration environments. It should
not be used by those new to computers or networking. The CLI is a Unix-like shell
allowing direct access to setup, administration, and management services built into the
IS1200. Refer to “The Command Line Interface (CLI)” on page 31 for details on
using the CLI.
There are also several Graphical User Interfaces available; each provides a different
level of administration, management, and configuration capability for the IS1200.
• Web-Admin is a graphic user interface providing a user-friendly interface to the
  vast majority of routine administration, management, and configuration
  requirements also available through the CLI. A very few controls, affecting
  system operations that only experienced administrators should change, are
  available only through the CLI. Web-Admin is designed primarily for use by
  knowledgeable system administrators.
• Web-Search provides access to both simple and advanced searching, and allows
  Actionable Services to be applied to search results. For more information about
  actionable services, see the Kazeon IS1200 Web-Search User Guide.
• Web-Reports provides access to report creation, scheduling, and viewing, and
  allows Actionable Services to be applied to report results. For more information
  about actionable services, see the Kazeon IS1200 Web-Reports User Guide.
See “The Graphic User Interfaces” on page 23 for detailed information on accessing
and using the various GUIs.
Chapter 4:
The Graphic User Interfaces
Kazeon provides a variety of resources for configuring, using, and generally
administering the IS1200. The resources are provided in the form of graphic user
interfaces, or GUIs. This chapter lists and describes those graphic user interfaces and
how to launch and use them.
Topics include:
• “GUIs Overview”
• “The Manager Page”
• “The Web-Admin GUI”
• “The Web Search GUI”
• “The Web Reports Application”
GUIs Overview
The Kazeon Information Server provides three Graphical User Interfaces (GUIs) for
administering and using the server. The GUIs are:
• The Web-Admin GUI: A web application used by IT personnel to administer the
  server itself, and when the Kazeon Information Server is used to help administer
  other IT resources. This is the preferred interface for administering the server.
• The Web-Search GUI: A web application that provides basic, advanced, and
  specialized email searches against Kazeon metadata. See “The Web Search GUI”
  on page 29 for more information.
• The Web-Reports GUI: A web application that provides advanced reporting
  capabilities based on Kazeon metadata. See “The Web Reports Application” on
  page 29 for more information.
Note: The Kazeon Information Server software must be installed on a network-available
platform before any of the GUIs can be launched. For information, see the Kazeon
IS1200 Installation and Quickstart Guide.
Web-Admin is typically used by IT Storage, Security, Email, and Desktop
administrators.
Web-Search and Web-Reports are typically used by Legal-IT, para-legals, legal
officers, records managers, compliance officers, storage managers, security managers,
and Exchange or email administrators.
To use any of the GUIs, your platform must be one of the following and have JavaScript enabled:
Table 1 GUI Platform Requirements
Platform | JRE Version
Windows XP Professional, Windows XP Home, Windows Vista | Microsoft Internet Explorer 6 or 7
The Manager Page
All three GUIs (Web-Admin, Web-Reports, and Web-Search) may be accessed directly
or from the Manager page. The Manager page also provides links to other server
resources like Documentation, Support, Kazeon Connectors, and some server utilities.
Launching the Manager Page
1. Once the IS1200 server software has been installed and configured, open any
browser listed in “Table 1 GUI Platform Requirements” and enter the following
in the Address bar:
http://<nodeNameAddress>/manager
where <nodeNameAddress> is the name or IP address of any node in the
Kazeon Information Server cluster.
The Manager page displays.
Notes: The Manager page provides a variety of links, including:
• Kazeon Web-Admin: See “The Web-Admin GUI” on page 26 for details.
• Kazeon Web-Search: See “The Web Search GUI” on page 29 for details.
• Kazeon Web-Reports: See “The Web Reports Application” on page 29.
• Kazeon Connectors: A page with download links for all the Kazeon
  “Connectors”, for example the Microsoft Exchange Connector, which
  allows the IS1200 to work directly with Microsoft Exchange servers.
• Kazeon Documentation: A list of all Kazeon product User Guide PDFs,
  including guides for all optional modules. See “Optional Add-on
  Modules” on page 4 for a list of the optional modules.
• Kazeon Utilities: Opens a download page to various server utilities.
• Kazeon Information Server Software: Opens the Kazeon Support page
  where various server resources, support, and an FTP site are available.
• Contact information and links to Kazeon Support.
The Web-Admin GUI
Web-Admin is a web application designed to administer the IS1200.
The Web-Admin Graphic User Interface (GUI) provides a user-friendly interface to the
vast majority of routine administration, management, and configuration requirements
also available through the CLI. A very few controls, affecting system operations that
only experienced administrators should change, are available only through the CLI.
Web-Admin is designed primarily for use by knowledgeable system administrators.
Supported Browsers
To use Web-Admin you must use one of the following platforms:
Table 2 Supported Web-Search Environments
Platform | Browsers
Windows XP Professional, Windows XP Home, Windows Vista | Microsoft Internet Explorer 6 & 7
Additionally, JavaScript must be enabled with the following Internet Options:
• Enable Active Scripting
• Accept Cookies
• Enable Native XMLHTTP support
• Use JRE 1.x for <applet>
Your browser’s "check page for newer versions" option should also be set to never, as
seen below.
Users are also advised to install a digital security certificate on the IS1200, signed by
a well-known Certificate Authority. See “Server Security Certificates” on page 381 for
details.
The default IS1200 software installation contains a self-signed (by Kazeon) digital
security certificate. However, because Kazeon is not included in the list of default
trusted entities on most desktops, this certificate generally results in the following
warning message from Internet Explorer.
"There is a problem with this website's security certificate".
If you cannot install your own security certificate, simply accept this certificate
warning and continue to connect to the IS1200 using the "Continue to this website"
option from the IE warning screen.
Launching Web-Admin
1. Install the Kazeon Information Server as described in the Kazeon IS1200
   Installation and Quickstart Guide.
2. Open any browser from “Table 2 Supported Web-Search Environments” and
   enter the following in the Address bar:
   http://<nodeNameAddress>/admin
   where <nodeNameAddress> is the name or IP address of any node in the
   Kazeon Information Server cluster.
   Note: If a fully-qualified domain name was entered for DNS Suffix when the
   cluster was initially set up, just the short name (for example nodeName) may be
   used. See “DNS Information:” on page 37 for more information.
   The Web-Admin login dialog displays.
   Note: If the browser displays a warning message such as “There is a problem with
   this web-site’s security certificate”, you can safely select “Continue on to this
   website.”, or see “Server Security Certificates” on page 381 for details on
   installing an appropriate security certificate.
3. Enter the following information:
   • Domain: This drop-down appears only if Active Directory authentication has
     been set up on the IS1200. Select the domain name the node is in, or enter the
     domain name directly into the drop-down field. This selects the appropriate
     authentication server to use when validating the username.
   • Username: Your Kazeon user ID.
     Note: Login as root is not supported and may generate errors.
   • Password: Your Kazeon user password.
   If you do not know your username and password, contact Customer Support.
   Click Login to log in to the Kazeon Information Server.
The Cluster Management pane appears.
Note:
If warning messages appear that the cluster has not been started, see “To start a
cluster or export Cluster keys” on page 49 for help starting the cluster.
WARNING!
If cluster licenses have expired, or are due to expire within 2 weeks, an alert is
displayed immediately after the login screen. If licenses have expired, Web-Admin
then aborts. If the license(s) are only due to expire, Web-Admin still opens, but the
licenses should be renewed immediately.
Web-Admin Navigation
Once launched, Web-Admin provides a general administrative interface for managing
all aspects of IS1200 operation. For example, the backup page is shown below.
All Web-Admin pages have a Header and Login Header, and a Navigation Pane.
Page Header and Login Header
The Page Header, containing the Kazeon logo, is located at the top of all Web-Admin
pages.
The Login Bar is located in the upper-right hand corner of the page and is circled
above. The Login Bar displays the name and domain of the user currently logged in,
and a Log Out link used to exit Web-Admin. Simply click the link to exit.
Navigation Pane
The Web-Admin navigation pane (far-left pane of the Web-Admin window) provides
access to all administration functions.
This guide’s remaining chapters detail these functions:
• Jobs: see “Chapter 15: Job Scheduling and Classification Services”.
• Repositories: see “Chapter 10: Repository Registration and Management”.
• Policies & Rules: see “Chapter 12: Policy Groups: Authorization Policies” or
  “Chapter 11: Policies: Classification Extraction and Assignment Rules”.
• Cluster: see “Chapter 7: Creating and Managing Clusters”.
• Authentication: see “Chapter 8: Configuring External Authentication”.
• Identity Vault: see “Chapter 9: The Identity Vault”.
• Administration: see “Chapter 16: System Administration, BackUp, and Health” and
  “Chapter 2: Installing License Keys: Administration”.
• Reports: launches Web-Reports; see the Kazeon IS1200 Web-Reports User Guide for details.
• Search: launches Web-Search; see the Kazeon IS1200 Web-Search User Guide for details.
The CLI Window (under Administration) opens a window running the Command
Line Interface. See the Command Line Interface Reference Guide for a list of the
commands that can be used from the CLI Window.
The Web Search GUI
Web-Search provides access to both simple and advanced searching, and allows
Actionable Services to be applied to search results. “GUI Platform Requirements” on
page 24 details the platform requirements necessary to use Web-Search.
Web-Search is launched by clicking the Kazeon Web-Search link at the bottom of the
same Manager page described in “The Manager Page” on page 24.
Alternatively, see the Kazeon IS1200 Web-Search User Guide for details on launching
Web-Search directly.
After either method, the Web-Search login screen appears in your browser. See
Kazeon IS1200 Web-Search User Guide for detailed information on using the Web
Search GUI.
The Web Reports Application
The Web-Reports application provides access to report creation, scheduling, and
viewing, and allows Actionable Services to be applied to report results. “GUI
Platform Requirements” on page 24 details the platform requirements necessary to use
Web-Reports.
Web-Reports is launched by clicking the Kazeon Web Reports link at the bottom of
the same Manager page described in “The Manager Page” on page 24.
Alternatively, see the Kazeon IS1200 Web-Reports User Guide for information on
launching Web-Reports directly.
After either method, the Web-Reports login screen appears in your browser. See the
Kazeon IS1200 Web-Reports User Guide for detailed information on using the Web
Reports GUI.
Chapter 5:
The Command Line Interface (CLI)
The Kazeon Command Line Interface is commonly referred to as the CLI.
This chapter describes how to access (launch) the Kazeon CLI and its general use.
For complete information about the CLI, see the Command Line Interface User
Guide.
Topics include:
• “Using the Kazeon Command-Line Interface”
  - “Accessing the CLI from the network”
  - “Accessing the CLI from a Serial port”
• “Common CLI Commands”
  - “Usage Tips”
Using the Kazeon Command-Line Interface
Using the Command Line Interface (CLI) requires access to the Kazeon Information
Server. The server may be accessed over the network or through a serial port.
• To use a serial port interface, use a terminal emulator such as HyperTerminal on
  the client computer.
• To use a network, the client computer needs an SSH client installed, such as
  PuTTY (on Microsoft Windows PCs).
To log in to any node on the server, a user ID and password are required. You can
log in as either an administrator or a user. Kazeon provides a default administrator ID
(admin), stored on the system, for initial use. To log in as a user, supply a valid user
ID currently existing on an Active Directory or NIS authentication server.
Once logged in, the CLI is available from either serial port or network access and may
be used to configure and manage the Kazeon Information Server.
Accessing the CLI from the network
1. Install a Secure Shell (SSH) client on the computer that will access the Kazeon
   Information Server. Typically, the computer is a PC with PuTTY installed or a
   Linux box with OpenSSH installed.
   WARNING!
   For security purposes, the IS1200 requires SSH version 2 ONLY. All SSH
   clients used must support and use only SSH version 2. PuTTY (version 0.59)
   has an SSHv2 ONLY option under Category > Connection > SSH as shown
   in the right-hand screenshot below.
2. Use the SSH client to connect to a cluster node using the IP address or host name
   for that node’s eth1 or eth2 port. An example PuTTY window is shown below:
   For more information on eth1 and eth2, see “Configuring Server Network
   Connectivity” on page 36.
   Note: Do not use the Intelligent Platform Management Interface (IPMI) address.
3. Log in as admin and enter the administrative password created when the system
   was configured.
   To log in as a user, type a valid user name (from an NIS or Active Directory
   server) and press Enter.
   If the login is successful, the system displays the node name as the prompt; in the
   example above the prompt is: techpubs1>
   You are now logged into the Kazeon CLI. If the cluster is not already started, start
   the cluster as described in “Starting a Cluster” on page 47.
   Use the exit command to log out.
Accessing the CLI from a Serial port
1. Install a VT100 or an ANSI terminal emulator on a local PC, laptop, or terminal
   concentrator, and set the baud rate to 57600 8-N-1.
2. Log in as admin and enter the administrative password created when the system was
   configured. To log in as a user, type a valid user name (from an NIS or Active
   Directory authentication server) and press Enter.
   If the login is successful, the system displays the node name as the prompt, similar
   to the example shown in step 3 of “Accessing the CLI from the network” above.
   You are now logged into the Kazeon CLI. If the cluster is not already started, start
   the cluster as described in “Starting a Cluster” on page 47.
   Use the exit command to log out.
Common CLI Commands
After logging in to the Kazeon CLI, you can view CLI commands and the available
options for each command. For general information on command syntax, see “CLI
Syntax Notation” on page xxii.
For a complete list of commands refer to the Kazeon Information Server IS1200
Command Reference Guide.
Table 3 lists the more frequently used commands.
Note: Use lowercase characters when executing CLI commands.
Table 3 Common CLI Commands
CLI Command | Description
show commands syntax | Displays a list of all CLI commands.
add datafs + space + tab | Registers a file system. For more detail, see “Viewing Command Keywords” on page 35, “The Discovery Process” on page 90.
add kazfs + space + tab | Adds a metadata repository. For more detail, see “Viewing Command Keywords” on page 35 and “Repository Registration: Rules and Guidelines” on page 82.
export cluster-key | Exports the cluster-key of one node to another node in the cluster. For more information, see “Starting a Cluster” on page 47.
show fs | Displays all file systems added to the Kazeon cluster. For more information, see “Viewing Command Keywords” on page 35.
remove fs + space + tab | Removes a file system. For more detail, see “Viewing Command Keywords” on page 35, “To remove a repository” on page 115.
search | Searches file systems for a specified keyword. For more information on searching, see the Kazeon IS1200 Web-Search User Guide.
show search status | Displays the Search index details such as the number of documents searched and the size of the Search index.
add service + space + tab | Adds a classification or actionable service. For more detail, see “Viewing Command Keywords” on page 35 and “Scheduling a Basic Crawl” on page 187.
show services + space + tab | Displays information about all the classification or actionable services in the system. For more detail, see “Viewing Command Keywords” on page 35.
show hardware | Displays hardware information such as the system ID, chassis, service tag, and the physical RAM available to the system.
start cluster + space + tab | Starts the cluster. For more detail, see “Viewing Command Keywords” on page 35 and “To start a cluster or export Cluster keys” on page 49.
show cluster + space + tab | Displays a list of all active and inactive nodes in the cluster. For more information, see “Viewing Command Keywords” on page 35.
show history | Displays the commands previously used in the session, along with the date and the time.
set timezone + space + tab | Displays a list of supported time zones.
show terminal | Displays the state of the system such as the status of the cluster, the management subsystems, and history size.
show version | Displays the Kazeon Information Server version number.
Usage Tips
The following tips allow viewing command keywords, completing a command, and
moving between recently used commands.
Viewing Command Keywords. To view the keywords for a command, enter the
command, enter a space and press the Tab key.
For example, to see the options for the set command, enter the following at the
command prompt:
Nodename> set <space><tab>
The system displays the options for the set command as follows:
cluster-name                 Set a Cluster Name for this cluster
current-assignment-rule-set  Select an assignment-rule-set to be 'current'
current-extraction-rule-set  Select an extraction-rule-set to be 'current'
date-time                    Set the Date & Time of this cluster
file-attributes              Set the attributes (owner,mode,etc) of a file/dir under /kazvfs
fs                           Change Filesystem state (Online/Offline)
interface                    Configure Network interfaces
nfs                          Turn NFS exports ON or OFF
password                     Set this user's password
search                       Set a search related property, such as count or fields
timezone                     Set the local timezone of nodes in this cluster
Completing a Command. Speed up the process of entering commands by using the
Tab key.
For example, to use the remove policy-group command, do the following:
1. Enter remove policy
2. Press the Tab key.
The system adds -group to complete the command.
3. To view additional keywords, add a space and press the Tab key.
The system displays additional keywords, if any.
Moving Between Commands. You can move back and forth between previously
entered commands. To do this at the command prompt, use the Up and Down arrows
on your keyboard. Use the Up arrow to go back to the last used command and the
Down arrow to move forward to the current command.
Troubleshooting SSH Connections
When connecting to a cluster node, you may experience the following problems:
• PuTTY Fatal Error:
  SSH protocol version 1 required by user but not provided by the server.
  Reconnect using an SSH client that supports version 2. See the Warning on page 32
  for more details.
• Access denied:
  A wrong user name or password was entered at login. Use a known good login
  and password.
• Failed command, report format/error messages etc
  [380] Missing parameter data
  OR
  [380] Bad command
  A non-existent CLI command was entered, or a correct command with incorrect
  parameters. Check the CLI Reference Guide for correct command usage and
  syntax.
• Credential expired, enter password for "admin":
  Too much time has passed since your last terminal communication. For security
  reasons you must confirm your identity by entering the correct user password to
  continue.
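The SSH version 2 ONLY requirement in “Accessing the CLI from the network”, and the first troubleshooting item above, can be checked from the identification line a server sends before any login. The following is an added example, not Kazeon code: the function names and sample greetings are constructed for illustration, and the version rules come from RFC 4253 (a server announcing 1.99 supports version 2 but still accepts version 1 clients).

```python
import re
import socket
import sys
from typing import Optional

# RFC 4253, section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def extract_ident(greeting: bytes) -> Optional[str]:
    """Return the first complete line that starts with 'SSH-'.

    A server may send other text lines before its identification string,
    so earlier lines are skipped rather than treated as an error.
    """
    for line in greeting.split(b"\n")[:-1]:  # only newline-terminated lines
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    return None


def classify(greeting: bytes) -> dict:
    """Classify a server greeting by the protocol versions it offers."""
    ident = extract_ident(greeting)
    match = IDENT_RE.match(ident) if ident else None
    if not match:
        return {"ident": ident, "proto": None, "software": None, "verdict": "not-ssh"}
    proto = match.group("proto")
    if proto == "2.0":
        verdict = "v2-only"
    elif proto == "1.99":
        verdict = "v2-with-v1-compat"  # version 1 clients are still accepted
    elif proto.startswith("1."):
        verdict = "v1-only"
    else:
        verdict = "unknown"
    return {"ident": ident, "proto": proto,
            "software": match.group("software"), "verdict": verdict}


def noncompliant(greetings: dict) -> dict:
    """Map node name -> verdict for every node that does not offer SSH-2 only."""
    failed = {}
    for node, raw in greetings.items():
        verdict = classify(raw)["verdict"]
        if verdict != "v2-only":
            failed[node] = verdict
    return failed


def fetch_greeting(host: str, port: int = 22, timeout: float = 5.0, limit: int = 4096) -> bytes:
    """Read from the SSH port until a complete identification line arrives."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while len(data) < limit:
            chunk = conn.recv(256)
            if not chunk:
                break
            data += chunk
            if any(l.startswith(b"SSH-") for l in data.split(b"\n")[:-1]):
                break
    return data


# Constructed sample greetings; node names and software strings are made up.
SAMPLE_GREETINGS = {
    "node-a": b"SSH-2.0-OpenSSH_4.3\r\n",
    "node-b": b"SSH-1.99-OpenSSH_3.9p1\r\n",
    "node-c": b"Authorized use only\r\nSSH-2.0-ExampleSSHD_1.0 build7\r\n",
    "node-d": b"SSH-1.5-1.2.27\r\n",
}

if __name__ == "__main__":
    # With host names as arguments, check live nodes; otherwise use the samples.
    hosts = sys.argv[1:]
    greetings = {h: fetch_greeting(h) for h in hosts} if hosts else SAMPLE_GREETINGS
    for node, verdict in sorted(noncompliant(greetings).items()):
        print(f"{node}: {verdict}")
```

Run it against each node's eth1 or eth2 address; any node it prints is offering something other than SSH version 2 only.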
Chapter 6:
Role Based Administration
This chapter describes how the IS1200 uses Role Based Administration and External
Authentication services like NIS and AD to allow users registered with external
authentication services to log in to, and use, the IS1200, and to control the privileges
those users have in the IS1200 user interfaces. Additionally, it describes using the
Command Line Interface (CLI) to maintain role members.
Topics are as follows:
• “Introduction”
• “Roles and Privileges Overview”
• “Roles and External Authentication”
• “Detailed Role Privileges”
• “Using the CLI For Role Maintenance”
  - “To list role entitlements:”
  - “To add a user to a role”
  - “To add all users to a role”
  - “To remove a user from a role”
  - “To remove a group from a role”
  - “To remove all users from a role”
  - “To display a user’s roles”
Introduction
When the Kazeon Information Server is first installed, only a single user (admin)
exists. The admin user has all privileges and entitlements.
If NIS or AD Authentication services are added (see “Configuring External
Authentication” on page 53 for more information), then other users—any that are
already defined by, and can be authenticated by NIS or AD—can also access the
Kazeon Information Server.
Role based administration allows all “other” users to be assigned to “role” groups.
Group membership defines the administration privileges group members have.
Note:
The usernames and passwords of “other” users are defined by the AD or NIS servers
they were created on, and are changed or maintained only by those servers.
Roles and Privileges Overview
The following three predefined roles are available on all Kazeon Information Servers.
The role privileges described below are general overviews; for a detailed list of role
privileges, see “Detailed Role Privileges” on page 40.
• admin: can launch Web-Admin, Web-Search, and Web-Reports and perform all
  options; in other words, an admin has all privileges for these applications.
  Additionally, only admins can log into and use the Command Line Interface (CLI)
  commands.
• auditor: can only launch Web-Search and Web-Reports, do searches and reports,
  and apply Actionable Services to search and report results.
• enduser: can only launch Web-Search and do searches, but cannot apply
  Actionable Services.
Any currently defined AD or NIS user can be assigned to any one of these roles.
Additionally, the eDiscovery Case Manager adds the following three roles that
control various levels of access to the eDiscovery Case Manager:
• Legal Administrators: Have complete access to the entire eDiscovery Case
  Manager interface and can create, edit, and delete cases and see all details of all
  cases. Additionally they can create, run, and view the results of reports.
• Legal Supervisors: Can add new cases, assign reviewers to cases, and files to
  reviewers, but are limited to seeing only the cases they are assigned to supervise.
• Legal Reviewers: Can see only the cases and files they are assigned to.
All three roles have access to the Web-Search application to review, tag, copy, export,
download, or place responsive files on legal hold, but only Administrators can move
or delete original responsive files.
Note:
While users can be added to the Legal Supervisor and Reviewer roles automatically
using the eDiscovery Case Manager interface, users may only be assigned to the
Legal Administrator role using the Command Line Interface.
Roles and Cases
With version 4.2.0 and later, the combination of a user’s login credentials (username
and password), their role, and their case assignment is used to determine:
• What user interface options they see. For example, only Legal Administrators can
  create cases.
• What cases they can see. Supervisors and Reviewers only see the cases they are
  assigned to.
• What results are shown in Web-Search. When an active case is set, results are only
  shown for the active case.
Roles and External Authentication
If external authentication is enabled (see “Configuring External Authentication” on
page 53 for more details), when a user logs in to any Kazeon web application
(Web-Admin, Web-Search, or Web-Reports), the IS1200 first checks the username with
the registered NIS or AD server.
If the username is authenticated, the IS1200 then checks what roles the IS1200 admin
has assigned to that username and grants the privileges of those roles to that user.
If no roles are explicitly assigned, the user is automatically given the role enduser.
All users—except the default administrator (admin)—are automatically endusers,
unless that user is explicitly assigned to a different role using the CLI commands
described in “Using the CLI For Role Maintenance” on page 42.
Users can simultaneously be auditors or admins, and gain more entitlements.
Note:
The standard server installation effectively allows “anybody” to be an enduser if
external authentication is enabled. To configure only a limited set of endusers, see “To
remove all users from a role” on page 44 for more detail.
WARNING!
The standard IS1200 installation configures Web-Admin with a single initial user
named “admin” and allows both “root” and “admin” to login to the Command
Line Interface (CLI). Both “admin” and “root” have unlimited access privileges
and can see and alter all registered repositories. It is recommended that neither of
these two users be used for routine access of either Web-Admin or the CLI.
Using External Authentication Groups with IS1200 Roles
Both NIS and AD authentication servers allow the use of “groups” to make NIS and
AD access rights administration easier. NIS and AD groups may also be assigned to
IS1200 roles to make IS1200 role administration easier as well.
Assigning a group to an IS1200 role effectively grants all NIS or AD group members
the privileges of that IS1200 role.
Note:
AD and NIS group names and members are defined by the AD or NIS authentication
servers they were created on, and are changed or maintained only by those servers.
Detailed Role Privileges
The following table summarizes the ability of each role to log into the various IS1200
web applications.
Table 4 What Roles Are Allowed to Log Into What Web Applications
User Role | Legal App (License required) | Web-Search without Legal License | Web-Search with Legal License | Web-Admin without Legal License | Web-Admin with Legal License | Web-Reports without Legal License | Web-Reports with Legal License
Legal Admin | Yes | No | Yes | No | No | No | Yes
Legal Supervisor | Yes | No | Yes | No | No | No | Yes
Legal Reviewer | Yes | No | Yes | No | No | No | Yes
Admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Auditor | No | Yes | Yes | Yes | Yes | Yes | Yes
Enduser | No | Yes | Yes | Yes | No | Yes | Yes
The following table summarizes how roles interact with the various IS1200 web
applications when displaying the Active Case in the Login Header.
Table 5 How Roles Interact with Active Case Login Header Display
User Role | Legal App (License required) | Web-Search without Legal License | Web-Search with Legal License | Web-Admin without Legal License | Web-Admin with Legal License | Web-Reports without Legal License | Web-Reports with Legal License
Legal Admin | Display active case | n/a | Display active case | n/a | n/a | n/a | Display active case
Legal Supervisor | Display active case | n/a | Display active case | n/a | n/a | n/a | Display active case
Legal Reviewer | Display active case | n/a | Display active case | n/a | n/a | n/a | Display active case
Admin | Display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case
Auditor | n/a | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case
Enduser | n/a | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case | Do NOT display active case
The following table summarizes how roles interact with the Active Case display.
Table 6 How Roles Determine the Active Case Display
User Role | Legal App (License required) | Web-Search | Web-Reports
Legal Admin | None (or) All Cases (or) <Specific Case> | None (or) All Cases (or) <Specific Case> | None (or) All Cases (or) <Specific Case>
Legal Supervisor | All My Cases (or) <Specific Case> | All My Cases (or) <Specific Case> | All My Cases (or) <Specific Case>
Legal Reviewer | All My Cases (or) <Specific Case> | All My Cases (or) <Specific Case> | All My Cases (or) <Specific Case>
Admin | None (or) All Cases (or) <Specific Case> | n/a | n/a
Auditor | n/a | n/a | n/a
Enduser | n/a | n/a | n/a
The following table summarizes how roles determine what tagging options are
displayed. Tagging can be done in bulk, from Actionable Services (in both Web-Search
and Web-Reports) using Bulk Tagging, or from the Web-Search interactive-tagging
(IT) panel. Your role, combined with whether or not a legal-license is installed,
determines what tagging options are presented.
In the following table:
• IT-L: is Interactive Tagging with a legal license installed
• IT-nonL: is Interactive Tagging with no legal license installed
• BU-L: is Bulk Tagging with a legal license installed
• BU-nonL: is Bulk Tagging with no legal license installed.
Each option above presents a different set of tagging options.
Table 7 How Roles Control The Tagging Options
User Role | Legal License (installed) | Active Case | IT-Profile (IT-L or IT-NonL) | Bulk-Profile (BU-L or BU-NonL)
Legal Admin | n/a | n/a | IT-NonL | BU-NonL
Legal Supervisor | n/a | n/a | n/a | n/a
Legal Reviewer | No | n/a | n/a | n/a
Admin, Auditor | Yes | <Specific Case> | IT-L | BU-L
Enduser | Yes | All Cases (or) All My Cases (or) None | n/a | n/a
Using the CLI For Role Maintenance
Role maintenance cannot be done from Web-Admin. The following role maintenance
procedures can only be done from the Command Line Interface (CLI). See “The
Command Line Interface (CLI)” on page 31 for details on starting the CLI and its
general usage.
To list role entitlements:
At the command prompt, enter the following command:
nodeName> show role roleName entitlements
where
roleName is either admin, auditor, or enduser
The system responds as shown below.
To add a user to a role
At the command prompt, enter the following command:
nodeName> add user userName role roleName
where
userName is an authenticatable username
roleName is either admin, auditor, or enduser
The system responds as shown below.
To add a group to a role
Groups can also be added to roles just like users. After a group is added to a role, all
users in the group are granted the privileges of that role. Groups from both NIS and
AD servers may be added to roles.
At the command prompt, enter the following command:
nodeName> add group groupName role roleName
where
groupName is an existing authenticatable AD or NIS group name
roleName is either admin, auditor, or enduser
To add all users to a role
The IS1200 allows a wildcard, the asterisk, to represent “all users”. For example, if
the asterisk is added to the role enduser, then any valid login name and password may
be used to access the web-applications available to the enduser role.
Note:
Prior to version 4.3.0, the asterisk wildcard was automatically added to the enduser
role by default at installation time. Fresh installations of version 4.3.0 do not add the
wildcard asterisk by default and require it to be manually added if required. However,
if older versions are upgraded to 4.3.0, and the wildcard asterisk was installed in the
pre-upgrade version, it is automatically added to the new 4.3.0 system’s enduser role
during the upgrade.
At the command prompt, enter the following command:
nodeName> add user * role roleName
where
* means all users
(this adds an asterisk to the role list, not each user’s actual username)
roleName is either admin, auditor, or enduser
The system responds as shown below.
To remove a user from a role
At the command prompt, enter the following command:
nodeName> remove user userName role roleName
where userName is an authenticatable username (or the wildcard asterisk)
and roleName is either admin, auditor, or enduser
The system responds as shown below.
To remove a group from a role
Groups can also be removed from roles just like users. After a group is removed from
a role, all users in the group lose the privileges of that role. Groups from both NIS
and AD servers may be removed from roles.
At the command prompt, enter the following command:
nodeName> remove group groupName role roleName
where groupName is an existing authenticatable AD or NIS group name (or “*”)
and roleName is either admin, auditor, or enduser
To remove all users from a role
The IS1200 allows a wildcard, the asterisk, to represent “all users”.
At the command prompt, enter the following command:
nodeName> remove user * role roleName
where
* means all users
(this removes the asterisk from the role list, not any user’s actual username)
roleName is either admin, auditor, or enduser
The system responds as shown below.
To display a user’s roles
At the command prompt, enter the following command:
nodeName> show user userName role
where
userName is an authenticatable username
The system responds as shown below.
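How user, group and wildcard entries combine into one account's effective roles, shown as an added example (this is not Kazeon code). The role-list layout, the sample accounts and the function names are assumptions made for the illustration; only the three role names, the asterisk wildcard and the "remove user * role roleName" command come from this guide.

```python
# Added illustration: models the role lists maintained by the CLI commands above.
# The in-memory layout and every sample name are constructed for this example.

ROLES = ("admin", "auditor", "enduser")   # the three role names the CLI accepts
WILDCARD = "*"                            # stands for "all users" in a role list


def effective_roles(user, user_groups, role_lists):
    """Return {role: reason} for every role the account holds.

    role_lists maps role -> {"users": set, "groups": set}, mirroring entries
    created with "add user ... role ..." and "add group ... role ...".
    """
    granted = {}
    for role in ROLES:
        entry = role_lists.get(role, {})
        users = entry.get("users", set())
        matching_groups = entry.get("groups", set()) & set(user_groups)
        if user in users:
            granted[role] = "direct user entry"
        elif matching_groups:
            granted[role] = "member of group " + sorted(matching_groups)[0]
        elif WILDCARD in users:
            # The asterisk is one entry in the list, not a copy of each
            # username, so it matches any account that can authenticate.
            granted[role] = "wildcard *"
    return granted


def wildcard_findings(role_lists):
    """List the roles open to every authenticated account, with the CLI fix."""
    findings = []
    for role in ROLES:
        if WILDCARD in role_lists.get(role, {}).get("users", set()):
            findings.append({
                "role": role,
                "issue": "any valid login is granted this role",
                "fix": "remove user * role " + role,
            })
    return findings


# Constructed sample: an upgraded system that kept the pre-4.3.0 default
# wildcard on enduser, plus one group entry and one named administrator.
SAMPLE_ROLE_LISTS = {
    "admin":   {"users": {"jsmith"}, "groups": set()},
    "auditor": {"users": set(), "groups": {"compliance"}},
    "enduser": {"users": {"*"}, "groups": set()},
}

if __name__ == "__main__":
    for name, groups in [("jsmith", []), ("bob", ["compliance"]), ("temp01", [])]:
        print(name, effective_roles(name, groups, SAMPLE_ROLE_LISTS))
    for finding in wildcard_findings(SAMPLE_ROLE_LISTS):
        print(finding)
```

With the wildcard present, an account that appears in no role list (temp01 in the sample) still resolves to enduser; removing the asterisk entry leaves it with no role at all.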
Chapter 7:
Creating and Managing Clusters
This chapter discusses creating and managing Kazeon Information Server clusters.
Topics are as follows:
• “About Nodes and Clusters”
• “Starting a Cluster”
  - “Starting a Cluster the First Time”
• “Managing a Cluster”
  - “To start a cluster or export Cluster keys”
  - “To stop a cluster”
  - “To add nodes to a cluster”
  - “To remove nodes from a cluster”
  - “To rename a cluster”
  - “To migrate nodes between clusters”
• “The Intelligent Platform Management Interface (IPMI)”
  - “IPMI vs. DRAC”
  - “Cluster Leadership”
  - “The Split Brain Situation”
About Nodes and Clusters
A single Kazeon Information Server appliance (or other approved server platform) is
called a node. Typically, the Kazeon Information Server is designed to work as an
expandable cluster to allow for scalability and to share workload, maximize
performance, and ensure uninterrupted operations. A cluster can contain from 1 - 4
nodes. A cluster must be started before the Kazeon Information Server can be used.
The Kazeon Information Server cluster is an active/active cluster. That is, all nodes
assigned to a cluster work concurrently to optimize performance. When a multi-node
cluster of more than three nodes is started, the node the cluster is started from becomes
the “leader” node and manages many synchronization issues between all nodes. One
node of the cluster should be chosen to be the leader node, and the cluster should
always be started, and administered, from this node. See “Choosing a Leader Node”
on page 293 for more details.
When necessary, nodes can be added to a cluster to improve performance. Nodes can
only be added to, or removed from, an active cluster. Therefore, a cluster must be
running to add or remove a node. Adding and removing nodes does not impact the
system configuration because system configuration is automatically replicated across
all nodes.
If any node fails, it is automatically removed from the cluster and its workload is
distributed to the remaining nodes. If the leader node fails, another node will assume
the leader position. The fail event is added to the Syslog file. For information on
Syslog, see “Managing Syslog” on page 229. After a failed node is restored, it can be
re-added to the cluster.
A cluster can be started with a minimum of one node and a maximum of 4 nodes. All
maintenance operations can be performed from any node in the cluster. When system
changes are made to one node, the system notifies all nodes in the cluster. System
information persists even if you stop the cluster and reboot the system.
Cluster and Node Setup Guidelines
• Node names may only start with letters; numbers are not allowed.
• Node names cannot be the same as the cluster name. Ideally they incorporate the
  cluster name as a prefix or suffix. For example, a 3 node cluster named
  Marketing might use node names MktgNode_1, MktgNode_2, MktgNode_3.
• A node can belong to only one cluster at a time.
• All nodes must run the same version of the Kazeon Information Server software.
• All nodes must have individual licenses for both the basic server software and the
  optional modules that may be installed. See “Installing License Keys:
  Administration” on page 7 for more information.
• All nodes must be physically and logically configured to communicate with each
  other. That is, each node must be able to reach the IP addresses of the other nodes.
• All nodes must use the same cluster key. For information see “Exporting the
  Cluster Key” on page 47.
Starting a Cluster
When a cluster is started, the startup procedure establishes secure links between all
member nodes using a cluster key that allows them to communicate and share the
workload. After startup, changes made to any node are replicated across, and affect
all, nodes in the cluster and are persistent across power cycles. Therefore, to start a
cluster, you must first login to the node you want to become the leader node (use
either the Command Line Interface (CLI) or the Administrative GUI) and specify all
other nodes that will become members of the cluster.
While the system name defaults to “cluster”, if your network will have multiple
clusters, each cluster should have a unique name for easy identification. Cluster
names, and cluster node names, may not be the same. For example, you may not name
both the cluster and one of its nodes “marketing”; instead, use a scheme that calls the
cluster “marketingCluster”, and the nodes “marketingNode1”, etc.
Cluster names should be set before starting a cluster because names can only be
changed when the cluster is stopped, or inactive. To change an active cluster name,
first stop the cluster, then rename it. For more information, see “To rename a cluster”
on page 51.
Although the Kazeon Information Controller allows using the same cluster name for
two or more clusters, it must manage them as separate clusters. Therefore, any attempt
to add a node from a different cluster with the same name will fail with an error
message.
Exporting the Cluster Key
For inter-node communication security purposes, the Kazeon Information Server
generates a unique encrypted key for each cluster. The cluster key enables each cluster
node to communicate securely with the others. Therefore, before starting a cluster the
first time, a unique cluster key must be exported to all nodes that will be part of the
cluster.
Cluster keys may be exported from any cluster node to all other nodes of the cluster
but can only be exported to one node at a time. New cluster keys can also be
regenerated from any node and exported to all other nodes.
WARNING! The cluster key is also used to encrypt identity passwords; see “The
Identity Vault” on page 73 for details on using identities. If the cluster
key is changed on an active cluster, all identities must be re-added
(using the force option) so that the re-encrypted passwords are saved
with those identities.
Starting a Cluster the First Time
After installing all node hardware and software (see the Kazeon IS1200 Installation
and Quickstart Guide for details) use the following general steps to start a cluster the
first time.
After initial installation (or any time the cluster has been stopped) Web-Admin
displays a special abbreviated interface designed just to start (or restart) the cluster.
The (stopped cluster) Web-Admin interface looks like this:
Note:
Read “Choosing a Leader Node” on page 293 before starting a cluster the first time.
1. Determine how many clusters you will create, and how many nodes each will
contain, and then define unique names for each cluster and cluster node.
2. If node names need to be changed, login to each node and run kaz_setup.pl
and change the hostname appropriately. See “Establish Network Connectivity” on
page 36 for details on using kaz_setup.pl.
3. From the CLI, login to any node from the cluster-being-setup and use the
following command to set the cluster name:
Nodename> set cluster-name clusterName
where clusterName is a string with a maximum length of 16 characters.
4. From that node, export the cluster key to all other nodes in the cluster. See “To
start a cluster or export Cluster keys” on page 49 for details.
5. Start the cluster. See “To start a cluster or export Cluster keys” on page 49 for details.
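A pre-flight check for the plan drawn up in step 1, shown as an added example (this is not a Kazeon tool). It applies the naming, size, membership and version rules stated in this chapter; the plan layout, the function name and all sample names and versions are assumptions made for the illustration.

```python
# Added illustration: checks a planned cluster layout against the rules stated
# in this chapter before any node is touched. The plan format is constructed.

MAX_CLUSTER_NAME = 16   # "a string with a maximum length of 16 characters"
MAX_NODES = 4           # "A cluster can contain from 1 - 4 nodes"


def check_plan(plan):
    """plan: {cluster_name: {"nodes": [names], "versions": {node: version}}}.

    Returns a list of problems; an empty list means the plan satisfies every
    rule checked here.
    """
    problems = []
    owner = {}  # node name -> first cluster that claimed it
    for cluster, spec in plan.items():
        nodes = spec.get("nodes", [])
        versions = spec.get("versions", {})
        if not 1 <= len(cluster) <= MAX_CLUSTER_NAME:
            problems.append(
                f"{cluster}: cluster name must be 1-{MAX_CLUSTER_NAME} characters")
        if not 1 <= len(nodes) <= MAX_NODES:
            problems.append(
                f"{cluster}: {len(nodes)} nodes planned, allowed range is 1-{MAX_NODES}")
        for node in nodes:
            # Digits may appear later in the name (MktgNode_1), not first.
            if not node[:1].isalpha():
                problems.append(
                    f"{cluster}: node name {node!r} does not start with a letter")
            if node == cluster:
                problems.append(
                    f"{cluster}: node name {node!r} is the same as the cluster name")
            # A node can belong to only one cluster at a time.
            if owner.setdefault(node, cluster) != cluster:
                problems.append(
                    f"{cluster}: node {node!r} already belongs to {owner[node]}")
        # All nodes must run the same software version.
        distinct = sorted({versions.get(n, "unknown") for n in nodes})
        if len(distinct) > 1:
            problems.append(
                f"{cluster}: nodes run different software versions {distinct}")
    return problems


# Constructed sample: the first cluster follows the guide's naming scheme (its
# name is exactly 16 characters); the second breaks four rules on purpose.
SAMPLE_PLAN = {
    "marketingCluster": {
        "nodes": ["MktgNode_1", "MktgNode_2", "MktgNode_3"],
        "versions": {"MktgNode_1": "4.3.2", "MktgNode_2": "4.3.2",
                     "MktgNode_3": "4.3.2"},
    },
    "legal": {
        "nodes": ["legal", "2ndNode", "MktgNode_3"],
        "versions": {"legal": "4.3.2", "2ndNode": "4.3.0",
                     "MktgNode_3": "4.3.2"},
    },
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print(problem)
```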
Managing a Cluster
Managing a cluster includes tasks like stopping, starting, and renaming clusters, as
well as adding, migrating, and removing nodes. Cluster management is done using the
Web-Admin Cluster sub-items, usually from the Cluster Dashboard.
When a cluster is stopped, the Kazeon Information Server and all its services are
disabled. You must stop the cluster to do any of the following:
• To rename a cluster
  When you rename a cluster, you must update the cluster name one node at a time.
  You can also rename the cluster name for a node when you want to migrate the
  node to a different cluster.
  You can rename a cluster only through the CLI. For information on accessing the
  CLI, see “Using the Kazeon Command-Line Interface” on page 32. For
  information on renaming a cluster, see “To rename a cluster” on page 51.
• To remove nodes from a cluster or migrate nodes to a different cluster
  You can migrate nodes from one cluster to another to enhance performance.
  Migrating nodes involves first removing them from their current cluster and then
  assigning them to another.
• To upgrade the system or to perform system maintenance tasks
• To remove license keys from any or all nodes of the cluster
Use the following procedures to manage a cluster:
To start a cluster or export Cluster keys
Note:
Read “Choosing a Leader Node” on page 293 before starting a cluster the first time.
1. In the Web-Admin navigation pane, click Admin > Cluster (if the cluster is
stopped or has never been started, Admin should be the only heading showing in
the navigation pane). The Cluster Management page appears.
2. If the cluster has never been started, and will have more than one node, the Cluster
key will need to be exported to all nodes other than the node you are currently
logged into and will start the cluster from.
To export a Cluster key to any node:
a. Click the Export Cluster Key button. The Export Cluster License Key dialog opens.
b. Node hostname/IP: Enter the node hostname, or IP address, of a node to export the
key to.
c. Root password: Enter the password of the root user for that node.
d. Click Export Key.
e. Repeat for all other nodes that will be part of the cluster.
3. Node Names: Once all nodes that will be part of the cluster have had Cluster Keys
exported, enter a space separated list of nodes to add to the cluster. Use the node
hostnames or IP addresses.
4. Click the Start Cluster button.
The system starts the cluster and, once started, the screen changes to display the
standard (full) navigation bar, and lists the node names, status, IP address and
node IDs in the list below the toolbar in a new Cluster Management pane.
To stop a cluster
1. Under Cluster in the Web-Admin navigation pane click Stop Cluster to go directly
to the dialog in the step below, or from the Cluster Dashboard click the
Stop Cluster icon in the Cluster Management pane tool-bar.
2. From the Cluster Management pane, click Stop Cluster in the Cluster Management
pane toolbar. The Stop Cluster dialog appears.
3. Click Yes.
After the system stops the cluster, the screen redraws with a new navigation pane
displaying only a limited set of Admin functions, and the Cluster Management
pane configured with options for restarting the cluster.
Note:
If the cluster has a large number of jobs running, or jobs that include a large
number of filers, cluster shut-down can take a minute or more. Cluster stop is
reported only when all job-related open databases are gracefully closed.
To add nodes to a cluster
1. Under Cluster in the Web-Admin navigation pane, click Add Server to open the
dialog in the step below, or from the Cluster Dashboard, click the Add Node icon
in the Cluster Management pane tool-bar.
2. Click Cluster Management. The Cluster Management page appears.
3. Click Add Node in the Cluster page toolbar. The Stop Cluster dialog appears:
4. Enter the node name or IP address. This node cannot be already assigned to any
other cluster!
5. Click Add to add the node to the cluster.
The system displays the node name in the list below the toolbar.
To remove nodes from a cluster
1. Under Cluster in the Web-Admin navigation pane, click Cluster Dashboard to go
to the Cluster Management page.
2. In the Cluster Management pane, select a node from the list beneath the toolbar.
3. From the Cluster Management pane tool-bar, click Remove Node.
The system removes the node from the cluster.
To rename a cluster
1. Stop the cluster as described above.
2. Through the CLI, login to each node of the cluster and enter the following:
Nodename> set cluster-name clusterName
where clusterName is a string with a maximum length of 16 characters.
The system updates the cluster name for the node.
Or
1. Login to a node and stop the cluster as described above.
2. Remove all the nodes from the cluster except the node you are logged into.
3. Rename the cluster, as above, using the CLI command set cluster-name.
4. Add back the nodes previously removed from the cluster.
The system updates the cluster name when you start the cluster.
To migrate nodes between clusters
1. Remove the node from the cluster to which it currently belongs.
For information, see “To remove nodes from a cluster” above.
2. From the cluster you want to migrate the node to, export the cluster-key to the
node you wish to migrate. For more detail, see “To start a cluster or export Cluster
keys” on page 49.
3. Add the migrating node to the target cluster. For more detail see “To add nodes to
a cluster” on page 50.
The Intelligent Platform Management Interface (IPMI)
Kazeon Information Servers may contain more than one node. Normally each node
communicates with the others to share information and workload.
The Kazeon Information Server provides an Intelligent Platform Management
Interface (IPMI) to shut down nodes when individual nodes or software errors would
degrade the overall cluster performance. The IPMI, illustrated below, is an
autonomous micro-controller—installed in all cluster nodes—used by the cluster’s
“leader” node to power down nodes with errors or performance problems.
Figure 3: IPMI Connections
A link on the server manager page (see “Kazeon Documentation: a list of all Kazeon
product User Guide pdfs including guides for all optional modules, see “Optional
Add-on Modules” on page 4 for a list of the optional modules.” on page 25 for more
details) allows downloading an IPMI utility program to remotely access and
manage clusters.
IPMI vs. DRAC
The Dell Remote Access Controller (DRAC) card provides similar capabilities to the IPMI
but only works with Dell products and requires additional expense. Because the IPMI is an
industry standard, and is included at no extra cost on the standard server hardware
platforms, Kazeon chose to use the IPMI instead of the DRAC for cluster node control.
However, if your support organization would like to use a DRAC card in addition to
the IPMI card, instructions for installing the DRAC in an IS1200 are provided in
“DRAC Card Installation (Optional)” on page 441.
Cluster Leadership
When a cluster is started with two or more nodes, the node that starts the cluster
becomes the “leader” node and manages the IPMI interface. A second node is
designated the “backup leader”.
If the leader node of a cluster determines that any node in the cluster (including itself)
is not working correctly, it uses the IPMI to shut down the malfunctioning node.
If a cluster suddenly finds itself leaderless (the leader node has crashed—or all leader
node ethernet connections fail), the remaining nodes take the following action:
1. If there were two nodes in the original cluster, the remaining (backup leader) node
becomes the new leader.
2. If there were more than two nodes in the original cluster, the existing backup node
is promoted to be the new leader and a new backup leader is “elected” by the
remaining members of the cluster.
The Split Brain Situation
The “election” process described above can lead to problems if a two-node cluster
suddenly finds itself leaderless only because it can’t communicate with the leader, i.e.
the leader node’s ethernet connections fail—but the leader node is still otherwise
functional. This forces the remaining node to assume the leader has failed—because it
can’t communicate with the leader any longer. By design, the remaining node
“elects” itself the new cluster leader. There are now two clusters with the same name
but with different leader nodes—although one cluster (the original leader node) is not
able to communicate with the network. This is called a split-brain situation.
In the split-brain situation, the normal “election” process is problematic if the
communication links with the original leader node are later restored. Now there are
two functional and communicating clusters with the same name and different leaders.
When two clusters with the same name discover each other, they must recombine and
another “election” attempt is made to determine a single leader node.
Normally in an election, the cluster with the most nodes wins and its leader becomes
the new re-combined cluster leader. In the split-brain situation, this election process
fails because neither one-node-cluster can out-vote the other in the election. Because
there is no logical way to determine a new leader when a split-brain communication
error is corrected, newly “orphaned” single node clusters automatically shut
themselves down (via the IPMI) to prevent the split-brain election stalemate.
When this happens, the cluster has to be manually restarted by the administrator.
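The leadership and election rules above, modelled as an added example (this is not Kazeon code) to show why a one-against-one election has no winner while a two-against-one election does. The class and function names are assumptions, as are two choices the guide leaves open: which node is "elected" when no backup leader is reachable, and the treatment of every fragment reduced to a single node as orphaned.

```python
# Added illustration: a small model of the rules in "Cluster Leadership" and
# "The Split Brain Situation". Node names are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    """Nodes that can still reach each other; all fragments share one cluster name."""
    nodes: List[str]
    leader: Optional[str]
    backup: Optional[str]
    running: bool = True


def split(leader, backup, groups):
    """Apply the failover rules to each group of mutually reachable nodes."""
    fragments = []
    for group in groups:
        if leader in group:
            new_leader = leader              # this side never lost its leader
        elif backup in group:
            new_leader = backup              # the backup leader is promoted
        else:
            new_leader = sorted(group)[0]    # assumption: guide does not say who wins
        rest = sorted(n for n in group if n != new_leader)
        if backup in rest:
            new_backup = backup
        else:
            new_backup = rest[0] if rest else None   # assumption: first remaining node
        fragments.append(Fragment(sorted(group), new_leader, new_backup))
    return fragments


def recombine(a, b):
    """Election when two same-named fragments rediscover each other.

    The fragment with the most nodes wins and its leader leads the merged
    cluster. Equal sizes give no winner (None): the stalemate the guide
    describes for two one-node clusters.
    """
    if len(a.nodes) == len(b.nodes):
        return None
    winner = a if len(a.nodes) > len(b.nodes) else b
    return Fragment(sorted(a.nodes + b.nodes), winner.leader, winner.backup)


def orphan_guard(fragments, original_size):
    """Power off fragments left with one node after a multi-node cluster splits.

    Assumption: every such fragment counts as "orphaned", including the one
    that still holds the original leader.
    """
    for fragment in fragments:
        if original_size > 1 and len(fragment.nodes) == 1:
            fragment.running = False         # needs a manual restart afterwards
    return fragments


if __name__ == "__main__":
    two = split("n1", "n2", [["n1"], ["n2"]])
    print("two-node split:", two, "election:", recombine(*two))
    three = split("n1", "n2", [["n1"], ["n2", "n3"]])
    print("three-node split:", three, "election:", recombine(*three))
    print("after guard:", orphan_guard(three, original_size=3))
```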
Chapter 8:
Configuring External Authentication
This chapter discusses adding external authentication to allow users—other than the
default admin—to login and use the system.
External Authentication can be set up through Web-Admin and the CLI. Once set up,
administrators—and other users—signing in to Kazeon Information Server are
authenticated by an external service like Active Directory (AD) or Network
Information Services (NIS). This keeps the Kazeon Information Server secure when
multiple users access its services.
Topics are as follows:
• “Overview of External Authentication”
• “The Authentication Services Listing Display”
• “Managing Authentication for Network Information Services”
  - “To configure NIS external authentication using Web-Admin”
  - “To remove external authentication for NIS using Web-Admin”
  - “To configure NIS external authentication using the CLI”
• “Managing Authentication for Active Directory”
  - “To configure AD external authentication using Web-Admin”
  - “To remove AD external authentication using Web-Admin”
  - “To configure AD external authentication using the CLI”
  - “Overriding the current AD communication protocol using Linux”
  - “Checking the current AD communication protocol using Linux”
  - “Checking, removing, or changing the current AD authentication server using
    the CLI”
  - “Configuration Issues with Multiple Domain Controllers”
  - “Support for Multiple Organization Units (OUs)”
Overview of External Authentication
When the Kazeon Information Server is first installed, only two users—root and
admin—can login and use the system. In normal use, other users may need access to
the IS1200. Some authentication system is required to validate these other users.
Setting up external authentication ensures only authorized users and applications can
access the IS1200, and allows centralized management of the user database.
Besides controlling user login, external authentication can also control file access—
when displaying search results or applying actionable services—through policy
groups. To grant or deny file access privileges to a user, or group, the IS1200 needs to
be able to identify and authenticate them. For more information, see “Authorization
Policies” on page 145.
The Kazeon Information Server supports external authentication using:
• Network Information Services (NIS)
• Active Directory (AD) using NTLM, NTLM v2, Kerberos, or AdvancedAD
  protocols
When external authentication is configured, the server does the following:
• Checks the appropriate authentication server to validate all users that login.
• If access checking is turned on (see “Controlling ACL Checking” on page 319
  and “Turning Search Access Checks ON or OFF” on page 296 for more
  information), the system filters search results based on the user login ID, the
  policies you set, and the file permissions. For information on policies, see “About
  Policies and Policy Groups” on page 142.
In addition, configuring external authentication enables you to view user and group
names when you create audit reports and coalescence reports.
Note:
Authentication configurations are not saved when server configuration is backed
up. After restoring a system configuration, you must reconfigure all external
authentication servers. See “System Administration, BackUp, and Health” on
page 215 for more information.
The Authentication Services Listing Display
To manage Authentication Services:
1. From the Web-Admin navigation pane under Authentication,
click Dir. Server Dashboard. The Authentication Manager page appears.
The listing below the toolbar displays the currently configured authentication services
and the following information for each:
Type. Displays authentication directory type (NIS or AD).
Server. The name of the NIS or AD server.
Domain. The NIS or AD domain.
Identity. The identity (from the Identity Vault) used to access this service.
Protocol. The type of authentication protocol used to communicate with the
authentication service. For example, ntlmv2, or Kerberos.
Realm. The Kerberos realm the authentication server applies to. This field is only
used for AdvancedAD and Kerberos protocols.
Managing Authentication for Network Information Services
Web-Admin can configure, view, and remove authentication for Network Information
Services (NIS). Only one NIS server may be added.
To configure NIS external authentication using Web-Admin
1. From the Web-Admin navigation pane, click Add NIS Server under
Authentication to go directly to the dialog in the next step, or click
Dir. Server Dashboard to open the Authentication Manager pane.
2. From the Authentication Manager pane, click Add in
the toolbar. The Add Authentication dialog opens.
3. In the Add Authentication dialog, select NIS from the
Server Type drop-down list
4. Specify values for the following fields:
Server. Enter the name of the NIS server.
Domain. Enter the name of the NIS domain.
5. Submit. Click to add the authentication service.
Any existing NIS external authentication configuration is overridden when a new
NIS authentication service is added.
To remove external authentication for NIS using Web-Admin
1. From the listing below the toolbar of the Authentication Manager page, select the
authentication configuration to remove.
2. From the tool bar, click Remove.
The system removes the authentication configuration.
To configure NIS external authentication using the CLI
1. Log in to the CLI as admin.
2. To add NIS authentication with a username, enter the following command:
add authentication nis domain <domainName> server <serverName>
Where:
<domainName> is the hostname or IPv4 address of the NIS domain
<serverName> is the hostname or IPv4 address of the server hosting the NIS service
Configuration Differences Between Installing and Upgrading
Pre-version 2.1.4 releases supported NTLM authentication only. Version 2.1.4
supported Kerberos, NTLMv2, and NTLM. Version 2.1.6 and later support the same
protocols as well as AdvancedAD. AdvancedAD authentication allows specifying only a
domain, and not a server name, when adding authentication services.
While AdvancedAD is the default protocol configured for new server installations,
AdvancedAD is not automatically configured when upgrading from prior versions.
Upgrades preserve the pre-upgrade protocol.
Generally, the following conditions apply:
• Upgrading from a previous version (where AdvancedAD was not configured)
  always configures Kerberos, NTLMv2, or NTLM. However, the upgraded system
  may be converted to AdvancedAD using the specific procedure below.
• If AdvancedAD is initially configured (in a fresh install) and initially fails, the
  administrator may then configure Kerberos, NTLMv2, or NTLM and attempt
  automatic protocol discovery. However, if AdvancedAD has ever succeeded on
  the new installation, switching to any other protocol is not supported (unless
  another fresh install is done).
• If Kerberos, NTLMv2, or NTLM is initially configured (in a fresh install),
  attempted, and fails, the administrator can configure AdvancedAD using the
  general procedure above.
Specifically, to configure AdvancedAD after an upgrade
• The upgraded AD configuration (the Kerberos, NTLMv2, or NTLM configuration
  preserved from the previous version by the upgrade) should be removed
• AdvancedAD should be configured using the set authentication command
  (see “To configure AD external authentication using the CLI” on page 61)
• AD authentication should be re-added for a server using AdvancedAD
Managing Authentication for Active Directory
Both Web-Admin and the CLI can be used to configure, view, and remove external
authentication for Active Directory (AD) services. The Kazeon Information Server
supports AD servers on Windows 2000 and Windows 2003. Use the following
guidelines to successfully configure authentication for AD:
• There must be both an operating DNS server and an AD server. Typically, they are
  the same server.
• For Windows 2000, authorized users must either be members of the
  Administrators group or have explicit rights to add clients to the domain.
• The following ports must be open on the AD server to ensure all the
  communications necessary between the AD server and the IS1200.
Table 8: Active Directory Ports Required to be Open for IS1200 Communications
Service
Port
UDP
TCP
LDAP
389
X
X
Kerberos
88
X
X
KPassword
464
X
X
SNTP
123
X
DNS
53
X
SMB MS-RPC
445
X
SMB
139
X
HTTP
80
X
GC
3268
X
Comments
UDP – Get Site Info
TCP – Used for Big PACs
Optional Time Sync
X
X
TCP – Used for Big responses
Older NTLM pass-through authentication
Global catalog lookups
• For Windows 2003, authorized users must either have explicit rights to add clients
  to the domain, or they must be members of the Account Operators group, Domain
  Power Users group, or Administrators group.
Only one AD server may be added. Any existing AD external authentication
configuration is overridden when a new AD authentication service is added.
Specifying AD Server Identities
When configuring Active Directory (AD) external authentication, an account (a
username and password from an AD server) must be provided to the Kazeon
Information Server to use when communicating with the AD server. That account
must have sufficient privileges to allow the Kazeon Information Server to join the AD
domain. Usually this means that account has administrator status.
Joining an AD domain enables the Kazeon Information Server to use the AD server to
authenticate other users that log in to the Kazeon Information Server to search for
information or create reports. It also allows the system to list user names in reports and
to filter search results based on authorization rules or file permissions.
AD authentication is configured from the CLI or Web-Admin using identities.
An identity is an AD account (user name and password) stored in the Kazeon
Information Server Identity Vault under an identity name. That identity supplies the
Kazeon Information Server with the necessary username and password whenever the
server accesses the AD server. Using identities is required for security reasons with
AD authentication. For information on how to set up an identity, see “Adding
Identities to the Identity Vault” on page 74.
Note:
The system stores all identities in the Identity Vault in an encrypted form using the
cluster key. If the cluster key is changed, all identities must be re-added.
Active Directory Server Protocols Supported
The Kazeon Information Server supports Windows domain AD authentication for
Windows operating systems using the following protocols:
• Advanced AD - An implementation of AD using Kerberos that does not require
fully-qualified host names. When configured (along with the correct DNS
settings), it allows automatic server discovery when only the domain is provided
while adding new authentication servers.
• Kerberos - The Kerberos version 5 authentication protocol is the default for
network authentication on Windows 2003 computers.
Kerberos uses fully-qualified domain names, while NTLM and NTLMv2 use
short domain names. If you join a domain using either NTLM or NTLMv2 and
specify a fully-qualified domain name, only the short portion of the domain name
is used; the remaining portion is ignored. For example, if you specify the domain
as mydomain.myorg.com, then both NTLM and NTLMv2 will strip off
myorg.com and use only mydomain, regardless of whether myorg.com is an
existing or non-existent domain.
Note:
To use Kerberos after a 2.1.6 upgrade (or install), run kaz_setup.pl
immediately after the upgrade/install and configure the fully-qualified host name
(kaz_setup.pl runs automatically the first time the administrator logs into a
CLI session after an installation), then run kaz_updatehosts.pl (from
/opt/openkaz/bin) before configuring AD Authentication in Web-Admin or the
CLI. This does not apply to Advanced AD Kerberos.
• NTLM (v1) or Windows NT LAN Manager - The NTLMv1 protocol was the
default for network authentication in the Windows NT® 4.0 operating system. It
is retained for Windows 2000 for backwards compatibility reasons. NTLM is also
used to authenticate logons to standalone computers with Windows 2000.
• NTLMv2 - This is the successor of NTLM which attempts to address some of the
security flaws present in the older protocol. It is a challenge-response protocol
intended as a cryptographically strengthened replacement for NTLMv1.
Windows 3.11, Windows 95, Windows 98, and Windows NT 4.0 use the NTLM
protocol for network authentication in Windows 2000 domains. Computers running
Windows 2000 use NTLM when authenticating with servers using Windows NT 4.0
and when accessing resources in Windows NT 4.0 domains. However, the protocol of
choice in Windows 2000 is Kerberos version 5.
Determining Which Protocol is Used to Communicate with AD Servers
Which protocol the IS1200 uses depends first on whether or not AdvancedAD is
configured for use. If the IS1200 was originally installed with v2.1.6 (or greater),
then the AdvancedAD protocols are attempted first to communicate with an AD
server. If the attempts fail, an error is reported and troubleshooting procedures
must be used to correct the failure. Optionally, through the CLI and the
set authentication command, the IS1200 can be set to attempt using other
protocols; see “To configure AD external authentication using the CLI” on page 61 for
details.
If the AdvancedAD is not configured, the first time the IS1200 attempts to
communicate with an AD server it goes through the following steps:
1. It attempts to connect using Kerberos, the most secure protocol. This ensures
Kerberos is used whenever possible.
2. If Kerberos fails, it tries the next most secure mechanism, NTLMv2.
3. If both Kerberos and NTLMv2 fail, it attempts to connect using NTLM (v1).
If any one of the previous communication steps succeeds, the server stores the
successful type and uses it for all future authentication attempts.
Note:
Occasionally, in environments that should support Kerberos, the automatic AD
protocol discovery mechanism (described above) fails to select Kerberos and
defaults to NTLMv2 or NTLMv1. If this happens, see “Authentication Problems”
on page 305.
Additional Requirements for AD Kerberos Authentication
The AdvancedAD and Kerberos authentication have additional system requirements
beyond those required for NTLMv2 and NTLM. To correctly configure for
AdvancedAD and Kerberos the following is required:
For both AdvancedAD and Kerberos, one DNS server in your organization must
support reverse DNS lookups:
• If a DNS server is already configured in your IS1200 /etc/resolv.conf DNS
name resolution file, the IS1200 uses this server. DNS settings should be preconfigured using the /sbin/kaz_setup.pl initialization script.
• If the Windows AD server is itself a DNS server (supporting reverse DNS
lookups), the IS1200 adds an entry to /etc/resolv.conf for the Windows AD
server.
• If neither of the two cases above applies, then /etc/resolv.conf must have an entry
added for a DNS server that supports reverse DNS lookups.
The entry should be similar to the following. Substitute the IP address in the
following example with an IP address provided by your system administrator:
Example: nameserver 10.11.12.13
For Kerberos only, the IS1200 hostname must be a fully-qualified host name and its
domain name must match the Windows 2000 AD server domain name. (From the CLI,
type hostname -f to view the current IS1200 host name and ensure it is fully
qualified—for example g11.kazeon.local and not a short version like g11.) If the
IS1200 hostname is a short name, run the kaz_update.pl script to fix the host
name. See “Authentication Problems” on page 305 for more details on using
kaz_update.pl.
Active Directory Authentication Procedures
The following procedures are available to manage AD authentication on the IS1200:
To configure AD external authentication using Web-Admin
1. From the Web-Admin navigation pane under Authentication,
click Add AD Server to go directly to the dialog box in the following step,
or click Dir. Server Dashboard to open the Authentication Manager pane.
2. Click Add in the toolbar. The Add
Authentication dialog opens.
3. Server type. Select Active Directory from
the drop-down menu.
4. Server. Enter the name of the Active
Directory server.
Required for Kerberos, NTLMv2 or NTLM. If AdvancedAD is configured, the
server name is optional; if it is omitted, AdvancedAD attempts to automatically
discover the server name. The IP address of the DNS nameserver must be
correctly configured for this feature to function.
5. Domain. Enter the Active Directory domain name.
Note:
Under v2.1.6, either a short or fully-qualified domain name may be used. Under
v2.1.4, Kerberos requires fully-qualified domain names. If a fully-qualified name
is not supplied, Kerberos cannot access the AD server. NTLM and NTLMv2
automatically ignore fully-qualified names and extract the appropriate short name.
6. Identity. Select an identity from the drop-down menu for the IS1200 to use when
accessing the AD server. For information, see “The Identity Vault” on page 73.
Note:
The account stored in the identity must have sufficient privileges to allow the
Kazeon Information Server to join the AD domain. Usually this means that
account has administrator status.
7. Container. Optional. The container name for the Active Directory organizational unit,
with hierarchical containers separated by slashes. See “Support for Multiple
Organization Units (OUs)” on page 69 for more detail.
8. Submit. Click to add the authentication service.
Note:
To replace an existing AD Authentication, you must first remove the current AD
Authentication and then add a replacement.
9. Proceed to “Verifying Active Directory Configuration” on page 61 and verify the
AD configuration.
To configure AD external authentication using the CLI
1. Log in to the CLI as admin.
2. Enter the following command:
add authentication active-directory domain <domainName>
[server <serverName>] identity <identityName>
Where:
<domainName> is the hostname of the AD domain
<serverName> is the hostname of the server hosting AD, [optional for
AdvancedAD]
<identityName> is an identity already stored in the IS1200 Identity Vault.
3. Proceed to “Verifying Active Directory Configuration” on page 61 and verify the
AD configuration.
Verifying Active Directory Configuration
After configuring AD authentication from either the Admin GUI or the CLI, you
should verify the configuration. In the examples below, the AD server name is
qa-winnas with IP address 10.10.140.3, and the domain name is
qalab.kazeon.local. The hostname for the IS1200 is myok1, and the IP address is
10.10.140.100. Identity is myidentity. The procedure used depends on the
authentication protocol required (Kerberos or NTLM). Refer to the appropriate
procedure below.
Verifying Advanced AD and Kerberos Protocol. To verify AdvancedAD using
Kerberos protocol, do the following:
1. (For AD Kerberos only)
Ensure the hostname -f command resolves to a fully qualified domain name
(FQDN) (if it does not, run kaz_updatehosts.pl to fix the host entry).
For example:
# hostname -f
myok1
# /opt/openkaz/bin/kaz_updatehosts.pl
Setting fully-qualified hostname as myok1.kazeon.local
# hostname -f
myok1.kazeon.local
2. Ensure the AD server is ping-able using both the short domain name and the FQDN,
and that both ping to the same IP address. In the example below qa-winnas,
qa-winnas.qalab.kazeon.local, and 10.10.140.3 are all ping-able:
[root@myok1 root]# ping qa-winnas
PING qa-winnas.kazeon.local (10.10.140.3) 56(84) bytes of data.
64 bytes from qa-winnas.qalab.kazeon.local (10.10.140.3):
icmp_seq=1 ttl=127 time=0.145 ms
64 bytes from qa-winnas.qalab.kazeon.local (10.10.140.3):
icmp_seq=2 ttl=127 time=0.139 ms
--- qa-winnas.kazeon.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.139/0.142/0.145/0.003 ms
[root@myok1 root]# ping qa-winnas.qalab.kazeon.local
PING qa-winnas.kazeon.local (10.10.140.3) 56(84) bytes of data.
64 bytes from qa-winnas.qalab.kazeon.local (10.10.140.3):
icmp_seq=1 ttl=127 time=0.145 ms
64 bytes from qa-winnas.qalab.kazeon.local (10.10.140.3):
icmp_seq=2 ttl=127 time=0.139 ms
--- qa-winnas.kazeon.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.139/0.142/0.145/0.003 ms
3. Ensure the DNS server supports forward DNS lookups for both the short host
name and the fully-qualified host name and both resolve to the same IP address. In
the example below, using the DNS lookup command host for the AD server,
qa-winnas and qa-winnas.qalab.kazeon.local both resolve to 10.10.140.3. Note that
in this example the short domain name may actually resolve to a different domain
(qa-winnas.kazeon.local instead of qa-winnas.qalab.kazeon.local),
but this is acceptable as long as the forward DNS lookup using the fully-qualified
host name of qa-winnas.qalab.kazeon.local also works:
[root@myok1 root]# host qa-winnas
qa-winnas.kazeon.local has address 10.10.140.3
[root@myok1 root]# host qa-winnas.qalab.kazeon.local
qa-winnas.qalab.kazeon.local has address 10.10.140.3
4. Ensure that the DNS server supports reverse DNS lookups for the IP address
obtained from the DNS forward name lookup in the previous step. In our example,
the forward DNS lookup in step 3 returns IP address 10.10.140.3, and so in this
step, using the host command for 10.10.140.3 should resolve to the fully-qualified
host name:
[root@ChyeLinok1 root]# host 10.10.140.3
3.140.10.10.in-addr.arpa domain name pointer qa-winnas.qalab.kazeon.local.
It is important to ensure that the reverse DNS name lookups resolve to exactly the
above convention of <server>.<domain> where <server> is the name of
the AD server and <domain> is the name of the AD domain. Therefore, in this
example, if the reverse DNS lookup resolves to a different domain like
qa-winnas.kazeon.local or qa-winnas.kazeon.com, Kerberos will not
work. The DNS administrator should add the correct entry to the database
before attempting AD configuration again.
5. Ensure the DNS Server is in the same AD domain as the AD server. Kerberos may
not accept DNS query results from a DNS server in another un-trusted domain.
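The DNS checks in steps 1, 3 and 4 can be scripted. The following is an added example, not part of the Kazeon guide or its tooling: the function names are assumptions, the functions take captured host output as text so the logic runs offline, and the sample values are the guide's example hosts plus one constructed bad PTR record.

```shell
#!/bin/sh
# Added example (not Kazeon code): DNS pre-flight checks for a Kerberos AD join.
# All function names are hypothetical. Functions take captured `host` output as
# text so the logic can be exercised offline.

# Forward lookup: pull the IPv4 address out of "<name> has address <ip>".
fwd_ip() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4; exit }'
}

# Reverse lookup: pull the PTR target out of "... domain name pointer <fqdn>.",
# lower-cased and without the trailing root dot.
ptr_name() {
    printf '%s\n' "$1" |
        awk '/domain name pointer/ { print tolower($NF); exit }' |
        sed 's/\.$//'
}

# Step 1: `hostname -f` must return a dotted name, not a short one such as myok1.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 3 and 4. Usage on a live system:
#   check_kerberos_dns qa-winnas qalab.kazeon.local \
#       "$(host qa-winnas)" "$(host qa-winnas.qalab.kazeon.local)" "$(host 10.10.140.3)"
check_kerberos_dns() {
    want=$(printf '%s.%s' "$1" "$2" | tr '[:upper:]' '[:lower:]')
    ip_short=$(fwd_ip "$3")
    ip_fqdn=$(fwd_ip "$4")
    ptr=$(ptr_name "$5")
    rc=0
    if [ -z "$ip_fqdn" ]; then
        echo "FAIL: no forward record for $want"; rc=1
    fi
    # The short name may live in another DNS domain, but must reach the same IP.
    if [ "$ip_short" != "$ip_fqdn" ]; then
        echo "FAIL: short name resolves to '$ip_short', FQDN to '$ip_fqdn'"; rc=1
    fi
    # The PTR record must be exactly <server>.<domain>.
    if [ "$ptr" != "$want" ]; then
        echo "FAIL: reverse lookup returns '$ptr', expected '$want'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $want <-> $ip_fqdn"; fi
    return "$rc"
}

# Sample `host` output taken from the guide's example, plus one constructed bad PTR.
GOOD_SHORT='qa-winnas.kazeon.local has address 10.10.140.3'
GOOD_FQDN='qa-winnas.qalab.kazeon.local has address 10.10.140.3'
GOOD_PTR='3.140.10.10.in-addr.arpa domain name pointer qa-winnas.qalab.kazeon.local.'
BAD_PTR='3.140.10.10.in-addr.arpa domain name pointer qa-winnas.kazeon.local.'

check_kerberos_dns qa-winnas qalab.kazeon.local "$GOOD_SHORT" "$GOOD_FQDN" "$GOOD_PTR" || true
check_kerberos_dns qa-winnas qalab.kazeon.local "$GOOD_SHORT" "$GOOD_FQDN" "$BAD_PTR" || true
```

The second call fails on the reverse lookup only, which is the case the guide warns about: forward resolution and ping both succeed while the PTR record points at a sibling domain.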
Verifying NTLMv2 and NTLM Protocol. NTLMv2 and NTLM require only forward
DNS configuration. Only short domain names are used; if a FQDN is specified, it is
ignored by the Policy Manager. Configuring NTLMv2 and NTLM authentication has
a different set of issues compared to Kerberos authentication.
Troubleshooting Adding Authentication Errors
The following messages may be displayed in response to the add authentication
command:
Message: Active Directory authentication service enabled
Description: Successfully joined the Kerberos realm, NTLMv2/NTLM domain. To view details of which protocol is used, type show authentication details.

Message: Active Directory domain join failed: the server <server> is in domain <domain>
Description: We managed to connect to the NTLMv2 or NTLM server <server> but the specified user name and password combination belongs to the domain <domain> rather than the one we specified.

Message: Active Directory domain join failed: unable to find an authentication server
Description: Unable to find an authentication server. The most likely cause for this error is that the server name specified in the command is invalid, or that the server name is not specified for Kerberos, NTLMv2 or NTLM. Server discovery is a feature for AdvancedAD only, and the server parameter is mandatory for Kerberos, NTLMv2, and NTLM.

Message: Active Directory domain join failed: Remote service not running
Description: The remote Kerberos service is not running. Check that you have connected to a Windows Active Directory that supports Kerberos.

Message: Active Directory domain join failed: User not found
Description: The user name specified in the identity is not found in the Kerberos domain. The most likely cause for this error is that an invalid or nonexistent user name is specified in the identity parameter of the add authentication command.

Message: Active Directory domain join failed: Invalid domain name
Description: Used for AdvancedAD authentication only. The domain name is invalid.

Message: Active Directory domain join failed: Invalid domain specified
Description: The domain is incorrect. Check to ensure that value entered in the domain parameter is correct. Use the host command to see if the specified domain can be resolved, and the ping command to see if it is accessible.

Message: Active Directory domain join failed: Invalid domain or server specified
Description: The Kerberos realm does not exist. Check to ensure that value entered in the domain parameter is correct. Use the host command to see if the specified domain can be resolved, and the ping command to see if it is accessible.

Message: Active Directory domain join failed: Invalid server name
Description: The server name is invalid.

Message: Active Directory domain join failed: Cannot find domain
Description: Used for AdvancedAD authentication only. The domain name cannot be found for the specified server. Check to see if the correct server and/or domain name is specified.

Message: Active Directory domain join failed: incorrect username or password
Description: Incorrect user name or password specified. Verify that the information given in the identity is correct. If the password for the identity is incorrect, replace the identity using the force parameter and enter the correct password before re-attempting the add authentication command.

Message: Active Directory domain join failed: Invalid user name
Description: Used for AdvancedAD authentication only. The user name cannot be found in the Kerberos database.

Message: Active Directory domain join failed: Domain names do not match
Description: Kerberos authentication failed. Type hostname -f to ensure that your hostname is a fully-qualified name, e.g. myhost.abc.com, instead of the short form such as myhost. If this is not the case, edit your /etc/hosts file to change your host name to a fully-qualified domain name. Also ensure that your domain name after the dot matches the DNS domain name as shown with the dnsdomainname command.

Message: Active Directory domain join failed: AD Server LDAP signing not supported
Description: Kerberos authentication failed. The AD Server is configured using high security settings not supported by Kerberos. Upgrade to AdvancedAD using the set authentication command and attempt the add authentication command again.

Message: Active Directory domain join failed: Host name in /etc/hosts must be fully-qualified for Kerberos join
Description: Kerberos authentication failed because the host name in /etc/hosts is not fully-qualified. You can do one of the following:
   1. Fix the entry in /etc/hosts using the /opt/openkaz/bin/kaz_updatehosts.pl script to make it fully-qualified, then attempt the add authentication command again.
   2. Upgrade to AdvancedAD using the set authentication command. This does not require a fully-qualified host name in /etc/hosts.
   3. Use NTLMv2 or NTLM authentication by using the set authentication command to set the value to none, ntlmv2, or ntlm. This does not require a fully-qualified name in /etc/hosts. However, since NTLMv2 and NTLM are less secure than Kerberos, the first two alternatives should be attempted first before trying this alternative.

Message: Active Directory domain join failed: Domain names do not match
Description: Kerberos authentication failed due to a disabled account error. Check to ensure that the domain name matches exactly the domain name in the AD server. For example, if the domain name in the AD server is corpjupiter.jupiter.com, you must specify your domain name as corpjupiter.jupiter.com, and not jupiter.com. The host command must also be able to correctly resolve the server name. For example, if the server name is adserver, the host command must correctly resolve adserver.corpjupiter.jupiter.com (and not another name like adserver.jupiter.com).

Message: Active Directory domain join failed: Clock skew too great
Description: Kerberos authentication failed because the clock skew is too great. Verify that the time on the IS1200 is within 5 minutes of the time on the AD Server. If this is not the case, set the time on the IS1200 to match that of the AD Server, or run NTP to synchronize the clock times.

Message: Active Directory domain join failed: Remote service not running
Description: The AD server is not running on the specified server. Check to ensure that the server name is correct, that it can be resolved using the host command to the correct IP address, and that the AD server is running on the remote node.

Message: Active Directory domain join failed: Failed to look up domain user
Description: The Winbind (Kerberos, NTLMv2 or NTLM) domain join succeeded, but the lookup of domain users failed. This error message is most likely displayed for NTLMv2 and NTLM which allows the domain join but still needs further external configuration to be corrected before allowing the user to login. Examples would include the blocking of TCP port 137 on the AD server, DNS server being on a different machine from the AD server, or DNS configuration errors. If external configuration is correct, try authenticating again using Kerberos or AdvancedAD using the fully-qualified domain name.

Message: Server name server must be fully-qualified.
Description: Unable to obtain the fully-qualified server name for AdvancedAD authentication. The most likely cause for this error is that Centrify authentication is attempted using a short domain name, and the DNS is not correctly configured to resolve the short domain name to the fully-qualified one. Ensure that the DNS settings are correct, and enter the fully-qualified domain name.

Message: Domain name domain must be fully-qualified
Description: Unable to obtain the fully-qualified domain name for AdvancedAD authentication. The most likely cause for this error is that Centrify authentication is attempted using a short domain name, and the DNS is not correctly configured to resolve the short domain name to the fully-qualified one. Ensure that the DNS settings are correct, and enter the fully-qualified domain name.

Message: Active Directory domain join failed
Description: The add authentication command has failed for a reason other than those listed above. To view the precise error message, use the command debug subsystem authentication level debug to turn on debugging for the policy management module, then execute the add authentication command again. Detailed logs are in /var/openkaz/log/policy_mgmt.log.

Message: Identity <identity> not found
Description: The identity specified in identity keyword of the add authentication command is not found. This error will most likely occur if you have mistyped the identity name, or if you have not created the identity using the add identity command.

Message: You must first leave the <domain> domain before joining this domain.
Description: The add authentication command is attempted when the IS1200 is already joined to another domain. The IS1200 can only be joined to one domain at a time. Use the remove authentication command to leave the current domain before joining the new one.

Message: No identities found
Description: There are no identities found. You have to create an identity using the add identity command prior to using that identity in the add authentication command.

Message: Internal error getting identity information.
Description: This signifies an internal error. Contact Kazeon support.
The following messages may be displayed after a
remove authentication active-directory command:
Message: Active Directory authentication service disabled
Description: Active directory authentication is successfully disabled as requested

Message: Active Directory authentication service already disabled
Description: Active directory authentication is already disabled. The most likely cause for this error is that the administrator typed the remove authentication active-directory command when active directory authentication has already been disabled.
The following messages may be displayed after a
test authentication active-directory command:
Message: Active Directory domain membership valid: <domain>
Description: We are currently a member of the <domain> domain or realm.

Message: The system is not properly joined to an Active Directory domain
Description: We are currently not a member of any Kerberos realms or NTLMv2/NTLM domains.
The following messages may be displayed after a set authentication command:
Message: You must first remove AD authentication before setting the protocol
Description: The IS1200 is currently joined to an AD domain. The set authentication command can only be used when the IS1200 is not currently joined to a domain. Remove AD authentication using the remove authentication active-directory command before re-attempting the set authentication command.

Message: Error setting protocol: AdvancedAD authentication in effect
Description: An attempt is made to set the AD protocol to kerberos, ntlmv2, or ntlm when AdvancedAD authentication has succeeded at least once for the IS1200. Currently only upgrade to AdvancedAD authentication is supported; downgrading to Kerberos, NTLMv2, and NTLM is not.

Message: An internal error has occurred: unable to set AD Authentication.
Description: An internal error has occurred. Contact Kazeon Technical Support for assistance.
Policy Manager Debugging. Error messages like "Active Directory domain join
failed" are used to present a more user-friendly version of the less commonly
encountered error messages to the user. To see the precise cause of the error, you can
turn on debugging to view the precise error message that is displayed by the policy
management module. For example, the following command in the CLI can be used to
turn on debugging for the policy manager:
prompt> debug subsystem authentication level debug
Enter the add authentication command again after turning on debugging. The
debugging messages from the policy manager can then be found in
/var/openkaz/log/policy_mgmt.log.
To remove AD external authentication using Web-Admin
1. From the list beneath the toolbar of the Authentication Manager page, select the
authentication configuration you want to remove.
2. From the tool-bar, click Remove.
The system removes the authentication configuration.
Overriding the current AD communication protocol using Linux
The set authentication command allows administrators to force authentication
communications to use a specific protocol. However, before using this command, the
administrator must be completely familiar with the configuration limitations detailed
in “Configuration Differences Between Installing and Upgrading” on page 56 and
“Determining Which Protocol is Used to Communicate with AD Servers” on page 58.
Use the command as follows:
set authentication active-directory protocol <protocol>
Where:
<protocol> = advanced AD, kerberos, ntlmv2, ntlm, or none.
If the value is set to none, the server reverts to automatically determining the best
authentication protocol.
Checking the current AD communication protocol using Linux
Linux administrators may check the current AD protocol using the following
command.
sysprompt> show authentication protocol
System responds:
protocol
--------
advanced AD
(or kerberos, etc)
Checking, removing, or changing the current AD authentication server using the CLI
To change the current authentication server to a different server, the existing AD
authentication must first be removed.
Do the following to change to a new AD server:
1. Log in to the server as admin.
2. To check the current authentication settings, enter:
show authentication details
The server responds:
type  domain  identity  server     protocol  realm
----  ------  --------  ------     --------  -----
AD    QALAB   id1       qa-winnas  Kerberos  qalab.kazeon.local
3. To remove the current AD (or NIS) authentication, enter:
remove authentication active-directory (or nis)
The server responds:
OK [220] Active Directory authentication service disabled
4. To check that the AD (or NIS) service was removed, enter:
show authentication details
The server responds:
OK [220] No authentication servers configured.
5. To add the new AD (or NIS) authentication, see one of the following:
   - “To configure NIS external authentication using the CLI” on page 55.
   - “To configure AD external authentication using the CLI” on page 61.
Configuration Issues with Multiple Domain Controllers
For installations using AdvancedAD in domains with multiple Domain Controllers
(DCs), procedures are available allowing administrators to limit the DCs the IS1200
uses for authentication. Errors may occur when a limited set of DCs have had “ports
opened” to allow IS1200 access, and the IS1200 has no way of knowing which DCs to
work with. Additionally, they occur on slow networks and when DCs are off-line for
maintenance or other issues.
Errors reported in these situations appear in log entries similar to the following:
Jan 8 18:12:57 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ad Connecting to dc3.testdomain.acme.com:389
Jan 8 18:12:57 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ldap dc3.testdomain.acme.com:389 fetch dn="" filter="(objectclass=*)"
Jan 8 18:13:02 foo1 adclient[13601]: DEBUG <fd:17 get object> base.osutil fetch : Can't contact LDAP server (reference base/ldapbind.cpp:151 rc: -1)
Jan 8 18:13:02 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ad Failed to connect to dc3.testdomain.acme.com:389: fetch : Can't contact LDAP server
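One way to turn log entries like these into a per-DC picture of which domain controllers the IS1200 could not reach, as an added example that is not from the Kazeon guide or its tooling: the function names are assumptions, and the embedded sample is the guide's dc3 entries on single lines plus two constructed entries for a second DC.

```shell
#!/bin/sh
# Added example (not Kazeon or Centrify code): summarise adclient LDAP bind
# attempts per domain controller. Function names are hypothetical.

# Constructed sample: the guide's dc3 entries re-joined onto single lines, plus
# two constructed entries for a second DC (dc1) that does not fail.
sample_log() {
    cat <<'EOF'
Jan 8 18:12:50 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ad Connecting to dc1.testdomain.acme.com:389
Jan 8 18:12:50 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ldap dc1.testdomain.acme.com:389 fetch dn="" filter="(objectclass=*)"
Jan 8 18:12:57 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ad Connecting to dc3.testdomain.acme.com:389
Jan 8 18:12:57 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ldap dc3.testdomain.acme.com:389 fetch dn="" filter="(objectclass=*)"
Jan 8 18:13:02 foo1 adclient[13601]: DEBUG <fd:17 get object> base.osutil fetch : Can't contact LDAP server (reference base/ldapbind.cpp:151 rc: -1)
Jan 8 18:13:02 foo1 adclient[13601]: DEBUG <fd:17 get object> base.bind.ad Failed to connect to dc3.testdomain.acme.com:389: fetch : Can't contact LDAP server
EOF
}

# Read adclient debug lines on stdin and print one sorted line per DC:
#   <host:port> attempts=<n> failures=<m>
dc_summary() {
    awk '
        /adclient\[[0-9]+\]:/ && / base\.bind\.ad Connecting to / {
            attempts[$NF]++
        }
        /adclient\[[0-9]+\]:/ && / base\.bind\.ad Failed to connect to / {
            dc = ""
            # The target follows the words "connect to" and ends with a colon.
            for (i = 1; i < NF - 1; i++)
                if ($i == "connect" && $(i + 1) == "to") { dc = $(i + 2); break }
            if (dc == "") next
            sub(/:$/, "", dc)
            failures[dc]++
            if (!(dc in attempts)) attempts[dc] = 0
        }
        END {
            for (dc in attempts)
                printf "%s attempts=%d failures=%d\n", dc, attempts[dc], failures[dc]
        }
    ' | sort
}

# DCs for which every logged attempt failed. Assumption: an attempt with no
# matching failure line in the same log window is treated as successful.
unreachable_dcs() {
    dc_summary | awk '{
        split($2, a, "="); split($3, f, "=")
        if (f[2] + 0 > 0 && f[2] + 0 >= a[2] + 0) print $1
    }'
}

sample_log | dc_summary
echo "unreachable: $(sample_log | unreachable_dcs)"
```

On a live system the input would be the syslog file that carries the adclient DEBUG entries; its location is not given in this guide.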
Use the following steps to restrict the IS1200 to specific DCs in a given domain:
1. Suspend any current basic or deep crawls.
2. If authentication was previously added, remove it.
3. Login as root user to IS1200.
4. Change directory (cd) to /etc/centrifydc
5. Edit the centrifydc.conf file as follows:
You will find lines similar to the following:
#
# Specify dc and gc hostnames if your DNS isn't configured correctly
# for AD.  This is not recommended for production systems, since AD
# automatically updates DNS with failover and replica systems and optimizes
# for your site location.  This is provided mostly for evaluation systems
# which are using Unix DNS and can't add the _ldap and _gc service records
#
# dns.dc.<domain.name>: <hostname> [hostname] ...
# dns.gc.<domain.name>: <hostname> [hostname] ...
#
# Example:
# dns.dc.acme.com: anvil.acme.com coyote.acme.com
# dns.gc.acme.com: roadrunner.acme.com
#
# Note the hostname must resolve in DNS or be entered in /etc/hosts
#
To restrict the IS1200 to the DCs host1.acme.com and host2.acme.com on a domain called
acme.com, add the following line to those above and save the file on all nodes:
dns.dc.acme.com: host1.acme.com host2.acme.com
Now add authentication using the AdvancedAD protocol.
6. If user login (using AdvancedAD) takes a very long time and the user belongs to
large number of groups, do the following.
a. Login as root user.
b. Change directory (cd) to /opt/openkaz/etc/
c. Edit the file nsswitch.conf.centrifydc as follows:
Replace the line
group: files centrifydc compat
With
group: files compat
If AD authentication has already been added using AdvancedAD, then modify
one more file.
a. Change directory (cd) to /etc
b. Edit the file nsswitch.conf as follows:
Replace the line
group: files centrifydc compat
With
group: files compat
Support for Multiple Organization Units (OUs)
By default, a Windows Active Directory (AD) server responds to a client computer
login request by joining the client to the Organizational Unit (OU) under the
requested domain.
A more complex organization may need to have a more sophisticated structure and
organize the computers into different domains, possibly in a hierarchy. For example, a
holding company (ACME Conglomerates) may have business units each with their
own domains (BusUnit1, BusUnit2, etc). Each business unit may also have its own
AD server and business hierarchy (with corresponding organizational units such as
Marketing, HR, Accounting, etc). When a marketing client computer requests
authentication from the BusUnit1 AD server, it may need to be placed in the
BusUnit1-Marketing domain, rather than just a BusUnit1 domain.
To do this, specify the container command to override the default OU. For example, to
join a client to the BusUnit1/Marketing domain, use the add authentication
command as follows:
add authentication active-directory
domain      The NIS or AD domain name. Specify the fully-qualified domain name for Kerberos (if applicable)
server      IPv4 or hostname of system running the authentication service (optional for AdvancedAD only)
user        User to connect to the domain as (active-directory requires either a user or an identity)
identity    A case insensitive unique identifier for an identity
container   The optional container name for the AD organizational unit, with hierarchical containers separated by slashes
For example, to join a client to the BusUnit1/Marketing domain using an identity:
add authentication active-directory domain adtest.com server
ad140 identity adtestid container BusUnit1/Marketing
Organizational Unit Persistence
Note the following Windows AD server behavior with respect to OUs:
• After a client joins a certain domain (and OU), it will always rejoin the same
domain regardless of the OU specified, unless the AD Server OU registration
entry is specifically deleted. For example, if a client previously joined the
BusUnit1 domain, it will always rejoin the BusUnit1 domain on subsequent log
ins. Likewise, if a client joined the BusUnit1/Marketing domain, it will rejoin the
BusUnit1/Marketing domain on subsequent log ins even if the container option is
not specified in subsequent add authentication commands.
• To force a client to join a different domain (different from its last log in), an
administrator must log in to the Windows AD Server and delete the registration
entry for the computer. For example, to join JohnSmith to the BusUnit1/Accounting
domain after he has already joined BusUnit1/Marketing, delete the
BusUnit1/Marketing entry by selecting that entry and clicking Delete as follows:
Chapter 9: The Identity Vault
This chapter discusses adding identities to the Identity Vault.
Topics are as follows:
- “Identities Purpose and Usage”
- “Adding Identities to the Identity Vault”
  - “To add an identity from Web-Admin”
  - “To add an identity from the Command Line”
  - “To view identities from Web-Admin”
  - “To view identities from the Command Line”
  - “To remove an identity from Web-Admin”
  - “To remove an identity from the Command Line”
- “Using Identities to Configure Report and Services Notifications”
Identities Purpose and Usage
Identities are username and password pairs stored in a secure (encrypted) database and
used by the Kazeon Information Server when it needs to access outside services
secured with passwords.
WARNING!
Identity passwords are encrypted using the cluster key; see “To start a cluster or
export Cluster keys” on page 49 for details on cluster keys. If the cluster key is
changed on an active cluster, all identities must be re-added (using the force
option) to re-save re-encrypted passwords with those identities.
The best example is accessing a CIFS file server (or data repository) for
classification. The IS1200 must have an administrative username and password,
stored as an identity, that it can use to access the repository before it can classify
files on the repository. An identity with the same privileges is needed to discover,
register, and crawl individual users’ CIFS laptops and desktops as well.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, the AD identity associated with a registered CIFS filer must be a
member of the “backup operators” and “domain administrators” groups for the
filer, otherwise files “hidden” when users put exclusive privileges on their
directories will not be crawled or classified.
Identities are also used when communicating with authentication servers to validate
IS1200 Web-Admin, Web-Search, and Web-Reports user logins and as the user-sender
of various report results and other notifications. See “Using Identities to Configure
Report and Services Notifications” on page 77 for more details.
Using an Identity with External Authentication
A pre-existing identity is required to configure external authentication using AD. In
order for that identity to join the Kazeon Information Server to an AD domain, that
identity’s account must have permissions to join and make changes to the AD domain.
Usually this means the account has administrator’s privileges.
The Identity Vault enables you to change an account password in one place. The
system retrieves the updated password automatically whenever, and wherever, that
identity is used.
Security policies that require passwords to expire and be changed on a periodic basis
pose problems when the IS1200 uses Active Directory for authentication or to mount
CIFS shares. A best practice is to use an identity or user account that is excluded from
this policy, and store it in the Kazeon Identity Vault. If this is not feasible, the
administrator must change passwords in both locations (in the AD and the Identity
Vault) on a periodic basis.
Adding Identities to the Identity Vault
To set up an identity, you must know the username and password of an existing, active
AD account to be able to provide those when creating the identity.
To add an identity from Web-Admin
1. From the Web-Admin under Authentication, click Identity Vault.
The Identity Vault page appears.
2. From the Identity Vault page, click Add in the toolbar.
The Add Identity dialog opens.
3. Specify values for the following fields:
Identity Name. Enter a maximum of 24 alphanumeric characters, NO spaces.
User Name. The username of an existing, active AD account. This can be in the
form DOMAIN + user. However, if a DOMAIN name is used, the name should be
the short name of the AD server active in the same domain as the filesystem
(datafs, or kazfs) it will be used to access or register. Other domain names, even
fully qualified domain names, for AD servers outside the filesystem domain are
not supported, and attempts to use identities with the longer names to register,
or access the filesystems, will not succeed.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, AD identities that will be associated with a registered CIFS filer must
be a member of the “backup operators” and “domain administrators” groups for
the filer, otherwise files “hidden” when users put exclusive privileges on their
directories will not be crawled or classified.
Password. Enter the username password, and enter it again in the confirm field.
Domain. Enter the domain name where the username can be authenticated.
Force. Select this option to overwrite an existing password.
4. Click Submit to add the identity to the identity vault.
To add an identity from the Command Line
1. At the command line prompt, type the following command and press Enter:
Nodename> add identity id_name user userName [force]
The system prompts you for a password.
2. Enter the password.
The system encrypts the password and stores it in the password vault along with
the user name.
Table 9 describes the keywords and values.

Table 9  Adding User Credentials for CIFS - Keywords and Values

Keywords and Values: identity id_name
  Datatype:    Alphanumeric (case-insensitive) characters and the ‘-’ character.
               Maximum length=24 characters
  Description: The parameter and the identity to associate with the given
               credentials.

Keywords and Values: user userName
  Datatype:    The name of a user or DOMAIN + user where DOMAIN is a NETBIOS
               domain name. NetBIOS domain names can be up to 15 characters in
               length, and must not contain the characters \ / : * ? " < > | .
  Description: The parameter and the Active Directory domain to which the
               identity belongs.

Keywords and Values: force
  Description: Overwrites the old password with the new one.
To view identities from Web-Admin
1. From the Web-Admin navigation pane under Authentication,
click Identity Vault. The Identity Vault pane appears.
All current identities are displayed below the toolbar.
To view identities from the Command Line
1. To view a particular identity, at the command line prompt, type the following
command and press Enter:
Nodename> show identity id_name
The system responds:
identity  userName  authType  domain   status  acls
--------  --------  --------  ------   ------  ----
id_name   usrName   AD        domName          *
2. To view all identities, at the command line prompt, type the following command
and press Enter:
Nodename> show identity
The system responds:
identity  userName  authType  domain   status  acls
--------  --------  --------  ------   ------  ----
id_name1  usrName1  AD        domName          *
id_name2  usrName2  AD        domName          *
To remove an identity from Web-Admin
1. In Web-Admin, from the Identity Vault pane,
click to select any identity listed under the Identity Vault pane toolbar.
2. On the toolbar, click Delete and confirm when the dialog appears.
The system removes the identity from the Identity Vault. Any service currently
referencing that identity will fail the next time it attempts to get the identity's
credentials from the vault.
To remove an identity from the Command Line
1. At the command line prompt, type the following command and press Enter:
Nodename> remove identity id_name
The system responds:
identity  userName  authType  domain      status  acls
--------  --------  --------  ------      ------  ----
id_name   username  AD        domainName          *
Using Identities to Configure Report and Services Notifications
Besides configuring external authentication, identities are also used to access email
servers to send notifications when reports and other services complete. Notifications
include successful completion or failure notices for services and reports, report or
service status and results, and Legal Hold Notifications from the
eDiscovery Case Manager.
To send these notifications the system must have a valid username and password to
access the smtp mail server.
Note:
The smtp server will not list the identity username as the sender; notices will be
sent from root@yourDomain.com.
You tell the IS1200 which username and password to use to access the smtp server
with a CLI command. The command specifies an (existing) identity containing a
username and password that the local AD and smtp mail server already have configured.
Using the CLI to Set Email Parameters
The CLI command is:
set email smtp-server <serverName> identity <identityName>
maxsize <number> content-type <html/plain>
The CLI command is “set email” and it has the following parameters:
- smtp-server: The smtp server name (IP or Host Name)
- identity: An identity name currently installed in the Identity Vault
- maxsize: The maximum size (in bytes) of the email to send. (If the actual email
  size is larger than this limit a warning email is sent instead.)
- content-type: Email type (plain or HTML) values: plain, html
The following example commands the system to use the username and password
stored in the identity mailIDtoUse to contact the smtp-server companySMTPserver
and limits the email notification size to 10k and the email type to html.
set email smtp-server companySMTPserver identity mailIDtoUse
maxsize 10000 content-type html
WARNING!
The identity name specified in the set email command must already exist in the
identity vault before the command is issued.
Chapter 10: Repository Registration and Management
This chapter describes registering network file systems (NFS and CIFS) and laptop or
desktop shares as data repositories for data classification with the IS1200 using the
Web-Admin application and the CLI. Some tasks are only supported by the CLI.
Topics are as follows:
- “Introduction to Registration”
- “Repository Registration: Rules and Guidelines”
  - “CIFS Server, Laptop, and Desktop Setup Requirements”
- “Requirements and Preparations for Metadata Repositories”
  - “Primary Metadata Repositories”
  - “Adding an NFS Metadata Repository:”
  - “Adding a CIFS Metadata Repository:”
  - “Adding a Local Metadata Repository (localkazfs):”
- “The Discovery Process”
- “Registering Data Repositories”
  - “Registering Discovered Repositories”
  - “Adding an NFS Repository:”
  - “Adding a CIFS Repository:”
  - “Adding a Laptop or Desktop Repository:”
  - “Adding a Local Data Repository (localdatafs)”
  - “Adding a Local USB Drive as a Data Repository”
  - “Adding an Enterprise Vault, MS Exchange, SharePoint, or Lotus Domino
    Repository”
- “Managing Repositories”
  - “Editing and Viewing Registered Repositories”
  - “Importing Data and Metadata Repositories”
  - “Removing Repositories”
  - “Moving Metadata Repositories”
- “Managing Repository States”
Introduction to Registration
To provide enterprise-wide file system search and file management the Kazeon
Information Server must first know what file systems to manage. Making the server
aware of what file systems, or repositories, to manage is called registering
repositories. Only registered repositories may be crawled or classified.
Network file servers, both NFS and CIFS, as well as laptops and desktops may be
registered and classified.
Note: Laptops and desktops require special setup to enable classification. This includes
special settings for Firewalls and File Sharing, as well as requirements for
registering their NETBIOS names with WINS. Further setup is required if
classification access is required for “open” files like PST files.
See “Setup Requirements for Windows Laptops, Desktops, and Servers” on
page 389 for all details.
If the appropriate optional modules are installed, files from NetApp Snapshots,
NetApp SnapLock file systems, Microsoft Exchange servers, and Symantec
Enterprise Vaults may also be crawled and classified.
The Kazeon Information Server classifies file metadata and unstructured enterprise
content by crawling registered repositories and entering the file and custom metadata
found in metadata repositories. Each registered repository must have a metadata
repository mapped to it. The Kazeon Information Server uses metadata repositories to
store metadata extracted during classifications as well as to store the corresponding
indexes, databases, policies, classification rules, report definitions and results, and
other system management data.
A metadata repository is sometimes referred to as a kaz file system (kazfs), but this
guide will generally refer to it as a metadata repository. A metadata repository is a
network filesystem NFS mount-point, or CIFS share, exported from a qualified NAS
device or file server. The NFS mount-point or CIFS share must be dedicated
exclusively to metadata use.
Starting with version 3.0.2, a local metadata repository can be created directly on a
Kazeon appliance, but only on a single-node Kazeon cluster. This is sometimes called
a local kazfs. Local metadata repositories are not recommended for data repositories
with large amounts of data to classify because file access to the local directory takes
CPU resources away from the Kazeon server, and the Kazeon server’s response times
suffer when a local directory is used heavily. See “Local Metadata Repository
(localkazfs) Requirements” on page 86 for more information about local kazfs.
Using a network file server (instead of the Kazeon appliance) to store the metadata
allows flexibility in managing and moving the storage requirements. Before any
enterprise content can be classified, a metadata repository—a volume, qtree, or a
directory—must first be created on a file server with adequate space and file
resources, and then registered as a metadata repository with the Kazeon Information
Server. As many metadata repositories as needed can be created. Typically, a single
metadata repository is adequate for most purposes. Data repositories and metadata
repositories can be stored on separate file servers or on the same file server, as long as
they are in different volumes, qtrees, or directories. To enhance performance,
registered repositories, and their associated metadata repositories, should be located
on separate volumes or file servers.
Additionally, starting with version 4.1.0, the first metadata repository created is
designated the “primary” or “central” metadata repository. The primary metadata
repository becomes the home of the Report results database, Discovery results,
Auditing and Data Verification databases, and miscellaneous databases the cluster
requires for routine operation. The “primary” metadata repository can be verified using
the show database CLI command. This command’s results include a “CLUSTER
DATABASE [CDB] INFORMATION” section that identifies the central metadata
repository. See “Primary Metadata Repositories” on page 84 for more information.
Up to 16 data repositories may be mapped to a single metadata repository. The
mapping is specified when a repository is registered. Specific metadata repositories
can be assigned to a registered repository, or the IS1200 can pick a repository
automatically.
Up to 16 data repositories can be registered per node in a cluster. When a data
repository is registered, a shorthand name—or nickname—is specified for that data
repository. That shorthand name must be unique in each cluster. These names are used
(instead of the cumbersome full network pathnames) by both the Command Line
Interface (CLI) and Web-Admin when setting up services like crawls. Clusters retain
repository information between restarts and share information between nodes, so a
new node added to a cluster discovers all repository registrations from the other nodes.
Note: If you are only enabling the reporting functionality, you can register a maximum
of 200 data repositories per cluster.
Storage tiers are a flexible, valuable way of identifying and ranking storage systems
based on user-defined parameters such as cost, reliability, or performance. Storage
tiers can be specified when registering data repositories or metadata repositories and
can be any number between 0 and 255. Tier numbers are used to organize service
actions (for example, move all files older than 30 days from tier 1 to tier 2 filers).
The Kazeon Information Server allows flexibility and control over the management of
your storage resources. After registration, data repositories and metadata repositories
can be managed from the CLI and GUI, turned online or offline, and used to run
high-level services such as classifications. Data repositories containing permanent
archives need only be classified once, and can be deleted (leaving the metadata for search).
Note: Data Repositories should never be powered-off, un-exported, or un-shared, while
they are online. See “Managing Repository States” on page 116 for details on
managing repository online/offline states.
Repository Registration: Rules and Guidelines
The rules and guidelines below must be followed when registering data repositories
and metadata repositories with the Kazeon Information Server:
WARNING!
The standard IS1200 installation configures Web-Admin with a single initial user
named “admin” and allows both “root” and “admin” to log in to the Command
Line Interface (CLI). Both “admin” and “root” have unlimited access privileges
and can see and alter all registered repositories. It is recommended that neither of
these users be used for routine access of either Web-Admin or the CLI.
See “Role Based Administration” on page 37 for details on limiting user roles.
Directory, File, and Filepath Limitations
- No filepaths can be used (for all IS1200 services: classifications, searches,
  reports, etc.) that exceed the following:
  - 4050 characters in filepath length
  - more than 200 sub-directories
- Symbolic links (a special type of file that serves as a reference to another file or
  directory, also called symlinks) are not supported
- Distributed File Systems (DFS) filers are not supported
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
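A pre-registration check for the limits listed above, as an added example (not Kazeon code): it walks a mounted share and reports symbolic links, paths over 4050 characters and directories nested more than 200 levels deep. The function names are hypothetical, and measuring length and depth relative to the share root is an assumption, since the guide does not say where the IS1200 starts counting.

```python
import os
import tempfile
from dataclasses import dataclass, field

MAX_PATH_CHARS = 4050  # filepath length limit stated in the guide
MAX_SUBDIRS = 200      # sub-directory limit stated in the guide


@dataclass
class ScanResult:
    too_long: list = field(default_factory=list)  # paths over the length limit
    too_deep: list = field(default_factory=list)  # first directory past the depth limit
    symlinks: list = field(default_factory=list)  # symbolic links (not supported)
    files: int = 0                                 # regular files within the limits


def scan_share(root, max_chars=MAX_PATH_CHARS, max_subdirs=MAX_SUBDIRS):
    """Walk a mounted share and report entries the guide says cannot be used.

    Assumption: length and depth are measured on the path relative to `root`.
    """
    root = os.path.abspath(root)
    result = ScanResult()
    # followlinks=False: a symlinked directory is reported, never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, root)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        keep = []
        for name in sorted(dirnames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                result.symlinks.append(rel)
            elif depth + 1 > max_subdirs:
                result.too_deep.append(rel)   # report once, skip everything below
            elif len(rel) > max_chars:
                result.too_long.append(rel)   # everything below is too long as well
            else:
                keep.append(name)
        dirnames[:] = keep                    # prune the subtrees that were reported
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                result.symlinks.append(rel)
            elif len(rel) > max_chars:
                result.too_long.append(rel)
            else:
                result.files += 1
    return result


def demo():
    """Scan a small constructed tree, using tiny limits so each check fires."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "a", "b", "c"))
        for rel in ("ok.txt", "a/b/c/deep.txt", "a/" + "x" * 30 + ".txt"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample")
        os.symlink(os.path.join(root, "ok.txt"), os.path.join(root, "link.txt"))
        return scan_share(root, max_chars=20, max_subdirs=2)


if __name__ == "__main__":
    print(demo())
```

Files below a reported directory are not counted, so `files` is a lower bound to compare against the 16 million file recommendation.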
Metadata Repositories Requirements
- Kazeon supports Network Appliance filers.
- A metadata repository must be registered before registering its associated data
  repositories. This means the repository registered must be a metadata repository.
- Metadata repositories can NOT be sub-directories of their associated data
  repositories.
  Note: Kazeon does not support Samba servers as metadata repository servers.
- Export or share all metadata repositories only from Kazeon-qualified file servers
  offering non-volatile RAM and data reliability guarantees. This prevents possible
  metadata corruption.
Data Repository Requirements and Recommendations
- Kazeon supports Network Appliance filers.
- While up to 16 data repositories can be registered per node, it is recommended
  that the total number of registered data repositories does not exceed 10 per node.
  That is, the number of data repositories divided by the number of nodes in the
  cluster should not exceed 10 repositories per node.
- Registered data repository size should not exceed 10 TB.
- The number of files on a registered data repository should not exceed 16 million.
- To audit user access patterns on your file server, be sure to enable the option
  (described immediately below) that updates the access time for the file server. The
  system then updates the access time whenever a user accesses a file.
  Note: A logging policy must be enabled to audit access patterns.
  The Kazeon Information Server uses the registered data repository mount point
  only to read and classify data files. While the IS1200 does not modify data
  repository content, the data repository itself updates all file access times as the
  IS1200 reads the files for classification. This prevents determining when a user
  last accessed a file after a classification. To correct this, the Kazeon Information
  Server can reset file access times after files are read. However, if you register data
  repositories with Read-only permissions, the Kazeon Information Server is unable
  to reset access times. Data repositories must be registered with Read-Write
  permissions to allow the Kazeon Information Server to revert access times.
- Additionally, data repositories must also be registered with Read-Write
  permissions to manage their files using actionable services.
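The access-time reset described above, sketched as an added example (not Kazeon code; how the IS1200 resets access times internally is not described in this guide). It reads a file, restores the previous access time with os.utime, and reports when the restore is refused, which is the Read-only case the text warns about. The function names are hypothetical and the sample file is constructed.

```python
import errno
import os
import tempfile


def read_preserving_atime(path, chunk=1 << 20):
    """Read a file end to end, then put its access time back.

    Returns (bytes_read, restored). `restored` is False when the file system
    refuses the timestamp write, as a Read-only registration would.
    """
    before = os.stat(path)
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            size += len(block)      # stand-in for classification work
    try:
        # Restoring atime is itself a metadata write: it needs write access and
        # it updates the file's ctime, so the reset stays visible to an auditor
        # who compares ctime.
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
        restored = True
    except OSError as exc:
        if exc.errno not in (errno.EROFS, errno.EPERM, errno.EACCES):
            raise
        restored = False
    return size, restored


def demo_atime():
    """Constructed sample: a file whose last user access lies in the past."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.txt")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        user_access_ns = 1_000_000_000 * 10**9   # constructed "last user access"
        mtime_ns = os.stat(path).st_mtime_ns
        os.utime(path, ns=(user_access_ns, mtime_ns))
        size, restored = read_preserving_atime(path)
        after = os.stat(path)
        return (size, restored,
                after.st_atime_ns == user_access_ns,
                after.st_mtime_ns == mtime_ns)


if __name__ == "__main__":
    print(demo_atime())
```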
Permissions for NFS and CIFS Data Repositories
- For an NFS data-mount, grant all nodes of the Kazeon Information Server cluster
  Read-Write permissions or Read-only permissions and root access
  (no_root_squash option) to the data repository for data classification. For
  mixed mode data repositories, ensure that a CIFS user with equivalent
  permissions is mapped to user root in UNIX. For NetApp, this mapping is in
  rdfile /etc/usermap.cfg.
- For a CIFS data-share, use a valid username and password when registering a data
  repository. The specified user must have read access to all files on the data share.
  Generally, this username and password is pre-saved in the Identity Vault. See
  “The Identity Vault” on page 73 for more information.
  Typically, either the local administrator account (machine name/Administrator)
  of the machine hosting the data repository or the AD domain
  administrator account (AD domain/Administrator) has these privileges.
  Alternatively, you can create a new user account with read access to all the data
  repositories that the Kazeon Information Server needs to access.
- When registering a CIFS share (from a NetApp filer) as a data repository, make
  sure the security style of the qtree is set to NTFS.
Addressing Requirements for VMware Repositories
If the data repositories you plan to classify are virtual servers (file servers hosted on a
VMware ESX or Workstation server) then each repository must be network
configured using Bridge Networking on the virtual host.
CIFS Server, Laptop, and Desktop Setup Requirements
Registering and classifying CIFS servers, desktops, or laptops requires specific
firewall configurations and identities. See “Setup Requirements for Windows
Laptops, Desktops, and Servers” on page 389 for complete details.
Primary Metadata Repositories
Starting with version 4.1.0, the first metadata repository created is designated the
“primary” or “central” metadata repository. The primary metadata repository is the
home of the Report results database, Discovery results, Auditing and Data Verification
databases, and miscellaneous databases the cluster requires for routine operation.
Special care must be taken to ensure the primary metadata repository is not taken
offline, otherwise cluster stability will suffer. If the primary metadata repository is
taken offline, the cluster attempts to move it to another metadata repository, but this
can take many hours and prevent, or halt, many other services.
To manually change the primary metadata repository, do the following:
1. Identify the fsid of the current primary metadata repository (source). The CLI
command: sh fs detail all can be used to display the fsid of all
registered repositories.
2. Identify the fsid of new intended primary metadata repository (destination).
3. Toggle the current primary metadata repository offline (this will stop databases
and queue the customizer activity); see “Managing Repository States” on
page 116 for details.
4. Toggle the intended new primary metadata repository offline.
5. Migrate the application directory from the current to the intended.
a. Mount both current and intended new primary metadata repositories on the
IS1200 manually.
b. Copy the application directory from the current to the intended repository.
Alternatively other processes may be used to migrate the application directory.
6. Alter the system configuration to set the destination filesystem as the new primary
kazfs using the command:
set primary-kazfs value <filesystem id (fsid) of target kazfs>
for example: set primary-kazfs value 16809986
7. Toggle the new primary metadata repository online (this will bring the CDB
database back up).
8. Toggle the previous primary metadata repository online.
Requirements and Preparations for Metadata Repositories
Before any data repository can be registered (or discovered) at least one file system
must be created and registered as a metadata repository.
Additionally, the primary metadata repository has increased storage requirements:
Application            Space Required  Comment
Reports                10 GB           This is directly proportional to what reports are
                                       running and the size of the metadata. Running very
                                       large detail reports requires much more space.
System / Data Audit    5 GB            Plan for a minimum of 5GB. Auditing is very space
                                       consuming. Estimate about 2 GB per million objects
                                       per event (crawl, classification, copy, etc.)
Services (jobs) Data   5 GB            Uses much less, but in long life cycle, may consume
                                       as specified
File System Discovery  1 GB            Consumes negligible space
Do the following to prepare an NFS or CIFS metadata repository.
Preparing an NFS Metadata Repository Share Overview
1. Locate a file server or NAS device for the intended metadata repository.
2. Create or locate a disk/file-system volume containing about 30% of the storage
space of the data repositories the metadata repository will be mapped to (or 1 GB,
whichever is more). It should also have about 500 thousand free inodes or files.
3. Ensure the intended metadata repository has three times as many free inodes as
the number of data repositories on the associated data file server.
4. Export this volume using NFS assigning full root access with read-write
permissions to all the IP addresses configured for each node in the Kazeon cluster.
Note: For metadata repositories on Linux file servers, ensure that you export the
file system with the no_subtree_check option.
5. Ensure that the NFS server has the Network Lock Manager turned on.
Now you can register the metadata repository with the IS1200, see “Registering NFS
or CIFS Metadata Repositories” on page 86 for more detail.
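An audit of a Linux file server's /etc/exports against the NFS permissions described in this chapter (root access for every cluster node, plus read-write and no_subtree_check for metadata repositories), as an added example that is not Kazeon code. It also reports no_root_squash granted to any client other than the listed node IPs, since the guide only asks for root access from the cluster nodes. The paths, IP addresses and function names are constructed for illustration.

```python
import re

# One client entry in /etc/exports: host(opt,opt,...); an empty host means "any client".
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^()]*)\))?$")

# Constructed sample, not taken from a real server.
SAMPLE_EXPORTS = r"""# exports for the classification cluster
/export/kazfs 10.0.0.11(rw,no_root_squash,no_subtree_check,sync) \
              10.0.0.12(rw,no_root_squash,sync)
/export/data  10.0.0.11(ro,no_root_squash) 10.0.0.12(ro,no_root_squash) *(rw,no_root_squash)
"""
NODE_IPS = ["10.0.0.11", "10.0.0.12"]   # constructed cluster node addresses


def parse_exports(text):
    """Return {path: {client: set(options)}} for /etc/exports text.

    Handles comments and backslash line continuations; quoted paths and
    per-path default option lists are not handled here.
    """
    exports = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            match = CLIENT_RE.match(spec)
            if not match:
                continue
            client = match.group(1) or "*"
            options = {o for o in (match.group(2) or "").split(",") if o}
            exports.setdefault(path, {})[client] = options
    return exports


def audit_export(exports, path, node_ips, metadata=True):
    """List deviations from the guide for one exported path.

    metadata=True : each node needs rw, no_root_squash and no_subtree_check.
    metadata=False: each node needs no_root_squash (rw or ro are both allowed).
    Nodes are expected to be listed by IP address, as the guide describes.
    """
    clients = exports.get(path)
    if clients is None:
        return [f"{path}: not exported"]
    required = {"no_root_squash"}
    if metadata:
        # The guide asks for no_subtree_check explicitly, so its absence is reported.
        required |= {"rw", "no_subtree_check"}
    findings = []
    for ip in node_ips:
        options = clients.get(ip)
        if options is None:
            findings.append(f"{path}: node {ip} has no export entry")
            continue
        missing = sorted(required - options)
        if missing:
            findings.append(f"{path}: node {ip} missing {','.join(missing)}")
    for client in sorted(clients):
        if client not in node_ips and "no_root_squash" in clients[client]:
            findings.append(f"{path}: root access granted to non-node client {client}")
    return findings


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for finding in (audit_export(parsed, "/export/kazfs", NODE_IPS, metadata=True)
                    + audit_export(parsed, "/export/data", NODE_IPS, metadata=False)):
        print(finding)
```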
Preparing a CIFS Metadata Repository Share Overview
1. Locate a file server or NAS for the intended metadata repository.
2. Create or locate a disk/file-system volume with approximately 30% of the space
of the data repositories that will be mapped to it (or 1 GB, whichever is more). It
should also have about 500 thousand free inodes or files.
3. Share this volume using either CIFS or NFS protocol, assigning full control
(read-write-execute) to a specific Active Directory (AD) user in your domain or
workgroup. You will specify this user for file system access when you register the
metadata repository. This gives the IS1200 full control of the volume.
4. Disable Oplocks on the volume.
WARNING!
If OpLocks is left ON it can cause database corruptions and lead to other
problems. Do not assume that because there have been no problems leaving
Oplocks on in the past that Oplocks will not cause problems in the future!
Local Metadata Repository (localkazfs) Requirements
Starting with version 3.0.3, a “/localkazfs” directory is automatically installed on
all nodes during server software installation. The /localkazfs directory can be used
to store a local kazfs, instead of using a network share.
Local metadata repositories are not recommended for use with data repositories with
large amounts of data to classify because file access to the local directory takes CPU
resources away from the Kazeon server, and the IS1200’s response time will suffer
when a local directory is used heavily.
The following requirements and additional procedures must be in place before a local
metadata repository can be used by the IS1200.
- The IS1200 must be a single-node cluster.
- The /localkazfs directory must have at least 2 gigabytes available, after all
  other Kazeon server storage requirements are accounted for.
- The /localkazfs must be mounted by the Linux OS before it can be accessed.
  For the standard /localkazfs, installed during server software installation, this
  is done automatically by the Linux /etc/fstab file.
- If an additional internal, or external, hard drive is available to use as a local kazfs,
  it must be mounted as well. The mount name must start with localkazfs and be
  suffixed with a unique identifier as shown below. The following command can be
  issued as root to mount additional local kazfs:
  mount /dev/sdb1 /localkazfs-n
  where /dev/sdb1 refers to the partition of the drive being mounted, and
  the suffix -n differentiates the new local kazfs from the standard
  /localkazfs already installed and mounted. The new directory name must
  begin with /localkazfs and be followed by a differentiating suffix such as
  -2, or -drive2.
  The mount command must be executed every time the server is booted, but can be
  added to the Linux /etc/fstab file to automate it. See your system
  administrator if you need help.
- The Kazeon server must be restarted before it will recognize a newly added and
  mounted local kazfs.
Now register the metadata repository, see below.
Registering NFS or CIFS Metadata Repositories
After creating and exporting appropriately sized shares (as described in “Preparing an
NFS Metadata Repository Share Overview” on page 85 or “Preparing a CIFS
Metadata Repository Share Overview” on page 85) do the following to register a
metadata repository:
To register metadata repositories
1. From the Web-Admin navigation pane under Repositories,
click Metadata Repository to go directly to the dialog in the following step,
or click Repository View; the Repositories pane appears.
From the Repositories pane toolbar, click Add Metadata.
The Add Repositories tab opens.
(Screen content differs based on the Repository Type drop-down menu selection.)
2. From the Repository Type drop-down menu, select NFS, CIFS, or LocalFS.
Depending on the repository type selected, use the appropriate procedure below:
Adding an NFS Metadata Repository:
In the Add Metadata tab, with NFS selected for Repository Type,
fill in the following fields:
Name. Enter a reference name. (The IS1200 uses this name in menus offered
when dialogs require users to choose a metadata repository).
Metadata repository names must be unique.
Note: For metadata repositories on Linux file servers, ensure file systems are
exported with the no_subtree_check option.
Server. Enter the NFS file server name that hosts the metadata repository.
Mount Path. Enter the metadata repository mount path on the host file server.
WARNING!
Metadata repositories may be registered in one cluster only, and only once per
cluster.
Mount Options: Select one of the following:
- Auto Detect. Allow the system to automatically detect the mount option.
- TCP. Specify TCP protocol as the access option.
- UDP. Specify UDP protocol as the access option.
Storage Tier. Optionally, specify the storage tier where the repository is located.
The storage tier can be any number between 0 and 255. Default is 0.
Force add on errors. Select to force adding this device in spite of errors. Use
with caution! Generally used to overwrite an existing metadata repository.
Submit. Click to register the metadata repository.
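One way to check the no_subtree_check note on a Linux NFS server before registering the share, as an added example that is not part of the Kazeon software: it reads an exports file and lists every path and client whose options lack no_subtree_check. The export paths, the client names is1200-node1 and is1200-node2, and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not Kazeon code). Audits an exports(5) file for entries that
# are not exported with no_subtree_check.

# Prints "path client" for every export in the file ($1) whose effective
# options lack no_subtree_check. Returns 0 if nothing is missing, 1 otherwise.
# Handles per-client "(opts)" lists and a "-opts" default list after the path.
exports_missing_no_subtree_check() {
    awk '
    /^[ \t]*#/ { next }                 # comment line
    { sub(/#.*/, "") }                  # strip a trailing comment
    NF < 2 { next }                     # blank line or path with no client list
    {
        defaults = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }
            client = $i; own = ""
            if (match($i, /\(.*\)$/)) {
                client = substr($i, 1, RSTART - 1)
                own = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "(any host)"
            o = "," own ","; d = "," defaults ","
            if (o ~ /,subtree_check,/) ok = 0          # explicitly turned on
            else if (o ~ /,no_subtree_check,/) ok = 1  # set for this client
            else ok = (d ~ /,no_subtree_check,/)       # inherited default list
            if (!ok) { print $1, client; missing = 1 }
        }
    }
    END { exit missing + 0 }
    ' "$1"
}

# Constructed sample exports file for the demonstration.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/export/kazeon_md1  is1200-node1(rw,sync,no_subtree_check)
/export/kazeon_md2  is1200-node1(rw,sync) is1200-node2(rw,sync,no_subtree_check)
/export/kazeon_md3  -sync,no_subtree_check is1200-node1(rw) is1200-node2(rw,subtree_check)
EOF
}

sample=$(mktemp)
write_sample_exports "$sample"
exports_missing_no_subtree_check "$sample" || echo "the exports listed above need no_subtree_check"
rm -f "$sample"
```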
Adding a CIFS Metadata Repository:
In the Add Repository tab, with CIFS selected,
fill in the following fields:
Name. Enter a reference name (for the IS1200 to use when listing this CIFS
metadata repository in menus like the one used to associate metadata repositories
with data repositories when data repositories are registered).
Metadata repository names must be unique.
Note: For metadata repositories on Linux file servers, ensure repository is exported with
the no_subtree_check option.
Server. Enter the name of the CIFS file server hosting the mount point being
registered as a metadata repository.
Share Name. Enter the share name or mount point—from the CIFS Server
entered above—of the CIFS metadata repository to register.
WARNING!
Metadata repositories may only be registered in one cluster, and only once per
cluster.
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
Identity. Select a pre-defined user identity—from the drop-down list—to use
when the IS1200 accesses this metadata repository. If an appropriate identity is
not available, click the Create Identity button to add one. For more information on
identities, see “To add an identity from Web-Admin” on page 75.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, the AD identity associated with a registered CIFS filer must be a
member of the “backup operators” and “domain administrators” groups for the
filer, otherwise files “hidden” when users put exclusive privileges on their
directories will not be crawled or classified.
Storage Tier. Optionally, specify the storage tier where the metadata repository is
hosted. The storage tier can be any number between 0 and 255. Default is 0.
Force add on errors. Select to force adding this device in spite of errors. Use
with caution! Generally used to overwrite an existing metadata repository.
Submit. Click to register the metadata repository.
Adding a Local Metadata Repository (localkazfs):
Starting with version 4.3.2, all IS1200 installations allocate storage space for a local
metadata repository at the root level. The folder is named localkazfs.
To add the standard local metadata repository:
1. Click Metadata Repository in the Web-Admin left-navigation menu, the Add
Repository tab opens.
2. From the Add Repository tab, select LocalFS from the Repository Type menu.
3. Fill in the following fields:
Name. Enter a reference name (for the IS1200 to use when listing this CIFS
metadata repository in menus like the one used to associate metadata repositories
with data repositories when data repositories are registered).
Note: Metadata repository names must be unique!
Node Name. Do not change the automatic entry. It should contain the name of the
node you are currently logged into.
Mount Path. Choose a local kazfs from the drop-down list. If the local kazfs you
are looking for is not listed, it may not be properly mounted. See “Local Metadata
Repository (localkazfs) Requirements” on page 86 for more information.
Force add on errors. Select to force adding this device to the registered list in
spite of errors.
Submit. Click to register the data repository.
The Discovery Process
Discovery Overview
Registering data repositories—as opposed to metadata repositories—allows
classification of the files on the registered repository. Data repositories can be servers
(like Windows File Servers, Microsoft Exchange Servers, Symantec Enterprise Vaults,
etc.), or shared directories from users’ laptops or desktop systems.
Data repositories can be registered manually or through an automated process that
discovers and then registers repositories. If you already know which file systems
require registration, you can manually register them using Web-Admin or the CLI as
described in “Registering Data Repositories” on page 95. To automatically find, or
discover, what servers, mounts or shares exist on your network so you can then
register them, use the IS1200’s automated Discovery process; see “Scheduling a
Discovery Service” on page 92 for details.
Note: Before discovering or registering any data repository, at least one metadata
repository must be created and registered to record the discovered systems and to
store the metadata extracted when data repositories are classified. The metadata
repository must be registered first because it has to be available for mapping—to a
data repository—when a data repository is registered, or to record discovered
systems during discovery.
Discovering Laptops and Desktops
Special configurations and identities are required to discover CIFS servers generally
and laptops or desktops specifically (for example in eDiscovery situations). The
default Windows laptop or desktop system behavior exports all local drives as hidden
shares. Desktops export the C and D drives as network shares C$ and D$ for example.
Removable or pluggable devices (like USB thumb drives or Firewire drives) are not
automatically exported and must be deliberately shared. Refer to “CIFS Server,
Laptop, and Desktop Setup Requirements” on page 84 for configuration and identity
requirement details.
Using only the local administrator account, these exports can be discovered, mounted,
and crawled. If a laptop or desktop is a member of the Active Directory enterprise
infrastructure, the AD domain administrator account can be used to open all files on
these devices.
Before discovering, or registering, CIFS repositories, an appropriate administrative
user must be identified so that a username and password can be associated with the
CIFS file system when it is registered. See “Overview of Setup Requirements for
Laptops and Desktops” on page 390 for more information. Generally, it’s best to have
these administrative users installed as identities in the Identity Vault; see “The Identity
Vault” on page 73 for more information.
This same administrative user (identity) is required for CIFS data repository
discovery.
Discovery Methods
You can discover repositories, both standard servers as well as shares from user
laptops and desktops, in the following ways:
• Host/IP Address: Search for specific hostnames or IP addresses
• IP Range: Search for repositories on a specific subnet or IP range
• CIDR: Repositories that exist on a specified range of machines on your network
After discovery, the discovery results (and the discovery criteria used to obtain them)
can be reviewed in the discovery job listings. More importantly, discovered results—
mounts or shares—can also be registered for data classification.
Note: If Repository Discovery is attempted on Hostnames or IP Ranges containing
servers your stored identities cannot access—for example, user laptops with
shared files—the discovered filers list will be incomplete.
Note: Firewalls enabled on individual servers—especially on laptops or desktop
computers—may also result in incomplete data repository discovery lists.
Additionally, servers should not have selective port blocking active, particularly
for ARP requests.
Note: To enable discovery of CIFS shares, ensure that the authenticating Active
Directory server is configured to allow anonymous access.
Note: Initialization must complete before you can successfully add classification
services or actionable services.
Note: If you use a CIFS metadata repository, you must monitor the inode levels of the
filer closely to ensure the repository does not run out of inodes.
WARNING!
The discovery process fails if no metadata repository is available because
discovered repositories are saved in metadata storage.
Scheduling a Discovery Service
1. From the Web-Admin navigation pane under Repositories,
click Environment Discovery to go directly to the dialog in the following step,
or click Repository View to open the Repositories tab.
2. From the Repositories tab tool-bar,
click Discover to open the Discover Repositories tab.
Any previously run discovery jobs are listed below the toolbar. The page above shows
three previously completed jobs.
Note: You may need to wait as long as a minute for previously saved jobs to open.
3. From the page tool-bar, click New to start a new discovery job.
A drop-down menu opens:
Choose one of the following discovery methods:
- Hostname/IP: to discover by host name or IP address.
- IP Range: to discover within a range of IP addresses.
- Subnet/Mask (CIDR): to discover using a Classless Inter-Domain Routing
  address using subnets and masks.
4. Depending on the discovery method chosen in the preceding step,
complete one of the following dialog boxes:
- Hostname/IP:
  From the Discover by Hostname/IP tab
  For each hostname or IP address to search for:
  1. Enter a single IP address or hostname in the Hostname/IP Address field.
  2. Click Add to add that IP address to the Added Hosts/IP list.
     (Repeat as necessary to add multiple hostnames or IP addresses).
     To remove entries, select an entry and click Remove.
  3. Select NFS, CIFS, or ALL from the Repository Type drop-down menu.
     This selection applies to all the entries in the Added Hosts/IP list.
  4. If CIFS or ALL is selected above, select an identity (to access the CIFS
     filers while searching) from the Identity drop-down menu.
     Click the Create Identity button to add a new identity if necessary.
  5. Click Discover when done adding all entries to search,
     or click Cancel to exit without searching.
- IP Range:
  From the Discover by IP Range tab:
  For each IP range to search for:
  1. Enter a single IP address in the IP Address: From field.
     This is the lowest IP address to search from.
  2. Enter a single IP address in the IP Address: To field.
     This is the highest IP address to search to.
  3. Click Add to append the IP range to the check list.
     (Repeat steps 1-2-3 as necessary to add multiple ranges).
     To remove a range, select the range and click Remove.
  4. Select NFS, CIFS, or ALL from the Type drop-down menu. This selection
     applies to all IP ranges in the check list.
  5. If CIFS or ALL is selected above, select an identity (to access the CIFS
     filers while searching) from the Identity drop-down menu.
     Click the Create Identity button to add a new identity if necessary.
  6. Click Discover when done adding all ranges to search,
     or click Cancel to exit without searching.
- By CIDR: (Classless Inter-Domain Routing)
  From the Discover by CIDR tab
  For each CIDR to search for:
  1. Enter a single IP address in the IP Range: IP Address field.
  2. Enter a single network mask number in the IP Range: Mask field.
     The mask must be between 0 and 31.
  3. Click Add to append the CIDR address and mask to the check list.
     (Repeat steps 1-2-3 as necessary to add CIDRs).
     To remove CIDRs from the check list, select an entry and click Remove.
  4. Select NFS, CIFS, or ALL from the Type drop-down menu. This selection
     applies to all IP addresses in the check list.
  5. If CIFS or ALL is selected above, select an identity (to access the CIFS
     filers while searching) from the Identity drop-down menu.
     Click the Create Identity button to add a new identity if necessary.
  6. Click Discover when done adding all CIDRs to search for,
     or click Cancel to exit without searching.
7. Click OK to continue when the Added Discovery Job dialog appears.
The file discovery job is launched.
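One way to confirm what an IP Range or CIDR entry will cover, and that it stays inside an approved address block, before it is added to a discovery job. This is an added example, not Kazeon code; the approved block 10.20.0.0/16 and all addresses are constructed.

```shell
#!/bin/sh
# Added example (not Kazeon code): size and bound discovery entries.

# Converts a dotted-quad IPv4 address to an integer; fails on malformed input
# (wrong field count, empty or non-numeric octet, leading zero, value > 255).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Prints "low high" (integers) for a CIDR entry: IP address $1 and mask $2.
# The mask must be between 0 and 31, as in the Discover by CIDR dialog.
cidr_bounds() {
    case $2 in ''|*[!0-9]*|???*|0?*) return 1 ;; esac
    [ "$2" -le 31 ] || return 1
    ip=$(ip_to_int "$1") || return 1
    size=$(( 1 << (32 - $2) ))
    low=$(( ip / size * size ))
    echo "$low $(( low + size - 1 ))"
}

# Prints the number of addresses an IP Range entry covers ($1 = From,
# $2 = To); fails if either address is malformed or From is above To.
range_size() {
    lo=$(ip_to_int "$1") || return 1
    hi=$(ip_to_int "$2") || return 1
    [ "$lo" -le "$hi" ] || return 1
    echo $(( hi - lo + 1 ))
}

# Succeeds if the bounds $1 (low) and $2 (high) lie inside the approved
# block given as IP address $3 and mask $4.
within_scope() {
    scope=$(cidr_bounds "$3" "$4") || return 1
    [ "$1" -ge "${scope% *}" ] && [ "$2" -le "${scope#* }" ]
}

# Constructed demonstration: the approved scope is 10.20.0.0/16.
for entry in "10.20.30.40 24" "10.20.30.40 8"; do
    bounds=$(cidr_bounds $entry) || continue
    count=$(( ${bounds#* } - ${bounds% *} + 1 ))
    if within_scope $bounds 10.20.0.0 16; then
        echo "$entry: $count addresses, inside approved scope"
    else
        echo "$entry: $count addresses, OUTSIDE approved scope"
    fi
done
```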
Running Environment Discovery Jobs Again
Once a Discovery job has run, and results are shown in the Environment Discovery
page listing, the job may be run again if necessary. Simply select the completed
job in the listing and click the Run icon in the page tool-bar. The completed job
results will be deleted and replaced with status for a new job with the same
discovery criteria. If the new listings do not appear, use the Refresh icon in the
page tool-bar.
Registering Data Repositories
Once data repositories are discovered (servers, laptops, or desktops), or you have a
known list of data repositories to register, use the following directions to register data
repositories and metadata repositories.
Use the section immediately below to register discovered repositories. Skip to
“Registering Data Repositories” on page 95 to register known repositories as needed.
Registering Discovered Repositories
If you have run a discovery service and have a list of discovered servers, laptops or
desktops you want to register, you can register these discovered repositories by doing
the following:
1. From the Web-Admin navigation pane under Repositories,
click Repository View, the Repositories pane appears:
2. From the Repositories pane tool-bar, click Discover.
The Repositories page Discover Repositories tab appears.
All previously run discovery jobs are listed below the toolbar. The page above shows
three previously completed jobs.
Note: You may need to wait as long as a minute for all previous Discovery jobs to appear.
3. The left-most icon of any Discovery listing is either a plus sign or minus sign.
Clicking a plus displays complete discovery job information, clicking a minus
collapses expanded information. The job expands to show the Servers discovered.
Use the “Prev 1 2 3 Next” links to move from page to page of discovered servers.
If a small computer icon appears after the minus sign, the listing is a desktop or
laptop share with a DHCP assigned IP address.
If a computer icon appears immediately after the plus/minus icon, the
discovered repository is a DHCP based system like a laptop or desktop system.
Notice that discovered share names reported in the Host column can have three
different forms, some shown below.
When a desktop or laptop is found, the IS1200 attempts to name it using the
following methods, in the following order:
a. looking it up in DNS and reporting its DNS name, as shown in the second
listing above
b. getting its NETBIOS name and reporting its workgroup and share name, as
shown in the first listing above
c. simply reporting its IP address, example not shown
Standard file servers, with fixed IP addresses, have their DNS names reported, as
shown in the third listing above.
4. Click the plus sign next to any discovered listing (server or laptop/desktop) to
expand the shares it hosts.
The exported volumes of that server are displayed.
If a discovered desktop or laptop has no shares listed under it, as below,
then it either has no hidden shares, or the identity used to discover it did not have
sufficient access privileges to see the shares. Check the identity used in the
discovery job to see if it has appropriate administrator or backup operator
privileges.
5. To register a discovered share, check the box that precedes the listing,
and click Add Repository in the tool-bar, the Add Repository tab appears.
Many of the tab’s fields are already filled in with data automatically collected
from the discovered server, for instance the Repository Type will already be set.
6. Name Prefix: Discovered data repositories are usually added with a prefix
referencing the parent server. Replace “discovered()” with a prefix for the data
repository being added, usually this is a nickname for the parent server.
7. Enter the remaining fields as described in Registering Data Repositories below.
Note: The IS1200 does not support mixed volumes. NFS and CIFS volumes must be
added separately. Repeat this procedure as necessary.
Registering Data Repositories
If you have already discovered the data repositories you want to register (as described
above) and are already at the Add Repository tab, skip ahead to the following
procedures as appropriate:
“Adding an NFS Repository:” on page 100 or
“Adding a CIFS Repository:” on page 102
Otherwise, if you don’t need to discover your data repositories and already know
which repositories you need to register (as well as their host server names and share
names or mount paths) prepare to register those repositories by doing the following:
To register a Known Data Repository
1. From the Web-Admin navigation pane under Repositories,
click Repository View, the Repositories pane appears:
2. From the Repositories pane toolbar,
click Add Repository, the Add Repositories tab opens:
Screen content changes based on the Repository Type drop-down menu selection.
3. From the Repository Type drop-down, select NFS, CIFS, or Laptop/Desktop.
To register Microsoft Exchange Servers, refer to the Kazeon IS1200 Connector for
Microsoft Exchange Server User and Configuration Guide.
To register Enterprise Vault Servers, refer to the Kazeon IS1200 Connector for
Symantec Enterprise Vault User and Configuration Guide.
Depending on the repository type selected, use the appropriate following procedure:
Adding an NFS Repository:
In the Add Repository tab, with NFS selected,
fill in the following fields:
Name. Enter a reference name (for the IS1200 to use when listing this NFS filer in
menus, for instance when specifying classification targets). Data repository names
must be unique.
WARNING!
Do not register data repository names that have been previously used, and
removed, without first removing the metadata repositories that were associated
with the removed filers. See the warning note in “To remove a repository” on
page 115 for more details.
Metadata File System. Select a metadata repository from the drop-down menu to
associate with the NFS file system, or let the IS1200 auto select one.
Note:
A maximum of 16 data repositories can be mapped to a single metadata repository.
Server. Enter the name of the NFS file server hosting the repository to add. This
may already be entered (and unchangeable) if registering a “discovered” data
repository.
Mount Path. Enter the mount path of the data repository on the host file server.
Note: You can register the same data repository multiple times on a single cluster if you
use a different reference Name (see above) for each instance. Additionally, the
same data repository can be registered in multiple clusters.
Mount Options: Select one of the following:
- Auto Detect. Allow the system to automatically detect the mount option.
- TCP. Specify TCP protocol as the access option.
- UDP. Specify UDP protocol as the access option.
Specify Use: Select one of the following:
- Source Repository. Register this repository as a source; this includes the
  reference name (specified above) in all dialogs where a repository can be
  chosen as a source, for example when doing a Collection in either
  Web-Admin or the eDiscovery Case Manager.
- Target Repository. Register this repository as a target; this includes the
  reference name (specified above) in all dialogs where a repository can be
  chosen as a target.
- Source and Target Repository. Register this repository as both a source
  and a target for dialogs.
Read Only. Check to indicate the filer being registered is Read Only to the
Kazeon Information Server. The option should be used if the repository (being
registered) is exported or shared as Read Only. If this option is not set, the IS1200
assumes the filer being added is Read Write.
Note: If Read Only is set (checked), then all classifications alter all files’ atime and
ctime on the crawled repositories, and the Preserve Access Time option—at the
bottom of the dialog box—is removed. Do not set this option if you need to use
Preserve Access Time (see below) to preserve atime.
WARNING!
If you do not check Read Only for a data repository that is read only, the IS1200
will produce errors whenever the data repository is accessed, requiring the data
repository to be edited and reset to Read Only.
Repository Vendor. When registering NetApp file systems, select NetApp.
Other Vendor Options: Refer to the Netapp Retention Manager, or Snap Search
Optional Module User Guides for details on setting NetApp options.
Storage Tier. Optionally, specify the storage tier where the data repository is
located. The storage tier can be any number between 0 and 255. Default is 0.
Force add on errors. Select to force adding this device to the registered list in
spite of errors.
Preserve Access Time. Select to have the original file access times saved during
crawls. This option applies only if the filer’s Read Only radio button (above) is
NOT checked. The following table describes the relationship between the source
filer, its Read Only setting on the IS1200, and whether the IS1200 will attempt to
preserve file timestamps during services like classifications.
Actual Filer Setting   Filer IS1200 Read Only option   IS1200 attempts to preserve timestamps
Read Write             - (not specified)               Yes
Read Write             Read Write                      Yes
Read Write             Read Only                       No
Read Only              - (not specified)               Yes
Read Only              Read Write                      Yes
Read Only              Read Only                       No
The 5th and 6th lines generate errors when the IS1200 accesses files on the actual
filer; see the Warning on page 101 for more detail.
Submit. Click to register the data repository.
Adding a CIFS Repository:
WARNING!
Special configurations are required to register and crawl CIFS servers, laptops, or
desktops. Be sure to note the “CIFS Server, Laptop, and Desktop Setup
Requirements” on page 84.
Note: When registering a CIFS share (from a NetApp filer) as a data repository, make
sure the security style of the qtree is set to NTFS.
In the Add Repository tab, with CIFS selected,
fill in the following fields:
Name: Enter a reference name for the IS1200 to use when listing this CIFS filer in
menus, for instance as options for classification targets. Data repository names
must be unique.
WARNING!
Do not re-register data repository names that have been previously used, and
removed, without first removing the metadata repositories that were associated
with the removed filers. See the warning note in “To remove a repository” on
page 115 for more details.
Metadata Repository: Select a metadata repository from the drop-down menu to
associate with the data repository.
Note: A maximum of 16 data repositories can be mapped to a single metadata
repository.
Server: Enter the name of the CIFS file server hosting the repository to register. If
registering a “discovered” data repository, this is auto-entered, and unchangeable.
Note: When registering CIFS Servers, and especially CIFS laptops or desktops,
ensure the device has:
• Firewall ports open for TCP – 139, 445 and UDP – 137, 138, or
• Allows traffic from the Kazeon Server IP address
Share Name: Enter the share name or mount point—from the CIFS Server
entered above—of the CIFS data repository to register.
Note: You can register the same data repository multiple times on a single cluster if you
use a different Name (see above) for each instance. Additionally, the same data
repository can be registered in multiple clusters.
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as “wide symlink” or
“widelink enabled”) which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
Identity: Select a pre-defined user identity—from the drop-down list—to use
when the IS1200 accesses this filer. If an appropriate identity is not available,
click the Create Identity button to add one. For more information on identities, see
“To add an identity from Web-Admin” on page 75.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, the AD identity associated with a registered CIFS filer must be a
member of the “backup operators” and “domain administrators” groups for the
filer, otherwise files “hidden” when users put exclusive privileges on their
directories will not be crawled or classified.
Specify Use: Select one of the following:
- Source Repository: Register this repository as a source; this includes the
  reference name (specified above) in all dialogs where a repository can be
  chosen as a source, for example when doing a Collection in either
  Web-Admin or the eDiscovery Case Manager.
- Target Repository: Register this repository as a target; this includes the
  reference name (specified above) in all dialogs where a repository can be
  chosen as a target.
- Source and Target Repository: Register this repository as both a source
  and a target for dialogs.
Read Only: Check to indicate the filer being registered is Read Only to the
Kazeon Information Server. The option should be used if the repository (being
registered) is exported or shared as Read Only. If this option is not set, the IS1200
assumes the filer being added is Read Write.
Note: If Read Only is set (checked), then all classifications alter all files’ atime and
ctime on the crawled repositories, and the Preserve Access Time option—at the
bottom of the dialog box—is removed. Do not set this option if you need to use
Preserve Access Time (see below) to preserve atime.
WARNING!
If you do not check Read Only for a data repository that is read only, the IS1200
may produce errors whenever the data repository is accessed, requiring the data
repository to be edited and reset to Read Only.
Repository Vendor: If registering a NetApp filer, select NetApp. Refer to the
Netapp Retention Manager, or Snap Search Optional Module User Guides for
details on setting NetApp options.
Other Vendor Options: Refer to the Netapp Retention Manager, or Snap Search
Optional Module User Guides for details on setting NetApp options.
Storage Tier: Optionally, specify the storage tier where the data repository is
located. The storage tier can be any number between 0 and 255. Default is 0.
Force add on errors: Select to force adding this device to the registered list in
spite of errors.
Preserve Access Time: Select to have the original file access times saved during
crawls. This option applies only if the filer’s Read Only radio button (above) is
NOT checked. The following table describes the relationship between the source
filer, its Read Only setting on the IS1200, and whether the IS1200 will attempt to
preserve file timestamps during services like classifications.
Actual Filer Setting   Filer IS1200 Read Only option   IS1200 attempts to preserve timestamps
Read Write             - (not specified)               Yes
Read Write             Read Write                      Yes
Read Write             Read Only                       No
Read Only              - (not specified)               Yes
Read Only              Read Write                      Yes
Read Only              Read Only                       No
The 5th and 6th lines generate errors when the IS1200 accesses files on the actual
filer; see the Warning on page 104 for more detail.
Submit. Click to register the data repository.
Adding a Laptop or Desktop Repository:
Note: Laptops and desktops require special setup to ensure they can be classified.
Further setup is required if classification access is required on typically “open”
files like PST files. See “Setup Requirements for Windows
Laptops, Desktops, and Servers” on page 389 for details.
This section describes how to add a laptop or desktop as a data repository using the
hidden administrators share C$. If the laptop or desktop has shared USB drives that
need to be registered as data repositories, see “Registering and Classifying USB
Repositories” on page 412.
In the Add Repository tab, with Laptop/Desktop selected,
Fill in the following fields:
Name: Enter a reference name (for the IS1200 to use when listing this NFS filer
in menus, for instance when specifying classification targets). Data repository
names must be unique.
WARNING!
Do not register data repository names that have been previously used, and
removed, without first removing the metadata repositories that were associated
with the removed filers. See the warning note in “To remove a repository” on
page 115 for more details.
Metadata Repository: Select a metadata repository from the drop-down menu to
associate with the NFS file system, or let the IS1200 auto select one.
Note: A maximum of 16 data repositories can be mapped to a single metadata
repository.
Storage Access
NetBIOS or DNS Name. Enter the laptop or desktop’s NetBIOS or DNS name.
Share Name. Enter the name of the laptop or desktop share to register, for
example enter “C$” to register the “hidden” C directory share for administrators.
Identity. Select a pre-defined user identity from the drop-down list to use when
the IS1200 accesses this laptop or desktop. If an appropriate identity is not
available, click the Create Identity button to add one. For more information on
identities, see “To add an identity from Web-Admin” on page 75.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, the AD identity associated with a registered CIFS filer must be a
member of the “backup operators” and “domain administrators” groups for the
filer, otherwise files “hidden” when users put exclusive privileges on their
directories will not be crawled or classified.
Specify Use: Select one of the following:
- Source Repository: Register this repository as a source; this includes the
  reference name (specified above) in all dialogs where a repository can be
  chosen as a source, for example when doing a Collection in either
  Web-Admin or the eDiscovery Case Manager.
- Target Repository: Register this repository as a target; this includes the
  reference name (specified above) in all dialogs where a repository can be
  chosen as a target.
- Source and Target Repository: Register this repository as both a source
  and a target for dialogs.
Read Only: Check to indicate the filer being registered is Read Only to the
Kazeon Information Server. The option should be used if the repository (being
registered) is exported or shared as Read Only. If this option is not set, the IS1200
assumes the filer being added is Read Write.
Note: If Read Only is set (checked), then all classifications alter the atime and
ctime of all files on the crawled repositories, and the Preserve Access Time option
(at the bottom of the dialog box) is removed. Do not set this option if you need to use
Preserve Access Time (see below) to preserve atime.
WARNING!
If you do not check Read Only for a data repository that is read only, the IS1200
will produce errors whenever the data repository is accessed, requiring the data
repository to be edited and reset to Read Only.
Storage Tier: Optionally, specify the storage tier where the data repository is
located. The storage tier can be any number between 0 and 255. Default is 0.
Force add on errors: Select to force adding this device to the registered list in
spite of errors.
Preserve Access Time: Select to have the original file access times saved during
crawls. This option applies only if the filer’s Read Only radio button (above) is
NOT checked. The following table describes the relationship between the source
filer, its Read Only setting on the IS1200, and whether the IS1200 will attempt to
preserve file timestamps during services like classifications.
Actual Filer Setting   Filer IS1200 Read Only option   IS1200 attempts to preserve timestamps
Read Write             - (not specified)               Yes
Read Write             Read Write                      Yes
Read Write             Read Only                       No
Read Only              - (not specified)               Yes
Read Only              Read Write                      Yes
Read Only              Read Only                       No
The 5th and 6th lines generate errors when the IS1200 accesses files on the actual
filer; see the Warning on page 101 for more detail.
Submit. Click to register the data repository.
Adding a Local Data Repository (localdatafs)
Starting with version 4.3.2, all IS1200 installations allocate storage space for a local
data repository at the root level. The folder is named localdatafs1.
To add the standard local data repository:
1. Click Repository View in the Web-Admin left-navigation menu; the Repository tab opens.
2. From the Repository tab tool-bar, click the Add Repository icon;
the Add Repository tab opens.
3. Select Local Storage from the Repository Type menu.
4. Metadata Repository: Select a metadata repository from the drop-down menu to
associate with the local data repository, or let the IS1200 auto select one.
5. Mount Path. Choose an existing local datafs from the drop-down list; there may
be only one listed on smaller systems. If the local datafs you are looking for is not
listed, it may not be properly mounted.
6. Specify Use: Select one of the following:
  - Source Repository: Register this repository as a source. This includes the
    reference name (specified above) in all dialogs where a repository can be
    chosen as a source, for example when doing a Collection in either
    Web-Admin or the eDiscovery Case Manager.
  - Target Repository: Register this repository as a target. This includes the
    reference name (specified above) in all dialogs where a repository can be
    chosen as a target.
  - Source and Target Repository: Register this repository as both a source
    and a target for dialogs.
7. Submit. Click to register the local directory as a local data repository.
See the IS1200 Command Line Interface Reference Guide command ‘add localdatafs’
for information on how to use the CLI to add a local data repository.
Adding a Local USB Drive as a Data Repository
Starting with version 4.3.2, a locally attached USB drive may be added as a data
repository. USB drives may be formatted as NFS or VFAT (FAT32/VFAT).
This is especially useful for the Review and Analysis Product (RAP) and allows Legal
Service Providers (LSP) to make copies of their clients’ data repositories on removable
USB drives, move the drive to the LSP office, and register it on the LSP’s IS1200 as a
standard data repository.
The process is automatic. Simply connect an external USB drive to the IS1200 and the
IS1200 automatically recognizes and registers the USB drive. For example, before a
USB drive is attached, the Repositories page might look like this:
After a USB drive is attached, the USB drive shows up like this:
Note: You may need to use the Refresh icon in the tool-bar to see the new drive.
The USB drive is registered as “usb-<drivename>”, where <drivename> is the
volume name of the USB drive.
Removing a Local USB Drive/Data Repository
The removal process is equally automatic. Simply disconnect the USB drive from the
IS1200 and it is automatically removed from the IS1200.
Note: Use the Refresh icon in the tool-bar to remove the USB repository from the listing.
Adding an Enterprise Vault, MS Exchange, SharePoint, or Lotus Domino Repository
To register Microsoft Exchange Servers, refer to the Kazeon IS1200 Connector for
Microsoft Exchange Server User and Configuration Guide.
To register Enterprise Vault Servers, refer to the Kazeon IS1200 Connector for
Symantec Enterprise Vault User and Configuration Guide.
To register Microsoft SharePoint Servers, refer to the Kazeon IS1200 SharePoint
Connector User and Configuration Guide.
To register Lotus Domino Servers, refer to the Kazeon IS1200 Lotus Domino
Connector User and Configuration Guide.
Managing Repositories
Managing repositories includes the following tasks:
• Editing registered data repositories (or metadata repositories)
• Importing repositories
• Deleting repositories
• Moving Metadata Repositories
Repository Listings and Status
The Repository View sub-heading, under Repositories in the left-navigation pane,
opens the Repository tab and the standard repository listing.
The Repository tab contains the following elements:
The Repository Filters
Pick one of the following choices to set what repositories to display:
• All: Show all registered repositories of all types.
• kazfs: Show only metadata repositories.
• datafs: Show only data repositories.
The Repository Toolbar
The Repository Toolbar contains the following tools:
• Discover: Used to start Discovery jobs that can locate unregistered
  repositories; see “Discovery Overview” on page 90 for details.
• Add Metadata: Used to register a new metadata repository; see “Registering
  NFS or CIFS Metadata Repositories” on page 86 for details.
• Add Repository: Used to register a new data repository; see “Registering
  Data Repositories” on page 99 for details.
• Edit: Used to edit a current repository; see “Editing and Viewing Registered
  Repositories” on page 111 for details. Repositories must be offline to edit.
• Delete: Used to delete a current repository; see “Removing Repositories” on
  page 114 for details. Repositories must be offline to delete.
• Toggle Offline/Online: Used to change repository status between online and
  offline; see “Managing Repository States” on page 116 for details.
• Import: Used to import a previously removed repository; see “Importing
  Data and Metadata Repositories” on page 112 for details.
• Refresh: Used to refresh the repository listing for changes that might have
  been created elsewhere, for example in the CLI.
The Repository Listing
The repository listing displays all registered repositories and information about them.
Each line listing displays the following information:
• Name: The reference name the repository was given when it was registered.
• Type: One of the following repository types:
  - Primary Metadata Repository: The primary metadata repository. The
    IS1200 designates one of the registered metadata repositories as its Primary
    metadata repository; usually this is the first metadata repository registered.
    Besides the usual metadata repository content, the Primary metadata
    repository contains report definitions, report results, system/data audit logs,
    legal application information, and much more. The Primary metadata
    repository is vital to a functional cluster. This metadata repository should
    never be taken offline, otherwise many cluster operations will fail.
    Consequently, a warning message will be displayed if you attempt to do so.
  - Metadata Repository: Any metadata repository other than the primary.
  - Data Repository: A data repository.
• Metadata: If this listing is for a data repository, this column displays the metadata
  repository assigned to it when it was registered.
• Server: The server containing the share or mountpoint for this repository.
• Mountpath: The share or mountpoint path on the server for this repository.
• Tier: The tier assigned to this repository.
• Status: One of the following possible states the repository is currently in:
  - Online: The repository is online and available for IS1200 access.
  - Offline: The repository is offline and unavailable for IS1200 access other
    than editing.
  - Quiescing: A transition state while going from online to offline.
Editing and Viewing Registered Repositories
Once a data repository or metadata repository is registered, its registration information
can be viewed or edited as necessary. Information can be viewed by simply inspecting
the repository listings in the Repositories pane.
Use the Edit tool in the Repositories tab tool-bar to edit registered repositories.
Edit may only be used when the data or metadata repository is offline. See “Managing
Repository States” on page 116 for help in setting a filer’s offline/online status.
Simply select a repository listing under the toolbar, set the repository offline, and click
Edit in the tool-bar. The Edit Repository tab appears.
Edit the fields shown using the same instructions provided for registering repositories
using the Add Repository tab. Note that each repository type has different instructions;
see “Registering Data Repositories” on page 99 for details.
Importing Data and Metadata Repositories
Data and metadata repositories that have been un-registered and deleted from the
Kazeon Information Server, but not physically deleted from their host file systems, are
called orphans, and can be re-registered by importing them.
You cannot register an orphan metadata repository if its directory contains
previously active metadata files. To re-register previously-active, but currently-unregistered metadata repositories, use the Import option instead.
You may need to import data repositories or metadata repositories for two reasons:
• The cluster failed and must be re-configured.
  When a cluster fails, it may lose the mapping information for the registered
  repositories. If you backed up the cluster configuration, you can use the backup to
  restore the cluster. However, if you did not save configuration information, you will
  need to import the data repository or metadata repository back into the cluster.
• A data or metadata repository was removed and must be re-registered with the cluster.
Before importing an orphaned data repository, you must import the associated orphan
metadata repository first. Once an orphaned metadata repository has been imported,
its previously registered data repositories can be displayed and imported as well.
Note: After importing file systems, run the CLI command “show database”. If the results
show any database as “Database Upgrade Required” OR “Search Upgrade
Required”, then complete the filesystem’s metadata import by running the
command “/opt/openkaz/bin/post-install/post_scripts/POST030db” from a “root” login.
This may take several hours depending on the size of the metadata; do not close the
CLI window while this command is running.
To import a metadata repository
1. From the Web-Admin navigation pane under Repositories,
click Repository View; the Repositories pane appears.
From the Repositories pane toolbar, click Import.
The Import Repository tab opens.
2. Server: Enter the name of a server hosting an orphaned metadata repository.
3. Path/Share: Enter the pathname of the hosting server of the orphaned metadata
repository.
4. CIFS: Check this if the orphaned metadata repository was CIFS.
5. Identity: If you checked CIFS above, select an authorized identity from the drop-down menu to access the hosting server.
6. Click Import Metadata. The metadata repository is imported.
To import a data repository
After importing an orphaned metadata repository, the Import Repository tab re-draws
and displays a list of all data repositories previously associated with the orphaned
metadata repository.
7. Click to select all data repositories, listed under the toolbar, you wish to import.
8. Click either Import Selected, or Import All, in the toolbar, the orphaned data
repositories are imported.
When you return to the Repositories tab, the imported metadata repository and the
selected file systems will be listed as registered, online repositories.
Removing Repositories
Both data and metadata repositories can be removed from the Kazeon Information
Server cluster. However, before removing a metadata repository, all its associated data
repositories must be taken off-line first.
When removing a data repository, the associated metadata remains intact; however, the
system marks the metadata as “orphaned” because it is no longer mapped to a data
source.
WARNING!
Orphaned metadata should be removed using CLI command remove metadata,
see the Command Line Interface User Guide for more information.
If a repository is removed, and another repository with the same name is
subsequently added to the Kazeon Information Server, the server incorrectly
reassociates the orphaned metadata with the new repository. However, the id of
the newly added filer and the old metadata file will not match, and this causes
errors. In particular, this will cause migrated files to fail on recall or restore. To
prevent these errors, remove all orphaned metadata repositories as soon as
feasible, or do not reuse old filer names when registering new data repositories.
You can reassociate orphaned metadata with a data repository. To do this, first import
the orphaned metadata repository, then import the data repository into the cluster. For
more detail, see “Importing Data and Metadata Repositories” on page 112.
To remove a repository
1. On the Repositories tab, select a data repository listed under the toolbar.
2. Set it offline as described in “To change the state of a data repository” on page 117.
3. Wait for it to finish “quiescing”; use Refresh in the toolbar to check the data
repository status until it is reported “offline”.
4. Make sure the data repository is still selected, and click Delete on the tool-bar.
The IS1200 removes the repository from the cluster.
Removing all repositories
To remove all repositories (all data repositories and metadata repositories) from a
cluster and re-add them later (with or without an IS1200 version upgrade in between)
using the same, or different, metadata repositories, you must use the following steps:
1. Remove all repositories using the GUI or the CLI.
2. Issue the CLI command:
set primary-kazfs value 0
(see CLI Reference Guide for "set primary-kazfs").
3. Re-add the repositories using the standard procedures in the GUI or CLI.
Moving Metadata Repositories
Occasionally, when reorganizing repositories for maintenance reasons, it becomes
necessary to move a metadata repository (kazfs) to a new location. The following
procedure must be used to ensure the new metadata repository mountpoint is properly
updated in the IS1200.
1. Toggle all repositories supported by the metadata repository offline. See
“Managing Repository States” on page 116 for help changing repository states.
Before moving a metadata repository it must be taken offline. Metadata
repositories cannot be taken offline until all the data repositories they support are
also offline.
2. Toggle the metadata repository offline.
3. Move the metadata repository to its new location. (Do not delete the old/original
metadata repository until the last step of this procedure, otherwise the metadata
repository will be reported as “corrupt” in the next step.)
4. Import the metadata repository, and its associated data repositories, into the new
cluster. See “Importing Data and Metadata Repositories” on page 112 for details.
The metadata repository still shows the old mountpoint. This is because
mountpoints are recorded in the metadata repository, and the mountpoint
information was moved along with the repository. The mountpoint location must
be corrected before crawls using this new metadata repository can be done.
5. If the imported metadata repository is not offline (if it is reported as online,
corrupt, or any other state), toggle its state, and its datafs state, to offline. See
“Managing Repository States” on page 116 for help in changing file states.
6. Do one of the following:
  - From Web-Admin: Use Edit (from the tool-bar) to correct the mountpoint
    information. See “Editing and Viewing Registered Repositories” on page 111
    for help in editing a registered repository.
  - From a CLI command line: Use “update fs” to correct the mountpoint.
    For example: “update fs <mykazfs> mount <newMountPoint>”, where:
    • <mykazfs> is the reference name given to the metadata repository
      when the repository was registered
    • <newMountPoint> is the full pathname of the new mountpoint
7. Toggle the corrected metadata repository and data repositories back online.
8. Delete the original metadata repository.
Managing Repository States
When the Repositories pane is displayed, a listing showing currently registered data
repositories and metadata repositories including their state is shown under the toolbar.
A data repository or metadata repository can be in any one of the following states:
State             Description
Online            The repository is online and recognized on a specific node in the cluster. Applications and
                  services can use the repository on the node. However, the repository may not be online on
                  all the nodes in the cluster.
                  You must set metadata repositories online before you can set the data repositories online.
Offline           The data repository is offline. It is not mounted and is inaccessible to all processes.
                  A metadata repository cannot be set offline if its associated data repositories are online.
                  Before any filesystem is powered off for any reason, it should be taken offline first. No filer
                  should be un-exported, or un-shared, unless it is taken offline first.
Trying to Mount   The data repository is temporarily offline while efforts are being made to bring it online.
                  This state occurs when first starting a cluster or a node, or when trying to bring a data
                  repository online, and occasionally after upgrades. Waiting a few minutes and clicking the
                  tool-bar Refresh button usually results in status changing to Online.
Degraded          The data repository is temporarily offline because it cannot be reached but efforts are being
                  made to bring it online. Attempts to access it may fail.
Quiescing         The data repository is quiescing while being taken offline or removed. Quiescing lasts for a
                  minimum of 10 seconds and up to two minutes.
Corrupt           The data repository is corrupt and needs maintenance.
States of a repository can be changed from online to offline or from offline to online.
To change the state of a data repository
1. On the Repositories page, select a data repository from the listing under the
toolbar.
2. Do one of the following:
  - If the data repository is currently listed as “online”,
    click Offline in the toolbar to toggle it offline.
  - If the data repository is currently listed as “offline”,
    click Online in the toolbar to toggle it online.
The page reflects the change in status.
Chapter 11:
Policies: Classification Extraction and Assignment Rules
This chapter discusses creating classification instructions called Extraction and
Assignment rules, and the general use of rules and rule sets.
Topics are as follows:
• “Classifying Files Using Classification Rules”
• “Optimizing Classification of Large Files”
• “About Classification Rules and rule sets”
• “Using Extraction Rules”
  - “Creating an Extraction Rule”
  - “Using Regular Expressions in Extraction Rules”
  - “Using RegEx to Set Configuration Properties from the GUI”
• “Using Assignment Rules”
  - “Creating an Assignment Rule”
• “Creating and Managing Rule Sets and Rules”
  - “Moving Rules Between Rule Sets”
  - “Changing the Listing Order of Rules in Rule Sets”
Classifying Files Using Classification Rules
Data is information recorded in files on data repositories (file servers). Metadata is
data that describes data. File type, file path, and creation date are some examples of
metadata. Metadata can be used to select files you may wish to view, create, modify,
copy, move, or delete. You can also use metadata to group files and to assign them to
policy groups. For information on policy groups, see “About Policies and Policy
Groups” on page 142.
There are two basic types of metadata, standard and custom. Standard metadata is file
data such as file type, file size, and file path: attributes that every file has.
Custom metadata is user-defined and generally used to identify files containing
information important on a customer-specific basis. For example, custom metadata
may identify files that contain or match digit patterns like social security numbers, or
files that contain specific part numbers, or phrases like “confidential” or “private”.
Classification rules define what kind of phrase or pattern should be matched, and how
those matches are recorded as metadata.
Classification rule pattern matching is done on chunks of file data, and chunks are
determined by delimiters on a filetype basis. For example, text files are chunked by
lines or paragraphs, whereas spreadsheet files may be delimited by cells, rows, or
columns.
Note:
If the pattern (to match) defined in a classification rule falls across a file’s natural
delimiters, the classification rule may yield a false negative and not record
appropriate metadata for the file.
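The false negative described in this note can be reproduced with a short script. This is an added example, not Kazeon code: the rule pattern, the two chunkers, and the sample text (constructed, using well-known invalid SSN values) are assumptions chosen to show how the same rule behaves under line and paragraph delimiters.

```python
import re

# Assumed rule pattern (not a Kazeon default): SSN-like digits whose groups
# are separated by a hyphen or any whitespace, including a line break.
SSN_RULE = re.compile(r"\b\d{3}[-\s]\d{2}[-\s]\d{4}\b")

# Constructed sample: the second number is hard-wrapped across two lines.
SAMPLE = (
    "Employee record\n"
    "SSN on file: 078-05-1120\n"
    "Spouse SSN (from scanned form): 219 09\n"
    "9999 verified by HR\n"
    "\n"
    "No identifiers in this paragraph.\n"
)


def chunk_by_line(text):
    """Yield (start_offset, chunk) for each line, delimiter excluded."""
    pos = 0
    for line in text.split("\n"):
        yield pos, line
        pos += len(line) + 1


def chunk_by_paragraph(text):
    """Yield (start_offset, chunk) for each blank-line-separated paragraph."""
    pos = 0
    for para in text.split("\n\n"):
        yield pos, para
        pos += len(para) + 2


def scan_chunks(text, rule, chunker):
    """Apply the rule to each chunk independently; return (offset, match) pairs."""
    hits = []
    for start, chunk in chunker(text):
        for m in rule.finditer(chunk):
            hits.append((start + m.start(), m.group()))
    return hits


def missed_at_boundaries(text, rule, chunker):
    """Matches present in the unchunked text that per-chunk scanning never reports."""
    whole = [(m.start(), m.group()) for m in rule.finditer(text)]
    seen = set(scan_chunks(text, rule, chunker))
    return [hit for hit in whole if hit not in seen]


if __name__ == "__main__":
    print("line chunks find:     ", scan_chunks(SAMPLE, SSN_RULE, chunk_by_line))
    print("line chunks miss:     ", missed_at_boundaries(SAMPLE, SSN_RULE, chunk_by_line))
    print("paragraph chunks miss:", missed_at_boundaries(SAMPLE, SSN_RULE, chunk_by_paragraph))
```

Running a new rule through a check like `missed_at_boundaries` on representative sample documents shows whether the pattern depends on text that the file type's delimiters will split.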
The Kazeon Information Server extracts and records metadata as tag-value pairs, such
as Department = “Marketing” or Department = “Engineering” (in this example the tag
is “Department” with two values “Marketing” and “Engineering”). Classification
services automatically scan files for standard metadata, and can also be set to scan
for customer-specific metadata by looking for specific keywords such as “Marketing”
or “Engineering” or other conditions defined in classification rules.
Classification rules tag files that match the rule definitions with tag and value pairs
defined in the rule. Additionally, you can assign files to policy groups based on
metadata. Once files are classified, you can use the metadata to search for information
and create reports that audit user actions and report on network storage.
Note:
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
Metadata is extracted and recorded during three types of classification:
• Basic classification
• Deep classification
• Metadata classification
Basic Classification
A basic classification reads files on file systems and extracts (standard) file system
metadata, such as file type and file path, for each file and stores it in the metadata
repository. Based on metadata, you can search for files and create storage distribution
and audit reports.
Deep Classification
The first time a deep classification runs, it reads the textual contents of files and
extracts custom metadata based on classification rules. The system uses the metadata
to tag files, assign files to policy groups, and apply policies to filter search results
when users search file systems or CAS devices for information. For subsequent deep-classification service runs, the system classifies new and modified files to extract new
metadata, and applies new or updated policies and rules.
For example, to group all salary records under Payroll, assign all files tagged as Salary
Record to the Payroll policy group. The system then applies all authorization and
logging policies associated with the Payroll policy group to those files. For
information on policy groups, see “About Policies and Policy Groups” on page 142.
You can also use metadata tags to search file systems for information. For example,
use metadata such as FileType to search for Microsoft Word documents, or search for
information using custom metadata you created. In addition, use the FullText
extraction rule to extract the full file contents of each file and create a full-text Search
index. Use full-text index to search for files using terms or phrases from file contents.
Note:
Some files do not yield useful full-text search indexes using the standard parser.
An additional parser is available to extract full-text from files using a Unix
“strings” parser that may provide better results. See “Creating Full-text Indexes
with the Optional Parser” on page 134 for more information on how to designate
which file types should use this optional parser.
Kazeon Object Data Model
Objects deep classified by the IS1200 are classified into the following categories:
• File: Objects residing on a file system or non-email objects on Enterprise Vault.
  Physical container objects such as ZIP, TAR and PST.
• Embedded File: Objects that are not emails and reside inside a container object
  such as ZIP, TAR, gz etc.
• Email: Emails residing on file systems as MSG or EML files, or emails on MS
  Exchange, or Enterprise Vault.
• Embedded Email: These are email objects residing inside PST or NSF files,
  including EML or MSG files residing inside a ZIP/TAR/... file container.
• Email Attachment: Every sub-object of an email, or embedded email object, is
  an email attachment (attachments which are also emails are marked as email
  attachments).
The metadata displayObjectType receives these categorizations using the values:
file, embedded file, email, embedded email, and email attachment.
These are set as text and indexed in the search schema, and as such the Display Type
can be displayed in results by both Web-Search and Web-Reports.
Metadata Classification
During a metadata classification, the system reads the metadata repository and uses
the existing metadata as the basis to add new tags. For example, the metadata FileType
is always collected during basic classification, and if you have already crawled a file
system for all files containing “XYZ Corp”, you could create a new metadata tag for
all XYZ Corp files of filetype Microsoft Word, Excel, or Outlook (email).
During a Metadata Classification, the IS1200 updates the metadata repository by
refreshing the Search Index with the old (pre-existing) tags and the new (metadata
classification generated) tags. This requires re-parsing each file to access its fullText.
You can use metadata classification after you create new, or update old, assignment
rules. Because metadata classification only applies to existing metadata, a basic or
deep classification service must be run at least once before running a metadata
classification service. For information on assignment rules, see “Using Assignment
Rules” on page 129.
Metadata Extracted by Classification Service
Table 10 lists the different types of classification services and the metadata extracted
during each type of classification service.

Table 10  Types of Classification Services

File System             Classification Type   Description
NFS and CIFS            Basic                 Parses files to extract the following file system metadata:
                                              • CASID: A system-generated unique ID for each file on
                                                the file system.
                                              • DocType: The file type such as Adobe Acrobat (PDF),
                                                text, and Word.
                                              • File properties such as file name, user name, group
                                                name, and permissions.
                                              An optional assignment rule set may be specified.
NFS and CIFS            Deep                  Parses files to extract file system metadata as well as
                                              custom metadata that is based on extraction rules and
                                              assignment rules.
                                              Extracts full contents of files based on the FullText
                                              extraction rule.
NFS and CIFS Metadata   Metadata              Updates the metadata with new and modified assignment
Repository                                    rules. Before you run a metadata classification, you must
                                              run a basic or deep classification service at least once to
                                              extract metadata.
Basic classifications only extract file system metadata. Deep classifications can
extract custom metadata in addition to file system metadata. Extracting custom
metadata entails setting up extraction rules to parse for the custom metadata. After a
new install, a few general basic extraction rules (in rule sets) are automatically
available for use during deep classifications to extract obvious search possibilities
such as files marked confidential, or files containing sensitive information like social
security numbers. For non-obvious metadata—metadata that is important to only you
or your company’s specific operations—custom extraction rules must be created. See
“Using Extraction Rules” on page 128 for information on creating your own
extraction rules.
For lists of the standard file system metadata and optional metadata the IS1200 is
designed to look for, see “Default Metadata Tags / Search Schema” on page 359.
Optional metadata includes information such as the Microsoft Office fields file author
and owner, music file information like ID3 tags, and image file information like the
IPTC tags in JPEG files.
Classification Service Management
A classification service can be run immediately or at specified time intervals. For
information on scheduling a classification service, see “The Job Manager page” on
page 174.
Because users can delete files from file systems, it is recommended that you
synchronize the metadata repository with your registered file systems to ensure that all
deletions are reflected in the metadata repository. For more information, see
“Scheduling a Metadata Synchronization” on page 201.
Optimizing Classification of Large Files
Deep classification of large files (2GB or more) can slow down the classification
process, especially when extracting full text. Computing file content hash to identify
duplicate files also slows down performance. To avoid impacting system performance,
the IS1200 provides configuration options to limit the amount of data classified.
When you configure the cluster or before you classify a file system, you can choose to
set configuration options to:
• Limit the size of fulltext: Limit the size of text extracted from a file.
• Partial classification: Classify a portion of the file rather than the whole file.
• Classify the index text header: Classify only the header for files containing a
text header followed by binary data.
• Compute a partial hash: Computing the file content hash is used primarily for
identifying duplicate files, and can be done on a portion of the file rather than the
whole file. Optionally, you may also set the maximum file size to compute by file
extension type.
• Resetting Minimum/Maximum file classification time-outs: To prevent unduly
long individual file classification times, minimum and maximum classification
time limits are set in the parser configuration files. These can be changed by
support personnel.
You can set most of these configuration options using CLI commands described
below. For a complete description of these commands, see the Kazeon Information
Server IS1200 - Command Reference Guide.
Limiting the Size of Extracted Full-text
You can define the amount of text, in bytes, to extract from files as searchable text.
The default value is 10MB. All text greater than the specified size is not included in
the searchable text. However, the system will still process all the text for extraction
rules.
Use the following CLI command:
add extraction-rule ruleName regex * field fulltextLimit format 1000000
where ruleName is the name of the extraction rule.
Partial Classification
You can set limits on how much data is read from a given file. For example, you can
classify only the first 2MB of data. This would include extracting text from the first
2MB of the file and applying extraction rules only to the text contained in the first
2MB of the file.
To specify this limit, use the following CLI command:
add extraction-rule ruleName regex * field textLimit format 2000000
where ruleName is the name of the extraction rule.
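The two limits above differ in detection coverage: fulltextLimit only shortens the searchable text, while textLimit also hides the rest of the file from extraction rules. The following added example (not Kazeon code) models both limits as these two sections describe them; the function and field names, the scaled-down limit, the sample documents and the SSN-style pattern are all constructed for illustration.

```python
import re

# SSN-style pattern of the kind the guide's extraction rules look for (illustrative)
SSN = re.compile(rb"\d\d\d-\d\d-\d\d\d\d")


def classify(data, fulltext_limit=None, text_limit=None):
    """Model one deep classification pass over a file's text.

    text_limit     - bytes read from the file at all (partial classification)
    fulltext_limit - bytes kept as searchable text; rules still see everything read
    """
    read = data if text_limit is None else data[:text_limit]
    searchable = read if fulltext_limit is None else read[:fulltext_limit]
    return {
        "bytes_read": len(read),
        "searchable_bytes": len(searchable),
        # Would an extraction rule tag this file?
        "ssn_tagged": SSN.search(read) is not None,
        # Would a full-text search for the value itself find it?
        "ssn_in_fulltext": SSN.search(searchable) is not None,
    }


def make_document(ssn_offset, size=3000):
    """Constructed sample: filler text with one SSN-style value at ssn_offset."""
    body = bytearray(b"x" * size)
    value = b"123-45-6789"
    body[ssn_offset:ssn_offset + len(value)] = value
    return bytes(body)


LIMIT = 2000  # scaled-down stand-in for values such as 2000000 in the CLI examples

NEAR_START = make_document(ssn_offset=100)     # value well inside the limit
DEEP_IN_FILE = make_document(ssn_offset=2500)  # value lies wholly past the limit
ON_BOUNDARY = make_document(ssn_offset=1995)   # value straddles the limit

if __name__ == "__main__":
    for name, doc in (("near start", NEAR_START),
                      ("deep in file", DEEP_IN_FILE),
                      ("on boundary", ON_BOUNDARY)):
        print(name, "fulltextLimit:", classify(doc, fulltext_limit=LIMIT))
        print(name, "textLimit:    ", classify(doc, text_limit=LIMIT))
```

With textLimit, a file whose sensitive content sits past (or across) the limit is never tagged, so it is also never assigned to a policy group by that rule.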
Classifying Index Text Header
Certain file types may have a text header containing useful information followed by
binary data. You can classify only the text portion of the file using the following CLI
command:
add extraction-rule ruleName regex * field exitOnBinary format 1
where ruleName is the name of the extraction rule.
Computing Partial Hash
You can specify the maximum file size to use when making a hash computation. Hash
computations are used primarily for identifying duplicate files. The default behavior is
to compute the digest based on the entire file. Setting the partial hash value to n bytes
will compute the hash based on the first n bytes of the file. This is particularly useful
with large files and avoids reading the entire file just to compute the content hash.
If a crawl is defined using full-hash, or a large partial-hash value, and takes too long as
a result, a smaller partial-hash value can be used to improve (decrease) crawl times.
WARNING! Hash values must remain consistent from crawl to crawl; otherwise,
unexpected results can occur with other processes (for instance,
identifying file duplicates) that use the computed hash-values. If a file
system is initially crawled with one hash-value and subsequent crawls
require a hash-value change, all metadata for that file system should be
removed before doing the subsequent crawls to ensure all files are rehashed with the new hash-value.
Use the following CLI command to set hash parameters.
set partial-hash file-extension default file-size 1000
where the value associated with file-extension (default in the example above)
is the word default for all extensions (or files without extensions), or any valid file
extension suffix, like pdf or txt,
and the value associated with file-size is a number in kilobytes (1000 in the
example above) defining the maximum file length to use when computing the hash, or
the word full-size to reset hash computations to using the entire file.
For example:
set partial-hash file-extension pdf file-size 1500
would set the default hash value for files with the extension pdf to 1500 kilobytes.
You can also set multiple hash file sizes by extension by using the following CLI
command.
set partial-hash multiple-extensions file-list
where file-list is a space-separated list of “file-extension=file-size” pairs enclosed
in double quotes.
For example:
set partial-hash multiple-extensions "pdf=1000 txt=2000 default=full-size"
You can use show partial-hash to show a list of current hash settings.
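The WARNING above has two practical consequences: a partial hash reports files as duplicates when they merely share their first n bytes, and hashes stored under one partial-hash size cannot be compared with hashes computed under another. The following added example (not Kazeon code) shows both on constructed data; it assumes SHA-256 and 1 KB = 1024 bytes, neither of which the guide specifies, and the function names are hypothetical.

```python
import hashlib
import io
from collections import defaultdict

KB = 1024  # assumption: the guide does not say whether a kilobyte is 1000 or 1024 bytes


def content_hash(stream, limit_kb=None):
    """SHA-256 of the first limit_kb kilobytes of stream, or of all of it when None.

    SHA-256 is an assumption; the guide does not name the digest the IS1200 uses.
    """
    digest = hashlib.sha256()
    remaining = None if limit_kb is None else limit_kb * KB
    while remaining is None or remaining > 0:
        want = 64 * KB if remaining is None else min(64 * KB, remaining)
        chunk = stream.read(want)
        if not chunk:
            break
        digest.update(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return digest.hexdigest()


def duplicate_groups(files, limit_kb=None):
    """Group file names whose (possibly partial) content hash is identical."""
    by_hash = defaultdict(list)
    for name, data in files.items():
        by_hash[content_hash(io.BytesIO(data), limit_kb)].append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


def mixed_crawl_matches(data, old_kb, new_kb):
    """True if a hash stored by an earlier crawl (old_kb) still equals the hash
    a later crawl (new_kb) computes for the same, unchanged bytes."""
    return (content_hash(io.BytesIO(data), old_kb)
            == content_hash(io.BytesIO(data), new_kb))


# Constructed sample data: archives that share a 1000 KB header and differ in the tail
SHARED_HEAD = bytes(range(256)) * 4 * 1000          # exactly 1000 KB
FILES = {
    "q1-archive.bin": SHARED_HEAD + b"payroll Q1" * 100,
    "q2-archive.bin": SHARED_HEAD + b"payroll Q2" * 100,   # different content
    "q1-copy.bin":    SHARED_HEAD + b"payroll Q1" * 100,   # true duplicate of q1
}

if __name__ == "__main__":
    print("full hash:      ", duplicate_groups(FILES))
    print("partial 1000 KB:", duplicate_groups(FILES, 1000))
    print("1000 KB vs 1500 KB match:",
          mixed_crawl_matches(FILES["q1-archive.bin"], 1000, 1500))
```

Files shorter than the configured size are hashed in full either way, so only files longer than the smaller of the two settings are affected by a change.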
Resetting Minimum/Maximum file classification time-outs
Occasionally, due to file corruption or extremely large aggregate files (.zip, etc.), the
crawl procedure is trapped in a loop and cannot complete classifying a file. Default
per-file minimum and maximum classification time limits are set for individual files to
prevent corrupted or aggregate files from unduly lengthening crawl times. The
minimum and maximum per-file classification time limits can be changed by editing
the parser configuration files. Should you need to do this, contact your Kazeon
support person.
Specifying a Kazeon URL
When extracting or classifying data, you must specify the Kazeon URL for the
location of the data files. The Kazeon URL is the relative path to the mount point
where the data files reside. You specify the Kazeon URL as follows:
file://fileSystem/directory
where
fileSystem is the name of the mounted file system.
directory is the directory on the file system where data resides.
When you perform a search or create a report, the system lists the Kazeon URL in the
search results or the report output as follows:
For file systems: file://fileSystem/fileNameandFileType
Example: file://NS1/abc.doc
About Classification Rules and rule sets
The Kazeon Information Server provides the following types of classification rules:
• Extraction rules. Extract custom metadata based on file contents, tag files, and
assign files to policy groups during deep classification.
• Assignment rules. Tag files and assign files to policy groups based on existing
extracted metadata. The system can apply assignment rules when running either a
basic or deep classification, or a metadata classification service.
You can also deep-classify your files using actionable services. For information
on actionable services, see the Kazeon IS1200 Web-Search User Guide and the
Kazeon IS1200 Web-Reports User Guide.
A rule set is a collection of rules. A rule set can contain either extraction rules or
assignment rules. Rule Sets allow you to specify different sets of assignment rules and
extraction rules for each classification job that you schedule. You must create a rule
set before you create the associated rules. The system will not allow you to delete a
rule set that still contains current rules. You must delete the rules first.
Note:
Rules within a rule set cannot share the same name. If you create a new rule with
the same name as an existing rule, it replaces the existing rule.
Figure 4 illustrates the relationship between rules and rule sets.
Figure 4: Classification Rules (diagram of an assignment rule set containing Assignment Rule1, Rule2 and Rule3, and an extraction rule set containing Extraction Rule1, Rule2 and Rule3)
Named Rule Sets
A named rule set is any rule set you create and name. Named rule sets allow you to
create rule sets tailored to your organization’s business policies. For information on
creating a named rule set, see “To create a rule set” on page 131.
Default Rule Sets
To automatically assign new rules to a particular rule set, specify a default rule set.
Each rule set type, assignment and extraction, has a default rule set. If no particular
rule set is selected when a new rule is added, the new rule becomes a member of the
appropriate default rule set.
To make any assignment or extraction rule set the default rule set, simply select that
rule set and click the Make Default button in the tool-bar.
Whenever the Job Scheduler is used to schedule a new classification service, both an
extraction and an assignment rule set must be specified for that service. The default
assignment and extraction rule sets are automatically entered in the appropriate Job
Scheduler page fields.
Note:
It is recommended to explicitly specify rule sets when a classification job is
scheduled. Otherwise, if a rule set is changed between recurring classification jobs,
the system uses the changed rule set during the next classification run and the
classification may yield unexpected results. For information on scheduling
classification, see “The Job Manager page” on page 174.
Create and use named rule sets to specify rule sets for classification jobs. For example,
you can specify extraction rule set A and assignment rule set B as the rule sets for
deep classification job 1. For deep classification job 2, you can specify extraction rule
set C and assignment rule set D as the rule sets. Both these classification jobs can run
simultaneously using different rule sets to extract metadata, tag files, and assign files
to policy groups.
Initial Rule Sets
Kazeon provides two separate rule sets, both named Initial, for assignment rules and
extraction rules. The Initial rule set for extraction rules contains the FullText
extraction rule that allows extracting the full contents of a file during deep
classification. You can copy the FullText extraction rule to other rule sets. To do this,
use the CLI to save a copy of the Initial rule set as a new named rule set. For the
appropriate CLI command, see the Kazeon Information Server IS1200 Command
Reference Guide.
Sample Extraction Rule Set
Kazeon also provides a sample extraction rule set named sampleruleset that consists
of several pre-defined extraction rules for extracting Kazeon-configured metadata.
The sample rule set contains rules for extracting metadata for some widely used words
such as “Email” and “Confidential”. To use Kazeon-configured metadata, you specify
this rule set during deep classification. If you do not need this rule set, you can delete
it. For more information on Kazeon-configured metadata, see “Default Metadata Tags
/ Search Schema” on page 359.
Using Extraction Rules
Extraction rules are used to extract custom metadata from file contents and to tag files
during deep classification.
The system provides a default extraction rule named FullText to extract full file
contents. The FullText extraction rule is included in the Initial extraction rule set to
create a full-text index. However, you can delete the FullText extraction rule or copy it
to multiple named rule sets.
Note:
While extraction rules add tags to files, those tags are not searchable unless
deliberately added to the Search Schema. See “Using ‘set schema’ to Add Tags to
Kaz Schema” on page 250 for details.
Use extraction rules to tag files according to content or other criteria, and to assign
files to policy groups. For example, you can create an extraction rule that tags all files
containing the keyword “Clause” (adding a tag/value pair such as clause=yes) to
group them in the contracts category, and assign them to the Contracts policy group.
Extraction rules can also match patterns such as digit sequences that match social
security numbers, phone numbers, or other account numbers and extract those patterns
from a file. These keywords and patterns can be used when searching for information
and creating reports. Extraction rules can use regular expressions to tag files. See
“Using Regular Expressions in Extraction Rules” on page 133 for more information.
By default, extraction rules are applicable to all files and file types. However, you can
elect to apply rules to specific directories or file types. For example, you can create rules
that apply only to a specific file type, such as word processor documents, or only to files
residing in certain locations.
Using Assignment Rules
Assignment rules are used to tag files with metadata, and to assign files to policy
groups. When files are assigned to a policy group, the authorization policies
associated with the policy group filter are used to filter search results so only
authorized users can view group files. Logging policies associated with the policy
group log actions on files. You can create reports to view user actions as well.
Assignment rules specify one or more file content conditions on the basis of which files are
tagged and assigned to policy groups. The conditions used and the resultant tags are
both metadata. Conditions specified must be based on existing metadata. Assignment
rules can use custom metadata or any of the following native metadata to tag files:
Table 11
Native Metadata Supported in Assignment Rules
Native Metadata
atime
CasID
ctime
Date
FilePath
FileSize
GroupName
mtime
OwnerName
Assignment rules use a custom Kazeon query language (KQL) to tag files and assign
them to policy groups. For more information, see “Creating KQL Queries” on
page 135.
For example, you can specify that any file containing the term “SEC 17-a” must have
the “Compliance” tag set to “Yes” (Compliance=‘Yes’). The term “SEC 17-a” must
already exist in the metadata repository because it is the condition on which the
assignment rule is based. The term “Compliance” is metadata that may or may not
exist in the metadata repository. If it does not exist in the metadata repository, then the
system adds it to the repository when the assignment rule is evaluated.
Based on criteria such as location, type, or content you can assign files to multiple
policy groups. During basic or deep classifications, and metadata classification, the
Kazeon Information Server can associate any document to a specified policy group.
You can update or create assignment rules during metadata classification and deep
classification.
Note:
Use extraction rules to assign files to policy groups.
For information, see “Using Extraction Rules” on page 128.
For information on classification, see “Classifying Files Using Classification Rules”
on page 120 and “The Job Manager page” on page 174.
You can create your own assignment rule sets or you can use the Initial rule set that the
system provides. You can also copy assignment rules from one rule set to another.
When to Use Extraction or Assignment Rules
While you can assign files to policy groups using both extraction rules and assignment
rules, consider the following guidelines before using one or the other:
• Use extraction rules to assign files to policy groups during the process of
extracting metadata. This allows skipping the creation of assignment rules.
However, implementing extraction rules takes longer than using assignment rules
because a deep classification is necessary before using extraction rules.
• Use assignment rules if the primary task is to tag files based on existing metadata
or to assign files to policy groups. Assignment rules allow using complex KQL
queries to tag and assign files. Also, using assignment rules saves time because
they can be applied during a metadata classification service, which is faster than a
deep classification service.
You can group extraction and assignment rules into rule sets. For information on rule
sets, see “About Classification Rules and rule sets” on page 126.
Creating and Managing Rule Sets and Rules
All rules are stored in rule sets. Consequently, rule sets must be created before creating rules.
To create a rule set
1. From the Web-Admin navigation pane under Policies & Rules,
click Advanced Rules. The Policies pane appears.
2. Click one of the two tabs:
• Extraction Rule Set: to add (work with) extraction rule sets
• Assignment Rule Set: to add (work with) assignment rule sets
3. From the Rule Set List (top) toolbar, click Add Rule Set.
One of the two following dialogs appears.
4. Enter values for the following fields:
• Name. Enter a name for the rule set. The keyword “all” may not be used.
• Description. Optionally, enter a brief description of the rule set.
• Make Default. Select this box to make this the default rule set.
See “Default Rule Sets” on page 127 for more information.
• Add. Click to create the rule set. The new rule set is added to the Rule Set List.
• Cancel. Click to close the dialog.
Note:
If an existing rule name is added to a rule set, the new rule overwrites the first.
To delete a rule set
1. On the Policies pane, click either the Extraction Ruleset or Assignment Ruleset tab.
2. From the Rule Set List, select a rule set.
The system displays the associated rules in the Rule List for Rule Set listing.
3. Delete all rules associated with the rule set.
4. From the Rule Set List toolbar, click Delete Rule Set.
The system deletes the rule set from the Rule Set List.
Creating an Extraction Rule
To create an extraction rule, do the following:
1. From the Web-Admin navigation pane under Policies & Rules, click Advanced
Rules. The Policies pane appears.
2. On the Policies pane, select the Extraction Ruleset tab.
3. From the Rule Set List, select a rule set to add the extraction rule to.
4. From the Rule List for Rule Set (bottom) tool-bar, select Add Rule.
The Add Extraction Rule dialog appears.
5. Enter values for the following fields:
• Name. Enter a name for the extraction rule. Spaces are not allowed. The
keyword “all” may not be used as a rule name.
• Regular Expression. Enter a regular expression or keyword. See
“Using Regular Expressions in Extraction Rules” on page 133 or
“Regular Expressions (RegEx)” on page 351 for more information.
• Metadata Field. Enter a new field name or select an existing field in the
Search schema to populate with the metadata value, cannot exceed 48
characters.
Note:
In versions 2.1.6 or 2.1.4 or lower, metadata Field names (or tags) may not be
SQL database reserved words such as “select”, “from”, or “case”.
• Metadata Value. Enter a value, including boolean expressions, for the
metadata tag to find.
Note:
Date information stored in metadata values (in a metadata tag-value pair) must
match certain formats to be indexed properly and be searchable. See “Date Format
Requirements” on page 296 for more information.
• Rule Set. Should already be entered, if not, enter an existing rule set name.
• Description. Optionally, enter a brief description for the rule.
• Repository. Enter a repository filepath to limit the rule to.
• Type. Select a file type from the drop-down list to limit the rule to.
• customize search schema. Select to add the new tag to the search
schema, this puts the new tag in future search menus. The dialog
box displays.
6. Add. Click to add the new extraction rule,
the new rule appears in Rule List for Rule Set.
7. Cancel. Click to close the dialog.
Using Regular Expressions in Extraction Rules
You can use regular expressions in extraction rules to match patterns such as a
sequence of digits resembling a social security number or an account number to
extract those digit patterns from a file.
Using RegEx to Set Configuration Properties from the GUI
Regular Expressions provide a “shortcut” for setting properties in some configuration
files, for example, setting properties in the parser.config file. The fullText rule
in the FullTextRuleSet (a standard rule set under the Policies tab) is another example
of using RegEx to set a property value.
If the Regular Expression field in the Add Extraction Rule dialog box is set to “*” (an
asterisk) then the rest of the fields in that dialog are interpreted as property settings.
Generally, setting properties through RegEx expressions in extraction rules is
recommended over editing the parser.config file because extraction rules are
retained during upgrades, while the config files are overwritten with default values.
Examples of setting properties with Regular Expressions follow.
Creating Full-text Indexes with the Optional Parser
Some files do not yield useful full-text search indexes using the standard parser. An
additional parser is available to extract full-text from files using a unix “strings”
parser that may provide better results.
To handle this situation, create a standard extraction rule with the following fields:
1. In the Regular Expression field, enter an asterisk (*).
2. In the Metadata Field, enter “bestEffortExtensions”.
3. In the Metadata Value field, enter a comma-separated list of extensions to apply the
optional parser to.
4. Click Add and when the dialog appears, check Indexed.
Creating an Assignment Rule
To create an assignment rule, do the following:
1. From the Web-Admin navigation pane under Policies & Rules,
click Advanced Rules. The Policies pane appears.
2. On the Policies pane, select the Assignment Ruleset tab.
3. From the Rule Set List, select a rule set to add the new assignment rule to.
4. From the Rule List for Rule Set (bottom) tool-bar, select Add Rule.
The Add Assignment Rule dialog appears.
5. In the left pane, enter values for the following fields:
• Name. Enter a name for the rule. The keyword “all” may not be used as a
rule name.
• Description. Enter a description for the rule.
• Query. Enter the KQL query to tag files or assign files to policy groups. For
more information, see “Creating KQL Queries” on page 135.
• customize search schema. Select to add the new tag to the search
schema, this puts the new tag in future search menus. The dialog
box displays.
6. Add. Click to add the new rule, the new rule appears in Rule List for Rule Set.
7. Cancel. Click to close the dialog.
Creating KQL Queries
For a complete discussion of KQL, see “Kazeon Query Language (KQL)” on page 343.
Assignment rules use a custom Kazeon query language (KQL) to tag files and assign them
to policy groups. KQL uses the SET expression and the WHERE condition to tag files.
Note:
You cannot use the SET expression with file system metadata such as Owner or
FilePath. You can specify file system metadata values using the WHERE condition.
KQL Query Format
The KQL query has the following format to tag files:
SET field = expressionValue, ...* [WHERE condition]
where:
field is the name of a metadata field in the metadata repository that is mapped to a
specific file. A field can be any file-system, kazeon-configured, or custom metadata.
You use these metadata fields to search the file system for information and to create
reports. For a list of file system and kazeon-configured metadata, see “About Kaz
Schema” on page 244.
expressionValue is a computed expression string. You can specify multiple
expression strings using the comma delimiter.
...* denotes multiple comma-delimited occurrences of fields and expression values.
The WHERE condition specifies when to tag the files.
When you use a conditional expression, as in the WHERE clause, you can compare the
expression to other expressions using the following operators:
=, <, >, +, <=, >=, <>
Note:
All values in KQL are treated as strings. String constants must be placed between
single quotes or double quotes; examples in this document use single quotes. The
keywords true and false are equivalent to ‘1’ and ‘0’ respectively.
You can combine logical expressions using the AND, OR, and NOT boolean operators.
Expressions can use the following functions:
• concat (expression1, expression2, ...): returns the result of concatenating the
component expressions together.
The following example concatenates three expressions to return values for the
phoneNo field.
set phoneNo = concat (AreaCode, '/', localPhoneNo)
• locate (target, test): returns the position in the target string of the first match of the
test string, beginning at 1 and returning 0 if not found.
The following example tags all PowerPoint files that Smith created.
set Department = "Marketing" where locate (Author, "Smith") > 0 and locate (DocType.FileType, "PowerPoint") > 0
• replace (keyword1, keyword2, keyword3): In the first keyword, all occurrences of
the second keyword are replaced with the third keyword.
The following example replaces John Smith with Mary Jones as the Author.
set Author = replace (Author, 'John Smith', 'Mary Jones') where Department = "Marketing"
Note:
When you create a KQL query using the CLI, enclose the query in either single
quotes or double quotes. For example:
"set Author = replace (Author, 'John Smith', 'Mary Jones') where Department = 'Marketing'"
You do not need to enclose queries in quotes when you create them using the GUI.
KQL Examples
The following are some examples of using KQL to assign metadata tags and policy
groups to files:
• To tag salary records as confidential files:
set visibility = "confidential" where department = "Payroll" AND document = "salary records"
• To assign salary records to a policy group named TopSecret:
set PolicyGroups.TopSecret = true where visibility = "confidential"
See “Policy Groups” on page 345 for more details.
• To tag files that contain social security numbers:
set SSN = true where locate (FullText, "(\d\d\d-\d\d-\d\d\d\d)") > 0
• To use the OR operator to group under the Marketing department all PowerPoint
and Word documents that Smith created:
set Department = "Marketing" where locate (Author, "Smith") > 0 AND locate (FileType, "PowerPoint") > 0 OR locate (FileType, "Word") > 0
Note:
When a metadata value is a string, you need to enclose it within double quotes. Do
not use quotes if the value is true or false.
For information on policy groups, see “Maintaining Policy Groups” on page 143.
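The social security number rule in the KQL examples above tags any text that contains the digit pattern, including longer identifiers that merely contain it. The following added example (not Kazeon code) models locate() as this chapter describes it, treating the test string as a regular expression as the SSN example implies, and runs the rule over constructed records. The bounded pattern is Python re syntax and the record contents are invented; this guide does not say whether the IS1200 regular expression engine accepts lookarounds.

```python
import re

# Pattern from the KQL example in this chapter
PAGE_SSN = r"(\d\d\d-\d\d-\d\d\d\d)"
# Illustrative stricter variant: the match may not touch another digit or hyphen
BOUNDED_SSN = r"(?<![\d-])(\d{3}-\d{2}-\d{4})(?![\d-])"


def locate(target, test):
    """Model of KQL locate(): 1-based position of the first match, 0 if none.

    Assumption: 'test' is evaluated as a regular expression.
    """
    match = re.search(test, target)
    return match.start() + 1 if match else 0


def apply_ssn_rule(records, pattern):
    """Model of: set SSN = true where locate(FullText, pattern) > 0"""
    tagged = []
    for record in records:
        result = dict(record)
        if locate(record["FullText"], pattern) > 0:
            result["SSN"] = "1"  # KQL values are strings; true is equivalent to '1'
        tagged.append(result)
    return tagged


def files_tagged(records, pattern):
    """Names of the files the rule would tag with SSN."""
    return [r["FileName"] for r in apply_ssn_rule(records, pattern)
            if r.get("SSN") == "1"]


# Constructed sample metadata records (not real data)
RECORDS = [
    {"FileName": "hr-form.txt",
     "FullText": "Employee SSN: 123-45-6789 on file"},
    {"FileName": "invoice.txt",
     "FullText": "Part no. 4471-902-11-45018 shipped"},
    {"FileName": "notes.txt",
     "FullText": "Conference bridge 555-0100, room 12-34"},
]

if __name__ == "__main__":
    print("page pattern:   ", files_tagged(RECORDS, PAGE_SSN))
    print("bounded pattern:", files_tagged(RECORDS, BOUNDED_SSN))
```

Because files tagged by such a rule can be assigned to a policy group, a false match changes who can see the file in search results as well as cluttering reports.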
Moving Rules Between Rule Sets
Rules can be copied between rule sets, or to new rule sets, as needed to create special
purpose rule sets for unique classification job requirements. Rules are copied using a
“drag and drop” procedure that places a copy of the selected rule in the destination, or
new, rule set, and leaves behind the original rule in the original rule set.
Do the following to copy a rule from a (source) rule set to another (target) rule set.
1. If the target rule set will be a new rule set, create that rule set first, see “To create a
rule set” on page 131 for details.
2. Open either the Extraction Ruleset or the Assignment Ruleset tab under
Policies & Rules and select the source rule set (the rule set containing the rule to
copy) in the Rule Set List pane as shown below (circled). The rules for that rule set
are displayed in the lower Rule List for Rule Set pane.
3. If the target rule set is not visible, use the rule set page navigation icons (circled
below) to move to the page containing the target rule set. For example move to the
fourth page so “myNewRuleSet” is visible as shown below.
The rules from the source rule set should still be visible in the lower Rule List for
Rule Set pane.
4. From the lower Rule List for Rule Set pane, click and drag the rule you want to
copy to the upper pane, and onto the target rule set.
When the target ruleset highlights, release the mouse button. The original rule is
copied into the target rule set.
Changing the Listing Order of Rules in Rule Sets
You can change the listing order of rules in any rule set.
Do the following to change the listing order of any rule:
1. Open either the Extraction Ruleset or the Assignment Ruleset tab under
Policies & Rules and select the rule set (the set containing the rule that is listed in
the wrong order) in the Rule Set List pane. The rules for that rule set are displayed
in the lower Rule List for Rule Set pane (circled below).
2. In the lower pane, select the rule to move and click the Cut icon in the tool bar.
The rule disappears from the listing.
3. Select the rule below the listing line you want the cut rule to move to,
and then click the Paste icon in the tool bar.
The cut rule appears in the new location, above the previously selected rule.
Note:
The Cut and Paste tools may only be used to move rules within a rule set; they
cannot be used to move rules between rule sets.
Chapter 12:
Policy Groups: Authorization Policies
This chapter discusses using Kazeon Information Server policies and policy groups to
add controls that enforce organizational business policies, beyond the
controls provided by file privileges of the registered repositories themselves.
Topics are as follows:
• “About Policies and Policy Groups” on page 142
• “Maintaining Policy Groups” on page 143
• “Authorization Policies” on page 145
• “Maintaining Policies” on page 145
About Policies and Policy Groups
All filers provide some process for limiting what files and folders users can access.
These limits are generally referred to as access privileges. When needed, Kazeon
Information Server policies and policy groups allow adding another layer of control
beyond the filer’s standard user privileges. This is done with policy groups and
policies.
A policy group contains a set of files, and one or more policies that apply to those
files. Files are assigned to a group using actionable services; for more detail
on assigning files to a policy group, see the “Assigning Files to Policy Groups”
section of the Kazeon IS1200 Web-Search User Guide, or see “Using Assignment Rules” on page 129.
After assigning files to a policy group, the system uses the associated policies to
control user access to those files when using searches or reports.
You can create multiple policy groups containing different sets of policies. To enforce
policies on a file, you assign the file to the appropriate policy group. To enforce a new
policy on a file, you add a new policy to a policy group that contains that file. To
change a policy group’s policy associations, you can create, add, or delete its existing
policies. The system then applies the new policies to the files assigned to the policy
group. You can assign files to multiple policy groups.
A policy controls file access and specifies who the policy applies to. When the policy
is created, fields are provided to specify what user, or user group, to apply the policy
to. User names, and user group names, are defined in the authentication service—
either Active Directory (AD) or Network Information Services (NIS)—in use in the
filer’s domain. When you specify a user, or user group name, you must use the same
names defined by your authentication service. See “Configuring External
Authentication” on page 53 for more detail.
The following diagram shows the relationship between policy groups, policy rules,
and files assigned to policy groups.
Figure 5: Associating Policy Groups with Policy Rules and Files (diagram of Policy Group A and Policy Group B, each with its assigned files and its own set of policies)
Every policy within a policy group must have a unique name.
Policy Groups contain Authorization Policies which control whether a user or group is
granted or denied access to a file and whether users can read a file but not modify it.
Authorization Policies
If additional levels of control are required beyond those supplied by standard filer user
privileges, the Kazeon Information Server can create authorization policies to further
control file access based on file contents, your organization’s business policies, and
compliance requirements. For instance, all files containing the title “Personnel Files”
may be tagged and assigned to a group that only HR personnel can access.
When authorization policies are in use, after a user performs a search, the Kazeon
Information Server applies the authorization policies to filter search results based on
the user's group membership. As a result, users only see files that they are authorized
to access.
Note:
Regardless of whether authorization policies are in effect, after a search is
performed using the Kazeon Information Server, the access checking option
determines whether the searcher's user privileges on the filer limit what search
results may be viewed. If access checking is on, the results returned are
limited by the searcher's privileges on the filer. If access checking is off, the
searcher sees all results, regardless of their privileges on the filer. For information
on how to turn access checking on or off, see “Turning Search Access Checks ON
or OFF” on page 296.
A user’s access privileges—as defined by Authorization Policies—also determine
how actionable services are applied. If an administrator-level user runs a job, for
example either a search or a report, that job’s results will display all files the
administrator has access to. If a second user, with fewer access privileges, opens that
job’s results they may see files they do not have access to. If the second user attempts
to apply Actionable Services to the job results, for instance a copy, move, or delete
action, the action will fail on any files the second user does not have access to.
WARNING!
The failures can only be discovered by viewing the job results, on the Job
Scheduler page, and checking the Failures column of the job listing. See
“Viewing or Reprocessing Job Failures from Web-Admin” on page 179 for more
information.
Maintaining Policy Groups
The Kazeon Information Server provides a default policy group named Default. Add
new policies to Default, or create other policy groups to suit your requirements.
Note:
The Default policy group is assigned to all files by default.
After you create a policy group, you can do the following:
1. Add one or more authorization policies to the policy group.
2. Assign one or more files to the policy group. For more information, see the
“Assigning Files to Policy Groups” section of the Kazeon IS1200 Web-Search User
Guide, or see “Using Assignment Rules” on page 129.
To create a policy group
1. From the Web-Admin navigation pane under Policies & Rules, click Policy Groups.
The Policy Groups pane appears.
2. From the Policy Group List (top) toolbar, click Add Policy Group. The Add Policy
Group dialog appears.
3. In the Add Policy Group dialog, do the following:
   - Policy Group Name. Enter a name for the new policy group. The keyword
     “all” may not be used as a policy group name.
   - Description. Optionally, enter a brief description of the policy group.
   - Add. Click to add the policy group. The new policy group is added to the
     policy group listing.
   - Cancel. Click to close the Add Policy Group dialog.
Note:
Policy group names are case-insensitive.
To remove a policy group
1. Click to select a policy group from the Policy Group List.
2. From the Policy Group List tool-bar, click Delete Policy Group.
The policy group is removed from the Policy Group List.
Note:
To delete a policy group, all policies associated with it must first be deleted.
Authorization Policies
An IS1200 authorization rule, or Access Control policy, specifies who can view or
perform various actions on a file. By default, search results display all the files a user
has file permissions to see. Authorization policies allow you to override filer-native
permissions. In the absence of IS1200 authorization policies, the system uses
filer-native permissions to filter search results and reports. Access Control policies
specify permissions such as Grant Read and Deny Read.
Resolving Permission Conflicts
Files have permissions set by the host file system. Additionally, the Kazeon
Information Server allows higher level permissions based on authorization policies.
This can result in conflicting permissions within a policy group.
To resolve conflicts, the Kazeon Information Server observes the following rules:
1. An authorization policy that denies access overrides an authorization policy that
allows access to the user.
For example, a policy group has two authorization policies associated with it. One
states that Group A has Read permission to the file. The second states that user
John Smith is denied Read permission to the file. So, even if John Smith belongs to
Group A, he is denied access to the file.
2. If authorization policies do not apply to a user or a group, file permissions do.
For example, Eva does not belong to Group A (above), and attempts to modify a
file. The first policy neither allows nor denies her permission. The second policy is
specific to John, so it does not apply to Eva. The IS1200 then checks native filer
permissions; if Eva has permission to edit the file, the IS1200 allows her to edit it.
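The two conflict rules above, worked through as an added example (this is not Kazeon code). The names Policy, decide and visible_results and the data model are assumptions made for illustration; it also assumes that a Deny Read policy blocks modification, that Grant Read alone does not permit modification, and that all hits belong to one policy group. The separate access checking option is not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Set, Tuple


class Access(Enum):
    GRANT_READ = "Grant Read"
    GRANT_WRITE = "Grant Write"
    DENY_READ = "Deny Read"


@dataclass(frozen=True)
class Policy:
    """One authorization policy: an access type applied to a user or a group."""
    name: str
    access: Access
    user: Optional[str] = None
    group: Optional[str] = None

    def applies_to(self, user: str, groups: Set[str]) -> bool:
        return self.user == user or (self.group is not None and self.group in groups)


def decide(policies: Iterable[Policy], user: str, groups: Set[str],
           action: str, filer_allows: bool) -> Tuple[bool, str]:
    """Evaluate one policy group for one user and return (allowed, reason)."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    matching = [p for p in policies if p.applies_to(user, groups)]
    if not matching:
        # Rule 2: no policy names this user or their groups, so the
        # native filer permission decides.
        return filer_allows, "filer permissions"
    denies = [p for p in matching if p.access is Access.DENY_READ]
    if denies:
        # Rule 1: a deny overrides any grant, including a grant via a group.
        return False, "denied by policy " + denies[0].name
    needed = ({Access.GRANT_WRITE} if action == "write"
              else {Access.GRANT_READ, Access.GRANT_WRITE})
    grants = [p for p in matching if p.access in needed]
    if grants:
        return True, "granted by policy " + grants[0].name
    # Only Grant Read matched but the user asked to modify (assumed read-only).
    return False, "matching policies grant read only"


def visible_results(policies: Iterable[Policy], user: str, groups: Set[str],
                    hits: Iterable[Tuple[str, bool]]) -> List[str]:
    """Filter search hits (path, filer_allows_read) down to what the user may see."""
    policies = list(policies)
    return [path for path, filer_read in hits
            if decide(policies, user, groups, "read", filer_read)[0]]


# Constructed sample mirroring the guide's example policy group.
POLICIES = [
    Policy("group-a-read", Access.GRANT_READ, group="Group A"),
    Policy("john-deny", Access.DENY_READ, user="John Smith"),
]

if __name__ == "__main__":
    for who, grps, act, filer in [
        ("John Smith", {"Group A"}, "read", True),
        ("Eva", set(), "write", True),
        ("Ana", {"Group A"}, "write", True),
    ]:
        print(who, act, decide(POLICIES, who, grps, act, filer))
```

Printing the reason alongside the decision makes it easy to see which layer (policy or filer) produced a given result when reviewing a policy group.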
Maintaining Policies
You can view, edit, or delete a policy. You can view policies associated with all the
existing policy groups, or all policies associated with a specific policy group.
To add an Access or Logging policy
1. From the Web-Admin navigation pane under Policies & Rules, click Policy Groups.
The Policy Groups pane appears.
2. From the Policy Group List (top list), select a policy group name to add the new
policy to. The policy-group name is highlighted.
3. From the Policy List for Policy Group (bottom) toolbar, click Add Policy. The
Add Policy - [PolicyGroupName] dialog appears.
4. Enter the following:
Policy Name. Enter a name for the policy. If the name specified is already in use,
the system displays a warning and modifies the existing rule when Add is clicked.
The keyword “all” may not be used as a policy name.
Description. Optionally, enter a brief description of the policy.
5. Enter the Access Control fields:
User. To apply the access type to a user, enter the user name. User names are
defined by your network authentication services—either AD or NIS. The user
name must be identical to a user name already defined by your authentication
service. See “Configuring External Authentication” on page 53 for more detail.
Group. To apply the access type to a group, enter a group name. Group names are
supported for all Network Information Services (NIS) groups, but only the group
“domain users” for Active Directory (AD). Group names are defined by your
network authentication services—either AD or NIS. The group name must be
identical to a group name already defined by your authentication service. See
“Configuring External Authentication” on page 53 for more detail.
Access. Select one of the following:
   - Grant Read: Users can search for the file and view it.
   - Grant Write: Users can search, view, and modify the file.
6. Click Add to add the policy to the policy group, or click Cancel to close the dialog
without saving.
After creating any new rule, the system adds the new rule to the Policy List for Policy
Group listing of the Policy Groups page.
To view, edit, or delete a policy
1. Select a policy group from the Policy Group List. The policies belonging to
that group are displayed in the Policy List for Policy Group listing below.
2. Right-click any policy listed in the Policy List for Policy Group listing and select
Edit Policy to view or edit it, or Delete Policy (and confirm) to delete it.
The system re-displays the modified list of policies for that group.
Chapter 13:
Custodian Mapping
This chapter discusses the reasons for and design of custodian mappings, the standard
custodian mappings, and how to create rules and exceptions that override or augment
the standard custodian mappings.
Topics are as follows:
• “Overview”
• “Using Global Mappings”
  - “Adding a Global Rule”
  - “Modifying a Global Rule”
  - “Deleting a Global Rule”
• “Using the Exceptions Pane”
  - “Adding an Exception”
  - “Modifying an Exception”
  - “Deleting an Exception”
Overview
Beginning with version 4.2.0, a new metadata namespace, called OriginalSource, is
standard in the Kaz Schema. The OriginalSource namespace contains two new
metadata fields, Custodian and Location. The information in these fields is
automatically extracted and populated during all classification services and is carried
over from source-object-metadata to destination-object-metadata during Actionable
Services such as Copies, Collections, or Moves.
These two new fields were added primarily for eDiscovery use. Custodian tracks each
file’s original owner/creator (or custodian in eDiscovery terms), and Location tracks
its original location in UNC format. These fields are important to eDiscovery because
a file’s owner and location may change as files in a legal matter are reviewed and
analyzed during legal review, and because it is often important to know who originally
created or authored a file, or email, and where it was originally created.
The IS1200 provides the following standard rules for assigning the Custodian values,
based on the repository types they are originally found on:
Repository Type              File Attribute Used to Assign Custodian
NFS/CIFS                     Owner name
Microsoft Exchange Server    Mail-box name
Enterprise Vault             Authorname
Sharepoint Server            Modifiedby
Documentum Server            Documentum ownername
Domino Server                Mail-box name
The Custodian rules can be overridden when necessary by clicking Custodian
Mapping under Policies & Rules in the left-navigation pane to open the following tab.
The Global Mappings pane contains the currently defined rules for mapping custodians
by the repository type and allows changing those standard assignments as necessary.
The Exceptions pane allows overriding global rules on a repository or folder-name basis.
WARNING!
Changes to either of these rules are not available for searches or reports until after
all repositories have been recrawled with the new rules in effect. The new rules
are automatically applied to all classifications.
Both panes use the following toolbar:
• Add: Adds a new Global Mapping or Exception rule.
• Edit: Edits the currently selected Global Mapping or Exception rule.
• Delete: Deletes the currently selected Global Mapping or Exception rule.
• Refresh: Refreshes the Global Mapping or Exception listing for changes that
  may have occurred elsewhere, for example using the CLI.
Both panes also respond to the buttons at the bottom of the pane:
• Save: Saves all changes. A warning dialog opens informing you that saved
  changes will not take effect until a new crawl is done.
• Restore: Discards all changes and reverts to the default rules.
Using Global Mappings
Global mapping rules are extraction rules that assign a file’s Custodian metadata value
by simply looking at the type of repository it resides on, and then extracting a “name”
from one of the standard file metadata fields native to that repository type.
When first opened, the Global Settings pane listing contains custodian rules for all
repositories for which the cluster has licenses. If the server has only a basic license,
the rules will be for NFS/CIFS only. New rules may be added, existing rules may be
modified, and rules may be deleted.
Adding a Global Rule
To add a new rule, do the following:
1. Click the Add icon in the Global Mapping toolbar. The dialog below opens:
2. Select Repository Type: Select a repository type from the drop-down menu. This
rule will affect only that type. The selection chosen will change the options in the
next step.
3. Select Kazeon Field for Custodian Mapping: Select a metadata field to use for
the custodian name.
4. Click OK to save your changes, or Cancel to exit with no other action.
Modifying a Global Rule
To modify or edit an existing rule, do the following:
1. Select the rule in the Global Mapping listing to change by clicking it.
2. Click the Edit icon in the Global Mapping toolbar. The dialog below opens:
3. Select Repository Type: Select a repository type from the drop-down menu. This
rule will affect only that type.
4. Select Kazeon Field for Custodian Mapping: Select a metadata field to use for
the custodian name. The drop-down menu selections change depending on the
repository type selected in the step above.
5. Click OK to save your changes, or Cancel to exit with no other action.
Deleting a Global Rule
To delete an existing rule, do the following:
1. Select the rule in the Global Mapping listing to delete by clicking it.
2. Click the Delete icon in the Global Mapping toolbar. The dialog below opens:
3. Read the dialog warning question.
4. Click OK to delete the rule, or Cancel to exit without deleting.
Using the Exceptions Pane
Besides the standard “by repository type” rules defined in the Global Mappings pane,
exception rules may be defined for specific repositories, or paths in a repository, so
custodian names may be assigned on a more selective basis.
The various custodian exceptions available are:
• Explicit Custodians: Used to set a specific custodian name regardless of the file
  content. This can be used when an Administrator wants to specify a specific
  custodian name for all files in certain repositories or folders. If the Administrator
  does not know the exact username, it can be looked up using Active Directory.
• Set by Directory name: Allows using a directory name for the Custodian name.
  This is helpful in server situations where all files for a specific user are stored in a
  folder named after that user. For example, if the NFS export johndoemachine:/ is
  mounted as filesystem name jdfs on the IS1200, you may extract directory level 2
  as the name of the custodian; then all files from file://home/johndoe/dir1/dir2 will
  be assigned johndoe as their custodian name.
• For Enterprise Vaults, you can choose to use the vaultname as the Custodian.
When first opened, the Exceptions pane listing is empty. New exceptions may be
added, existing exceptions may be modified, and exceptions may be deleted.
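How a global mapping and the exception types described above could combine to produce a Custodian value, as an added example (not Kazeon code). The names ExceptionRule and resolve_custodian are hypothetical, and the sketch assumes 1-based directory levels counted from the filesystem root, that the exception with the longest matching path wins, and that a file with no directory at the requested level falls back to the global mapping.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Standard rules from the guide's table: repository type -> attribute used.
GLOBAL_MAPPINGS: Dict[str, str] = {
    "NFS/CIFS": "Owner name",
    "Microsoft Exchange Server": "Mail-box name",
    "Enterprise Vault": "Authorname",
    "Sharepoint Server": "Modifiedby",
    "Documentum Server": "Documentum ownername",
    "Domino Server": "Mail-box name",
}


@dataclass(frozen=True)
class ExceptionRule:
    repo_type: str
    path_prefix: str                  # repository or folder the exception covers
    explicit: Optional[str] = None    # "Explicit Custodian"
    dir_level: Optional[int] = None   # "Set by Directory name" (1-based, assumed)


def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]


def _covers(prefix: str, path: str) -> bool:
    # Compare whole path components so /home/legal does not match /home/legalteam.
    p, f = _segments(prefix), _segments(path)
    return f[:len(p)] == p


def resolve_custodian(repo_type: str, path: str, attributes: Dict[str, str],
                      exceptions: Iterable[ExceptionRule] = (),
                      mappings: Dict[str, str] = GLOBAL_MAPPINGS
                      ) -> Tuple[Optional[str], str]:
    """Return (custodian, source) for one file; exceptions override global rules."""
    candidates = [e for e in exceptions
                  if e.repo_type == repo_type and _covers(e.path_prefix, path)]
    # Assumed precedence: the most specific (longest) covering path first.
    candidates.sort(key=lambda e: len(_segments(e.path_prefix)), reverse=True)
    for rule in candidates:
        if rule.explicit:
            return rule.explicit, "exception: explicit custodian"
        if rule.dir_level:
            dirs = _segments(path)[:-1]  # drop the file name itself
            if 1 <= rule.dir_level <= len(dirs):
                return dirs[rule.dir_level - 1], (
                    "exception: directory level %d" % rule.dir_level)
    attr = mappings.get(repo_type)
    if attr is None:
        return None, "no rule for repository type"
    return attributes.get(attr), "global mapping: " + attr


# Constructed sample exceptions and file metadata.
EXCEPTIONS = [
    ExceptionRule("NFS/CIFS", "/home", dir_level=2),
    ExceptionRule("NFS/CIFS", "/home/legal", explicit="hr-archive"),
]

if __name__ == "__main__":
    owner = {"Owner name": "root"}
    for p in ["/home/johndoe/dir1/dir2/report.doc", "/home/legal/case1/a.doc",
              "/home/legalteam/x.doc", "/homework/x.doc", "/home/readme.txt"]:
        print(p, resolve_custodian("NFS/CIFS", p, owner, EXCEPTIONS))
```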
Adding an Exception
To add a new exception, do the following:
1. Click the Add icon in the Exceptions toolbar. The dialog below opens:
2. Select Repository Type: Select a repository type from the drop-down menu. This
rule will affect only that type. The selection chosen will change the options in the
next step.
3. Select Repository: Click to select a specific repository to apply this rule to. The
plus/minus sign preceding any repository listing may be clicked to expand the
directories or folders beneath it. An expanded listing may also be chosen.
Note:
To select a local data repository (a localdatafs, or a folder shared from an
IS1200 internal hard drive), set Select Repository Type to NFS/CIFS.
4. Select Kazeon Field for Custodian Mapping: Select a metadata field to use for
the custodian name. If you choose Explicit Custodian, do the following:
   - Select Custodian: Enter a specific custodian name, or click the Lookup
     button to select one from an Active Directory server.
5. Click OK to save your changes, or Cancel to exit with no other action.
Modifying an Exception
To modify or edit an existing rule, do the following:
1. Select the rule in the Exceptions listing to change by clicking it.
2. Click the Edit icon in the Exceptions toolbar. The dialog below opens:
3. Select Repository Type: Select a repository type from the drop-down menu. This
rule will affect only that type. The selection chosen will change the options in the
next step.
4. Select Repository: Click to select a specific repository to apply this rule to. The
plus/minus sign preceding any repository listing may be clicked to expand the
directories or folders beneath it. An expanded listing may also be chosen.
Note:
To select a local data repository (a localdatafs, or a folder shared from an
IS1200 internal hard drive), set Select Repository Type to NFS/CIFS.
5. Select Kazeon Field for Custodian Mapping: Select a metadata field to use for
the custodian name. If you choose Explicit Custodian, do the following:
   - Select Custodian: Enter a specific custodian name, or click the Lookup
     button to select one from an Active Directory server.
6. Click OK to save your changes, or Cancel to exit with no other action.
Deleting an Exception
To delete an existing rule, do the following:
1. Select the rule in the Exceptions listing to delete by clicking it.
2. Click the Delete icon in the Exceptions toolbar. The dialog below opens:
3. Read the dialog warning question.
4. Click OK to delete the rule, or Cancel to exit without deleting.
Chapter 14:
Working With PST Files
This chapter reviews the procedures involved in classifying and searching files and
email in both general and eDiscovery situations, and describes the problems, error
messages, and solutions involved when working specifically with personal storage
files (PST files).
Topics include:
• “How the IS1200 Provides World Class Searching”
  - “How PST Files Fit In The Picture”
• “Failures Encountered with Open PST Files”
  - “PST Failure Solutions”
• “Reprocessing PST Files in Another Location”
• “Processing PST Files in Their Original Location Using OFM”
  - “How OFM Manager Works”
  - “Using OFM for Collections and Reclassifications”
  - “Using OFM for In-Place Processing”
  - “Installing OFM”
  - “Using the IS1200 With OFM Installed”
eDiscovery Case Manager: Administrators and Supervisors Guide
How the IS1200 Provides World Class Searching
To use the IS1200 for eDiscovery or general file search and management, there is a
standard process to follow that ensures legal reviewers, or network administrators, can
ultimately find what they need, quickly and efficiently. This process is:
1. Register your repositories. Essentially, you need to identify to the IS1200 all the
file servers (groupware, email, backup, etc.) and laptops or desktops that might
contain the information you want to be able to search through. Most repositories
are registered using the FileSystem(NFS/CIFS) menu selection under Repositories
in Web-Admin, seen circled below:
The other menu selections beneath FileSystem(NFS/CIFS) may be used to register
other kinds of repositories, like laptops, desktops, or email servers. See the
“Repository Registration and Management” on page 79 for complete registration
details.
2. Optionally: Move or isolate the files. In situations like eDiscovery, files that are
relevant to a current legal matter may need to be isolated or locked against further
changes, or copies of the files moved to a secondary location to preserve
point-in-time copies of the files and allow the originals to remain in normal use.
The IS1200 can isolate those files by moving copies to another more secure
location. Network administrators can do this using a Single-Step Collection
(circled below under the Jobs heading in Web-Admin); see “Single-Step
Collections” on page 173 for complete details. Legal supervisors can also do this
by doing a Collection when they define a case; see the eDiscovery Case Manager
for more complete details.
Additionally, the IS1200 can use Actionable Services to apply legal hold to files in
their original locations and prevent them from being changed until the legal matter
they relate to is resolved. See the Using Actionable Services chapter of
Web-Search for complete details.
3. Classify the repositories. Because the information you might look for can be in so
many different places (repositories), it is very time-consuming and difficult to
access and search them all individually each time you need to find data. To solve
this, the IS1200 “classifies” all its registered repositories in one place. Basically,
the IS1200 accesses each registered repository in turn, opens each file the
repository contains, and creates an index of all the data in those files in a single
location called a metadata repository. This is done using a basic or deep
classification. A Deep Classification is done under the Jobs heading of
Web-Admin as seen circled below.
See “Scheduling a Deep Crawl” on page 192 for complete details.
If the files in question were “collected” (as described in the step above), the target
location will already be classified. However, subsequent classifications may be
needed as more complex search issues are identified.
4. Search the metadata: With all the possible information recorded and indexed in
one place—the metadata repository—IS1200 users, or legal reviewers, can search,
or report, on all the repositories very quickly and very efficiently by accessing this
single location.
Basic searches are done from the Web-Search basic search page, shown below.
Advanced searches are done by clicking Advanced Search link, circled above. See
the IS1200 Web-Search User Guide for complete details on logging into
Web-Search and doing basic and advanced searches.
Reports are created, edited, and scheduled from any of the Templates pages in
Web-Reports, shown below.
See the IS1200 Web-Reports User Guide for details on logging into Web-Reports
and running reports.
5. Apply Tags or Actionable Services. Once files have been located and listed in
search or report listings, they can be tagged or have Actionable Services applied
to them. Tagging allows you to do things like marking files in an eDiscovery
situation as “reviewed” or “responsive” as you prepare them during Review and
Analysis. The screen below shows a Web-Search results page with the Tagging
Panel circled.
Actionable Services allow you to further manage files, or prepare files for legal
review, with actions like moving or copying them elsewhere, or downloading
them to zip files for transportation to other legal parties.
See the IS1200 Web-Search User Guide for complete details on logging into
Web-Search and using the tagging panel, or applying Actionable Services.
Web-Reports results may also have Actionable Services applied. See the IS1200
Web-Reports User Guide for details on applying Actionable Services to report
results.
How PST Files Fit In The Picture
PST files can complicate these processes.
PST stands for personal storage. PST files are generally used by email programs like
Microsoft Outlook to store user email locally. PST files are also called “composite”
files, because they are packages meant to efficiently store a number of smaller related
files. Another example of a composite file is a ZIP storage file.
When the IS1200 classifies any repository, it opens all its files or email and extracts
both the standard file metadata they contain as well as any custom metadata defined
by user-defined extraction rules. Metadata is identified and stored or indexed for each
file classified.
When the IS1200 encounters a composite file like a PST, it attempts to open each file
or email it contains, and classify each as if they were all stand-alone files. Because
PST files are composite files, the IS1200 attempts to open them and classify all the
emails they contain individually.
Once files or emails have been classified, they may be searched, or reported on, and
the results displayed as a listing. Result listings may have Actionable Services applied
to allow network administrators to better manage their file repositories, or legal
reviewers to apply tags or prepare responsive files for delivery to another legal party.
However, both classifications and Actionable Services depend on being able to
routinely open all the files in a repository, including PST files. Some applications
automatically open files they read and write to regularly, and leave them open as long
as they are running. Prime examples are Microsoft Outlook and Express, which use
PST files to store local user email. Outlook and Express open their PST files when
they launch, and leave them open until they are closed.
When PST files are left open and locked like this, the IS1200 is normally unable to
access them, but there are ways to overcome this.
Failures Encountered with Open PST Files
When a file—like a PST—is opened by one application, the repository’s operating
system automatically locks that file’s access to all other applications. Open PST files
like these are sometimes called live-locked PST files.
When an IS1200 classification or other service encounters live-locked files, the
IS1200 cannot access those files (without special provisions to be described later) and
generates job-service errors, or failures. The Job List tab results listings circled below
(jobs 11 and 7, a deep classification and a collection), show examples of these failures.
Live-locked failures may occur in any IS1200 process that attempts to access a PST
file. This includes:
• Classifications (basic and deep)
• Reclassifications (Recurring basic or deep classifications, or Update Indexes and
  Metadata in the Processing and Analytics section of Case Creation or Editing in
  the eDiscovery Case Manager)
• Single-Step Collections, and Case Collections
• Any Actionable Services that attempt to access the file (Copy, Move, Lock, etc.)
These failures can be dealt with in the ways described below.
PST Failure Solutions
Live-locked files are not ordinarily accessible to IS1200 classifications. When the
IS1200 encounters live-locked files, it skips the file and records an error in the
classification log. These errors can be dealt with in two main ways:
• Reprocess the files in another location. Use the error logs to identify the locked
  files and move unlocked copies to another location, where they can be
  reprocessed by another classification.
• Process the files in their original locations using the Open File Manager (OFM)
  from EVault. This allows the IS1200 to access live-locked files during standard
  classifications, collections, or Actionable Services without failures.
Both methods are described in detail in the following sections.
Reprocessing PST Files in Another Location
When the IS1200 encounters a live-locked PST file during processing like
classifications, it logs an error message that the file is unavailable for reading and
continues processing the next file. This section describes how to identify those errors
and how to process live-locked files without installing additional software.
If this method is unacceptable, see “Processing PST Files in Their Original Location
Using OFM” on page 160 for details about using a more automatic third-party
software solution.
Identifying Live-Locked Errors During Processing
Live-locked file errors can be identified by looking in the job result listings of the Job
List tab in Web-Admin. See “The Job Manager page” on page 174 for details.
Jobs are listed in run order, the most recent at the top. The listing above shows several
jobs, the first two (job numbers 11 and 7, large red circles) were a deep classification
and a collection. Both jobs crawled repositories with live-locked files, and both
generated failures (the right red circle).
The jobs were repeated (#s 12 & 13, green circles below) after installing OFM on their
respective repositories and generated no failures (no failures in the right green circle).
Job #s 14 & 16 below, are copy jobs, both on repositories with live-locked files.
The first job (#14) repository had OFM installed (bottom blue circles), the second
(#16) did not, so only the first copy job shows no failures.
For details on specific job failures from any job listing, click any number link (circled
below) in the Failures column of that listing.
This opens the Failure Summary tab which shows all failures for that job. To see
details on a specific failure, click the number link (circled below) in the Count column
of that failure listing.
This opens the Failure Details tab that provides the details about that error.
Reprocessing Files with Live-Locked Failures
Files that failed classification with live-locked errors can be reprocessed as follows:
1. Use the Failures tabs described above to identify the filepath of the registered
laptop, desktop, or other repository with the live-locked file errors.
2. Stop the application on the laptop/desktop that is using the live-locked file. For
PST files, Microsoft Outlook (or another email application) must be stopped.
3. Use an Actionable Services Copy to copy the files to another target (another
registered repository). With the email application stopped, the files are no longer
locked.
4. Restart the email application on the laptop/desktop.
5. Use Web-Admin to reprocess the files on the Copy target repository. The formerly
live-locked files process successfully now because no application has them open.
Processing PST Files in Their Original Location Using OFM
The Open File Manager (OFM) from EVault provides a more automatic solution to
processing live-locked files. Once OFM is installed, standard classifications,
collections, and Actionable Services can routinely access composite files, like PST
files, without failures.
How OFM Manager Works
For laptop and desktop systems with OFM installed, OFM monitors the system for
read requests on live-locked files initiated by backup programs or remote clients like
the IS1200. OFM facilitates those requests using an authorization system based on a
configurable user name, which the System or Network Administrator creates and
reserves for clients like the IS1200 or backup programs.
As applications open files and live-lock them, the OFM starts and maintains a
point-in-time file copy of the file where no partial transactions are pending on the system.
OFM then presents a dynamically allocated pre-write cache for each open file on the
system to other applications—like the IS1200—that request file access. From then on,
file modifications from the application that originally opened and locked the file go
directly to the intended file, and applications (like the IS1200) requesting access to
that file are presented instead with the pre-write preview data in the cache. This allows
the IS1200 to classify a live-locked file.
While file cache data may not always be completely up to date, second-by-second,
subsequent classifications will always pick up the latest exclusively locked file after
OFM takes its next snapshot of the live-locked files.
OFM allows the IS1200 to process live-locked files in two ways:
• Collection to a target location and reprocessing. The IS1200 can use the OFM to
  collect the live-locked files, along with other files, and copy them to a new target
  location. Because the copied files are not live-locked by an application on the
  target, they can be successfully classified.
• In-place processing. The IS1200 can process the live-locked files in-place, in their
  original location, using the OFM to open the cached copies, and classifying those
Using OFM for Collections and Reclassifications
The following are the basic installation, setup, and process steps required to use OFM
to collect live-locked PST files and reprocess them elsewhere:
1. On the IS1200, discover and register, or manually register all laptops, desktops, or
other systems you need to classify. See “Repository Registration and
Management” on page 79 for details.
2. Install OFM on all laptops or desktops that have live-locked file errors. Be sure to
configure OFM with the same identities used when the systems were registered
with IS1200. See “Installing OFM” on page 161 for details.
3. Do one of the following:
   - Use the IS1200 to start a Collection job to copy the files on the desktop/laptop
     to another target location.
   - Use a Copy Action on the IS1200 to copy the files to another target location.
   OFM allows the IS1200 to access, and copy, the live-locked PSTs on the
   laptop/desktops to the target location.
4. Start a deep classification on the target of either the Collection or the Copy
of the preceding step. The previously locked PST files are no longer opened (and
locked) by any application on the target location, so they process normally.
Using OFM for In-Place Processing
The following are the basic installation, setup, and process steps required to use OFM
to process PST files in-place:
1. On the IS1200, discover and register, or manually register all laptops, desktops, or
other systems you need to classify. See “Repository Registration and
Management” on page 79 for details.
2. Install OFM on all laptops or desktops that have live-locked file errors. Be sure to
configure OFM with the same identities used when the systems were registered
with IS1200. See “Installing OFM” on page 161 for details.
3. Use the IS1200 to deep classify the files on the laptop/desktop. OFM allows the
IS1200 to access the live-locked files using the cached copy described in “How
OFM Manager Works” on page 160.
Installing OFM
While a variety of commonly available tools and utilities allow access to open files,
Kazeon recommends using the EVault Open File Manager 9.5. Go to
http://ofm.evault.com/ for more information, or to http://ofm.evault.com/order.asp to
download.
EVault recently acquired the Open File Manager (OFM) from StBernard; the
following information references the StBernard version.
The OFM must be deployed, configured, and started on all laptops or desktops before
the IS1200 can classify, or copy, live-locked files on them. The OFM can be installed
on individual computers or remotely on many computers using an application that
comes with OFM. Once OFM is properly installed and configured on your laptops and
desktops, and they are registered and classified like any other repository, the open files
they contain (like PST files) can be transparently opened and classified.
Basic OFM Installation Overview
Installing the OFM involves the following basic steps:
1. Obtain OFM (version 9.5), and acquire the installer CD or download the software
to a local administrator’s system. OFM may be purchased online here:
http://ofm.evault.com/order.asp
2. Run the OFM Setup Application to install the Control Component on an
administrator’s system. If you are installing OFM on just one computer, that
computer can be used as the administrator’s system.
3. Run the Control Component (using an administrator’s username and password)
and use it to install, configure, and start the System Components (Windows
System Component and Netware System Components) on all laptops and
desktops (and the administrator’s system if necessary) that need to allow the
IS1200 access to locked files.
Note: Special OFM programs are available to do remote mass installations on large
numbers of desktops and laptops. Refer to the OFM manuals for details.
4. After the System Components are installed and started on all laptops and
desktops, use the Control Component from the administrator’s system to monitor
and manage the remote System Components as needed.
Complete instructions for the OFM manager can be found here:
http://ofm.evault.com/ReleaseNotes/ofm_usersmanual.pdf.
Detailed OFM Installation
The following instructions provide more details for step 3 above.
Use the following steps only after logging into any computer system with network
access to all the laptops or desktops that need OFM. You must log onto this system
with a user account and password that has administrator’s rights for that system. Then,
run the OFM Installer to install the Control Component on that computer.
1. From Windows Start, launch the Open File Manager Control Component.
2. Right-click the laptop or desktop that needs to be set up and select Properties.
The system Properties dialog opens.
3. Click the Agents tab to display the following:
4. Do one of the following based on how you want the IS1200 to access this system:
   - If you want the IS1200 to use a specific user name, check Remote System
     Backup (login) and enter that username in the Name field at the bottom of the
     dialog. This same username should be contained in the identity associated with
     the system when it was registered as a repository.
   - If you want the IS1200 to use any authorized laptop or desktop username
     (a username already set up in the laptop or desktop’s User Control Panel),
     check Remote System Backup (NT Aware). This same username should be
     contained in the identity associated with the system when it was registered as
     a repository.
   If the IS1200 has ACL checking enabled (to check user credentials before
   displaying search results or allowing file downloads), use Remote System Backup
   (NT Aware). This setting also works when ACL checking is disabled. See “Turning
   Search Access Checks ON or OFF” on page 296 and “Controlling ACL Checking” on
   page 319 for more information.
   If the IS1200 has no ACL checking on, use Remote System Backup (login).
5. Click OK to close the Properties dialog.
6. Back in the Control Component interface:
   a. Right-click the laptop or desktop again and select Stop. Click OK if another
      dialog appears.
   b. Right-click the laptop or desktop again and select Start.
   c. Right-click the laptop or desktop again and select Advanced, and then select
      Synchronize System.
The laptop or desktop is now set up for open file access during IS1200 classification.
In large-scale deployments where many laptops or desktops need to be set up, there
are scripts that can perform the tasks above on sets of laptops and desktops. Details
can be found in the OFM User Guide, here:
http://ofm.evault.com/ReleaseNotes/ofm_usersmanual.pdf.
Using the IS1200 With OFM Installed
Once OFM is installed, the IS1200 should be able to routinely access all PST files just
like any other files, and the normal methods for classifying repositories, performing
collections on them, or applying Actionable Services apply.
Chapter 15:
Job Scheduling and Classification Services
This chapter discusses how the Jobs menu of Web-Admin is used to create, schedule,
edit, and review jobs such as classification services, synchronizations, collections, and
actionable services.
Topics are as follows:
• “Job Scheduling Overview”
• “Factors Affecting Job Scheduling, Completion, and Speed”
  - “Licensing and Job Scheduling”
  - “Repository Status and Availability”
  - “Ensuring Complete Classifications”
  - “Computing File Hash Values”
• “Other Types of Classifications and Services”
• “Job Editing”
• “The Job Manager page”
  - “Deleting a Job”
  - “Editing a Job From Web-Admin”
  - “Editing a Job From The Command Line Interface”
  - “Viewing or Reprocessing Job Failures from Web-Admin”
  - “Starting, Stopping, Suspending, or Resuming a Job”
• “Scheduling Jobs”
• “Job Scheduling Procedures”
  - “Scheduling a Basic Crawl”
  - “Scheduling a Deep Crawl”
  - “Scheduling a Metadata Classification”
  - “Scheduling a Metadata Synchronization”
  - “Scheduling a Single-Step® Collection”
  - “Scheduling In-place Processing”
Job Scheduling Overview
Services, such as file server discovery, classifications, and synchronizations, are
created and scheduled as jobs using the Web-Admin Jobs page. Other jobs, like
Actionable Services, are applied to search or report results by users from Web-Search
and Web-Reports. All jobs, regardless of origin, are monitored and controlled by the
IS1200 System Services monitor.
System Services is a monitor that maintains the list of work to be done, the job
schedules, and the resources required, and runs jobs as scheduled and as resources are
available. Additionally, this monitor allows jobs that have not completed successfully
because of resource problems or because they ran out of scheduled time to be restarted
when the resource problems are corrected or more time is available. This is especially
important for services that run on laptops or desktops because they can be arbitrarily
started, stopped, or disconnected from the network by their users. This monitor allows
jobs and services running on variable-availability connections to be automatically
started, paused as necessary, and restarted as time and resources are available.
Note: Starting with version 4.3.0, this monitor controls all services and jobs including
Actionable Services on laptops and desktops.
Jobs can be scheduled to run once (immediately, or in the future), or on recurring
schedules.
The following kinds of services—jobs—can be scheduled using Web-Admin.
• Basic classifications (crawls)
• Deep classifications (crawls)
• Metadata classifications (crawls)
• Metadata synchronizations
• Single-Step Collections
• In-Place Processing
Note: Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled"), which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
WARNING!
The standard IS1200 installation configures Web-Admin with a single initial user
named “admin” and allows both “root” and “admin” to log in to the Command
Line Interface (CLI). Both “admin” and “root” have unlimited access privileges
and can see and alter all registered repositories. It is recommended that neither of
these users be used for routine access to either Web-Admin or the CLI.
See “Role Based Administration” on page 37 for details on limiting user roles.
File server Discovery jobs are also reported on the Jobs page, but are scheduled from
the Repositories page. See “The Discovery Process” on page 90 and “Scheduling a
Discovery Service” on page 92 for details on scheduling Discovery jobs.
Discovery jobs are used to locate file servers (repositories) when a complete list of
possible repositories is not already known. Once discovered, repositories can be
registered for classification services.
Basic and Deep Classifications Compared
The two services that are run most often are Basic and Deep classifications.
A Basic classification (or crawl) extracts native file directory attributes such as
filepath, filetype, size, creation date, etc. See “Default Metadata Tags / Search
Schema” on page 359 for a detailed list of the standard attributes extracted.
Notes: Two new CLI commands became available in v2.1.4, show doctypemode
and set doctypemode status on/off, to display and determine
whether basic crawls use file content to populate the metadata document type
field. See the Command Line Interface Reference Guide for more detail.
During a basic crawl, if doctypemode is off, files are not opened to
determine their document type and their document type fields default to
“unknown” (for search and reports). If doctypemode is on, then files are
opened during basic crawls, and their document type fields are populated by
parsing the file’s actual content.
doctypemode defaults to on. Turning doctypemode off reduces the time
needed for crawls.
Basic classification speed is determined by the number of files processed if file-hash
is turned off, or by file-size if file-hash is turned on. See “Computing File Hash
Values” on page 171 for more information.
A Deep classification (or crawl) extracts additional file extended-attributes and
content-related, or pattern-based, metadata. Extended attributes, or file properties,
such as application-specific predefined and custom document-properties, are only
collected when the system configuration files are set to do so. Additionally, if custom
rules have been added to the classification rule sets—either assignment or extraction
rules—then custom metadata such as phone numbers, account or part numbers, or
significant keywords such as confidential or personnel, can also be extracted.
Deep classification speed is determined by the number of files classified, the
classification rules applied, whether file-hash is on or off, and what type of
file-hash is used. See “Computing File Hash Values” on page 171 for more information.
Deep classification also opens up “composite” objects (.zip, .pst, .tar, etc., files that
contain multiple other files), and attempts to classify the sub-file contents, assuming
the container file isn’t password protected, or encrypted.
Note: Currently, zip files larger than 4 gigabytes cannot be classified by sub-object.
Selective Classifications
By default, basic and deep classifications process all files in the specified repositories.
This default can be changed to automatically exclude files by type or category; see
“Skipping File Classification by Type or Category” on page 317 for details.
See also, “Scheduling In-place Processing” on page 213.
Incremental and Differential Crawls
Crawl jobs (classifications) can be scheduled for designated file systems as
run-once or run-recurring jobs. Either way, after the job has run once, the appropriate
metadata repository for the designated data repositories has been populated with
metadata from the crawled files. If subsequent crawl jobs are run against those data
repositories later, the IS1200 can use the existing metadata repository file data to
decide whether to re-classify each file. Files that have not changed since the last crawl
can be skipped to speed up the classification process. Two methods can be used with
subsequent crawls to decide whether to re-classify files. The methods are called
incremental and differential crawls.
Incremental Crawls
After a file system is first classified, the system sets all subsequent crawls to
incremental by default (unless differential crawl is deliberately selected instead when
the job is set up).
In incremental crawls, files are re-classified if they have changed since the last time
they were crawled. Change status is determined using either a file’s mtime or atime,
depending on the system-wide settings applied to all incremental crawls. If a file’s
mtime or atime falls between the time of the last crawl and when the current crawl
started, it is considered changed.
To check a file for change requires pre-existing file metadata stored from a previous
crawl. If new files are added to a repository after it has been classified, there will be no
metadata for those files, and no way to compare them for change using the
incremental procedure. Because of this, incremental crawls fail to classify new files
added to a file system between crawls.
If a Metadata synchronization is also needed for the file system (see Synchronizing
Metadata Repositories below for details about when synchronization is needed), the
synchronization must be scheduled as a separate job after the incremental crawl.
Differential Crawls
Differential crawls are only used if the Differential Crawl checkbox is selected when
the crawl is created.
Differential crawls check for file change the same way as incremental, but if they find
no previous metadata, they assume the file is new and classify it. This makes metadata
available for determining change status for the next crawl.
Differential crawls may also determine file change by atime, mtime, ctime, or arbitrary
user-set time ranges on a job-by-job basis, instead of relying on system wide settings.
Differential crawls are generally not available for the first run of a cron job. However,
if it is certain that a previous crawl has classified the selected file systems, differential
crawl can be forced for the first run of a cron job.
Additionally, if a file system requires metadata synchronization (see Synchronizing
Metadata Repositories for details about when synchronization is needed), the sync can
be scheduled to occur along with the differential crawl as part of the same job.
Choosing Between Incremental and Differential Crawls
The following summary lists the advantages and disadvantages of incremental and
differential crawls:
• Differential crawls find files added since the last crawl that have an mtime earlier
  than the last crawl; incremental crawls miss these files.
• Differential crawls find previously hidden or permission-denied directories (and
  their files) that have become visible or had permission changed since the last
  crawl; incremental crawls miss these directories.
• Differential crawls keep track of each file's 'last seen' time so that, upon user
  request, deleted file metadata can be removed during a crawl instead of by a
  time-consuming metadata synchronization after the crawl, as required by
  incremental crawls.
• Differential crawls track job checkpoints so that, if a job stops, it restarts at the
  last checkpoint, not from the very beginning like incremental crawls.
• Differential crawls take advantage of the load balancing capabilities of the
  workflow engine rather than running single threaded like incremental crawls.
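The selection rules described in the Incremental Crawls and Differential Crawls sections above, modelled as an added example (this is not IS1200 code). The function names, the metadata set, and the sample listing are constructed for illustration, and mtime stands in for whichever of mtime or atime the system-wide setting selects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    mtime: int  # modification time in seconds (constructed values)


def changed_in_window(timestamp, last_crawl, crawl_start):
    # Per the guide: a file counts as changed when its timestamp falls
    # between the last crawl and the start of the current crawl.
    return last_crawl <= timestamp <= crawl_start


def incremental_selection(listing, metadata, last_crawl, crawl_start):
    """Paths an incremental crawl re-classifies.

    Change detection needs a stored record from a previous crawl, so a
    file with no record is never compared and never classified.
    """
    selected = []
    for entry in listing:
        if entry.path not in metadata:
            continue  # no prior metadata: nothing to compare against
        if changed_in_window(entry.mtime, last_crawl, crawl_start):
            selected.append(entry.path)
    return sorted(selected)


def differential_selection(listing, metadata, last_crawl, crawl_start):
    """Paths a differential crawl classifies, plus records not seen.

    A file with no stored record is assumed new and classified. Tracking
    which records were seen models the 'last seen' bookkeeping that lets
    deleted-file metadata be handled during the crawl.
    """
    selected, seen = [], set()
    for entry in listing:
        seen.add(entry.path)
        is_new = entry.path not in metadata
        if is_new or changed_in_window(entry.mtime, last_crawl, crawl_start):
            selected.append(entry.path)
    not_seen = sorted(path for path in metadata if path not in seen)
    return sorted(selected), not_seen


def coverage_gap(listing, metadata, last_crawl, crawl_start):
    """Files a differential crawl classifies that an incremental crawl skips."""
    incremental = set(
        incremental_selection(listing, metadata, last_crawl, crawl_start))
    differential, _ = differential_selection(
        listing, metadata, last_crawl, crawl_start)
    return sorted(set(differential) - incremental)


# Constructed scenario: the previous crawl ran at t=1000, this one starts at t=2000.
LAST_CRAWL = 1_000
CRAWL_START = 2_000

# Paths that already have records in the metadata repository.
METADATA = {"/share/a.doc", "/share/b.xls", "/share/old.pst"}

# What the repository holds now. old.pst was deleted since the last crawl.
LISTING = [
    FileEntry("/share/a.doc", 1_500),      # modified since the last crawl
    FileEntry("/share/b.xls", 500),        # unchanged
    FileEntry("/share/copied.pst", 400),   # copied in, original mtime preserved
    FileEntry("/share/new.txt", 1_800),    # created since the last crawl
]

if __name__ == "__main__":
    print("incremental :", incremental_selection(LISTING, METADATA, LAST_CRAWL, CRAWL_START))
    print("differential:", differential_selection(LISTING, METADATA, LAST_CRAWL, CRAWL_START))
    print("gap         :", coverage_gap(LISTING, METADATA, LAST_CRAWL, CRAWL_START))
```

For a collection that must be complete, the gap list is the set of files to account for before relying on incremental results alone.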
Metadata Repositories
At least one operational metadata repository (a kazfs) must exist for the Kazeon
Information Server to provide classification or discovery services. Metadata
repositories are created and maintained by classification services. Additionally, they
are used to store the results of file server Discovery services.
A classification service fills a metadata repository by crawling every file in the
specified data repositories, extracting information about each file, and adding that
information to the metadata repository.
WARNING!
No two jobs should ever be scheduled to run simultaneously on the same data
repository. While the files being classified, or crawled, are not locked during the
classification process, the respective metadata repositories are locked as they are
updated. If two jobs attempt to access the same metadata repository
simultaneously, the first to access the metadata locks the second one out, resulting
in errors and job failures on the second job, with possible index or metadata
repository corruption.
Each subsequent classification service updates the metadata repository based on
modified, moved, or deleted files since the previous classification.
A metadata repository must be built before searches or reports can be run.
Factors Affecting Job Scheduling, Completion, and Speed
Besides the job setup screen options used to define and schedule a job, various other
conditions may affect if, when, and how a job finishes.
Licensing and Job Scheduling
Jobs that require optional modules, for instance classifying NetApp Snapshots (which
requires the SnapSearch optional module), can only be scheduled if the required
license is currently installed and valid on all nodes of the cluster. Jobs fail if the
required license is removed or expires before the job executes.
Additionally, for recurring jobs, a license-dependent job that is in progress when the
key is removed or expires will complete, but its next recurrence will fail.
Repository Status and Availability
If a repository a job needs to access is offline, or goes offline (or otherwise becomes
unavailable due to shutdown or system failure), the job may go into a paused or
waiting mode, or may be aborted.
While most file servers are configured to be continuously available, desktop and
laptop systems registered as repositories can be problematic. Both are often removed
from the network or powered off without warning. The IS1200 reserves special job
processing procedures for these repositories. One of these procedures involves
tracking job “checkpoints” that allow an interrupted job to restart at a point that
ensures no files are missed or skipped.
Generally, a job scheduled on a desktop or laptop is started immediately (if started
from a Submit button), or as scheduled if the required repository is currently available
and online. If a required repository is removed from the network or powered off
during the job run, the IS1200 has procedures that allow it to wait for the repository to
come back on and then efficiently decide whether to finish the job for Run Once jobs,
or start another run for Recurring Jobs. Whether a recurring job is continued or
restarted depends on whether it comes back online during its scheduled interval, and
what percentage of the job was complete before the repository became unavailable.
Additionally, a metadata repository share must support read/write permissions for the
IS1200, and the share and its permissions must not be changed, removed, or
deactivated on its host filer while the metadata repository is being actively used by
the IS1200 or a job. If such changes occur during active use, the metadata repository’s
databases may crash, and metadata may be lost or corrupted, or jobs may hang waiting
for metadata repositories to return to normal.
Similarly, if a metadata repository loses power, active crawls or reports using it, as
well as other operations, may halt or hang until the metadata repository is up and
running normally.
Ensuring Complete Classifications
Classifying data on a data repository depends on the IS1200’s ability to open all the
files on the repository so the data contained can be inspected. Many things determine
whether the IS1200 can open the files.
Most obvious is the data repository’s network status. For most file servers, archive
systems, and other file “libraries”, this is not an issue because they are online and
accessible all the time. However, user laptops and desktops may also contain valuable
and relevant information requiring classification, and they are often disconnected
from the network, or powered off without warning and on irregular schedules. See
“Repository Status and Availability” on page 170 for details on how the IS1200
handles this.
Program open file locking also affects file access. Programs like Microsoft Outlook
often open (PST) files for read/write access and leave them open for as long as the
program runs. PST files store copies of user emails on the user’s local hard disk.
These emails may contain information relevant to legal issues or consumer privacy,
making PST files prime candidates for classification. Normally, files already opened
by one user or program are not accessible by another user or program (for example,
not accessible to the IS1200 for crawls). However, even open files can be classified
with the right preparation. See “Preparing Laptops and Desktops To Access Open
Files” on page 412 for details.
Finally, file passwords, encryption, or exclusive folder and file ownership privileges
can prevent file access for classification. Nothing can be done to prevent users from
locking files (like zip files) with passwords or encrypting files, but files that cannot
be opened are reported in error logs when they are encountered. Exclusive
folder permissions can be overcome using the right identities when registering and
accessing data repositories. See “Identities Purpose and Usage” on page 74 for
details.
Note: Classifications may encounter the following types of PST folders:
1. PST created with no encryption
2. PST created with no encryption and password protected
3. PST created with compressible encryption
4. PST created with compressible encryption and password protected
5. PST created with high encryption
6. PST created with high encryption and password protected
The IS1200 can classify (1) and (3). All other types above report an error.
Computing File Hash Values
Both basic and deep classifications compute a “hash” value for each file they crawl.
The hash value is used to compare one file with another for duplicates. Hashing
can be turned on, or turned off to increase classification speed. A “partial hash” may
also be used instead of a full hash to increase classification speed.
Here is an extremely simplified description of how file hash is computed. Basically,
the numeric values of all bytes in a file are added into a grand total. The chances of
two different files yielding the same result (hash value) are so remotely small, that
hash values can be used to identify duplicate files, or compared between files with the
same name to decide if files have been modified.
The IS1200 allows file hashing to be turned on or off. It also allows limiting the
amount of the file to hash to either the entire file or some beginning number of bytes.
Computing hash on an entire file is called a full-hash, and computing hash on a
portion of the file is called a partial-hash. Computing a partial-hash can save
significant classification time. Because file hash takes time, adding it to a
classification service increases the job time.
Both basic and deep classifications can have full-hash turned on or off, but only deep
classifications allow partial-hash.
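The trade-off between full-hash and partial-hash for duplicate detection, shown as an added example (not IS1200 code). The guide does not name the hash algorithm or the partial-hash length, so SHA-256, the 16-byte prefix, and the sample files are assumptions constructed for illustration; byte_sum implements the guide's simplified "grand total" description literally, for comparison.

```python
import hashlib
from collections import defaultdict

PARTIAL_BYTES = 16  # assumed prefix length; the guide does not state a value


def byte_sum(data: bytes) -> int:
    """The guide's simplified description taken literally: add up all byte values."""
    return sum(data)


def full_hash(data: bytes) -> str:
    """Digest of the entire file (SHA-256 is an assumption, see lead-in)."""
    return hashlib.sha256(data).hexdigest()


def partial_hash(data: bytes, n: int = PARTIAL_BYTES) -> str:
    """Digest of only the first n bytes of the file."""
    return hashlib.sha256(data[:n]).hexdigest()


def duplicate_groups(files, digest):
    """Group file names whose contents map to the same digest value.

    Returns only groups with more than one member, sorted for stable output.
    """
    groups = defaultdict(list)
    for name, data in files.items():
        groups[digest(data)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def confirmed_duplicates(files, n: int = PARTIAL_BYTES):
    """Two-stage check: partial hash picks candidates, full hash confirms them.

    Only files that collide on the cheap partial hash pay for a full hash.
    """
    confirmed = []
    for group in duplicate_groups(files, lambda data: partial_hash(data, n)):
        subset = {name: files[name] for name in group}
        confirmed.extend(duplicate_groups(subset, full_hash))
    return sorted(confirmed)


# Constructed sample files. All share a 21-byte header, longer than the prefix.
HEADER = b"CONTRACT-TEMPLATE-v1\n"
SAMPLE_FILES = {
    "contract_a.txt": HEADER + b"Party: Alice, amount 100\n",
    "contract_a_copy.txt": HEADER + b"Party: Alice, amount 100\n",  # true duplicate
    "contract_b.txt": HEADER + b"Party: Bob, amount 900\n",         # different body
    "swapped.txt": HEADER + b"Party: Alice, amount 010\n",          # same bytes, reordered
}

if __name__ == "__main__":
    print("full hash   :", duplicate_groups(SAMPLE_FILES, full_hash))
    print("partial hash:", duplicate_groups(SAMPLE_FILES, partial_hash))
    print("byte sum    :", duplicate_groups(SAMPLE_FILES, byte_sum))
    print("confirmed   :", confirmed_duplicates(SAMPLE_FILES))
```

With these inputs the partial hash reports all four files as one duplicate group because they share the same leading bytes, so partial-hash matches are best treated as candidates to confirm rather than as proof of identical content.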
Other Types of Classifications and Services
Besides basic and deep classifications, there are several other classification jobs that
are used less frequently.
Metadata Classifications
A Metadata classification allows parsing through an existing metadata repository and
using its contents to add new metadata to the repository based on the metadata that
already exists. For example, a metadata classification could look for all files that
contain both the keywords “personnel” and “salary” and add a new metadata tag to
those files with that dual condition.
The first classification service must be either basic or deep to build your initial
metadata repository. After the initial metadata repository is built, you can run
metadata classifications to update metadata tags and policy group assignments. For
more information on types of classification services, see “Classifying Files Using
Classification Rules” on page 120.
Synchronizing Metadata Repositories
When the Kazeon Information Server classifies a file system and extracts metadata, it
maps each file to the metadata that is extracted from that file. This mapping becomes
invalid if files are deleted from your file system. Invalid metadata yields incorrect
results when used to perform a search or to create reports.
When you delete a file without using the Kazeon Information Server’s actionable
services, the system is unaware of the file deletion. Therefore, the metadata is not
removed from the metadata repository even though it is invalid. For information on
actionable services, see the Kazeon IS1200 Web-Search User Guide and the Kazeon
IS1200 Web-Reports User Guide.
Synchronizing the metadata repository with your file systems allows the Kazeon
Information Server to validate metadata mappings. Metadata of a deleted file is
marked as “orphaned” but is not deleted so that you can run reports to audit deleted
files. You can synchronize the metadata repository with a specific file system or all
your file systems.
When you use actionable services to delete a file, the associated metadata is also
deleted. Therefore, the metadata repository does not need to be synchronized with the
data file system.
Single-Step Collections
A Single-Step Collection allows combining a deep crawl, a search, and an
Actionable Services copy. User-selectable filters provide an easy way to specify which
files are relevant to the copy action. Creating an index for the copied files is optional,
and the index can be located at the source or destination.
A single-step collection is most useful in eDiscovery situations where repositories
must be searched for files pertinent to a legal matter, and relevant files either moved or
copied to a holding area for further legal inspection.
Job Editing
The Kazeon Information Server allows job editing from both the CLI and Web-Admin.
Jobs are edited from Web-Admin using the Job Editing icon of the Job Scheduling
page tool-bar. See “Editing a Job From Web-Admin” on page 177 for more detail.
For the most part, only attributes of future jobs—run once jobs that have not yet run,
or cron jobs—can be edited. The exception is the job description attribute which can
be edited for any job at any time. In-progress run-now jobs are not editable.
The following table lists all editable job attributes and required editing conditions.
Table 12. Job Editing Attributes, Conditions, and States

| Job attribute | Conditions | State Editable |
|---|---|---|
| description | Editable for any job any time. | Any state |
| notification email address | Editable for any job any time. | Any state |
| extraction rule set | Only editable for deep classification jobs. Changes made to rule sets while the job is running lead to unpredictable results. | Idle or suspended |
| assignment rule set | Only editable for deep classification jobs. Changes made to rule sets while the job is running lead to unpredictable results. | Idle or suspended |
| duration | Editable for any job any time. New duration takes effect the next time the job is launched or resumed. Running jobs continue to use the duration they were launched under. | Any state |
| schedule | Editable only for a cron job. | |
| | For recurring jobs, the schedule is changed immediately for all future launches, scheduling changes do not affect the state of running jobs, and running jobs continue to run. Recurring jobs cannot be changed to run-once. | Any state |
| | For run-once jobs, the schedule can only be changed before the job launches. A run-once job can be changed to a recurring job. | Idle |

Note: When changing the schedule from the CLI, the complete schedule must be
respecified. Errors in any part invalidate all changes to the schedule.
The job manager updates the cron table immediately when a job is changed. Job
editing does not support any editing that would change a job state.
The Job Manager page
Opening the Page
From the Web-Admin navigation pane under Jobs, click Dashboard. The Job Manager pane opens.
The Jobs Manager Pane Interface
The Jobs dashboard pane displays the standard tool-bar and the Job List tab. Other
tabs appear as needed, for example the Basic Crawl and Deep Crawl tabs appear when
scheduling crawls.
The Job List Tab
Just below the Job List tab are Refresh and Filter sections.
The Refresh section contains a drop-down menu with the following three options that
control the refresh rate of the job listing.
- Off. The job listing is not refreshed automatically and can only be refreshed manually using the Refresh icon in the tool-bar.
- 30 Sec. The job listing is automatically refreshed every 30 seconds.
- 1 Min. The job listing is automatically refreshed every minute.
The Filter section contains two menus, Job Type and Status. These menus control
what jobs are displayed in the Job List tab.
Job Type: a drop-down menu, choose any of the following:
- All: display all jobs regardless of type
- Basic: display only basic crawl jobs
- Classification: display only Metadata Classification jobs
- Deep: display only deep crawl jobs
- Discovery: display only file system discovery jobs
- Report: display only reports
- Sync: display only Metadata Synchronization jobs
Status: a drop-down menu, choose one of the following:
- All: display all jobs of the Job Type selected regardless of status
- Running: display only running jobs of the Job Type selected
- Complete: display only completed jobs of the Job Type selected
- Idle: display only idle jobs of the Job Type selected
- Suspended: display only suspended jobs of the Job Type selected
- Aborted: display only aborted jobs of the Job Type selected
The Job List tab displays all jobs specified by the filters for selected job type and
status. Each job listed is preceded by a plus or minus sign. Click the plus sign to
display the job’s details, click a minus sign to close the job details. When a
category is expanded it displays the jobs currently in that category.
Each listing contains the following columns:
- ID: The service’s job ID number. As jobs are created they are assigned sequential job ID numbers.
- Status: Displays the job status using icons with the following meanings:
  - Completed
  - Completed with Failures
  - Scheduled
  - Recurring
  - Suspended
  - Live-loading (rotating animation)
  - Crashed
  - Aborted
- Service: The type of service, basic, deep, etc.
- Repositories: The registered file system(s) that the job was applied to.
- Start Time: The time the job last started (this changes for cron jobs).
- Duration: The time the job took to complete.
- Objects: The number of objects (files, emails, attachments, etc.) processed. This number may be presented in the format N (sub), where N is the number of objects processed (including container objects like zip files which contain sub-files) and (sub) is the number of sub-files processed inside container files.
Note:
Object/sub-object counts may not always agree on seemingly-identical data sets
from job to job because of the way objects and sub-objects are counted in the jobs.
For example, a collection job may process 5 objects, 1 of which is a zip file
containing 4 sub-objects, and collect only 3 of the objects and 2 of the sub-objects
in the zip, subsequently reporting 3 (2) objects collected. If the collection target is
later classified it reports 5 objects processed because the two sub-objects collected
were copied to the target as objects. The CLI reports object counts the same way.
Note:
Symbolic link files, offline or archived files (when the skip offline files parameter
is set), and files or directories that match Advanced Options: Exclude Filters are
all skipped by crawl jobs, and the number of objects skipped is not reflected in
job statistics for Objects or Failures.
- Failures: The number of objects, sub-objects, and folders that could not be processed. Only non-zero totals are reported. Click a total to view the failures.
- Size in MB: The total number of megabytes processed for the job.
The Tool-bar
The Job Manager page tool-bar contains the following tools:
New. A drop-down menu that allows creating all possible job types.
Edit. Opens the selected job for editing.
See “Editing a Job From Web-Admin” on page 177 for usage
Delete. Deletes the selected job.
See “Deleting a Job” on page 177 for usage
Start. Starts the selected job.
See “Starting, Stopping, Suspending, or Resuming a Job” on page 180 for usage
Stop. Stops the selected job if running.
See “Stop a Job” on page 180 for usage
Suspend. Suspends the selected job if running.
See “Suspend a Job” on page 180 for usage
Resume. Resumes the selected job if idle or suspended.
See “Resume a Job” on page 180 for usage
Detail. Displays a new tab showing job details.
See “Job Details” on page 180 for usage
Refresh. Refreshes the current page to reflect changes that might have occurred
elsewhere, for instance in the CLI.
See “Refresh Job Listings” on page 180 for usage
The Job Listing
The Job List tab contains a listing of all current jobs, including completed jobs, jobs in
progress, and future or cron jobs that will run, or run again, in the future. The
following shows a listing of four jobs.
The column headers are self-explanatory. However, the data in the Objects, Failures,
and Size columns can have two values, a simple number, and sometimes a second
number in parentheses. The first number indicates the number of objects processed.
The number in parentheses indicates sub-objects (if found). Sub-objects are objects
inside container files like .zip, .tar, or .pst files. During a crawl, if a .zip file containing
78 files is processed, the objects count will increase by one, while the sub-objects
count will increase by 78.
Managing Jobs
Use the following procedures to manage previously defined jobs.
Deleting a Job
1. From the Job List tab, select a job in the job listings.
2. On the top menu bar, click Delete.
The system terminates the currently running instance of the classification service
job and deletes the job from the classification service schedule. No further
instances of this job will execute.
Editing a Job From Web-Admin
All jobs scheduled to run in the future (run-once jobs that have not yet run, or cron
jobs) can be edited. Additionally, all completed jobs may be edited to become run-once
or cron jobs in the future. The job description attribute can be edited for any job
at any time. In-progress run-now jobs are not editable.
To edit a job, do the following:
1. Select any job listing from the Job List tab.
2. Click the Edit icon on the Job Manager page tool-bar. The Edit Job Schedule tab
appears displaying the attributes of the selected job.
3. Change any job attribute as desired.
4. Click Submit to run the job again immediately, or Schedule Options to schedule
the job in the future.
Editing a Job From The Command Line Interface
For the most part, only attributes of jobs that are scheduled to run in the future—run
once jobs that have not yet run, or cron jobs—can be edited, with the exception of job
description, which can be edited for any job at any time.
1. Log in to the CLI as admin.
2. Enter the following command and any optional arguments:
edit service <job-id> [notify <email_addresses_to_notify> | description
<job_description> | schedule <schedule_specs> | duration <duration> |
extraction-ruleset <ruleset> | assignment-ruleset <ruleset>]
Where:
<job-id> is a currently existing job id number
<email_addresses_to_notify> is a comma-separated list of email addresses
<job_description> is a quoted string
<schedule_specs> includes a full set of schedule settings. If only some
settings are specified, the missing settings are filled in with default values, not
the current values
<duration> is defined the same way as used in the add service command
<ruleset> is a currently-existing rule set
For example:
Viewing or Reprocessing Job Failures from Web-Admin
1. On the Job List tab, find a job with non-zero totals in the Failures column.
2. Click the failures number link in the Failures column,
the Failure Summary tab opens:
A new tool-bar appears under the Failure Summary tab.
3. From the new toolbar, click either Select All, or click the checkboxes of the
individual failures you want to select for reprocessing or export.
4. From the tool-bar, click Re-Process or Export Data to export or reprocess the
selected failures.
From the Job List tab, you may also select any job and click the tool-bar Detail button
to open the Job Details tab which displays the details for the selected job:
Viewing Job Failures From The CLI
1. Log in to the CLI as admin.
2. Enter a show services command: sh services
The server response includes column headings for (file) ErrorsEncountered
and DirectoriesFailed. The corresponding number of file or directory errors
is listed below the column heading.
sh services job-id <#> also displays the same failures for a single job.
Starting, Stopping, Suspending, or Resuming a Job
From the Dashboard under Jobs in the left-navigation pane you can select any idle,
stopped, or suspended job and do the following:
Start Job
1. Select any job that is idle, stopped, or suspended.
2. Click Start in the tool-bar to start the job.
Stop a Job
1. Select a currently running job.
2. From the toolbar, click Stop.
The system terminates the currently running instance of the job, but does not
modify the classification service schedule. Therefore, the system carries out future
classification services per the existing schedule.
Suspend a Job
1. Select a currently running job.
2. From the toolbar, click Suspend.
The system pauses the currently running instance of the classification service job
at the end of the current checkpoint.
Resume a Job
1. Select a currently suspended job.
2. From the toolbar, click Resume.
The system resumes the suspended instance of the classification service job at the
checkpoint it was suspended from.
Refresh Job Listings
1. From the Job Manager pane Job List tab, click Refresh.
The page is redrawn with updated information.
Job Details
To see the details of any job, do the following:
1. From the Job List tab, either double-click a job listing, or select a job listing by
clicking it, and then click Details in the tool-bar, the Job Details tab opens.
2. Further information is available by clicking any of the column links, for example
click links in the Failures to open the Failures Summary tab below, or click a link
in the Stats columns to open the Run Statistics windows.
Scheduling Jobs
Job Scheduling Overview
There are two basic timing options for scheduling a classification service or job:
- Run now or Run once: Run the service just one time, either immediately or at some specified time in the future.
- Run recurring: Run the service on a recurring basis, this can be set to a variety of options including daily, weekly, and monthly and can be set to run for specified durations each time.
When a classification service is scheduled to run now or run once, the service runs
continuously until classification is complete. The system classifies all files regardless
of whether they are new, modified, or unchanged. If you have millions of files,
classification can take days or weeks to complete because the service runs
continuously until completion.
When a classification service is scheduled to run on a recurring basis, it can run daily,
weekly, or monthly at a specific time and for a specific duration. This allows
classification to complete in incremental steps. For example, a classification job can
be scheduled to run for four hours every night. The system classifies a portion of the
files every night until all the files have been classified. After that, when the next
classification service recurs, the system only classifies files that are new or have been
accessed or modified. It does not classify files that are untouched since the last
classification service.
Now or recurring jobs can be suspended and resumed as needed.
If you kill or abort a recurring classification job, or if the job crashes, you can resume
it from the point where classification halted, or it will automatically resume at its last
valid checkpoint when it is next scheduled to recur.
Note:
Specify the rule-set explicitly when running a deep classification or metadata
classification. If the current rule-set is changed during a pause in a recurring
classification job, the system uses the new current rule-set at the next
classification resume. As a result, classification may yield unexpected results.
The Kazeon Information Server generates a job ID for every classification service—or
job—and displays details such as the job type, job status, number of processed files
and the number of failures on the Job Manager page. Recurring jobs also have a run
ID, which is incremented for each subsequent run of the job.
Submitting or Scheduling Jobs
Regardless of what kind of job is being scheduled (classification,
synchronization, Single-Step Collection, etc.), job setup screens provide two options
for running a job.
- A Submit button that can be clicked to add the job to the job queue for immediate processing, which continues until the job completes, or the job is manually paused or stopped.
- A Scheduling Options section (like the following) at the end of the setup screens that allows the job to be scheduled for a future date or on a recurring schedule.
Using job Scheduling Options:
The first scheduling option, the Schedule drop-down menu, controls how other
scheduling options are displayed.
Choose one of the following scheduling options:
- Run now: Runs the job once, immediately, until completion.
- Run once: Runs the job once, at a future date and time, until completion.
- Recurring: Schedules the job to run on a recurring schedule for a specified time interval each time. Work not finished in one interval is continued at the next scheduled interval.
- Run forever: Only available for deep crawls. Schedules the job to run forever, immediately restarting after each successful completion.
Each choice presents different controls and is explained below.
Run Now Jobs
Runs the job immediately.
Duration (mins): By default, the duration is unlimited. Enter a number (of minutes)
in the duration field to limit the job time.
Send Email: Enter a list of space separated email addresses to notify when the job is
complete.
Note:
Email alerts for jobs that do NOT complete, or complete with errors, or
maintenance jobs (like database vacuuming) can be scheduled as well.
See “Setting Email Alerts for Scheduled Jobs and Database Maintenance” on
page 322 for details.
Run Once Jobs
Schedules a one-time job in the future.
Specify the duration, date, and time in the fields below.
Duration (mins): By default, the duration is unlimited. Enter a number (of minutes)
in the duration field to limit the job time.
Send Email: Enter a list of space separated email addresses to notify when the job is
complete.
Date/Time: Enter the date and time to begin the crawl.
- Click the calendar icon to the right of the first field to open a calendar from which you can pick the start date.
- From the middle drop-down menu, choose an hour (military time) to start.
- From the left drop-down menu, choose the minute of the hour (above) to start.
Recurring Jobs
Schedule a recurring service that runs for specified intervals.
Duration (mins): By default, the duration is unlimited. Enter a number (of minutes)
in the duration field to limit the job time.
Send Email: Enter a list of space separated email addresses to notify when the job is
complete.
Schedule Frequency: Pick a recurring schedule from the drop-down menu. Time and
date options change with each choice as shown below.
Hourly runs the crawl hourly.
If hourly is chosen, there are no other options.
Daily runs the crawl daily.
After choosing daily, the two At-Hour (HH:MM) drop-down menus appear. Use the
menus to specify a time of day to run the service: use the left-hand menu to specify
hours, and the right-hand menu for minutes.
Monthly runs the crawl monthly.
After choosing monthly, the Day of the Month and two At-Hour (HH:MM) drop-down
menus appear. Use the Day of the Month drop-down menu to specify the day of the
month to run the job. Use the two At-Hour (HH:MM) drop-down menus to specify a
time of day to run the service: use the left-hand menu to specify hours, and the
right-hand menu for minutes.
Weekly runs the crawl weekly.
After choosing weekly, the Days checkboxes and two At-Hour (HH:MM) drop-down
menus appear. Use the Days checkboxes to specify which days of the week to run the
job. Use the two At-Hour (HH:MM) drop-down menus to specify a time of day to run
the service: use the left-hand menu to specify hours, and the right-hand menu for minutes.
Run Forever Jobs
Only available for deep crawls. Schedule a recurring service that runs forever,
immediately restarting after each successful completion.
Job Scheduling Procedures
Refer to the following procedures to schedule, edit, or manage jobs.
Scheduling Classification Services
1. From the left-navigation menu, click Dashboard under Jobs. The Job-List tab appears.
2. On the tool-bar, click New and select an option from the drop-down menu.
- Basic Crawl. See “Scheduling a Basic Crawl” on page 187 for more information.
- Deep Crawl. See “Scheduling a Deep Crawl” on page 192 for more information.
- Metadata Classification. See “Scheduling a Metadata Classification” on page 199 for more information.
- Metadata Synchronization. See “Scheduling a Metadata Synchronization” on page 201 for more information.
- (Single-Step) Collection. See “Scheduling a Single-Step® Collection” on page 203 for more information.
- In-Place Processing. See “Scheduling In-place Processing” on page 213 for more information.
Scheduling a Basic Crawl
1. From the left-hand navigation pane under Jobs, click Dashboard. The Job Manager pane opens.
2. From the Job List tab tool-bar, click New and select Basic Crawl from the drop-down. The Basic Crawl tab opens.
Enter values for the following fields:
- Description. Optional, enter a brief description for this classification service.
- Add Source button: If the repositories you want do not appear in the Repositories scroll-box (make sure you have the right repository type selected in the Show drop-down menu), then click the Add Source button to open a new Add Repository tab where you can add the required new repository. See “Registering Data Repositories” on page 95 for details on using this tab.
- Show (drop-down menu): Select the type of repository to display in the Repositories box below. The Repositories box (and other options displayed (filters etc.)) will change depending on the type selected. The following options are available:
  - All Repository types, lists all registered repositories.
  - NFS/CIFS to list only registered NFS or CIFS repositories
  - Laptop/Desktop to list only registered laptops and desktops (laptops and desktops that are offline when a crawl begins can be automatically skipped if necessary, see “Automatically Bypassing Offline Repositories During Crawls” on page 323 for details, additionally, if laptop or desktop crawls return errors such as “NOT ENOUGH STORAGE” or “NT_STATUS_INSUFF_SERVER_RESOURCES” see “Question: Why can’t I crawl Windows XP Service Pack 3 laptops or desktops ?” on page 310)
  - Other options such as Enterprise Vault, Exchange, SharePoint, Documentum, and Domino etc, require an appropriate optional module license to be installed, AND a repository of that type to be currently registered.
Note:
For further details on classifying repositories that require an optional module
license, such as Enterprise Vaults or Microsoft Exchange Servers, see the
appropriate Kazeon User Guide for that module.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, if the AD identity associated with a registered CIFS repository is not a
member of the “backup operators” and “domain administrators” groups for that
repository, some files may not be crawled.
Repositories. From the list of registered repositories in the left-hand box,
select each repository to classify and click the right arrow (
) to add it to
the classification repository list in the right-hand box. (Select a repository in
) to remove a repository.)
the right-hand list and click the left-arrow (
Once a repository is available in the right-hand box, the listing can be doubleicon clicked, to edit that line manually.
clicked, or selected and the
Each repository is preceded by a plus sign. Clicking the plus displays that
repositories’ directory structure. Select any folder displayed in the expanded
directory, and add it to the job list, to limit the classification to just that folder.
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
- Assignment Rule Set. From the drop-down list, select an assignment rule-set to use during classification. This may not be an empty rule set. If this is the first crawl on a repository, see “Directory Level Metadata” in the Kazeon IS1200 Web-Reports User Guide to determine if the DirectoryReporting rule-set should be used.
- Choose Profile. Choose one of the following profiles from the drop-down menu to pre-populate the Include/Exclude filters section with entries designed to focus the crawl on certain kinds of files:
  - Windows: The filters are auto-populated with entries that include documents and exclude Windows system files, as shown below.
  - None: No pre-populating is done, the filters are blank but can still be used any way needed.
3. Click Advanced Options to reveal more options if it is not already open.
If the options presented in the Advanced Options section are ignored, then ALL
files (on the repositories selected above) are selected for classification.
Advanced Options allows limiting the files classified to only those that match the
criteria specified in the following sections.
As appropriate, enter the following Advanced Options:
- File Content Hash. Select to compute a full hash value for each file. Generally, basic crawls do a full-hash. However, they may do partial hash if that is set from the CLI. Hash values are used to identify file duplicates. See “Computing File Hash Values” on page 171 for more information.
File Include/Exclude Filters:
Enter file(name) or directory(name) matching criteria to select objects to classify.
Note:
Criteria entered in this section are applied to file pathnames, not content.
Note:
Asterisk wildcards (automatically applied in versions prior to 4.1.2) must be
explicitly added if desired in Include/Exclude fields, otherwise only the exact
string entered is filtered for.
- Include Files matching: Enter exact file names (case sensitive) to include, wildcards are allowed. For example, to include all MS Word files, enter: *.doc
- Include Directories matching: Enter exact folder names (case sensitive) to include, wildcards are allowed. To include multiple directories (folders) use: folder1,folder2,folder3 (Note: comma separated, no spaces). To include directories (folders) inside another directory (for example, to include folderB inside folder1 and folderC inside folder2) enter: folder1/folderB,folder2/folderC
- Exclude Files matching: Enter exact file names (case sensitive) to exclude, wildcards are allowed. For example, to exclude all Microsoft Word files, enter: *.doc
- Exclude Directories matching: Enter exact folder names (case sensitive) to exclude, wildcards are allowed. To exclude multiple directories (folders) use: folder1,folder2,folder3 (Note: comma separated, no spaces). To exclude directories (folders) inside another directory (for example, to exclude folderB inside folder1 and folderC inside folder2) enter: folder1/folderB,folder2/folderC
WARNING!
For all services on the IS1200 (classifications, searches, reports, etc), no filepath
can be used that exceeds 4050 characters in filepath length or is more than 200
sub-directories deep.
Note:
By default, classifications process all files in their specified repositories. This
default can be changed to automatically exclude files by type or category, see
“Skipping File Classification by Type or Category” on page 317 for details.
Time Filters
Time Filters allow limiting the classification to files whose time attributes
changed within a certain number of days.
In any of the Time Filter file-time-attribute fields, enter a number of days. This
limits the classification to files whose time attributes changed within that number
of days.
- Accessed: is the file access time attribute
- Modified: is the file modified time attribute
- Changed: is the file changed time attribute
Size Filters
Size Filters allow skipping crawled files based on file size.
- Size: Choose a logical operator (greater than, less than) from the menu
- Enter a file size number in the middle field
- Choose KB (kilobytes) or MB (megabytes) or GB (gigabytes) from the right drop-down menu.
For example, enter Less Than, 200, MB to crawl only files less than 200
megabytes in size.
Crawl Options
All classifications default to differential unless specifically forced otherwise. See
“Differential Crawls” on page 168 for more information about differential
classifications.
- Force full crawl on the first crawl. Check this box to force the first run of this job to be a full (non-differential) classification.
- Remove Deleted Documents from Kazeon Index. Check this box to have the IS1200 check all prior metadata for this repository and remove metadata for files that have been deleted from the repository since the last classification was run. This was previously called a Sync Service.
4. If you want this classification to run on a schedule, either once in the future, or on
a recurring basis, expand the Schedule Options header to specify your choices.
See “Using job Scheduling Options:” on page 183 for details on setting schedule
options.
5. Click Submit to run the job immediately, or click Cancel to exit the Basic Crawl
tab without scheduling the job, or click Schedule Options to display other
scheduling options.
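The File Include/Exclude Filters rules from step 3 above (which also apply to deep crawls) can leave files silently unclassified, so it helps to dry-run a filter set against a path listing before scheduling the job. The following Python sketch is an added example, not Kazeon code. It assumes shell-style `*` matching, that exclude filters win over include filters, and that an entry such as folder1/folderB matches consecutive path components; the guide does not specify these semantics, and the sample paths are constructed.

```python
from fnmatch import fnmatchcase  # case-sensitive wildcard matching

MAX_PATH_CHARS = 4050   # path length limit stated in the guide
MAX_SUBDIR_DEPTH = 200  # sub-directory depth limit stated in the guide


def parse_field(field):
    """Split one Include/Exclude field: comma separated, no spaces."""
    if field == "":
        return []
    patterns = field.split(",")
    for pattern in patterns:
        if pattern == "" or pattern != pattern.strip():
            raise ValueError(f"bad entry {pattern!r}: use commas with no spaces")
    return patterns


def dir_matches(dir_parts, pattern):
    """True if the pattern's components match consecutive directory names."""
    want = pattern.split("/")
    for start in range(len(dir_parts) - len(want) + 1):
        window = dir_parts[start:start + len(want)]
        if all(fnmatchcase(have, pat) for have, pat in zip(window, want)):
            return True
    return False


def crawl_decision(path, include_files="", exclude_files="",
                   include_dirs="", exclude_dirs=""):
    """Predict what happens to one path (assumed semantics, see lead-in)."""
    parts = [p for p in path.split("/") if p]
    if not parts:
        raise ValueError("empty path")
    name, dir_parts = parts[-1], parts[:-1]
    if len(path) > MAX_PATH_CHARS:
        return "unusable: path too long"
    if len(dir_parts) > MAX_SUBDIR_DEPTH:
        return "unusable: path too deep"
    if any(fnmatchcase(name, p) for p in parse_field(exclude_files)):
        return "excluded by file filter"
    if any(dir_matches(dir_parts, p) for p in parse_field(exclude_dirs)):
        return "excluded by directory filter"
    wanted_files = parse_field(include_files)
    if wanted_files and not any(fnmatchcase(name, p) for p in wanted_files):
        return "not included by file filter"
    wanted_dirs = parse_field(include_dirs)
    if wanted_dirs and not any(dir_matches(dir_parts, p) for p in wanted_dirs):
        return "not included by directory filter"
    return "crawled"


def coverage_report(paths, **filters):
    """Group paths by predicted outcome so gaps are visible at a glance."""
    report = {}
    for path in paths:
        report.setdefault(crawl_decision(path, **filters), []).append(path)
    return report


# Constructed sample listing (not taken from any real repository).
SAMPLE_PATHS = [
    "/share/finance/q3/budget.doc",
    "/share/finance/q3/BUDGET.DOC",          # differs only in case
    "/share/finance/tmp/scratch.doc",
    "/share/hr/offer.pdf",
    "/share/" + "d/" * 201 + "deep.doc",     # deeper than 200 sub-directories
]

if __name__ == "__main__":
    result = coverage_report(SAMPLE_PATHS, include_files="*.doc",
                             exclude_dirs="finance/tmp")
    for outcome, paths in result.items():
        print(f"{outcome}: {len(paths)}")
```

Anything the report lists outside "crawled" never reaches classification, so an upper-case extension or a filter typed without its asterisk is a coverage gap to resolve before relying on the crawl for eDiscovery or security findings.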
Scheduling a Deep Crawl
1. From the left-hand navigation pane under Jobs, click Dashboard. The Job Manager pane opens.
2. From the Job List tab tool-bar, click New and select Deep Crawl from the menu. The Deep Crawl tab opens.
Alternatively, from the Web-Admin navigation pane under Jobs, click Deep
Crawl, Windows Profile, or Security Profile. A tab similar to above opens. If
one of the profiles was chosen, some fields may be pre-populated.
3. Enter values for the following fields:
- Description. Optional, enter brief description of the classification service.
- Add Source button: If the repositories you want do not appear in the Repositories scroll-box (make sure you have the right repository type selected in the Show drop-down menu), then click the Add Source button to open a new Add Repository tab where you can add the required new repository. See “Registering Data Repositories” on page 95 for details on using this tab.
- Show (drop-down menu): Select the type of repository to display in the Repositories box below. The Repositories box (and other options displayed (filters etc.)) will change depending on the type selected. The following options are available:
  - All Repository types, lists all registered repositories.
  - NFS/CIFS to list only registered NFS or CIFS repositories
  - Laptop/Desktop to list only registered laptops and desktops (laptops and desktops that are offline when a crawl begins can be automatically skipped if necessary, see “Automatically Bypassing Offline Repositories During Crawls” on page 323 for details, additionally, if laptop or desktop crawls return errors such as “NOT ENOUGH STORAGE” or “NT_STATUS_INSUFF_SERVER_RESOURCES” see “Question: Why can’t I crawl Windows XP Service Pack 3 laptops or desktops ?” on page 310)
  - Other options such as Enterprise Vault, Exchange, SharePoint, Documentum, and Domino etc, require an appropriate optional module license to be installed, AND a repository of that type to be currently registered.
Note:
For further details on classifying repositories that require an optional module
license, such as Enterprise Vaults or Microsoft Exchange Servers, see the
appropriate Kazeon User Guide for that module.
WARNING!
Because CIFS users can change directory and file permissions on their user
directories, the AD identity associated with a registered CIFS repository must be a
member of the “backup operators” and “domain administrators” groups for the
repository, otherwise files “hidden” when users put exclusive privileges on their
directories will not be crawled or classified.
- Repositories. The list of registered Repositories changes depending on the Repository Type selected above. When the correct list of repositories appears in the left-hand scroll-box, select each repository to classify and click the right arrow to add it to the classification job list in the right-hand scroll-box. (Select a repository in the right-hand list and click the left arrow to remove a repository.) Once a repository is available in the right-hand box, the listing may be double-clicked, or selected and the icon clicked, to edit that line manually.
Each repository listing is preceded by a plus sign. Clicking the plus displays
that repository’s directory structure. Select any folder displayed in the
expanded directory, and add it to the job list, to limit the classification to just
that folder. For example, if crawling laptops or desktops in eDiscovery
situations, expand the laptop’s directory until the “Documents and Settings”
folder is displayed. Then add that folder to the classification list so the crawl
does not waste time on the thousands of standard PC system files.
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
• Choose Profile. Choose one of the following from the drop-down menu to
pre-populate the Include/Exclude filters section with entries designed to focus
on certain kinds of files:
- Windows: The filters are auto-populated with entries that include
documents and exclude Windows system files, as shown below.
- Security: Displays the following new filters for Keywords and Patterns.
These can be used to specify RegEx expressions that look for security
issues like social security or credit card numbers. These expressions
generate simple Quick Rules that can also be edited or augmented via the
Quick Rule builder screen of the Job Wizard.
- None: No pre-populating is done; the filters are blank but can still be used
any way needed.
4. Click Advanced Options to reveal more options.
If the options presented in the Advanced Options section are ignored, then ALL
files (on the repositories selected above) are selected for classification.
Advanced Options allows limiting the files classified to only those that match the
criteria specified in the following sections.
Enter the following options as necessary:
File Include/Exclude Filters:
Enter file(name) or directory(name) matching criteria to select objects to collect.
Note:
Criteria entered in this section are applied to file pathnames, not content.
Note:
Asterisk wildcards (automatically applied in versions prior to 4.1.2) must be
explicitly added if desired in Include/Exclude fields; otherwise only the exact
string entered is filtered for.
• Include Files matching: Enter exact file names (case sensitive) to include;
wildcards are allowed. For example, to include all MS Word files, enter: *.doc.
• Include Directories matching: Enter exact folder names (case sensitive) to
include; wildcards are allowed. To include multiple directories (folders) use:
folder1,folder2,folder3 (Note: comma separated, no spaces). To
include directories (folders) inside another directory (for example, to include
folderB inside folder1 and folderC inside folder2) enter:
folder1/folderB,folder2/folderC
• Exclude Files matching: Enter exact file names (case sensitive) to exclude;
wildcards are allowed. For example, to exclude all Microsoft Word files,
enter: *.doc.
• Exclude Directories matching: Enter exact folder names (case sensitive) to
exclude; wildcards are allowed. To exclude multiple directories (folders) use:
folder1,folder2,folder3 (Note: comma separated, no spaces). To
exclude directories (folders) inside another directory (for example, to exclude
folderB inside folder1 and folderC inside folder2) enter:
folder1/folderB,folder2/folderC
WARNING!
For all services on the IS1200 (classifications, searches, reports, etc.), no filepath
can be used that exceeds 4050 characters in filepath length or is more than 200
sub-directories deep.
Note:
By default, classifications process all files in their specified repositories. This
default can be changed to automatically exclude files by type or category; see
“Skipping File Classification by Type or Category” on page 317 for details.
Time Filters
Time Filters allow limiting the classification to files whose time attributes
changed within a certain number of days.
In any of the Time Filter file-time-attribute fields, enter a number of days. This limits
the classification to files whose time attributes changed within that number of days.
• Accessed: is the file access time attribute
• Modified: is the file modified time attribute
• Changed: is the file changed time attribute
Size Filters
Size Filters allow skipping crawled files based on file size.
• Size: Choose a logical operator (greater than, less than) from the menu.
• Enter a file size number in the middle field.
• Choose KB (kilobytes), MB (megabytes), or GB (gigabytes) from the right
drop-down menu.
For example, enter Less Than, 200, MB to crawl only files less than 200
megabytes in size.
Crawl Options
All classifications default to differential unless forced otherwise. See “Differential
Crawls” on page 168 for more information about differential classifications.
• Force full crawl on the first crawl. Check this box to force the first run of
this job to be a full (non-differential) classification.
• Remove Deleted Documents from Kazeon Index. Check this box to have
the IS1200 check all prior metadata for this repository and remove metadata
for files that have been deleted from the repository since the last classification
was run. This was previously called a Sync Service.
Hash Parameters
Choose one of the following two hash options:
WARNING!
Hash settings (full/partial) must remain consistent between crawls; otherwise,
unexpected results can occur with other processes (for instance identifying file
duplicates) that use the computed hash-values. If a file system is initially crawled
with one hash setting and subsequent crawls require a hash setting change, all
metadata for that file system should be removed before doing the subsequent
crawls to ensure all files are re-hashed with the new hash setting.
• Full Hash: Computes the file hash, for each file, on the entire file. See
“Computing File Hash Values” on page 171 for more details.
• Partial Hash: Computes the file hash on the first N bytes of a file. N is set by
entering a number in the field between “first” and “KB”.
• To set file hash sizes by file type, click the Advanced button; the following
fields appear.
Click Advanced each time you need to add a new extension.
Enter a file extension (for example .pst, .zip, .doc) in the File Extension field
and a file size (N, in kilobytes) in the File Size field. This limits hash
computations for the file extension entered to the first N bytes of that file.
To remove a file extension-file size pair, click the red X by File Size.
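The following is an added illustration of the hash-consistency WARNING above; it is not Kazeon code. It assumes SHA-256 (the guide does not name the IS1200 hash algorithm) and models a differential crawl as hashing only files that are not yet indexed. All file names and contents are constructed.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional


def file_hash(data: bytes, partial_kb: Optional[int] = None) -> str:
    """Full hash when partial_kb is None, else hash of the first partial_kb KB.

    SHA-256 is an assumption made for this example.
    """
    if partial_kb is not None:
        data = data[: partial_kb * 1024]
    return hashlib.sha256(data).hexdigest()


def crawl(files: Dict[str, bytes], partial_kb: Optional[int] = None,
          index: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Model of a differential crawl: only files not yet indexed are hashed,
    so values recorded by an earlier crawl keep that crawl's hash setting."""
    index = dict(index or {})
    for path, data in files.items():
        if path not in index:
            index[path] = file_hash(data, partial_kb)
    return index


def duplicate_groups(index: Dict[str, str]) -> List[List[str]]:
    """Paths sharing a recorded hash value: what a duplicate report would see."""
    groups = defaultdict(list)
    for path, digest in index.items():
        groups[digest].append(path)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample data: three files that share a 2 KB header.
HEADER = b"H" * 2048
DAY1 = {"/share/a/report.doc": HEADER + b"body-1"}
DAY2 = {
    **DAY1,
    "/share/b/report-copy.doc": HEADER + b"body-1",  # true duplicate of a/report.doc
    "/share/b/report-v2.doc": HEADER + b"body-2",    # different content
}


def mixed_settings() -> List[List[str]]:
    """First crawl with Full Hash, second crawl switched to Partial Hash (1 KB)."""
    return duplicate_groups(crawl(DAY2, partial_kb=1, index=crawl(DAY1)))


def consistent_full() -> List[List[str]]:
    """Metadata removed and everything re-crawled with Full Hash."""
    return duplicate_groups(crawl(DAY2))


def consistent_partial() -> List[List[str]]:
    """Everything crawled with Partial Hash (1 KB): files differing only after
    the first KB become indistinguishable."""
    return duplicate_groups(crawl(DAY2, partial_kb=1))


if __name__ == "__main__":
    print("mixed settings    :", mixed_settings())
    print("consistent full   :", consistent_full())
    print("consistent partial:", consistent_partial())
```

With mixed settings the real duplicate pair is missed and a false pair is reported, which is why the metadata must be removed before crawling with a different hash setting.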
5. Click Submit to run the job immediately as is, or
click Next to continue and specify (or create new) Quick Rules, and Assignment
and Extraction rule and rule sets.
6. If Next is clicked, the following Content Policy Selection screen appears.
Select either the Quick Rule Builder or Extraction/Assignment Rules Sets radio
button (only one can be selected), and fill out the section selected as follows:
• Quick Rule Builder.
1. Optional, change the Quick Rule Name to your own descriptive title.
2. Click Add; the following dialog opens.
Do the following to build your Quick Rule(s):
- Summary: Optional, enter a brief description of what the rule does.
- Step 1: Rule Conditions. Check one (or more) condition check boxes.
When checked, the rule appears in the Rule Description area. Click
each rule’s underlined blue field and fill in the dialog box that opens.
Specify Values to match: Enter values you want to match and click
Add; the value appears in the Matchlist: box. Repeat for all values
you want to add, and then click OK to finish.
- Step 2: Rule Actions. Check one (or more) rule action check boxes.
When checked, the action appears in the Rule Description area. If the
action contains an underlined blue field, click that field and fill out
the dialog box as you did in the step above.
- Rule Description. All underlined blue fields must be clicked and
responses added as described in the preceding two steps.
Click Add to add the rule to the Quick Rule List.
• Extraction/Assignment Rule Sets. Make selections from both of the
following two drop-down menus:
- Extraction Rule Set. From the drop-down list, select an extraction rule-set
to use during classification. See “Using Extraction Rules” on page 128
for more information about creating and managing extraction rule sets
and rules. Generally, when repositories are classified this should include
at least the “fullTextRuleSet”.
- Assignment Rule Set. From the drop-down list, select an assignment
rule-set to use during classification. See “Using Assignment Rules” on
page 129 for more information about creating and managing assignment
rule sets and rules.
If this is the first crawl on a repository, see “Directory Level Metadata” in
the Kazeon IS1200 Web-Reports User Guide to determine if the
DirectoryReporting rule-set should be used.
3. Click Submit to run the job immediately as is, or click Next to make other
scheduling arrangements. You can also click Back to return to the previous
screen and make changes, or Cancel to exit the Deep Crawl tab without
submitting the job.
4. If Next is clicked, the following scheduling dialog appears:
See “Using job Scheduling Options:” on page 183 for details on scheduling options.
Scheduling a Metadata Classification
1. From the left-hand navigation pane under Jobs,
click Dashboard, the Job Manager page opens.
2. From the Job List tab tool-bar, click New and select Metadata Classification
from the drop-down list; the Metadata Classification tab opens:
3. Enter values for the following fields:
Note:
• Description. Optional, enter a brief description for this classification service.
• Add Source button: If the repositories you want do not appear in the
Repositories scroll-box (make sure you have the right repository type selected
in the Show drop-down menu), then click the Add Source button to open a
new Add Repository tab where you can add the required new repository. See
“Registering Data Repositories” on page 95 for details on using this tab.
• Show (drop-down menu): Select the type of repository to display in the
Repositories box below. The Repositories box (and other options displayed
(filters etc.)) will change depending on the type selected. The following
options are available:
- All Repository types, lists all registered repositories.
- NFS/CIFS to list only registered NFS or CIFS repositories
- Laptop/Desktop to list only registered laptops and desktops
(laptops and desktops that are offline when a crawl begins can be
automatically skipped if necessary, see “Automatically Bypassing Offline
Repositories During Crawls” on page 323 for details, additionally,
if laptop or desktop crawls return errors such as “NOT ENOUGH
STORAGE” or “NT_STATUS_INSUFF_SERVER_RESOURCES” see
“Question: Why can’t I crawl Windows XP Service Pack 3 laptops or
desktops?” on page 310)
- Other options such as Enterprise Vault, Exchange, SharePoint,
Documentum, and Domino etc, require an appropriate optional module
license to be installed, AND a repository of that type to be currently
registered.
For further details on classifying repositories that require an optional module
license, such as Enterprise Vaults or Microsoft Exchange Servers, see the
appropriate Kazeon User Guide for that module.
• Repositories. The list of registered repositories changes depending on the
Repository Type selected above. When the correct list of repositories appears,
select each repository to classify and click the right arrow to add it to
the classification job list in the right-hand scrolling list. (Select a repository in
the right-hand list and click the left arrow to remove a repository.)
Once a repository is available in the right-hand box, the listing may be
double-clicked, or selected and the icon clicked, to edit that line manually.
Each repository listing is preceded by a plus sign. Clicking the plus displays
that repository’s directory structure. You can select any folder displayed in
the expanded directory, and add it to the job list, to limit the classification to
just that folder. For example, if crawling laptops or desktops in eDiscovery
situations, expand the laptop’s directory until the “Documents and Settings”
folder is displayed. Then add that folder to the classification list so the crawl
does not waste time on the thousands of standard PC system files.
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
• Assignment Rule Set. From the drop-down list, select an assignment rule-set
to use during classification. This may not be an empty rule set.
4. If you want this classification to run on a schedule, either once in the future, or on
a recurring basis, expand the Schedule Options header to specify your choices.
See “Using job Scheduling Options:” on page 183 for details on setting schedule options.
5. Click Submit to run the job immediately, or click Cancel to exit the
Metadata Classification tab without scheduling the job, or click Schedule
Options to display other scheduling options.
Scheduling a Metadata Synchronization
1. From the Job List tab toolbar, click Add and select Metadata Synchronization
from the drop-down list. The Metadata Synchronization tab displays.
2. Enter values for the following fields:
Note:
• Description. Optionally, enter a brief description of the classification service.
• Add Source button: If the repositories you want do not appear in the
Repositories scroll-box (make sure you have the right repository type selected
in the Show drop-down menu), then click the Add Source button to open a
new Add Repository tab where you can add the required new repository. See
“Registering Data Repositories” on page 95 for details on using this tab.
• Show (drop-down menu): Select the type of repository to display in the
Repositories box below. The Repositories box (and other options displayed
(filters etc.)) will change depending on the type selected. The following
options are available:
- All Repository types, lists all registered repositories.
- NFS/CIFS to list only registered NFS or CIFS repositories
- Laptop/Desktop to list only registered laptops and desktops
(laptops and desktops that are offline when a crawl begins can be
automatically skipped if necessary, see “Automatically Bypassing Offline
Repositories During Crawls” on page 323 for details, additionally,
if laptop or desktop crawls return errors such as “NOT ENOUGH
STORAGE” or “NT_STATUS_INSUFF_SERVER_RESOURCES” see
“Question: Why can’t I crawl Windows XP Service Pack 3 laptops or
desktops?” on page 310)
- Other options such as Enterprise Vault, Exchange, SharePoint,
Documentum, and Domino etc, require an appropriate optional module
license to be installed, AND a repository of that type to be currently
registered.
For further details on classifying repositories that require an optional module
license, such as Enterprise Vaults or Microsoft Exchange Servers, see the
appropriate Kazeon User Guide for that module.
• Repositories. The list of registered repositories changes depending on the
Repository Type selected above. When the correct list of repositories appears,
select each repository to classify and click the right arrow to add it to
the classification job list in the right-hand scrolling list. (Select a repository in
the right-hand list and click the left arrow to remove a repository.)
Once a repository is available in the right-hand box, the listing may be
double-clicked, or selected and the icon clicked, to edit that line
manually.
Each repository listing is preceded by a plus sign. Clicking the plus displays
that repository’s directory structure. You can select any folder displayed in
the expanded directory, and add it to the job list, to limit the classification to
just that folder. For example, if crawling laptops or desktops in eDiscovery
situations, expand the laptop’s directory until the “Documents and Settings”
folder is displayed. Then add that folder to the classification list so the crawl
does not waste time on the thousands of standard PC system files.
WARNING!
Some CIFS filers support virtual shares (Distributed File System (DFS), Virtual
File Manager (VFM), and other virtual shares such as "wide symlink" or
"widelink enabled") which are subdirectories actually shared from physically
different file servers. No virtual shares (DFS or otherwise) are supported by the
IS1200. These directories can only be registered and classified when shared
directly from their physical hosts and registered as NFS systems.
3. If you want this synchronization to run on a schedule, either once in the future, or
on a recurring basis, expand the Schedule Options header to specify your choices.
See “Using job Scheduling Options:” on page 183 for details on setting schedule
options.
4. Click Submit to run the job immediately, or click Cancel to exit the
Metadata Synchronization tab without scheduling the job, or click Schedule
Options to display other scheduling options.
Scheduling a Single-Step® Collection
A Single-Step Collection allows combining a deep crawl, a search, and an actionable
services copy operation. In one step, registered repositories are classified for updated
metadata, and files specified by the collection service filters are copied to a new
location. This provides a quicker, more efficient option than doing a deep crawl and
then searching and applying an actionable services copy.
When a Single-Step collection is performed, the new metadata can be written to either
the source (the classified repository’s) or the copy-target’s metadata repository.
Optionally, if searching will not be required later, indexing may be skipped to save
storage.
Note:
The new metadata generated by the classification does not have to be saved.
Optionally, it can be saved to either the source or the target’s metadata repository.
If the new metadata is saved, regardless of where it is saved, the new metadata
replaces any previous metadata that might exist.
Optimizing a Single-Step® Collection. Occasionally, a Single-Step Collection may
be used simply to copy files from source repositories to a target repository, and no
metadata indexing is required on either the source or the target. In this case, the
automatic file typing and hash procedures (normally done in collections and other
deep classification services) are not required, and in fact significantly slow down the
collection. In this specific case, the following Pre and Post Procedures may be used to
speed up a Single-Step collection.
WARNING!
The CLI commands used in the Pre and Post Procedures described below affect
global IS1200 settings. This means that changing these settings changes all future
collections and deep classification services, unless the original settings are
restored using the Post Procedure. Generally, restoring the original settings using
the Post Procedure is strongly recommended!
Pre Procedure: If you need to restore the original hash settings after the collection
(recommended), first display the original hash values using the CLI command
sh partial-hash as shown below:
sh partial-hash
file-extension file-size
-------------- ---------
default        full-size
xls            1024
Be sure to record these settings for use in the Post Procedure!
Now, clear all current partial hash values, and set the default file-extension hash to
file-size 0 as shown in the example below:
clear partial-hash file-extension all
result
------
partial-hash cleared for "default xls"
sh partial-hash
[300] Nothing to report
set partial-hash file-size 0 file-extension default
result
------
partial-hash set for file-extension: "default" file-size: 0
sh partial-hash
file-extension file-size
-------------- ---------
default        0
Finally, use the following CLI command to turn off the doctype computation:
sh doctypemode
status
------
on
And if status is on, turn it off as follows:
set doctypemode status off
Post Procedure: After the collection has finished, and before starting another
collection or deep classification service, do the following (recommended):
Use the following CLI command to turn the doctype computation back on:
set doctypemode status on
Restore the original partial-hash settings by clearing the current partial-hash setting
and using multiple set partial-hash commands to restore the original settings as
shown in the previous example, continued below:
clear partial-hash file-extension all
result
------
partial-hash cleared for "default xls"
sh partial-hash
[300] Nothing to report.
set partial-hash file-extension default file-size full-size
result
------
partial-hash set for file-extension: "default" file-size: full-size
sh partial-hash
file-extension file-size
-------------- ---------
default        full-size
set partial-hash file-extension xls file-size 1024
result
------
partial-hash set for file-extension: "xls" file-size: 1024
sh partial-hash
file-extension file-size
-------------- ---------
default        full-size
xls            1024
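Because the Pre Procedure changes global settings, it helps to generate the Post Procedure commands from the recorded `sh partial-hash` output rather than retype them from memory. The script below is an added example, not a Kazeon tool; it assumes the two-column layout shown above, uses only the command forms that appear in this procedure, and its function names are hypothetical.

```python
import re
from typing import Dict, List

_EXT = re.compile(r"[A-Za-z0-9_]+")    # file extension, or the word "default"
_SIZE = re.compile(r"full-size|\d+")   # "full-size" or a number


def parse_partial_hash(output: str) -> Dict[str, str]:
    """Parse recorded `sh partial-hash` output into {file-extension: file-size}.

    Rows are read only after the dashed separator line, so an echoed command
    or a "[300] Nothing to report" reply yields an empty mapping.
    """
    settings: Dict[str, str] = {}
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = bool(stripped) and set(stripped) <= set("- ")
            continue
        if not stripped:
            break
        fields = stripped.split()
        if (len(fields) != 2 or not _EXT.fullmatch(fields[0])
                or not _SIZE.fullmatch(fields[1])):
            # Refuse to turn an unexpected row into a CLI command.
            raise ValueError(f"unexpected row in sh partial-hash output: {line!r}")
        settings[fields[0]] = fields[1]
    return settings


def post_procedure_commands(recorded: Dict[str, str], doctype_was_on: bool) -> List[str]:
    """Build the Post Procedure command list in the order the guide uses."""
    cmds: List[str] = []
    if doctype_was_on:
        cmds.append("set doctypemode status on")
    cmds.append("clear partial-hash file-extension all")
    # Restore "default" first, then the per-extension entries.
    for ext in sorted(recorded, key=lambda e: (e != "default", e)):
        cmds.append(f"set partial-hash file-extension {ext} file-size {recorded[ext]}")
    return cmds


def settings_restored(recorded_output: str, current_output: str) -> bool:
    """True when a later `sh partial-hash` matches what was recorded beforehand."""
    return parse_partial_hash(recorded_output) == parse_partial_hash(current_output)


# Output recorded in the Pre Procedure (values from the example in this guide).
RECORDED = """sh partial-hash
file-extension file-size
-------------- ---------
default        full-size
xls            1024
"""

# Output while the collection-only settings are in effect.
DURING = """sh partial-hash
file-extension file-size
-------------- ---------
default        0
"""

if __name__ == "__main__":
    for cmd in post_procedure_commands(parse_partial_hash(RECORDED), doctype_was_on=True):
        print(cmd)
    print("restored yet?", settings_restored(RECORDED, DURING))
```

Running `settings_restored` against a fresh `sh partial-hash` capture before the next deep classification confirms that no collection-only setting was left in place.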
To schedule a standard Single-Step Collection service, do the following:
1. Click Single Step Collection under Jobs in the left-navigation pane, or,
from the Job List tab, click New and select Collection from the drop-down list.
The Collection Service tab displays.
2. Enter values for the following fields:
Collection Name: A name for the collection service is automatically generated,
but may be changed if desired. When the collection job is run, it automatically
generates new extraction and assignment rule sets for the service based on the
collection filters chosen below. These new rule sets are saved on the Policies page
using the Collection Name as a prefix. Additionally, for files that match all
collections filters, a metadata tag is also saved with this name allowing copied
files to be identified at a later date.
Description: (Optional) Enter a brief description of the collection purpose, for
example what kinds of files it looks for.
3. Select the source repositories to collect from.
Show drop-down menu: Select the type of repository you want to collect from.
The listing in the Source Repository scroll box, and other options displayed (filters
etc.) will change depending on what repository type is selected.
Add Source button: If the repositories you want do not appear in the
Source Repository scroll-box (make sure you have the right repository type
selected in the Show drop-down menu), then click the Add Source button to open a
new Add Repository tab where you can add the required new repository. See
“Registering Data Repositories” on page 95 for details on using this tab.
Source Repository: Select the source repositories to crawl and collect from.
Select any repository in the left-hand box, and click the Right-Arrow to move it
to right-hand box. Display repository folders and sub-folders by clicking the plus
signs that precede them. Any repository, folder, or sub-folder may be added to the
right-hand box. Once repositories are available in the right-hand box, the listing
can be double-clicked, or selected and the
icon clicked, to edit that line
manually.
To remove an item from the right-hand box, select it and click the Left-Arrow.
WARNING!
If the source repository is a FAT drive exported as CIFS, the Collection will fail.
4. Select the target repository you want to move collected files to:
Show drop-down menu: Select the type of repository you want to copy the
collected files to. The listing in the Target Repository scroll box will change
depending on what repository type is selected.
Use the Create New Folder icon to create a new folder on the target directory
if necessary. You must select a repository in the Target Repository scroll-box
before clicking the Create New Folder icon.
Add Target button: If the repositories you want do not appear in the
Target Repository scroll-box (make sure you have the right repository type
selected in the Show drop-down menu), then click the Add Target button to open a
new Add Repository tab where you can add the required new repository. See
“Registering Data Repositories” on page 95 for details on using this tab.
Target Repository: Select a target repository to copy to. Select, edit, or remove
the Target Repository the same way you manage Source Repositories (above).
WARNING!
Collections done from the eDiscovery Case Manager to a local data repository (a
localdatafs) are done to a case-name folder (a folder with the same name as
the case); this prevents the data from multiple cases from being inter-mixed.
Take care that Single-Step Collections do not target these case-name folders
unless you intend to alter the data for that case!
5. Choose Profile. Choose one of the following from the drop-down menu to
pre-populate the Include/Exclude filters section with entries designed to focus the
crawl on certain kinds of files:
• Windows: The filters on the screen below are auto-populated with entries that
include only documents and exclude Windows system files, as shown below.
• None: No pre-populating is done; filters are blank but can be used as needed.
6. Collection Filters/Options: Click the Collection Filters/Options triangle to
expand the section if it is not already open.
Enter criteria here to determine what files are “collected” to the target repository.
WARNING!
If this section is ignored, or left blank, all possibilities for all options are
considered true, and all files are collected.
Between outlined Collection Filters/Options sub-sections, criteria entered are
AND’d together to determine what files are copied. For example, if a file name is
entered in the Include Files matching field in the File Include/Exclude Filters
section, and a Custodian name is entered in the Custodian/Date Filters section,
then only files that match both the file name and the custodian entered are copied.
Within the filter fields, the values are OR’d. For example, if the Custodian filter
has the names Smith, Wong, and Garcia entered, files are collected if the file’s
custodians are Smith OR Wong OR Garcia.
There are two tabs at the top of the Repository Filters section, Exchange/Domino
and Other. Click the one appropriate for the repositories you’re collecting from.
The two tabs differ only in the first sections. The sections from Custodians/Date
Filters down are the same.
The Exchange/Domino Filters (Mail Related Filters)
Clicking the Exchange/Domino Filters tab displays the following filters.
Include:
For Exchange and Domino Servers, check the boxes of all types of email server
files you want to include.
Mailbox/Folders Filters:
Include Mailboxes: Enter RegEx expressions to use to determine what mailboxes
to include. See “Regular Expressions (RegEx)” on page 351 for more details on
using RegEx.
Exclude Mailboxes: Enter RegEx expressions to use to determine what
mailboxes to exclude.
Include Folders: Enter RegEx expressions to use to determine what folders to
include.
Exclude Folders: Enter RegEx expressions to use to determine what folders to
exclude.
The Other Filters (File Related Filters)
Clicking the Other Filters tab displays the following filters.
File Include/Exclude Filters:
Enter file(name) or directory(name) matching criteria to select objects to collect.
Note:
Criteria entered in this section are applied to file pathnames, not content.
Note:
Asterisk wildcards (automatically applied in versions prior to 4.1.2) must be
explicitly added if desired in Include/Exclude fields; otherwise only the exact
string entered is filtered for.
Include Files matching: Enter exact file names (case sensitive) to include,
wildcards are allowed. For example, to include all MS Word files, enter: *.doc.
Include Directories matching: Enter exact folder names (case sensitive) to
include, wildcards are allowed. To include multiple directories (folders) use:
folder1,folder2,folder3 (Note: comma separated, no spaces). To include
directories (folders) inside another directory (for example, to include folderB
inside folder1 and folderC inside folder2) enter:
folder1/folderB,folder2/folderC
Exclude Files matching: Enter exact file names (case sensitive) to exclude,
wildcards are allowed. For example, to exclude all Microsoft Word files, enter:
*.doc.
Exclude Directories matching: Enter exact folder names (case sensitive) to
exclude, wildcards are allowed. To exclude multiple directories (folders) use:
folder1,folder2,folder3 (Note: comma separated, no spaces). To exclude
directories (folders) inside another directory (for example, to exclude folderB
inside folder1 and folderC inside folder2) enter:
folder1/folderB,folder2/folderC
The Common Filters (found under both tabs)
The following filter sections are common to both tabs.
Custodial/Date Filters:
Enter custodian-matching and date range criteria to select objects to include in the
collection.
Custodians: Enter a comma separated list of owner names. Files containing these
owner names are copied.
Lookup: Allows searching an AD directory for usernames or emails to add to any
field that accepts a list of names or emails.
Note:
AD authentication must be added before Lookup will work!
Click the Lookup button to open the Active Directory Lookup dialog
shown at right.
Select either By Name or By Email to set which to search for.
Select a domain from the Domain drop-down menu, or enter a domain
name directly; this sets the AD server to use for lookups.
Enter a search string in the Lookup Filter field (wild cards may be used; for
instance, enter *min to find Admin, Minister, or Carmine) and click Go.
From the results, check the box preceding any name (or email) to include in the
list-of-names and click the Add Selected button. The dialog disappears, and the
list field populates with the list-of-names you selected.
Last Accessed from: Enter a date range for file Last Accessed dates that should
be copied. The left field determines the range start, and the right field determines
the range end. Click the calendar icons to pick dates for either field.
WARNING!
Date Range complications: Metadata recorded for Last Access time is simply the
last time the file was accessed, not a list of all times the file was accessed. If the
file has been accessed after the date range specified, the metadata records that last
access date. Files that were accessed within the range, but subsequently accessed
after the range, will not be included because only the last access time is recorded
in the metadata. Therefore, if date ranges contain an end date less than the current
date, you may not copy all files actually accessed within the date range.
Last Modified from: Enter a date range for file Last Modified dates that should
be copied. The left field determines the range start, and the right field determines
the range end. Click the calendar icons to pick dates for either field. The warning
above applies for Last Modified ranges as well.
Created from: Enter a date range for file Creation dates that should be copied.
The left field determines the range start, and the right field determines the range
end. Click the calendar icons to pick dates for either field. The warning above
applies for Created From ranges as well.
Content Filters:
Enter content-matching criteria for files, emails, attachments, or container objects
that should be included in the collection. These criteria fields allow RegEx
expressions, used just as in extraction rules (case-insensitive).
Note:
Criteria entered in this section are applied to file content, not pathnames.
Note:
Logically, this filter sub-section OR’s the first field with the AND’d results of the
last two.
Contains any of the words: Enter a list of comma separated words. Files
containing any of these words match this criteria.
Contains all of the words: Enter a list of comma separated words. Files
containing all of these words match this criteria.
Contains the phrase(s): Enter a list of comma separated phrases. Files containing
any of these phrases match this criteria. If quotes are included, they are treated as
part of the phrase, not as phrase delimiters.
Email Filters:
Enter email-matching criteria for email headers and date ranges, for files,
attachments, or container objects to include in the collection.
This sub-section relates to emails wherever they are found, in .msg, .pst, or other
types of email containers.
Sent from users: Enter a list of comma separated users, for example enter
“bob@acme.com, jane@enron.com”. Emails sent from any of these users are
matches.
Lookup: The Lookup buttons work as described above.
To/Cc/Bcc Users: Enter a list of comma separated users. Emails To, Copied to, or
Blind Copied to any of these users are matched.
Subject Contains: Enter a list of comma separated words or phrases. Emails with
subjects containing any of these are matched.
Sent/Received from: Enter a list of comma separated users in the left and right
hand fields. Emails between any two of these fields are matched.
Has Attachments: Check to copy any emails with attachments.
Collection Options:
Determine if and where to create indexes for copied objects.
Index Source: Select to create a new index of the entire source repository on the
source’s metadata repository.
The default is unchecked because this option replaces ALL current metadata
(including metadata from custom extraction rules, and fulltext rules) that exists
from previous classifications.
However, the new metadata will include all standard file metadata normally
collected for files (or email) by a classification, including a fulltext index but
without saving the fulltext itself.
Collect Basic Source Metadata: Copy the source metadata to the target.
Note:
Collect Basic Source Metadata is NOT available when the target repository
selected is a SharePoint, Documentum, or Enterprise Vault server.
Index Copied File(s) at Target Repository: Select to create an index of the
copied files in the target repository’s metadata repository.
If checked, metadata for all copied files is added to the target’s metadata
repository and, if Overwrite file at target (above) is selected, a duplicated file’s
metadata replaces the original file’s metadata.
If unchecked, no new metadata is added to the target’s metadata repository leaving
both copied and duplicated files without metadata on the target.
Preserve Source Hierarchy: Files are normally copied into target directories and
sub-directories created to match the file’s source location hierarchy. Uncheck this
box to not re-create the source hierarchy on the target.
Overwrite File(s) at Target Repository: Select to overwrite duplicate files on the
target repository. If unselected, files are duplicated with version numbers.
Prefix Repository Name to Target Repository: Check to add the source
filesystem name to the destination subdirectory’s name.
Perform Action on Physical Object: If a sub-object of a container file is to be
collected, collect the entire container file, not just the sub-object.
Perform Data Verification: Check to have a Data Verification report created that
contains auditing information about the files collected (most importantly their
source and target file hash values) that can be used to prove the files were not
altered during the collection. This option may not always be enabled. See “Data
Verification Overview” on page 258 for more details about Data Verification.
Note:
Audit Reports for Single Step collections are listed as
Deep Classification Services in System Audit Reports and as
Copy Services in Data Audit Reports.
7. When finished setting all collection options:
Click Next to schedule this job (see “Using job Scheduling Options:” on page 183 for
details), Submit to run it immediately, or Cancel to leave the tab and do nothing.
Note:
When a collection job runs, two new assignment and two new extraction rules are
automatically generated using the filter options set above. After the job executes,
these rules can be found on the Policies page, prefixed with the collection job name.
Note:
When collection job results are displayed and expanded in Web-Reports, there is
new job information data available detailing the results of the copy.
Scheduling In-place Processing
In-place Processing is used in situations where a repository containing huge amounts
of data needs to be classified, but you are interested in creating or updating the
metadata for just a small sub-set of the total files. This is especially useful in
eDiscovery situations where a huge data repository may contain only a very small
sub-set of files that are relevant to a case. In this situation, In-place Processing can be
used to process only the files of interest.
In-place Processing works very much like a Single-Step Collection—in how the setup
screens are used—but does not actually “collect” files. Instead, the filters are used
only to determine what files to classify, or record metadata for. Any files that do not
match the “collection” criteria are skipped for classification.
Additionally, there are no “Collection Options”; instead, In-place Processing uses the
default extraction and assignment rule sets.
To schedule an In-Place Processing, do the following:
1. Click In-Place Processing under Jobs in the left-navigation pane, or
From the Jobs Dashboard, click New and select In-Place Processing from the
drop-down list. The In-place Processing tab displays.
2. The entry fields, and options, on this tab are a sub-set of the fields and options
found on the Collections Services tab. Use the instructions on “Scheduling a
Single-Step® Collection” on page 203 to complete this screen.
3. When finished setting all collection options:
Click Next to schedule this job (see “Using job Scheduling Options:” on page 183
for details), Submit to run it immediately, or Cancel to leave the tab and do
nothing.
Chapter 16:
System Administration, BackUp, and Health
This chapter describes how to back up and restore system configuration information,
presents a recommended procedure for cluster disaster recovery, and explains the
Health Info page.
Topics are as follows:
• “Backing up System Configuration” on page 216
• “Restoring System Configuration” on page 217
• “Cluster Disaster Recovery Best Practices” on page 219
Backing up System Configuration
IS1200 system configuration includes information on cluster nodes, registered file
systems, policies, classification rules, classification jobs, and license keys. The Kazeon
Information Server stores the configuration information for clusters on the cluster nodes.
Configuration information can be saved to a file, either on the IS1200 or to a network
location, allowing the cluster configuration to be restored during disaster recovery.
Configuration information can also be used to roll back to a previous configuration or
version, or to replicate it on a different cluster. You can restore or replicate the entire
configuration or specific sections such as policies or classification rules.
Configuration data can be saved for NFS and CIFS data file systems.
By default, the system saves the configuration information on the node you are logged
into when the configuration is saved. (The file is located in /var/openkaz/backups with
a date-stamp as the file name.) However, any directory—including the local client—
on a registered file system may be specified. When specifying a file system, ensure the
Kazeon Information Server has Read-Write permissions to the file system.
After saving the configuration file, it can be copied to any computer system accessible
through scp (Linux secure copy).
Best Practices:
• Back up system configuration for all clusters and nodes on a regular basis.
• Shut down the cluster before backing up its configuration.
Note:
The system does not save authentication configuration with backup configurations.
After restoring a configuration, reconfigure authentication for AD and NIS.
Back Up Procedure
1. From the Web-Admin navigation pane under Administration,
click Backup/Restore. The Backup/Restore Configuration pane appears with the
Save Configuration tab active.
If the Save Configuration tab is not active, click it to make it active.
2. Select one of the following:
  ◦ Save on Server. Saves cluster configuration information to a zip file in
    /var/openkaz/backups with a date-stamp as the file name. The system uses a
    timestamp to name the file.
    Note the file name; it will be needed when restoring the configuration. After
    you back up the configuration, you can view the backup file.
  ◦ Save in Local Directory. Saves configuration information on your local
    machine. You will need to enter a path to the desired backup location later.
3. Password. Enter a password to control access to the configuration file.
4. Confirm Password. Confirm the password (enter it again) entered above.
5. Save. Click to save the configuration information. A standard save dialog appears;
choose a location for the backup and click Save to finish.
Restoring System Configuration
After backing up system configuration, the backup can be used to restore the
configuration during disaster recovery, or to roll back the configuration to a previous
version, or to replicate the configuration on a different cluster.
WARNING!
If replicating a configuration on a node or cluster different from the node or cluster
the backup was made from, ensure the Cluster and Network boxes are un-checked!
When restoring a multi-node cluster do either:
• Back up each node separately, and restore each node only from its own backup.
• Back up the leader node, and restore that configuration to each cluster node, but
ensure the Cluster and Network boxes are un-checked.
Note:
Restore does not replace identities or authentication. After doing a restore all
identities and authentication servers must be re-added.
Restore Procedure
1. Stop the cluster if it is active. See “To stop a cluster” on page 50 for more help.
2. From the Web-Admin navigation pane under Administration,
click Backup/Restore. The Backup/Restore Configuration pane appears.
3. Click the Restore Configuration tab to make it active.
4. Restore from: Select one of the following:
  ◦ Server. Select if the backup file is located on your server. The available
    configuration backup files are listed in the Select Restore File dialog box.
    Select the file that you want to use to restore the system and click Select.
  ◦ Local directory. Select if the backup file is located on your local machine.
    Enter the backup configuration file path in the File Location field below,
    or click Browse to navigate to the backup file location.
5. Password. Enter the password specified when the backup file was created.
6. Restore Options. Use the following to specify what configuration information to restore.
ALL. Restores all the configuration settings.
Cluster. Restores cluster information such as cluster name and node names.
This should not be checked when restoring a backup configuration after an
install or upgrade, as those operations may have reset the cluster information.
Repositories. Restores registered file system information.
Policies and Classification Rules. Restores policy, classification rules, and
authorization rule information.
Services. Restores classification and actionable services information.
Time. Restores time definitions.
Service Failures. Restores service failure definitions.
Network. Restores network definition. This should only be checked when
restoring a backup configuration originally made on the node being restored.
7. Restore. Restores the cluster configuration from the specified configuration file.
8. Reboot the machine.
9. Start the cluster; see “To start a cluster or export Cluster keys” on page 49.
Note:
Start the cluster from the same node the system configuration was restored from
and specify that node first. For example, in a two node cluster, if you restored the
configuration on node B, specify: start cluster node B node A.
Cluster Disaster Recovery Best Practices
On a fully configured and operational IS1200 system, the system configuration and
metadata maintained by the IS1200 are vital information. When file system disasters
occur, cluster configuration information is lost, or metadata filesystems are lost, one
method of recovery is to rebuild the IS1200 with a fresh install, including
reconfiguring all system information. This is an extremely time-consuming process.
To avoid the need for complete rebuilds, Kazeon recommends making periodic
backups of the cluster configurations and all metadata filesystems. If disaster occurs,
and comprehensive backups are available, a Kazeon cluster can be restored to a
previously usable state with far less effort and time than that required by a complete
rebuild.
Note:
The following procedures should only be done under the guidance of Kazeon
personnel until the process is refined and automated.
Preparing to Avoid Disaster
Before beginning any regular backup program, it is essential to ensure the system is in
good operating condition first. Backing up a malfunctioning system will only allow
restoring a malfunctioning system.
Start With a System in Good Operating Condition
When a Kazeon cluster is operating normally, the following “good operating”
conditions are in effect. Some of the items below may depend on having various
optional add-on modules installed and operating with valid licenses.
• First and foremost, the cluster must be fully installed, correctly configured (via
kaz_setup), and the cluster started with all operational nodes using the same key.
The system must be operating with no errors occurring and no systemic failures.
See the Kazeon IS1200 Installation and Quickstart Guide, and “Initial
Configuration Overview, Options and Outlines” on page 17 for installation and
configuration details.
• The cluster must have valid module licenses installed on all nodes for all working
optional modules. See “Installing License Keys: Administration” on page 7 for
installation details.
• All desired file systems, and their associated metadata file systems must be
registered. See “Repository Registration and Management” on page 79 for details.
• All regularly used identities are created and stored in the Identity Vault. See “The
Identity Vault” on page 73 for details.
• Authentication is set up for Active Directory and NIS. See “Configuring External
Authentication” on page 53 for details.
• All regularly used classification policies (extraction and assignment rule sets and
rules) and policy groups must be created and saved. See “Policies: Classification
Extraction and Assignment Rules” on page 119 and “Policy Groups:
Authorization Policies” on page 141 for details.
• All registered file systems have been crawled at least once (and thus have valid
metadata repositories populated) and any regular or recurring crawls or metadata
services have been set up and scheduled. See “Job Scheduling and Classification
Services” on page 165 for details.
• All regularly used custom reports have been created and saved. See the Kazeon
IS1200 Web-Reports User Guide for details.
When all “good operating” conditions are in effect, the IS1200 maintains the
operating configuration information in metadata repositories that include a search
index, and various databases for the various license numbers, registrations, reports,
and schedules. This includes keeping track of “checkpoints” for idle, suspended, or
stopped jobs or services. Thus backing up the metadata repositories is a major step in
backing up system configuration.
Follow up with Regular Backups
Once the system is in good operating condition, cluster level backups of the metadata
repositories and the system configuration information should be performed on a
regular basis. Every two weeks, or monthly is recommended. You may decide on a
different maintenance schedule depending upon your unique risk tolerance situation.
With regular backup of all metadata repositories and system configuration
information, if the cluster fails in any way, or metadata is lost, the problem can be
corrected by restoring to a previously saved backup.
General Backup Procedures
The following is an overview of the general steps recommended for regular backups:
1. Quiesce the system
a) Suspend all running jobs (some jobs—like actionable services and reports—
are non-restartable, suspending these requires re-submission)
b) Stop the cluster
2. Capture the current state of the system
a) Backup the system-config, see “Back Up Procedure” on page 216 for details
b) Backup all metadata repositories using your standard enterprise backup
procedures (for example, if you use SnapShot technology, take a SnapShot of
the repository)
3. Restart the cluster
4. Resume suspended jobs
Detailed Backup Procedures
The following are the detailed steps recommended for regular backups:
1. Login as admin
2. Suspend all running services, wait for all service statuses to become
"suspended", for example:
3. If you suspended services (and have a search license enabled), ensure all search
indexes are flushed on the metadata repositories. Use the following find
command—from a root login, and on all nodes of the cluster—to make sure
there are no files in the directory /var/openkaz/search/spool.
find /var/openkaz/search/spool -depth -type f -print
4. Stop the cluster, see “To stop a cluster” on page 50 for details.
5. Run the command: backup system-config backup-<nodename>-<date-time>
For example: backup system-config backup-H01-2007-09-05-13-30
Where: H01 is the node name and Timestamp is the date/time when the backup
was taken (09/05/2007 13:30)
The command automatically requests a password to encrypt the configuration
backup zip file and creates the following file on local node H01:
/var/openkaz/backups/backup-H01-2007-09-05-13-30.zip
6. Login as root user
7. Run the command
#version.pl | xmlpr versionReport > /opt/openkaz/config/version.txt
This saves the version of the current Kazeon software for future reference (that is, if
a restore is required, you can find out the software version of the backed-up
config).
8. GZip the configuration directory using command:
#tar -cvzf /var/openkaz/backups/config-<nodename><date-time>.tgz /opt/openkaz/config
For example:
#tar -cvzf /var/openkaz/backups/config-H01-2007-09-05-13-30.tgz /opt/openkaz/config
A GZip file of the configuration directory is created (including version.txt
created earlier).
9. Copy both files (from steps 5 & 8) to your backup system—any other storage
system, tape, disk, CD etc—using the unix scp command.
For example:
#scp /var/openkaz/backups/backup-H01-2007-09-05-13-30.zip /var/openkaz/backups/config-H01-2007-09-05-13-30.tgz backupserver:/home/kazeon/backup-2007-09-05/.
10. Repeat the steps above for all cluster nodes.
Note:
It is extremely important to backup all metadata repositories now while the cluster
is down.
11. Back up ALL metadata repositories. Back up to tape, disk, to snapshots on NetApp
filers, or whatever your enterprise backup strategy normally requires.
If you are using a local disk-partition on the IS1200 as a metadata repository, be
sure to make a backup of this repository as well.
Making backups of metadata repositories is the KEY to the disaster recovery
process. The metadata volumes contain all metadata search indexes, the reports
created by users, user preference information, and other vital information created
through various services execution. It is extremely important that these backups
are performed correctly and regularly.
12. Re-start the cluster and restart all suspended services. The backup procedure is complete.
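The root-side parts of steps 3, 8 and 9 can be scripted as below. This is an added example, not Kazeon tooling: the function names and the .sha256 file written beside the archive are assumptions of this sketch, and the version.pl step is left to the operator because it needs the appliance's own tools.

```shell
#!/bin/sh
# Added example (not part of the Kazeon software). Function names and the
# ".sha256" sidecar file are assumptions of this sketch.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# spool_is_empty DIR: step 3. Succeeds only when DIR contains no regular
# files, i.e. the search indexes have been flushed. Returns 2 if DIR is
# missing, so a mistyped path is not mistaken for an empty spool.
spool_is_empty() {
    [ -d "$1" ] || return 2
    [ -z "$(find "$1" -depth -type f -print)" ]
}

# archive_config SRC_DIR OUT_TGZ: step 8, with two additions. The archive is
# created readable by its owner only (umask 077), and its digest is written
# to OUT_TGZ.sha256. Member names are stored relative to "/", which is what
# the restore step expects when it extracts from the root directory.
archive_config() {
    src=$1
    out=$2
    case $src in
        /*) ;;
        *) echo "archive_config: SRC_DIR must be an absolute path" >&2
           return 2 ;;
    esac
    (
        umask 077
        tar -czf "$out" -C / "${src#/}" &&
        sha256_of "$out" > "$out.sha256"
    )
}

# verify_archive TGZ: run on the backup system after the scp in step 9.
# Returns 0 when the digest matches and the archive lists cleanly,
# 1 on a mismatch or unreadable archive, 2 when a file is missing.
verify_archive() {
    tgz=$1
    [ -f "$tgz" ] && [ -f "$tgz.sha256" ] || return 2
    [ "$(sha256_of "$tgz")" = "$(cat "$tgz.sha256")" ] || return 1
    tar -tzf "$tgz" >/dev/null 2>&1 || return 1
}

# Typical use on a node, with the paths from the procedure above:
#   spool_is_empty /var/openkaz/search/spool || echo "spool not flushed"
#   archive_config /opt/openkaz/config /var/openkaz/backups/config-H01-<date-time>.tgz
#   (copy the .tgz and .tgz.sha256 with scp, then on the backup system:)
#   verify_archive /home/kazeon/backup-<date>/config-H01-<date-time>.tgz
```

A digest stored beside the archive detects a damaged or truncated copy; to detect deliberate modification, keep the .sha256 file somewhere the archive's writers cannot reach.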
What to Do When Disaster Strikes
If a disaster occurs, identify the disaster conditions and loss of information and then
follow the steps below. Contact Kazeon Customer Support team if you require help.
Possible Disaster Scenarios
The following are some of the possible disaster situations you might encounter, and
steps to deal with those situations.
• If a node has crashed or is not starting, local configurations are corrupt OR a node
becomes unusable while other nodes continue to work, then rebuild the node
using a Kazeon Installation CD, configure it and simply add it back to the running
cluster. No config-restoration is required.
• If no nodes are working or have problems, but the metadata repositories are
working, then rebuild all nodes using a Kazeon Installation CD and import all data
and metadata repositories, one by one, with the help of a Kazeon Customer
Support professional. See “To import a metadata repository” on page 113 and “To
import a data repository” on page 114 for more detail.
• The metadata repositories are corrupted OR lost for some reason, but the cluster
nodes are working. Follow the steps below to restore the metadata from the most
recent backups of IS1200 software.
Steps to Restore Cluster Nodes
The following procedures assume your backups were made from the same version of
IS1200 software as the system being restored. Always keep your backups current with
your installed software; if you upgrade a cluster, immediately perform a backup.
Otherwise, if you have to restore an older software version to an upgraded cluster,
you must repeat the entire upgrade process again after the restore. Contact Kazeon
customer support for more help in this situation.
Moreover, to minimize potential of losing information and work done on a cluster,
always perform a backup after any major change in the system, such as the addition or
removal of file systems, major crawls, sync services or IS1200 cluster upgrades.
Note:
All cluster nodes must be running the same Kazeon software version.
1. Stop the cluster. See “To stop a cluster” on page 50 for details.
2. Login as root to any node
Now you will restore the node configuration from the two backup files (backup-H01-2007-09-05-13-30.zip and config-H01-2007-09-05-13-30.tgz)
created in steps 5 and 8 of “Detailed Backup Procedures” on page 221. These are best
restored to /var/tmp/ directory.
3. Make sure the files have read/access permission for all users.
If not, run the following commands.
#chown admin:kazeon /var/tmp/backup-H01-2007-09-05-13-30.zip
#chown admin:kazeon /var/tmp/config-H01-2007-09-05-13-30.tgz
#chmod 660 /var/tmp/backup-H01-2007-09-05-13-30.zip
#chmod 660 /var/tmp/config-H01-2007-09-05-13-30.tgz
4. cd to the root directory using command "cd /"
5. Run command "tar -xzvf <path-of-config-tar-gzip file>"
For example:
#tar -xzvf /var/tmp/config-H01-2007-09-05-13-30.tgz
This restores the "config" directory preserving user permissions and file time stamps.
6. Login as admin
Run the command:
SysPrompt>restore system-config /var/tmp/<system-config filename>
For example:
SysPrompt>restore system-config /var/tmp/backup-H01-2007-09-05-13-30.zip
The command asks for a password; enter the password used when the system-config
backups were made.
7. Repeat the above steps on all the nodes of cluster.
8. Restore the kazfs data on the respective kazfs from the backup OR snapshot taken
at the time the above configuration files were backed up.
9. Start cluster <node-list>
Verifying the Restore Operation
After a successful restore operation, perform the following steps to verify that the
cluster was restored to its state as of the date/time of the backup.
1. Login on cluster as admin user
2. Run the following commands:
SysPrompt>show cluster
The cluster should be active after it was started.
SysPrompt> show cluster
node-name     cluster-name  status  private-ip-addr  membership  hostname
------------  ------------  ------  ---------------  ----------  --------
0019B9ED2BB8  cluster       active  10.10.170.54     leader      H01
SysPrompt>
3. Enter the following command:
SysPrompt>show fs
A list of all registered data and metadata repositories can be seen to make sure all
file-systems that were configured at backup are restored.
SysPrompt> show fs
fs_name  type           status  tier  backend
-------  -------------  ------  ----  -------
data6    datafs (nfs)   online  0     ns1:/vol/data/4TB_40M/20M_2/10M_3/5M_6
data2    datafs (nfs)   online  0     ns1:/vol/data/4TB_40M/20M_1/10M_1/5M_2
data4    datafs (nfs)   online  0     ns1:/vol/data/4TB_40M/20M_1/10M_2/5M_4
data1    datafs (nfs)   online  0     ns1:/vol/data/4TB_40M/20M_1/10M_1/5M_1
data3    datafs (nfs)   online  0     ns1:/vol/data/4TB_40M/20M_1/10M_2/5M_3
data5    datafs (nfs)   online  0     ns1:/vol/data/4TB_40M/20M_2/10M_3/5M_5
mdlocal  kazfs (local)  online  0     h54:/localkazfs
md1      kazfs (nfs)    online  0     esgmd:/vol/prashant_md/md1
4. Enter the command:
SysPrompt>show database
This lists all databases corresponding to the data and metadata repositories listed
in "show fs" output. Make sure all databases are Active and the total number of
file-systems printed at the bottom of the output matches the total number of data
repositories on cluster.
5. Enter the command:
SysPrompt>show services
The show services command lists all services and their state. The output
should be same as seen at the time of backup. If there were jobs suspended at the
time of backup, they can be seen in the same suspended state and can be resumed.
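The comparison in step 3 can be done mechanically if the `show fs` output is saved to a file before the backup and again after the restore. The script below is an added example, not Kazeon code; it assumes one repository per line under a dashed rule with the word "online" in the status column, and its function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Kazeon software). Assumes `show fs` prints
# one repository per line below a dashed rule, with the literal word
# "online" in the status column. Function names are hypothetical.

# fs_status: read captured `show fs` text on stdin and print
# "<fs_name> online" or "<fs_name> not-online" for each repository.
fs_status() {
    awk '
    /^-+/ { in_table = 1; next }        # rows start after the dashed rule
    in_table && NF >= 3 {
        status = "not-online"
        for (i = 2; i <= NF; i++) if ($i == "online") status = "online"
        print $1, status
    }'
}

# check_restore BEFORE AFTER: both arguments are files holding captured
# `show fs` output. Prints one finding per problem and returns 1 when a
# repository registered at backup time is missing or not online afterwards.
check_restore() {
    rc=0
    after_status=$(fs_status < "$2")
    for name in $(fs_status < "$1" | awk '{print $1}'); do
        st=$(printf '%s\n' "$after_status" |
             awk -v n="$name" '$1 == n {print $2}')
        case $st in
            online) ;;
            "")     echo "MISSING $name"; rc=1 ;;
            *)      echo "NOT-ONLINE $name"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample captures. Repository names follow the guide's sample
# output; the backend paths are made up, and "offline" is a stand-in because
# the guide does not list status values other than "online".
sample_before() {
    cat <<'EOF'
SysPrompt> show fs
fs_name  type           status  tier  backend
-------  -------------  ------  ----  -------
data1    datafs (nfs)   online  0     ns1:/vol/example/data1
data2    datafs (nfs)   online  0     ns1:/vol/example/data2
mdlocal  kazfs (local)  online  0     h54:/localkazfs
md1      kazfs (nfs)    online  0     ns1:/vol/example/md1
SysPrompt>
EOF
}

sample_after() {
    cat <<'EOF'
SysPrompt> show fs
fs_name  type           status   tier  backend
-------  -------------  -------  ----  -------
data1    datafs (nfs)   online   0     ns1:/vol/example/data1
data2    datafs (nfs)   offline  0     ns1:/vol/example/data2
mdlocal  kazfs (local)  online   0     h54:/localkazfs
SysPrompt>
EOF
}

# Run "sh thisfile demo" to see the findings for the constructed samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    sample_before > "$d/before.txt"
    sample_after > "$d/after.txt"
    check_restore "$d/before.txt" "$d/after.txt" || echo "restore incomplete"
    rm -rf "$d"
fi
```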
Health Info
Besides administering backups and licenses, the Administration section also
provides a snapshot of the IS1200 cluster’s health.
Select Health Info (under Administration) from the Web-Admin left-navigation
pane to display the following page.
The page listing displays all the local and registered resources managed or
accessed by the IS1200. The column headings are self-explanatory.
Chapter 17:
Managing Error Logging and Debugging
This chapter discusses the Kazeon Information Server sub-systems and how to log and
debug their messages.
These tasks can only be performed through the CLI.
Topics are as follows:
• “About Subsystems” on page 228
• “Managing Syslog” on page 229
About Subsystems
Each Kazeon Information Server node consists of several subsystems. Each
subsystem is one or more software processes that can communicate debugging,
informational, and error messages to the system operator using Syslog (RFC 3164).
Note:
Because error messages can contain detailed information about your organization
and your customers, uploading error logs (other than CRIT) to support
organizations (including Kazeon) can result in inadvertent disclosure of sensitive
information.
The Syslog can be configured to record these messages in a log file for
troubleshooting purposes. If you have set up other computers to receive Syslog
messages, then the system routes these messages to those computers.
The subsystems are as follows:
• Service-Provider: manages the workflow of various classification services.
• Queue-Manager: distributes the workload to cluster nodes.
• Search: indexes metadata and manages search queries.
• Cluster: manages communication between cluster nodes and the health of the
nodes.
• Data-Mover: processes requests from the Service Provider to move or copy files
on a node and confirms whether the request was processed successfully or not.
• Service-Monitor: monitors the overall progress and health of the Service-Provider.
Each Syslog message contains:
• the subsystem name
• the timestamp when Syslog recorded the message
• a text string message up to 1020 characters.
On each node, a Syslog daemon process (syslogd) is responsible for processing
messages that are generated by other nodes in the cluster and other processes running
locally. Syslogd opens the standard port UDP/514 to receive messages from other
nodes in the cluster. This allows each node to have a complete record of the cluster's
most critical events.
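The note above about uploading only CRIT messages can be enforced with a filter on an external Syslog server before anything is sent to a support organization. This is an added example, not Kazeon code: it assumes messages in RFC 3164 wire format, one per line, still carrying the <PRI> prefix (PRI = facility * 8 + severity), and the function names and sample messages are constructed.

```shell
#!/bin/sh
# Added example (not part of the Kazeon software). Input is assumed to be
# RFC 3164 messages, one per line, with the <PRI> prefix intact. Log files
# that no longer carry the prefix cannot be filtered this way.

# syslog_severity LINE: print the severity name encoded in LINE's PRI, or
# "invalid" when the prefix is missing or outside the valid range 0-191.
syslog_severity() {
    printf '%s\n' "$1" | awk '
    BEGIN { split("emerg alert crit err warning notice info debug", name, " ") }
    {
        if (match($0, /^<[0-9][0-9]?[0-9]?>/)) {
            pri = substr($0, 2, RLENGTH - 2) + 0
            if (pri <= 191) { print name[pri % 8 + 1]; next }
        }
        print "invalid"
    }'
}

# keep_crit_only: filter stdin to stdout, passing only severity 2 (crit).
# A line whose severity cannot be determined is dropped rather than passed,
# so an unparseable message never ends up in the upload.
keep_crit_only() {
    awk '
    match($0, /^<[0-9][0-9]?[0-9]?>/) {
        pri = substr($0, 2, RLENGTH - 2) + 0
        if (pri <= 191 && pri % 8 == 2) print
    }'
}

# Constructed sample messages. The tags reuse the subsystem names listed
# above; hosts, times and message texts are made up for this example.
sample_messages() {
    cat <<'EOF'
<130>Oct 13 09:15:02 H01 Queue-Manager: constructed sample, crit on local0
<134>Oct 13 09:15:03 H01 Search: constructed sample, info with a query string
<131>Oct 13 09:15:04 H01 Data-Mover: constructed sample, err with a file path
<10>Oct 13 09:15:05 H01 Cluster: constructed sample, crit on facility 1
Oct 13 09:15:06 H01 Search: constructed sample with no PRI prefix
<999>Oct 13 09:15:07 H01 Search: constructed sample with an out-of-range PRI
EOF
}

# Run "sh thisfile demo" to print the two messages that survive the filter.
if [ "${1:-}" = "demo" ]; then
    sample_messages | keep_crit_only
fi
```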
Figure 6 illustrates the components involved in system logging.
Figure 6: System Logging Components (diagram labels: Subsystem1, Subsystem2, Syslogd process, file, External Syslog Server)
Managing Syslog
You can use the CLI to check if Syslog is running, view log contents, or specify an
external Syslog server. You can redirect system logging to a properly configured
Syslog server running on Microsoft Windows or any UNIX based system. You can
also specify a new Syslog server for any node in the cluster. There is no specific limit
on the number of servers to log. However, using more servers results in increased
CPU usage and network I/O.
To view Syslog status
Type the following command at the command line prompt and press Enter:
Nodename> show logging
The system displays the status of the Syslog service. It also displays the facility level,
and the destination, if you configured them.
To view Syslog contents
Type the following command at the command line prompt and press Enter:
Nodename> show log-buffer lines
where lines is the number of most recent lines you want to view from the log.
The log-buffer file is renewed once each week and backups of the prior four weeks are
kept in case of debugging.
To add a remote Syslog server
Type the following command at the command prompt and press Enter:
Nodename> add logging remoteHostName
where remoteHostName is the name or the IP address of the remote host machine.
The system adds the Syslog server and confirms that the Syslog update for the node is
complete. Log messages for levels INFO through CRIT are recorded. DEBUG level
messages are not sent unless you configure it.
To turn off system logging to a remote machine
Type the following command at the command line prompt and press Enter:
Nodename> remove logging remoteHostName
where remoteHostName is the name or the IP address of the remote host machine.
The system turns off system logging for the specified node and displays a message
stating that the Syslog update is complete.
Managing Debug Level Logging for Subsystems
You use the CLI to manage logging messages for a subsystem. You can view, turn on,
and turn off logging for a subsystem.
To view the debug level logging
Type the following command at the command line prompt and press Enter:
Nodename> show debug [subsystem subSystemName]
where subSystemName is the name of the subsystem.
If you do not specify a subsystem, the system displays the debugging status for all
subsystems. If you specify a subsystem, the system displays the debugging status for
the specified subsystem.
The debugging status consists of the following details:
- Module: The name of the subsystem.
- Process: The name of the internal component responsible for running the
  subsystem.
- Log level: The default logging level for the subsystem.
- Notification: The type of notification, Signal or LAM, sent to the subsystem
  when the logging level changes.
  - LAM: When the logging or debugging settings change, a LAM message is
    sent to all registered LAM processes along with the logging or debugging
    status.
  - Signal: When the logging or debugging settings change, a signal notifies the
    subsystem. When the subsystem receives the signal it reads the configuration
    file and uploads the latest settings.
To turn on debug level logging
Type the following command at the command line prompt and press Enter:
Nodename> debug subsystem [subSystemName] level
where subSystemName is the subsystem for which you want to turn on the logging. If
you do not specify a subsystem, the system turns on logging for all the subsystems.
The logging level can be any of the following: off, fatal, emerg, alert, crit,
error, warning, info, major, minor, debug, trace, and hose.
For a description of these levels, refer to Syslog RFC 3164.
To turn off debug level logging
Type the following command at the command line prompt and press Enter:
Nodename> clear debug subsystem subSystemName
where subSystemName is the subsystem for which you want to turn off the logging.
If you do not specify a subsystem, the system turns off logging for all subsystems.
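A receiver-side check for the forwarding behaviour described in this chapter, as an added example that is not part of the Kazeon guide or product: it decodes the RFC 3164 priority value of each line received by the external Syslog server and reports lines that fall outside the INFO through CRIT range, carry DEBUG severity, or name an unknown host. It assumes the node sends standard RFC 3164 framing; the host names, process names and log lines are constructed samples.

```python
import re

# RFC 3164: PRI = facility * 8 + severity, severity 0 (emerg) .. 7 (debug).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
CRIT, INFO, DEBUG = 2, 6, 7

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)

# Constructed sample of what a remote Syslog server might receive.
SAMPLE_LINES = [
    "<14>Oct 13 02:00:01 node1 vacuumd: database vacuum started",
    "<11>Oct 13 02:00:05 node1 crawler: cannot open share",
    "<15>Oct 13 02:00:06 node2 crawler: trace id=42 path=/vol/hr/payroll.xls",
    "<10>Oct 13 02:01:00 node9 searchd: index corrupt",
    "Oct 13 02:01:02 node1 no priority here",
    "<999>Oct 13 02:01:03 node1 bad pri",
    "<8>Oct 13 02:02:00 node1 kernel: panic",
]


def parse_rfc3164(line):
    """Return a dict for one received line, or None if it has no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    record = {"facility": facility, "severity": severity,
              "severity_name": SEVERITY_NAMES[severity],
              "timestamp": None, "host": None, "message": m.group(2)}
    header = HEADER_RE.match(m.group(2))
    if header:                               # TIMESTAMP HOSTNAME MSG
        record["timestamp"], record["host"], record["message"] = header.groups()
    return record


def audit(lines, known_hosts):
    """Return (line_number, reason) pairs for lines that need a second look."""
    findings = []
    for number, line in enumerate(lines, start=1):
        record = parse_rfc3164(line)
        if record is None:
            findings.append((number, "unparseable"))
            continue
        if record["host"] not in known_hosts:
            # A sender that was never added with 'add logging' on any node.
            findings.append((number, "unknown-host"))
        if record["severity"] == DEBUG:
            # Debug forwarding was configured; debug text can expose file paths.
            findings.append((number, "debug-forwarded"))
        elif not CRIT <= record["severity"] <= INFO:
            findings.append((number, "outside-default-range"))
    return findings


if __name__ == "__main__":
    for number, reason in audit(SAMPLE_LINES, {"node1", "node2"}):
        print(number, reason)
```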
Chapter 18:
Managing the Search Index
This chapter discusses managing the Search index to minimize required storage space.
Topics are as follows:
- “Manipulating the Search Index Size”
- “Deleting and Rebuilding the Search Index”
Manipulating the Search Index Size
By default, during a basic classification, the Kazeon Information Server creates a
Search index containing only file (system) metadata such as FilePath, and creation,
modification, and access times. During a deep classification, the same Search index is
created, but the classification also adds indexing for file content metadata (including
extended attributes) like the fullText index and indexing for custom user-defined
metadata created by extraction rules.
A large index can consume a significant amount of storage space. To optimize storage
space, the Kazeon Information Server allows managing the index size by limiting the
options the search index provides.
The following Search indexes produce increasingly larger index sizes:
- An index containing only file system metadata.
  Create this index with a basic classification. For more information, see
  “Scheduling a Basic Crawl” on page 187. The Search index created can be used to
  search for file metadata such as FilePath and Owner. This creates the smallest
  Search index sizes.
- An index containing file system and custom metadata, using limited classification
  rule sets (with or without a full-text rule).
  Create this index with a deep classification. For more information, see
  “Scheduling a Deep Crawl” on page 192. Search index size can be controlled by
  setting up classification policy rule sets with varying numbers of extraction rules;
  the more rules in use, the bigger the index becomes. Opting to include, or not
  include, the full-text rule (index) in a set is a major factor in determining Search
  index size. For more information see “Creating and Managing Rule Sets and
  Rules” on page 131.
- An index containing metadata for a selected-set-of-files on your file system.
  A search index for a set-of-files can be significantly smaller than a search index
  for all files on a file system. A Search index containing metadata for a selected
  set-of-files can be created in two ways:
  - Use the Job Scheduler’s Advanced Options to limit the files that classification
    rules are applied to in a classification job. Refer to the bullet options titled
    “Include files/directories” or “Exclude files/directories” for either basic or
    deep classifications in “Scheduling Classification Services” on page 186 for
    more details.
  - Schedule a basic classification to create a basic Search Index, and use
    Actionable Services to apply additional Deep Classification or Tagging to just
    those files in the Search index. Refer to the Actionable Services chapter of the
    Kazeon IS1200 Web-Search User Guide for details.
- An index containing basic and custom metadata (including full-text) for all files
  on your filer using a complete rule set of classification and assignment rules.
  Create this index with a standard deep classification using a classification rule set
  including all extraction and assignment rules (including full-text rule) with no
  Advanced Options limitations. This creates the largest Search index sizes.
Index size varies depending on both the size of the data file system classified and the
extracted metadata. Figure 7 illustrates the probable variations in index size
depending only on the type of index (from above) produced.
[Figure 7: Search Index Options. Index Size shown for, in order: System Metadata; System+Custom Metadata; Metadata+Full-Text for Set of Files; Metadata+Full-Text for all Files]
You can change from one index option to another at any time depending on your
requirements.
Creating a Search Index for a File Set
Creating an index for a set-of-files, rather than a complete filer, allows building
specialized search indexes dedicated to advanced search criteria, or projects, while not
wasting classification time, or storage space, on files that do not contain the required
information. After completing the search project, you can delete the specialized index
to free up storage space.
To create a Search index with full-text for a set-of-files on a filer, follow these steps:
1. Run a basic classification service to create a basic Search index containing only
   file system metadata.
   Or, run a deep classification service with a minimal extraction rule set that does
   not contain the FullText extraction rule.
   This creates an index containing minimal system and custom metadata.
   For information on extraction rules, see “Using Extraction Rules” on page 128.
   For information on classification, see “The Job Manager page” on page 174.
2. Use the index to search for, or report, files that are most likely to contain the
   required information. From the search or report results, select the files requiring a
   full-text index.
3. Deep-classify the selected files using Actionable Services and a rule set containing
   the full-text rule.
4. Use the new Search index created by Actionable Services to locate the required
   information.
5. After the information is located, delete the Search index containing the full-text
   index and recreate the original standard index.
Figure 8 illustrates the variations in index size during this process.
[Figure 8: Creating a Search Index for a Set of Files. Axes: Index Size against Time Line (t1, t2, t3). Labels: Metadata Index; Metadata+Full-Text for File Set; Metadata+Full-Text; Metadata Index]
Deleting and Rebuilding the Search Index
You can delete the Search index to save storage space and rebuild it when necessary.
During deep classification, the system builds the Search index. But you may need to
rebuild the Search index manually for the following reasons:
- Anytime you delete the server database (possibly because it became corrupt and
  needed to be rebuilt), you must delete and rebuild the search index to keep the
  database and search index in sync.
- You added a new metadata field to the Search schema. The search index must be
  rebuilt to include the new metadata.
- You deleted the index because it was very large, or because it was corrupt.
To delete the Search index from the CLI:
Enter the following command at the command line prompt:
Nodename> remove search-index url
To rebuild the Search index from the CLI
Enter the following command at the command line prompt:
Nodename> add service search-index-rebuild
The system deletes the existing search index and rebuilds it using the updated Search
schema.
Table 13 describes the optional keywords available with this command.
Table 13: Rebuild Search Index - Keywords

Field Attributes   Description
from-scratch       Deletes the existing index before recreating it.
fsname-list        Specifies the file systems or IDs to use to create the Search index.
                   Use comma delimiters to specify multiple file system names or IDs.
description        Specify the description for the job.
notify             Email addresses where the status of the job should be sent after
                   completion. For multiple addresses, give a space-separated list, e.g.
                   “abc@abc.com xyz@xyz.com”
To create a Search Index from the metadata file:
1. Schedule a basic classification to create a metadata repository that contains
system-generated keywords.
2. Use actionable search to re-classify all files that contain a specified system-generated keyword or field:value pair as follows:
Kazeon> add service actionable-search searchkeyword|field:value action deep classification [schedule athour hourValue|day listOfDays]
The system creates a full-text Search index for only those files that contain the
specified keyword.
Chapter 19:
Managing the Database
This chapter discusses why and how database maintenance should be performed.
Topics are as follows:
- “Why Databases Need Maintenance”
  - “Database Vacuuming”
  - “The Database Maintenance Tool”
- “Monitoring and Scheduling Database Maintenance”
Why Databases Need Maintenance
The IS1200 maintains a variety of metadata about the files in its registered
repositories, for example standard file metadata, file-specific metadata, custom metadata, etc.
Metadata is stored in a metadata repository in a database. When files change between
crawls, their metadata must be replaced in the database. To keep database access quick
and simple, the row containing the “old” metadata is simply marked as deleted and a
“new” metadata row is inserted in the database elsewhere. Sync services modify
metadata tables the same way. See “Synchronizing Metadata Repositories” on
page 172 for information about syncing.
This design allows the database to be updated and still ensure a consistent view of the
database to all running queries. However, every time a row is updated, a “hole” (of
deleted data) is created in the database that occupies unnecessary storage space on the
metadata repository.
Over time, the database grows in size. Eventually this becomes a storage space issue if
nothing is done to recapture the space the “holes” (the old deleted data) occupy.
Note:
As DB storage requirements increase, database speed and efficiency decrease.
DB Best Practices suggest scheduling DB Maintenance on a regular basis.
There are two ways to address this problem: database vacuuming and the
database maintenance tool.
Database Vacuuming
Database “vacuuming” attempts to recapture “old” deleted data space by marking the
“holes” (deleted rows) as reusable so the next crawl can overwrite the space occupied
by these rows.
Vacuuming can be done while other processes (for example crawls or reports) are
using the database but this is not recommended. Because vacuuming slows down
these other processes, it is best scheduled when other processes are not scheduled. To
prevent conflicts, scheduled vacuuming does not start if it finds other processes
currently active on the database. However, if vacuuming is started, and other
processes subsequently access the database, both vacuuming and the other processes
continue but each slows the other down.
Vacuuming is done daily and defaults to running at 2AM. This schedule can be
changed if other services like crawls or reports are regularly scheduled at that time.
Vacuuming only works as long as it is run regularly. The database engine has a
limitation on the number of database-pages it can track for re-usability. The longer the
time between vacuuming, the more pages become marked as unusable. If vacuuming
fails to start too many times (because of conflicts with other processes), the page-limit
is exceeded and some space becomes unrecoverable.
When this happens, database maintenance is required.
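A simplified model of the cycle described above, as an added example that is not IS1200 code: it compares daily vacuuming with vacuuming that only runs on two days out of ten, and shows how much space each schedule leaves unrecoverable. The row counts and the tracking limit of 300 slots are assumed numbers chosen for illustration, and the model counts row slots rather than real database pages.

```python
def simulate(days, updates_per_day, vacuum_days, track_limit, live_rows=1000):
    """Toy model of the hole/vacuum cycle; returns the space accounting after `days`."""
    size = live_rows      # row slots occupied on disk
    dead = 0              # holes (deleted rows) not yet visited by vacuum
    reusable = 0          # holes vacuum has marked reusable
    lost = 0              # holes vacuum could not track; only maintenance frees them
    for day in range(1, days + 1):
        # Crawl: every changed file marks its old row deleted and inserts a new row.
        reused = min(reusable, updates_per_day)
        reusable -= reused
        size += updates_per_day - reused    # inserts with no reusable hole grow the DB
        dead += updates_per_day
        if day in vacuum_days:
            # Vacuum can only remember a limited number of reusable slots.
            tracked = min(dead, track_limit - reusable)
            reusable += tracked
            lost += dead - tracked
            dead = 0
    return {"size": size, "live": live_rows, "reusable": reusable,
            "dead": dead, "lost": lost}


def maintenance(state):
    """Rebuild: copy the live rows into a new database, then drop the old one."""
    rebuilt = {"size": state["live"], "live": state["live"],
               "reusable": 0, "dead": 0, "lost": 0}
    # The copy needs free space equal to the current database size while it runs.
    return rebuilt, state["size"]


if __name__ == "__main__":
    daily = simulate(10, 100, set(range(1, 11)), track_limit=300)
    skipped = simulate(10, 100, {5, 10}, track_limit=300)
    print("daily vacuum  :", daily)
    print("vacuum skipped:", skipped)
    print("after rebuild :", maintenance(skipped))
```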
The Database Maintenance Tool
When vacuuming isn’t enough, database “maintenance” can completely rebuild the
databases. The maintenance procedure writes all current data to a new database copy,
until all current data is copied and verified, and then erases the entire old database
(and all unrecoverable space). This requires the metadata repository to have sufficient
space to build a second temporary copy of the database.
The database maintenance tool puts a database in maintenance-mode when run. As
a result, the tool requires exclusive access to the database and cannot be run while
other services like crawls or reports are running.
A number of Command Line Interface (CLI) commands can be used to check a
database’s status and determine whether it requires, or is available for, maintenance.
Monitoring and Scheduling Database Maintenance
The following describes practices recommended to keep metadata repositories
(databases) efficient and healthy and the commands useful for doing so.
Vacuum is scheduled to run at 2AM daily; however, you can change the schedule using
the command:
set database-vacuum schedule
(see the Command Line Interface Reference guide for details).
If you are unsure of the current vacuuming schedule, use the command:
show database-vacuum schedule
(see the Command Line Interface Reference guide for details).
If vacuum is missed for several days in a row OR intermittently, and you have several
updates or deletes in the daily crawls, then the database is likely to grow to a size
where vacuuming can’t help. In this case, full database maintenance is recommended.
To avoid needing to use the database maintenance tool, ensure vacuuming occurs on a
daily basis.
Use the following command to execute the database-maintenance tool:
perform database-maintenance
(see the Command Line Interface Reference guide for details)
This command should be used one database at a time. The operation can take several
hours to complete and puts the database in maintenance mode. This requires that
NO other services (like crawls or reports) run while the tool works. It is best to
schedule this maintenance during the weekend OR at night time.
Operation of the database-maintenance tool must not be terminated. When complete,
the database is returned to an operational state. If the tool is unavoidably stopped in
progress, restart the cluster. Restart puts the original database back into live mode. If
the tool is then re-run, it restarts the maintenance process from the beginning.
The utility rebuilds the database while removing all unused (but still occupied) space
in the database. The tool also rebuilds all database indexes, removes all fragmentation,
and puts the database back in a HEALTHY state.
The tool also requires free space, equal to the current size of the database, on the
metadata repository hosting the database to run. Use the following command to check
for free space:
show database statistics
(see the Command Line Interface Reference guide for details)
The progress of the database-maintenance tool can be tracked using the following
command:
show database maintenance-status
(see the Command Line Interface Reference guide for details)
To determine if you need to run the database-maintenance tool, or track the state of
your databases, use the command:
show database alerts
(see the Command Line Interface Reference guide for details)
Run this command from the CLI logged in as admin. It is also integrated with system-alerts, and if the IS1200 is configured to send system alerts, you receive email when
databases require attention.
Additionally, other vital database information is available using the command:
show database statistics
(see the Command Line Interface Reference guide for details)
If you are concerned about IS1200 crawl or report performance, you can send the
output of this command to the Kazeon Support Team for further suggestions.
Chapter 20:
Kaz Schema and Tag Management
This chapter discusses metadata tag creation and management using the Command
Line Interface (CLI) to edit Kaz Schema. Most tag management tasks can only be
performed from the CLI. See the Kazeon IS1200 Command Line Interface Reference
Guide for complete descriptions of the CLI commands described here.
Topics are as follows:
- “About Kaz Schema”
  - “The fulltext Metadata Field”
  - “Default Kaz Schema Fields”
  - “Viewing Kaz Schema”
- “How Metadata Tags Are Defined in Kaz Schema”
  - “Metadata Tag Attributes”
  - “Metadata Tag Namespaces”
  - “Fully Qualified Tag Names”
- “Using ‘set schema’ to Add Tags to Kaz Schema”
  - “Deleting a Field from Kaz Schema”
- “Other CLI Commands for Tag Maintenance”
  - “Creating New Namespaces”
  - “Editing Tags”
  - “Un-hiding Tags”
  - “Listing Name Spaces”
  - “Listing Tags in a Specific Name Space”
  - “Listing the Indexed Tags in a Name Space”
  - “Listing the Details of a Specific Fully Qualified Tag”
  - “Synchronizing Tag Management with Database”
- “Best Practices”
- “Customizing Kaz Schema for Web-Search Preview”
- “Customizing the Search Schema for DICOM Data”
About Kaz Schema
Kaz Schema defines the set of metadata fields used to build a Search Index for
registered data repositories (file systems). The Search Index is built whenever a
classification is performed, and the information extracted is stored in the Search
Index. This allows the IS1200 to parse the Search Index for search query terms rather
than directly accessing the files on all registered data repositories.
Basic classifications store standard metadata like file size; file name; and file creation,
modification, and access dates in the Search Index. Deep classifications add even
more information based on extraction rules, which define custom metadata to locate
and index. Custom metadata is defined by extraction rules that locate information like
social security numbers, part numbers, or key words like “confidential” or “private”.
The fulltext Metadata Field
The custom metadata field called “fulltext” deserves special attention. This field is
defined and contained in an extraction rule called “the fulltext rule” and this rule
constitutes the default rule set applied to new deep classifications when they are
created. The fulltext extraction rule looks at the body of a file (for example, the text in
the body of a word processing or email document) and indexes each word in the
document body in the Search Index in a metadata field called “fulltext”. Simple
searches, for example looking for a company name like “ACME Inc.”, actually check
the fulltext Search Index for the string “ACME Inc.”.
Note:
Fulltext does not necessarily index all the “text” in a file, so simply searching for a
string like “the acme project” will not return a file, like an email, if the search string is
not in the email’s body, even though the string is contained in the email’s subject.
Likewise, searching for an “author” named “john smith” will not return a Word file
authored by John Smith (and duly recorded in the file’s directory attributes) unless the
name “john smith” is actually a part of the text body of the file.
HOWEVER, information in metadata fields like “author” and “mailsubject” can be
made part of the fulltext search index, and thus searchable with simple keyword
searches, by manually configuring the Search Index to include the information from
those metadata fields. See “Using ‘set schema’ to Add Tags to Kaz Schema” on
page 250 for more details.
Default Kaz Schema Fields
The default Search Schema contains the following types of metadata fields:
- File system fields: These metadata fields consist of file properties such as
  FileType and Owner extracted during basic classification. Do not delete these.
- Kazeon-configured fields: The IS1200 provides an extraction rule set named
  sampleruleset that contains several pre-defined extraction rules. Kaz Schema
  contains metadata fields added for these sample extraction rules to populate.
  These metadata fields can be deleted if you choose to not use these rules.
  For information on sampleruleset, see “Sample Extraction Rule Set” on page 128.
- Internal fields: The IS1200 uses internal metadata fields to classify files and
  perform other operations. You cannot delete these fields.
With the appropriate optional modules installed, the following are available:
- Snapshot fields: These Snapshot-specific metadata fields are extracted during
  basic classification.
- SnapLock fields: These SnapLock-specific metadata fields are extracted during
  basic classification.
Not all fields are populated because field values depend on file contents and document
type. For example, the Kazeon-defined field called “Company” is a property of
Microsoft Word files. So, the system populates this field with values extracted from
Microsoft Office files. But PDF files do not contain a “Company” field, so the system
leaves “Company” unpopulated in the metadata for PDF files. You can use extraction
rules to populate empty fields. For information on extraction rules, see “Using
Extraction Rules” on page 128.
Kaz Schema can be customized for any kind of metadata field needed. For information,
see “Using ‘set schema’ to Add Tags to Kaz Schema” on page 250.
Note:
When classifying PST files, the IS1200 maps the file type to “MS Outlook Personal
File Folder” and extracts the following metadata fields: MailCc, MailFrom, MailTo,
MailSubject. Add these fields to the Search index to use them in search. For more
information, see “Using ‘set schema’ to Add Tags to Kaz Schema” on page 250.
Typically, the Search schema is set only once, when the Kazeon Information Server is
configured. If a new keyword is added to the Search schema later, the Search index
must be rebuilt by doing a deep classification to update the metadata fields. This
ensures the index contains the appropriate metadata to retrieve information from the
corresponding file systems.
Note:
See “Default Metadata Tags / Search Schema” on page 359 for the fields included in
the default search schema.
Viewing Kaz Schema
To view the current contents of Kaz Schema use the CLI command:
show schema
The system responds:
How Metadata Tags Are Defined in Kaz Schema
The ‘set schema’ command adds new tags to Kaz Schema. Tags have a variety of
parameters and attributes that must (or can) be set when using this command. These
parameters and attributes must be understood before using the command.
Metadata Tag Attributes
The following types of attributes may be specified when issuing the set schema
command.
- attributes (space separated list)
- search-attributes (comma separated list)
- display-attributes (comma separated list)
- report-attributes (comma separated list)
- delimit-attributes (comma separated list)
Each is set using a specific CLI command keyword.
The set schema attribute keywords, and their usage, follow:
Table 14: Types of Attributes for ‘set_schema’ CLI Command.

set schema keyword: attributes
Attribute Description:
A list of one or more attributes separated by spaces within single quotes. If set schema
is in edit mode, new attributes are added to existing ones. Attributes include:
- Keep: The tag must be populated during classification and persists during
  IS1200 software upgrades.
- Indexed: The tag must be populated in the search index.
- Usertag: The tag is cumulative across classifications.
- Multivalued: The tag can have a set of values.
- Alias: The tag is an alias of another tag; this attribute may not be used with
  any other attribute!
Example:
set schema NewTag type string namespace foo
attributes 'keep indexed'
defines the fully qualified tag fooNewTag that is a string and has the attributes keep and
indexed.

set schema keyword: search-attributes
Attribute Description:
A list of one or more attributes separated by commas within single quotes. These are
search-specific system configuration parameters. When set schema is used in edit
mode, new search-attributes are added to existing ones. Search-attributes include the
following:
- Text: Specifies that the field contains full form text such as sentences,
  paragraphs and long bodies of text.
- Kaztext: Specifies that Kazeon specific aggressive tokenization be used on
  the value of the tag while indexing and searching.
- String: Tag contains a complete string and can only be searched for as a
  complete string.
- Date: The tag contains date/time values that are parsed using all
  internationally accepted date formatters (MM/dd/yyyy, dd/MM/yyyy, yyyy-MM-dd are defaults).
- Uri: The value for this tag is tokenized with <slash> and <space> as a
  universal resource indicator.
- Email: The tag value should be tokenized as an e-mail.
- Saved: Specifies that the field value should be stored in the search index
  repository, instead of fetching from metadata store. Generally this should
  not be used as it may result in slow retrieval performance.
- Stemmed: Specifies that Porter stemming analyzer should be used for the
  field while indexing and searching.
- Content: Specifies the tag is populated in both fullText and the search
  index.
Example:
set schema NewTag type string namespace foo
search-attributes 'saved, stemmed'
defines the fully qualified tag fooNewTagName that is a string and has the search-attributes saved and stemmed.

set schema keyword: display-attributes
Attribute Description:
A list of one or more attributes separated by commas within single quotes. Provides a
way to control display screen clutter so only tags of interest are displayed. By setting
display-attributes to ‘hidden’, tags are not displayed in some displays. Only ‘hidden’ and
‘extractable’ are currently supported. When set schema is used in edit mode, new
display-attributes are added to existing ones.
Example:
set schema NewTag type string namespace foo
display-attributes 'hidden'
defines the fully qualified tag fooNewTagName that can be classified (works in the
search index and the database) but is hidden on the screen. To un-hide, see “Un-hiding
Tags” on page 251.

set schema keyword: report-attributes
Attribute Description:
A string containing report-specific system configuration parameters. Used for internal
purposes, not for general use.

set schema keyword: delimit-attributes
Attribute Description:
A string containing multi-valued tokenization system configuration parameter. For future
use, not currently used.
Metadata Tag Types
Each metadata tag has a type which can also be set using the set schema command.
Types include: string, url, date, integer, decimal, boolean, and email
When the set schema command is issued without specifying a type, set schema
looks for an existing tag with the name specified and attempts to enter edit mode to
modify the existing tag.
Fully Qualified Tag Names
A fully qualified tag name contains both its namespace and the tag name. For example
the default namespace document contains a tag called author.
This tag’s fully-qualified name is documentauthor
and will appear in GUI-generated search queries as ‘DocumentAuthor’
and in GUI metadata field drop-down menus as ‘Author[Document]’.
Metadata Tag Namespaces
A namespace must be declared whenever a new metadata field (tag) is added to
Kaz Schema using the set schema command.
IS1200 software versions 4.0 and higher organize metadata tags into a hierarchy
defined by namespaces. Namespaces group similar sets of tags, for example all the
file level tags, like FileType, FileSize, ATime, and CTime are grouped together
under the System namespace.
The standard IS1200 software installation provides a standard set of active
namespaces. Additional namespaces may be created as needed. Additionally, some
standard namespaces are not normally enabled at installation, but can be activated if
needed. See “Using DICOM Tags” on page 367 for more details.
Standard Installation Name Spaces
A standard IS1200 installation provides the following standard namespaces:
Table 15: Standard or Default Name Spaces

Namespace        Description
Document         Tags specific to Microsoft Office documents, PDF, HTML, etc
Directory        Tags specific to Directory Reporting Rule set
Hierarchy        Internal name space for Hierarchical objects like, zip, tar, pst files.
IPTC             Tags specific to JPEG and GIF file properties
Kazcollection    Internal name space managed by quick rule builder
Kazeon           Tags specific to some prepackaged default rule sets
Mail             Tags specific to the Email properties of exchange, pst, and other email objects
InheritedMail    Internal name space for managing inheritance of properties under a given hierarchy
Dumpster         Tags specific to objects in the dumpster folder
MDB              Tags specific to Access database files
System           Tags specific to system metadata captured by Kazeon IS1200
Legal            Tags specific to Legal service
Legalapp         Tags specific to Legal application, like Interactive tagging.
Enterprisevault  Tags specific to data from enterprise vault files
Glba             Tags specific to GLBA rule set
Master           Tags specific to Master Card rule set
Visa             Tags specific to Visa rule set
Jcb              Tags specific to JCB rule set
Discover         Tags specific to Discover rule set
Dinersclub       Tags specific to Dinersclub rule set
Amex             Tags specific to American Express rule set
Ssn              Tags specific to social security number rule set
Ssncc            Tags specific to SSNCC rule set
Sin              Tags specific to SIN rule set
Itin             Tags specific to ITN rule set
Ein              Tags specific to EIN rule set
Nin              Tags specific to NIN rule set
Additionally, new tags may be created by Actionable Services and Extraction rules
and they will use the following standard namespaces:

Namespace        Description
Userdefined      Tags populated from CD_tagging services
Userextracted    Tags created by extraction rules, and tags carried over during upgrades
                 from preexisting extraction rule tags that have no specific namespace defined.
The IS1200 uses the name spaces UserDefined and UserExtracted for special
purposes aimed at preserving custom tags. All tags created in GUI screens (such as
Actionable Services Tagging services) are automatically added to the UserDefined
name space. An alias is defined for the tag entered for the field.
The UserExtracted name space is populated during upgrades from releases earlier
than 3.X or 4.X. All custom tags found during an upgrade are automatically added to
the UserExtracted name space to preserve them beyond the upgrade process.
Using ‘set schema’ to Add Tags to Kaz Schema
The CLI set schema command is used as follows:
set schema <fieldName> namespace <nameSpaceName> type <typeCode>
attributes <spaceSeparatedListOfAttributes in quotes>
search-attributes <commaSeparatedListOfAttributes in quotes>
display-attributes <commaSeparatedListOfAttributes in quotes>
Where:
<fieldName> is the name of the new metadata tag
<nameSpaceName> is the name of the namespace to add the new tag to
<typeCode> is either text, string, integer, decimal, boolean, or date
and the attributes, search-attributes, and display-attributes lists
are defined in “Types of Attributes for ‘set_schema’ CLI Command.” on page 246
For example:
set schema capacity namespace geex type string
attributes 'indexed keep' search-attributes 'saved, stemmed'
display-attributes 'hidden'
Defines a new metadata field (tag) with the fully-qualified name geexcapacity,
for the tag capacity in the namespace geex, of type string,
with attributes indexed and keep, with search-attributes of saved and stemmed,
and the display-attributes of hidden.
All extraction rules populating the field geexcapacity will add (cumulatively, not
replace) the data of geexcapacity both in the search indexer and the database.
Note:
Date information stored in metadata values (the value side of a metadata tag-value
pair) must match certain formats to be indexed properly and be searchable. See “Date
Format Requirements” on page 296 for more information.
Deleting a Field from Kaz Schema
Enter the following command at a command line prompt and press Enter:
remove schema fieldName
where fieldName is the name of the metadata field to remove.
Do not delete file system metadata from Kaz Schema because these fields are required
to search file systems successfully. The IS1200 does not allow deleting Kazeon
internal metadata fields. However, you can delete the Kazeon-configured metadata or
any custom metadata added to Kaz Schema.
Other CLI Commands for Tag Maintenance
Besides adding and deleting tags in Kaz Schema, the CLI can be used to perform other
kinds of tag maintenance, and to inspect Kaz Schema. To show the basic Kaz Schema,
see “Viewing Kaz Schema” on page 245.
Creating New Namespaces
When the set schema command specifies a namespace that does not exist, it
automatically creates a new namespace with the name specified.
For example, if the following command is issued:
set schema newTagName namespace foo type text attributes 'keep indexed'
And the namespace foo does NOT exist, the IS1200 creates a new foo namespace
and adds the new tag newTagName to it.
Editing Tags
Generally, tags may be edited by using the set schema command without a type
designator. When type is omitted, any new attributes specified are added to the current
attributes, rather than replacing the current ones.
For example, to modify search-attributes previously set with:
set schema categories type string namespace geex attributes
'keep indexed' search-attributes 'saved, stemmed'
To change the tag geexcategories to be aggressively tokenized by the search
indexer, use the command:
set schema categories namespace geex search-attributes 'saved,
stemmed, kaztext'
Note the type parameter is not used!
Un-hiding Tags
Assuming the ‘hidden’ display-attribute was previously applied, to un-hide the tag
geexemailaddress, use the command:
set schema emailaddress namespace geex display-attributes ''
This makes the geexemailaddress tag visible in GUI screens, meaning the tag
name will now appear in all drop-down menus where metadata field names can be
chosen.
Listing Name Spaces
The CLI command: show schema namespaces
Displays the name spaces currently under tag management.
Listing Tags in a Specific Name Space
The CLI command: show schema document namespace
Displays the fully qualified tags under the name space document.
Listing the Indexed Tags in a Name Space
The CLI command: show schema document namespace select indexed
Displays the indexed tags in the name space document. Similarly, one can select
keep, multivalued, and other attributes and restrict the display to those specific
fields.
Listing the Details of a Specific Fully Qualified Tag
The CLI command: show schema geexcategories
Displays all details of the fully qualified tag geexcategories.
Synchronizing Tag Management with Database
The CLI command: synchronize schema
Synchronizes tag management with the database. Use this command after editing a
field to ensure subsequent classifications are affected. Use this command only when
other services are not running. Tag management changes should only be done when no
services are running.
Best Practices
The following Best Practices should be followed.
• Always synchronize the tag management with the database after editing any tag.
• Always use fully qualified tags in extraction and assignment rules.
• Always define different name spaces for extraction rule set tags and assignment rule
  set tags.
• Tags designated for extraction rule sets should not be cumulative (should not have an
  attribute of ‘usertag’). This ensures that each successive classification puts new
  metadata in the tag, and that previous values do not persist.
• When required, edit a tag's properties to un-hide a tag or change search attributes.
• Tags that are not defined anywhere in the tag management are temporary tags and are
  not persisted.
Customizing Kaz Schema for Web-Search Preview
To enable Preview mode in Web-Search, issue this Command Line Interface command.
For v4.2 or greater:
set previewer status enable
For v4.1.2 or earlier:
set schema System.FullText search-attributes
kaztext,content,indexed,index=primary,saved
This allows Preview mode to display the text of search results files in the Preview
pane. Once set, a new deep classification must be run to extract and record the
Preview information.
Customizing the Search Schema for DICOM Data
If you intend to classify DICOM files, the Kazeon Information Server is designed to
recognize and classify the standard DICOM file attributes. However, because there are
hundreds of these, they are not a part of the default search schema.
Be aware that the IS1200 only classifies DICOM file headers; the images themselves
are not opened or parsed.
To add any of the DICOM file attributes to the default search schema, see “Using
DICOM File Attributes as Metadata” on page 368.
Chapter 21:
Auditing and Data Verification
This chapter describes enabling, managing, and using the new Audit features available
in v4.0.0 as well as the Data Verification feature that becomes available when auditing
is enabled in v4.1.0.
Topics include:
• Auditing Overview
• Data Verification Overview
• Auditing Storage Requirements and Management
  ◦ Auditing Storage Requirements
  ◦ Managing Auditing
    * Enabling or Disabling Global Auditing
    * Enabling or Disabling Auditing by Component
    * Displaying Auditing Status
    * Enabling or Disabling Auditing by Event
    * Audit Event Types
• Data Verification Management
  ◦ Data Verification Storage Requirements
  ◦ Enabling the Data Verification Checkbox
• Audit and Data Verification Reporting
  ◦ Audit Reports
  ◦ Data Verification Reports
Auditing Overview
The Auditing feature allows the IS1200 to record all IS1200 system events according
to who did what, when, and the event result. Auditing ultimately adds new reporting
functionality providing an audit trail for all IS1200 system and object activity. All
activities can be recorded, regardless of whether they are initiated by a user or the
system. Auditing is configurable (on/off) at the global, module, or user level.
Note:
Auditing tracks all user activity with one exception. If a user logs into the IS1200
at the "root" (Linux shell) level, then UNIX level commands (such as rm, ls,
mount, or unmount) are not tracked, and any actions that result from Kazeon
Applications started by "root" are not tracked.
Auditing is implemented on each cluster node as a daemon that monitors, and records,
all system and object activity as determined by object-by-object audit settings
recorded in LDAP. Settings are loaded when the daemon first initializes, but can be
forced to reload (on user command) when settings are changed. As individual system
components generate auditable events, they send audit requests to the daemon, which
records the events in the system database.
All event records include the following information:
• the event initiator (username or system)
• the time the event was generated
• the event id (event type)
• the node it occurred on
• the event result (success/failed)
Additional information is also recorded depending on the event type. For example,
crawl events record repositories processed, and file successes and failures. See “Audit
Event Types” on page 262 for more detail on what events are recorded and what their
event IDs are.
Auditing can be configured to record only selected events of interest, or literally all
events from user login to logout and system startup to shut down. This includes all
one-time and regularly scheduled jobs and services, and background events like system
maintenance functions. Events are recorded regardless of whether they are initiated by
a user from Web-Admin, Web-Search, Web-Reports (search and report events), or from
the Command Line Interface (CLI), or by the system itself.
Note:
When (email) Thread View is used to view search results, additional searches may
be automatically generated by the system to collect the Thread View data. This
may result in Search Auditing reporting more search events than expected (in
other words, more searches than just those generated by users).
Reports on audit history are available in both summary and detail forms. They can be
generated from either the GUIs or the CLI and can be exported to CSV files or sent
to an e-mail address.
Note: While most system-initiated events are tracked, some system level events are
not tracked at this time, including the following events:
• Remove metadata / search indexes related commands
• Any metadata maintenance activity
• Report template changes
• Report removals
• Downloading objects via reports OR search
• System configuration changes
• Adding / removing authentication servers
• Policy management changes
• Extraction / Assignment rule-set changes
• Backup / Restore operations
• IS1200 upgrades
• Linux commands run from root OR other login
Auditing and Legal eDiscovery
Auditing can be used to provide a defensible eDiscovery process. Because the IS1200
can be set to audit any or all system and user actions, the entire eDiscovery process
can be documented.
Audit reports can be used to document:
• Discovery services used to determine network Datamaps
• All reports run while generating Responsive Datamaps and Custodian lists
• Crawls and searches, or Single-Step Collections, used to locate potentially-responsive
  documents
• All files put on Legal Hold
• All searches (query by query) used to identify privileged and/or responsive
  documents
• The individual files opened for review during culling
  Note:
  Kazeon recommends that all files opened for review be opened with the native
  applications, not specialized viewers, although both are supported.
• The movement of files (Actionable Services) in and out of legal holding areas as
  potentially-responsive files are determined to be responsive
• The collecting of responsive files into zip, CSV, or XML files for delivery to
  production services
Being able to provide a comprehensive audit of the complete eDiscovery process is a
unique Kazeon feature.
Data Verification Overview
Data Verification builds on auditing and is only available when system auditing is
enabled. For job services like Actionable Services Copy or Move, Legal Hold Copy,
and Single-Step Collections, Data Verification generates an audit trail proving that
files were not altered during these actions. This is especially valuable in eDiscovery
situations.
Data Verification is applied to actionable service jobs with a checkbox option similar
to the following:
While the Data Verification option checkboxes are always visible in the copy, move,
or collection screens described above, they are only active when System Auditing is
enabled, otherwise the checkboxes are grayed out. The default state of the checkbox is
unchecked, but can be changed job-by-job as necessary. Once set, individual job
settings are retained for future and cron jobs, regardless of how the global value may
be reset.
When Data Verification is enabled, the source file’s hash value is compared with the
copied or moved file’s hash value, and the values are recorded in a database. The
database can then produce reports that provide an audit trail proving the files were not
altered during the action. For each file moved or copied, the reports list information
about both the original source file and the target (moved or copied) file. Information
includes: file path, size, hash value, and warnings if the hash values don’t match, or
messages about other errors that might occur.
WARNING!
A file is included in a Data Verification report ONLY if it is actually moved or
copied, allowing the before and after files to be compared. If access to the original
file fails for any reason (for example file password or encryption problems), the
comparison cannot be made and the file is not reported on. These files are
identified in the copy, move, or collection job report status listing as "failures".
Drill-down on the failures count identifies these files.
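The comparison described above, as an added example in Python (not Kazeon code): each source is hashed, copied, and the target hashed again, producing report rows with path, size, hash value and a mismatch warning, while unreadable sources go to a separate failures list and never appear in the report. SHA-256, the function names and the sample files are assumptions; the guide does not name the hash the IS1200 uses.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

HASH_NAME = "sha256"  # assumption: the guide does not say which hash the IS1200 uses


def file_hash(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large files never sit in memory whole."""
    digest = hashlib.new(HASH_NAME)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_row(source_path, source_size, source_hash, target_path):
    """Hash the target and return one report row: paths, sizes, hashes, warning."""
    target_path = Path(target_path)
    target_hash = file_hash(target_path)
    return {
        "source_path": str(source_path),
        "source_size": source_size,
        "source_hash": source_hash,
        "target_path": str(target_path),
        "target_size": target_path.stat().st_size,
        "target_hash": target_hash,
        "warning": "" if target_hash == source_hash else "hash mismatch",
    }


def verified_copy(sources, target_dir):
    """Copy sources into target_dir; return (report, failures).

    A file gets a report row only if it was actually copied. A source that
    cannot be read has no before/after pair, so it is listed under failures.
    """
    target_dir = Path(target_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    report, failures = [], []
    for source in map(Path, sources):
        target = target_dir / source.name
        try:
            size = source.stat().st_size
            source_hash = file_hash(source)  # taken before the copy (or move)
            shutil.copy2(source, target)
            report.append(build_row(source, size, source_hash, target))
        except OSError as exc:
            failures.append({"source_path": str(source), "error": type(exc).__name__})
    return report, failures


def recheck(row):
    """Re-hash a reported target later to detect alteration after the job ran."""
    return build_row(row["source_path"], row["source_size"],
                     row["source_hash"], row["target_path"])


def demo():
    """Run a copy job over constructed sample files, then tamper with the target."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        src.mkdir()
        (src / "memo.txt").write_bytes(b"quarterly figures, constructed sample\n")
        missing = src / "locked.pst"  # never created: stands in for an unreadable source
        report, failures = verified_copy([src / "memo.txt", missing], root / "hold")
        Path(report[0]["target_path"]).write_bytes(b"edited after collection\n")
        tampered = recheck(report[0])
    return report, failures, tampered


if __name__ == "__main__":
    rows, failed, later = demo()
    print("report rows:", len(rows), "failures:", len(failed))
    print("warning after tampering:", later["warning"])
```

The failures list is what to reconcile against the job's "failures" count: those files have no integrity record at all.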
All the standard Data Verification reports are accessed only from Web-Reports and are
identified by job ID or run ID (run IDs are appended to job ID for cron jobs). Custom
reports are not available in this release.
Note:
Audit Reports for Single Step collections are listed as Deep Classification
Services in System Audit Reports and as Copy Services in Data Audit Reports.
Auditing Storage Requirements and Management
Auditing is off by default and must be manually enabled. Auditing requires a
considerable amount of metadata storage. Before enabling Auditing, be sure to
understand the storage requirements.
Auditing Storage Requirements
Auditing logs are automatically purged according to the retention-period settings. The
default is 60 days. However, 60 days can require significant storage. Different
retention periods can be set. See “Audit Pruning Settings” on page 259 for details.
Each time a crawl runs, the metadata repository must have an additional 2 gigabytes
per million objects crawled, for auditing to function correctly.
WARNING!
For example, if a recurring crawl occurs once a week, and crawls 2 million objects
every time it runs, an additional 4 gigabytes of space will be required each week.
Potentially, 60 days times 2 gigabytes can require as much as 120 gigabytes of audit
log space.
The "cluster database" is the metadata repository used to store audit information and it
can be displayed using the "show database" CLI command.
The circled area shows where to read the name of the cluster database.
Before turning auditing on, be sure the appropriate metadata repository has enough
space available to accommodate the growing audit data log.
Managing Auditing
Auditing can be turned on or off globally, or by individual component or event.
Auditing is OFF by default. Auditing storage is controlled by a retention-period which
sets the number of days to keep audit logs.
Audit Pruning Settings
Automatic audit-pruning structures the Audit information tables into daily partitions.
Partitions are automatically purged (daily at 1AM) after their retention period is
exceeded. A new LDAP parameter called "retentionperiod", which controls how long
audit logs are kept, can be changed and checked using the following CLI commands:
To set the audit retention period, use:
set audit-retention period <#>,
where <#> identifies the number of days
To show the current retention period, use:
sh audit-retention
The time and frequency of the purge are not settable.
Enabling or Disabling Global Auditing
Auditing can be turned on globally using the following CLI command:
set audit config status enable|disable
When global auditing is enabled or disabled, ALL auditing components are
individually enabled or disabled, but can be individually changed (enabled or
disabled) afterwards.
Enabling or Disabling Auditing by Component:
The following CLI command is used to enable or disable auditing by components:
set audit config component <component name> status enable|disable
Supported <component name(s)>:
• actionable-services
• search
• authentication
• job-management
• classification
• repository-management
• user-interface
• cluster-management
• deletion
Displaying Auditing Status
The following CLI command is used to display audit status:
sh audit config
And responds with:
eventid  description                        status
-------  -----------                        ------
1401     Services: Crawled Documents        Enabled
1402     Services: Deep classification      Enabled
1502     Repository: Deleted                Enabled
1403     Services: Metadata classification  Enabled
1001     Copy                               Enabled
1803     Cluster: Configuration Changed     Enabled
...
See “Audit Event Types” on page 262 for the complete listing.
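An added example, not part of the Kazeon CLI: a Python parser for a listing in the three-column layout shown above (eventid, description, status) that reports which events a review process depends on are disabled or absent. The sample listing is constructed, and the "Disabled" status value and the choice of required events are assumptions; the event IDs and descriptions are the ones listed under “Audit Event Types”.

```python
import re

# Constructed sample in the eventid / description / status layout.
# "Disabled" is an assumed status value; the guide only shows "Enabled" rows.
SAMPLE_OUTPUT = """\
eventid  description                            status
-------  -----------                            ------
1401     Services: Crawled Documents            Enabled
1201     Authentication: Login                  Enabled
1202     Authentication: Expired login session  Disabled
1702     UserInteraction: Object Downloaded     Disabled
1005     Legal hold                             Enabled
1803     Cluster: Configuration Changed         Enabled
"""

# Assumed policy: events an eDiscovery audit trail would need recorded.
# IDs and descriptions are taken from the guide's Audit Event Types table.
REQUIRED = {
    1201: "Authentication: Login",
    1101: "Search: Query",
    1401: "Services: Crawled Documents",
    1005: "Legal hold",
    1701: "UserInteraction: Object Viewed",
    1702: "UserInteraction: Object Downloaded",
    1008: "Export",
}

# Four-digit event id, free-text description, then a single status token.
ROW = re.compile(r"^\s*(\d{4})\s+(.+?)\s+(\S+)\s*$")


def parse_audit_config(text):
    """Return {event_id: (description, enabled)} for every data row.

    Header, separator and "..." lines do not start with an event id and are
    skipped. Any status other than "Enabled" is treated as not enabled.
    """
    events = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            event_id, description, status = match.groups()
            events[int(event_id)] = (description, status == "Enabled")
    return events


def coverage_gaps(events, required):
    """List required events that are not being recorded, sorted by event id.

    Each entry is (event_id, description, reason) where reason is "disabled"
    when the row is present but not enabled, or "not listed" when the row is
    missing from the listing altogether.
    """
    gaps = []
    for event_id in sorted(required):
        if event_id not in events:
            gaps.append((event_id, required[event_id], "not listed"))
        elif not events[event_id][1]:
            gaps.append((event_id, required[event_id], "disabled"))
    return gaps


if __name__ == "__main__":
    for event_id, description, reason in coverage_gaps(
            parse_audit_config(SAMPLE_OUTPUT), REQUIRED):
        print(f"{event_id}  {description}: {reason}")
```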
Enabling or Disabling Auditing by Event:
The following CLI command is used to enable or disable auditing by event:
set audit config event <event name> status enable|disable
Supported <event name(s)>:
• services-copy
• service-move
• service-erase
• service-erase_expired
• service-legalhold
• service-tagging
• service-lock
• service-export
• service-restore
• search-query
• user-login
• user-sessionexpiry
• addservice
• deleteservice
• suspendservice
• resumeservice
• startservice
• suspendservice-force
• killservice
• service-basic
• service-deep
• service-mdclassification
• repository-add
• repository-delete
• repository-offline
• repository-disconnected
• user-fileview
• user-filedownload
• cluster-start
• cluster-stop
• cluster-configurationchange
• cluster-addnode
• cluster-removenode
• deletion-sync
Audit Event Types
Audit events status listings and reporting use the following IDs:
Event ID  Event Description
1401      Services: Crawled Documents
1402      Services: Deep classification
1502      Repository: Deleted
1403      Services: Metadata classification
1001      Copy
1803      Cluster: Configuration Changed
1701      UserInteraction: Object Viewed
1007      Object Locking
1702      UserInteraction: Object Downloaded
1504      Repository: Offline
1003      Erase
1302      Job: Deleted
1805      Cluster: Node removed
1301      Job: Added
1307      Job: Killed
1801      Cluster: Started
1901      Object Deleted
1503      Repository: Online
1304      Job: Resumed
1804      Cluster: Node added
1004      Erase expired objects
1305      Job: Started
1501      Repository: Added
1303      Job: Suspended
1802      Cluster: Stopped
1201      Authentication: Login
1008      Export
1306      Job: Force Suspended
1002      Move
1005      Legal hold
1006      Tagging
1101      Search: Query
1202      Authentication: Expired login session
1009      Restore
Data Verification Management
Data Verification is off by default, because System Auditing is off by default. Once
System Auditing is enabled, Data Verification option checkboxes become available in
Actionable Service and Collection job dialogs.
Each job or service run with the Data Verification option selected consumes additional
metadata storage for the Data Verification results.
Data Verification Storage Requirements
Like data auditing, data verification also requires additional metadata storage each
time it is used on a copy, move, or collection job. However, because data verification
records both source and target file information (pathname, size, hash, etc), the storage
requirements are greater. Data verification requires between 1 and 9K storage per
object per job (copy, move, collection) depending on filepath lengths. As either, or
both, of the source and target filepaths get longer, the storage requirements increase.
Currently there are no automatic data retention limits or storage controls for Data
Verification data stored in the databases. However, each Data Verification report is
tied to the job it reports on, and is automatically deleted when the job or report is
deleted.
Enabling the Data Verification Checkbox
Data Verification is only available when System Auditing is enabled; see “Enabling or
Disabling Global Auditing” on page 260 for details on turning System Auditing on.
Once Data Verification is enabled (by System Auditing), it can be enabled on a
job-by-job basis by checking the Data Verification option checkboxes in Actionable
Service copy or moves, or in One-Step Collections.
Audit and Data Verification Reporting
Once Auditing and Data Verification are enabled, recorded audit and Data Verification
information can be viewed as reports.
Audit Reports
From the Web-Reports navigation pane under Templates,
select Audit to display the standard Audit reports.
The System Audit reports return information about events initiated by the system or a
user, such as user login/logout, session start/ends, repository adds/deletes, and jobs
initiated by cron scheduling. The Data Audit reports return information at the file
object level, for example how many and what files were processed by crawls, and the
file access success/failure, or when the files were opened from search or report results.
The purpose of each report is described in its Description field under Report
Definition Details. Audit reports may be run, viewed, and exported just like any
standard report. See the Web-Reports User Guide for details.
Note:
The Activity History report returns all actions or events for a specified file.
Before using it, edit the filter section to specify the filename to report on.
Unlike other reports, Audit reports return event counts, not file counts, sizes, or percentages.
Drill-down
In the Summary Reports window,
the Perform Actions menu allows Drill-down and Export, both of which respond just
as all other report pages do.
View History
In the Detail Reports window,
the Perform Actions menu does not allow Drill-down, but does contain a new option,
View History. This option is also available by selecting a file listing (checking its
box) and then right-clicking to display a pop-up menu.
When View History is selected,
the View History page displays a listing of all events for that file.
Data Verification Reports
From the Web-Reports navigation pane under Results,
select Data Verification to display the standard Data Verification reports.
Click any Data Verification result listing once to expand the listing.
Click the Open Report button to open the report.
Drill-Down
Once a Data Verification report is displayed, details (like the filenames copied) can be
viewed by doing a drill-down on report rows. Select a row and right-click any column
entry (for example Objects) and select the Drill-down option from the menu.
When the Schedule Report dialog appears, click the Drilldown Directly button (or
schedule the drill-down job).
A drill-down report looks like the following:
Both target file information (circled) and destination file information are displayed.
You will probably need to scroll to the right to see all the information.
Chapter 22:
eMail Solutions
This chapter discusses Kazeon Information Server features useful in managing eMail data.
Topics are as follows:
• eMail Management and Regulatory Requirements
• Kazeon Standard Solutions
• Kazeon Optional Solutions
  ◦ The Enterprise Vault Optional Module
• Use Cases
  ◦ Legal Discovery
  ◦ Data Privacy
eMail Management and Regulatory Requirements
Email management and regulatory compliance are relatively new business requirements.
Good business sense, as well as governmental regulations, require corporate email
management that protects intellectual property, and ensures corporate regulatory
compliance to regulations such as HIPAA, Sarbanes-Oxley, PCI, CA-SB1386, SEC,
and Gramm-Leach-Bliley. Good email management can also minimize problems in
complying with legal electronic discovery requirements.
Additionally, efficient management of the basic network resources and storage
requirements for email can save organizations significant costs.
The Kazeon Information Server provides both standard email solutions, and optional
solutions that work with specialized third party systems like Symantec’s Enterprise
Vault.
Kazeon Standard Solutions
The Kazeon Information Server base server license allows searches, reports, and
actionable services on a variety of email file types.
eMail searches can be based on file properties such as filename, filesize, or email
properties like the To, From, and CC fields, as well as file content such as specific
words, or unique patterns like phone numbers or social security numbers.
You can do searches and reports on the following kinds of email files:
• Microsoft Exchange PST and OST files
  Note:
  PST files can sometimes be “live-locked” by applications like Microsoft Outlook,
  making them ordinarily inaccessible by the IS1200. See “Working With PST
  Files” on page 153 for details on resolving this issue.
  ◦ PST and OST files can be thought of as “container” files. They contain other
    files, sometimes hundreds or thousands of emails organized by user
    preferences. Other file types, like ZIP, TAR, and JAR files also contain
    multiple files. Starting with version 3.0, the Kazeon Information Server can
    classify container files two ways:
    • As a single file—or physical object—classification saves a single
      metadata entry for the physical object containing information about all the
      individual files it contains.
    • As a collection of individual objects—or virtual files—saving individual
      metadata entries for each virtual file that is separated out.
      * Optionally, full-text indexes can be created for each virtual file.
      * Files inside of emails—attachments, or other included emails—are
        also broken into individual virtual files with all the same
        classification rules applied.
      * Individual virtual files that fail classification—because they are
        encrypted, password protected, or otherwise un-openable—are
        flagged for corrective action later.
• Microsoft Exchange and SMTP Journaling files.
• Simple single saved emails in .eml or .msg files.
• Email contained in Lotus Domino or Lotus Notes files.
Breaking out virtual files from PST physical object files is only done in deep crawls.
However, once email in PST files has been deep classified, Actionable Services like
copy, move, and tag can be applied to search and report results for either the physical
object or the virtual files.
In legal eDiscovery situations, email pertinent to particular investigations can be
easily preserved and put into Legal Hold. Email that might compromise intellectual
property, or expose an organization legally, can be routinely identified allowing the
situations that generated them to be corrected. Duplicate, dated, or otherwise
non-useful email can be identified and easily moved to cost-effective storage or archival
volumes.
Kazeon Optional Solutions
Besides the eMail solutions available in the Kazeon Information Server base server
license, an optional module—requiring its own license—is available for working with
a Symantec eMail management solution called Enterprise Vault that customers may
also have.
The Enterprise Vault Optional Module
The Enterprise Vault™ (EV) from Symantec Corp. enables organizations to quickly
perform cost-effective supervisory review of email and other electronic
communications, helping ensure compliance with SEC and NASD regulations
requiring active supervision of electronic messaging systems. EV provides
broker-dealers with a tool for enterprise-scale review of email, instant messages, Bloomberg
and digital fax messages.
Symantec Enterprise Vault supports a broad range of storage platforms, including
hardware from EMC, IBM, Network Appliance, Inc., Plasmon and StorageTek. The
Kazeon EV Module supports all platforms EV can be installed on.
How the IS1200 Works with Symantec EV
Kazeon's Enterprise Vault Connector (EV Connector) bridges Symantec Enterprise
Vault and Kazeon Systems by presenting a registered EV archive site as a standard file
system to the Kazeon IS1200 system. This enables the Kazeon IS1200 System to
classify an EV archive as a directory, and integrates the Enterprise Vault and Kazeon
Systems with only minor modifications to generic IS1200 components.
Kazeon's EV Connector enables the following capabilities:
• Classification and indexing of archives located in Enterprise Vault
• Searches and reports on the EV archives after classification and Indexing
• Copying or moving files into the EV through actionable services on search and
  report results
See the Enterprise Vault Optional Module User and Configuration Guide for more
details on using EV with the Kazeon Information Server.
Use Cases
The IS1200’s ability to break out virtual files from physical objects like PST files can
be extremely useful in a number of situations. Two examples follow.
Legal Discovery
In Legal Discovery cases, administrators and auditors might search, identify and
extract individual responsive e-mails from PST files in the following steps.
Administrators
1. Register network file systems that should be searched for responsive documents.
These file systems can contain PST files of different sizes and created in different
Outlook Versions. Individual files—or individual file attachments—in the PST
files may be password protected, encrypted, or other PST files.
2. Run one-time or recurring deep crawls against one or more registered network file
systems containing PST files. The extraction rule set should include the full-text
rule and rules for extracting key mail header information.
3. Monitor the initial crawl to make sure all documents are successfully indexed.
Monitor recurring crawls to ensure all subsequent changes to PST files are
captured after they occur.
4. Run a report to show all e-mails or files that were partially processed.
5. Schedule a metadata synchronization service to capture file deletions.
Auditors
1. Run a simple or advanced search query against text in the e-mail subject, body or
attachment, or perform advanced searches against the metadata (using the e-mail
templates)
2. Open e-mails—contained in PST files—from Web-Search to review in Outlook
3. Tag specific e-mails contained in PST files
4. Download search results to a CSV file
5. Download e-mail results to PST file
6. Copy responsive e-mails to a CIFS share, EV Repository, or a SnapLock file
system with retention.
Data Privacy
Organizations can use Kazeon’s email solution to find confidential, non-public
information contained in e-mails or PST archives as part of their Data Privacy efforts
using the following steps.
Administrators
1. Register network file systems that might contain non-public information. These
file systems can contain PST files of different sizes and created in different
Outlook Versions. Individual files—or individual file attachments—in the PST
files may be password protected, encrypted, or other PST files.
2. Start a one-time or recurring deep crawl against the registered network file
systems. The crawl extraction rule set should be the standard NPI rule set that
ships with the Kazeon server software.
3. Monitor the crawl(s) to make sure all files are successfully indexed. Monitor
recurring crawls to ensure that subsequent changes to the PST files are captured as
well.
4. Run a report to show all e-mails or files that were partially processed.
5. Schedule a metadata synchronization service to capture file deletions.
Auditors
1. Run a report (or search) to identify all non-public information. The report will
display the individual e-mails containing non-public information from the PST
files classified.
2. Open e-mails contained in PST files from the Web-Report to review in Outlook
3. Tag specific e-mails contained in PST files.
4. Download search results to a CSV file.
5. Download e-mail results to PST file.
6. Copy e-mails with non-public information to a CIFS share, EV Repository, or a
SnapLock file system with retention.
Chapter 23:
Encrypted Files
EFS Overview
Security features such as logon authentication or file permissions protect network
resources from unauthorized access. However, anyone with physical access to a
computer, such as a stolen laptop, can install a new operating system on that computer,
bypass the existing operating system's security, and expose sensitive data.
Encrypting sensitive files adds another layer of security. When files are encrypted,
their data is protected even if an attacker has full physical access to a computer's data
storage.
Windows uses an Encrypting File System (EFS) driver to encrypt files. Files can be
encrypted directly, or by placing them in an encrypted folder. After a folder is
encrypted, all files subsequently added to that folder are automatically encrypted.
EFS requires users to have an EFS certificate to encrypt files or folders. The certificate
contains the public and private keys used to encrypt and decrypt file and folder data. If
a user doesn’t have an EFS certificate the first time they attempt to encrypt a file or
folder, EFS automatically creates one for them and stores it in their current user
profile.
A file or folder is encrypted using simple checkboxes in its Properties dialog box.
Permissions allowing other users to access an encrypted folder—or file—may also be
controlled with the Properties dialog. Essentially the folder is set to allow certain
users permission to open the folder and the files it contains. If a user without
permission tries to access the folder, they are denied. Users with permission are
granted access.
Encrypted files are not normally accessible to the IS1200 during classifications and
other services without special preparation. The preparation consists of creating an
identity—a username and password allowed to access the encrypted file(s)—and
specifying that identity when the file system is registered as a repository. See “The
Identity Vault” on page 73 for more details about identities.
Thereafter, the IS1200 can access the encrypted files or folders on that repository
using the specified identity to impersonate a user that has access to the files or folders.
Kazeon IS1200 Working With Encrypted Files
Impersonation Complications
The problem with using impersonation to access encrypted files is deciding who to
impersonate.
When files are originally encrypted, a unique File Encryption Key (FEK) is created to
encrypt the files. The FEK is saved only inside the encrypted file, but it is in turn
encrypted with the encrypting-user’s public key and saved in the encrypted file’s
Data Decryption Field (DDF). The public key used to encrypt the FEK comes from
the user’s EFS certificate, stored in their currently active profile.
To decrypt the file when needed, the user’s private key is used to decrypt the FEK
which is in turn used to decrypt the file. The system is designed this way to allow
other users access to the file if needed.
To allow user2 access, the file is simply modified by adding another DDF that
encrypts the FEK using user2’s public key. Now user2 can also use their private key
to decrypt the FEK and in turn decrypt the file.
Further, to allow system administrators to recover encrypted files if all allowed users
lose their keys, Data Recovery Agents (DRAs) may be defined for the network at
large. The DRAs are then applied to the individual encrypting systems by adding
Network Recovery Policies on those encrypting systems that specify the DRAs’
identities and the location of their EFS certificates. When a Network Recovery Policy
is in place, DRAs are automatically allowed access to all encrypted files by adding the
file’s FEK—encrypted with the DRA’s public key—to the encrypted file’s Data
Recovery Field, just like adding an “allowed” user through the Data Decryption Field.
The diagram below shows a typical encrypted file’s structure.
Data Decryption Fields
    FEK encrypted with original encryptor's public key.
    FEK encrypted with allowed user_1's public key.
    FEK encrypted with allowed user_2's public key.
Data Recovery Fields
    FEK encrypted with Designated Recovery Agent 1's public key.
    FEK encrypted with Designated Recovery Agent 2's public key.
File data, encrypted with FEK.
A user’s public and private keys are stored in their user profiles, and can be accessed
by anyone that has the user’s username and password, in other words, anyone that
can impersonate them.
The problem with this system is that EFS certificates are often created “on the fly” as
needed, for example when a user tries to encrypt a file for the first time and the system
discovers the user doesn’t already have an existing EFS certificate. For security
reasons, all encryption is done locally by the CPU of the physical computer the file is
located on and is never done remotely. Consequently, the EFS certificates required
must also be available locally to the encrypting system, either through a locally stored
profile or a roaming profile that is downloaded and temporarily stored locally when a
roaming user logs in. If a user tries to encrypt a file on a remote system, the remote
system must do the encryption, and it must have a local EFS certificate to do it with.
To store a local EFS certificate, the remote system creates a local profile for the user
on the remote system and creates a new EFS certificate in this profile, even if that user
has a different EFS certificate elsewhere on the network or on the local computer they
are currently logged into. This often causes multiple EFS certificates to be created for
users, one on their personal computer, and others on the remote systems they log
into and encrypt files on.
To make matters worse, user EFS certificates may also be added to the local
Active Directory (AD) and if an encrypted file’s owner chooses to allow other users
access to the file by importing them from AD, there is no guarantee that the EFS
certificate imported will match the imported user’s EFS certificates anywhere else (for
example, certificates created “on the fly” on other servers).
With all these potential multiple EFS certificates in mind, the significance of this
section’s original statement (“The problem with using impersonation to access
encrypted files is deciding who to impersonate”) becomes apparent.
When deciding what user to specify as an impersonation identity when registering an
encrypting file repository on the IS1200, which user profile do you use?
For laptops and desktops the appropriate identity is the primary computer user, or the
network administrator that has backup/recovery privileges on that computer.
For file servers, many remote users may have logged in, created encrypted files or
folders, and left on that server many (perhaps hundreds or thousands) of EFS
certificates—and local profiles—that are needed to decrypt all the files on that server
during a classification service. If possible, the appropriate identity is a Data Recovery
Agent—specified by a Data Recovery Policy for that server—that has automatic
access to every file encrypted on that server.
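The selection problem described above, worked through as an added Python example (not part of the Kazeon guide or product): it models each file's Data Decryption and Data Recovery Fields as the certificates the FEK was wrapped for, then reports which files each candidate identity could not decrypt. Account names, paths and certificate labels are constructed, and no cryptography is performed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyField:
    """One DDF or DRF entry: the FEK wrapped with one certificate's public key."""
    account: str   # account the entry is listed under
    cert: str      # label of the certificate whose public key wrapped the FEK


@dataclass(frozen=True)
class EncryptedFile:
    path: str
    ddf: tuple       # Data Decryption Fields: encryptor and allowed users
    drf: tuple = ()  # Data Recovery Fields: Data Recovery Agents


def can_decrypt(f, held_certs):
    """True if the private key for any DDF/DRF entry is among held_certs."""
    return any(k.cert in held_certs for k in f.ddf + f.drf)


def missed_files(files, held_certs):
    """Paths that stay unreadable when impersonating a holder of held_certs."""
    return [f.path for f in files if not can_decrypt(f, held_certs)]


def rank_identities(files, candidates):
    """Return (account, missed paths) pairs, best coverage first."""
    report = [(acct, missed_files(files, held)) for acct, held in candidates.items()]
    return sorted(report, key=lambda r: (len(r[1]), r[0]))


def listed_but_locked_out(files, account, held_certs):
    """Files that name `account` in a field, but only under a certificate whose
    private key the impersonated profile does not hold (the multiple-certificate
    case: the name matches, the key does not)."""
    return [f.path for f in files
            if any(k.account == account for k in f.ddf + f.drf)
            and not can_decrypt(f, held_certs)]


# Constructed sample: one file server with a recovery policy naming one DRA.
DRA = KeyField("CORP\\efs-dra", "DRA-CERT")
FILES = [
    EncryptedFile(r"\\fs01\docs\alice\plan.doc",
                  (KeyField("CORP\\alice", "ALICE-FS01"),), (DRA,)),
    EncryptedFile(r"\\fs01\docs\bob\budget.xls",
                  (KeyField("CORP\\bob", "BOB-FS01"),), (DRA,)),
    # Bob added Alice from Active Directory; the certificate published there is
    # not the one EFS created on the fly in her local profile on fs01.
    EncryptedFile(r"\\fs01\docs\bob\shared.doc",
                  (KeyField("CORP\\bob", "BOB-FS01"),
                   KeyField("CORP\\alice", "ALICE-AD")), (DRA,)),
]

# Certificates whose private keys each candidate's profile on fs01 holds.
CANDIDATES = {
    "CORP\\alice": {"ALICE-FS01"},
    "CORP\\bob": {"BOB-FS01"},
    "CORP\\efs-dra": {"DRA-CERT"},
}

if __name__ == "__main__":
    for account, missed in rank_identities(FILES, CANDIDATES):
        print(f"{account}: {len(missed)} file(s) not decryptable {missed}")
    print("listed by name but locked out:",
          listed_but_locked_out(FILES, "CORP\\alice", CANDIDATES["CORP\\alice"]))
```

Only the recovery agent reaches every file, and shared.doc shows why matching on the account name alone is not enough.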
Roaming Profiles
One way to lessen the identity problem when accessing encrypted files on remote
servers is to require network users to use “roaming profiles”.
Roaming user profiles are set up on the domain controller that user computers join at
login. When a user logs into a domain, their roaming user profile is downloaded to the
local login computer and temporarily applied. When the user logs off, any changes
made to the roaming profile are updated on the domain controller for use when the
user logs in elsewhere. This allows users to have a consistent profile (and EFS
Certificate) on every encrypting file system they access, including remote servers they
log onto from other computers.
However, since all encryption/decryption is done locally, in the case of encrypted files
on a remote server accessed with a roaming profile, the EFS services on the remote
server must be able to impersonate the user to obtain the user’s public and private
keys when files are encrypted or decrypted for use. This requires the following:
• The encrypting computer must be a domain member in a domain that uses
  Kerberos authentication because impersonation relies on Kerberos authentication
  and delegation.
• The encrypting computer must be trusted for delegation.
• The encrypting user must be logged on with a domain account that can be
  delegated.
Delegation Issues
The IS1200 will only be able to impersonate a user (encrypt/decrypt files) if the user’s
account can be delegated. Additionally, any remote server the files are on must also be
trusted for delegation (otherwise, the EFS on the remote server will not be able to
impersonate the user to obtain the EFS keys needed to encrypt/decrypt files).
Basic Steps for Classifying Encrypted Files
To set up the IS1200 to classify systems with encrypted files—laptops, desktops, or
remote file servers—do the following:
1. Ensure all EFS file systems that will be registered with the IS1200 as data
repositories are properly set up for EFS. This includes doing the following:
a. Encrypt all the required files/folders before registering the repository.
See “Encrypting Files and Folders on Windows Machines” on page 277.
b. Share the parent volume or folder of the encrypted files on the network.
c. Ensure there is a single user account—with access to all the encrypted files or
folders on the share or server—that can be saved as an identity on the IS1200.
This is the identity that will be associated with the share when it is registered
as a data repository and used for impersonation when accessing encrypted
files on the data repository during classifications. For laptops and desktops,
this identity should be a user with administrative privileges to that computer.
For remote servers, the identity should be a Designated Recovery Agent for
the remote server. See “Impersonation Complications” on page 274 for details
on choosing an impersonation identity.
d. The users described in bullet c must have valid EFS Certificates, be Active
Directory users, and their EFS certificates must be registered with their AD
account. See “Obtaining and Registering Valid EFS Certificates” on page 280
for details.
e. The users described in bullet c, and the EFS shares or servers registered as
data repositories, must be trusted for delegation. See “Setting up Delegation
for Users and Remote Filers” on page 282 for details.
2. Register the EFS shares or file systems as repositories on the IS1200 using the
identities chosen in Step c above. These identities must be user accounts that can
impersonate a user with access to all the encrypted files on the registered
repository. See “Adding an EFS Remote Server as a Registered Repository” on
page 281 for details.
3. Classify the EFS repositories using standard classification procedures. See
“Scheduling a Basic Crawl” on page 187 or “Scheduling a Deep Crawl” on
page 192 for details.
Encrypting Files and Folders on Windows Machines
EFS is enabled by default on Windows 2000 and Windows XP systems. In its default
configuration, EFS enables users to encrypt files from My Computer with no
administrative effort.
Both individual files and folders can be encrypted. If a folder is encrypted, any files
subsequently added to it are also automatically encrypted.
From the user's point of view, encryption is simply a matter of setting an attribute in a
file or folder’s Properties dialog.
To encrypt a file or folder:
1. Open Windows Explorer and select the file or folder to encrypt.
2. Right-click the file or folder and select Properties from the context menu.
3. From the Properties dialog that opens (shown top right), click the Advanced
button to open the Advanced Attributes dialog.
4. In the Advanced Attributes dialog, make sure the Compress contents to save
disk space checkbox is unchecked. A file cannot be both compressed and
encrypted at the same time.
5. Click to select the Encrypt contents to secure data check box as shown at right.
6. Click OK in the Advanced Attributes dialog.
7. Click Apply in the Properties dialog.
If you are encrypting a file, a Confirm Attributes Change dialog appears asking if
you would like to encrypt the file only, or the folder containing it. If you are
encrypting a folder, the same dialog appears asking if you want to encrypt just the
folder, or all files and sub-folders it contains.
Select an appropriate choice and click OK. The Properties dialog reappears.
8. In the Properties dialog, click OK to exit the dialog and encrypt the file.
Note: Encryption is not applied to files or folders until you click OK in the
Properties dialog. Additional users may not be granted access to the
encrypted files or folders until after the initial encryption is applied.
Granting Additional Users Permissions to Access Encrypted Files
EFS does not support group permissions to encrypted files. Also, support for multiple
users on folders is not provided in either Windows 2000 or Windows XP. However, in
Windows XP, EFS does support encrypted file sharing for multiple users.
Once a file is initially encrypted, file sharing is enabled using a button called the
Details button. The Details button is found by opening a file’s Properties dialog and
clicking the Advanced button to open the Advanced Attributes dialog shown at right.
The Details button is not available until after a file is initially encrypted.
The Details button opens the Encryption Details
dialog shown below. This dialog allows sharing an
encrypted file with other Active Directory users (not groups), provided the user has a
valid EFS certificate.
Do the following to use the Encryption Details dialog to allow other users access to an
encrypted file:
1. Click the Add button shown below.
A new dialog box appears showing the existing users and certificates cached in the
Other People and Trusted People certificate stores of the local machine. EFS
generated certificates (self-signed certificates) are cached in the local machine’s
Trusted People Store. Certificates enrolled manually or automatically through autoenrollment for the user are also cached on the local machine’s Other People store. The
dialog also allows new users to be added from Active Directory by clicking the
Find User button.
Note: A user must have a valid EFS certificate in the Active Directory to be added
(to obtain valid certificates, refer to section 6).
2. Click the Find User button shown below.
The standard object picker dialog box is displayed for you to use to search for users
that will be allowed access to the encrypted file. Conduct a search.
A dialog box displays all the Active Directory users with valid EFS certificates that
match your search criteria. If no valid certificates are found, the dialog below is shown:
If users with valid certificates are found, they are displayed in the dialog shown below.
3. Select a user and click OK to add them to the list of users allowed to access the
encrypted file.
This feature works best when a user has a roaming user profile and only one EFS
certificate is stored on their user account in Active Directory. If roaming user profiles
are not used, multiple certificates may be available on the user account and
subsequently, not available when encrypting files on some servers.
Note: Machine certificates (denoted by a machine name with a $ extension) may be
displayed if encrypted offline folders are in effect on the local machine.
Obtaining and Registering Valid EFS Certificates
Encryption is done using an EFS certificate. If a user does not have an EFS certificate
the first time they try to encrypt a file, EFS attempts to create one for them.
Two kinds of certificates can be used:
• Certificates issued by a valid network Certificate Authority (CA)
• Self-signed certificates
EFS does not require a network CA to enable file encryption. If your network has no
assigned CAs, the EFS component issues a self-signed certificate.
However, there are advantages to using a CA to create EFS certificates if you're in a
high-security or enterprise environment. A CA allows the network administrator to
manage the certificates centrally, and using certificate services, they can revoke
certificates and specify the length of time that certificates are valid. It's also possible
to set up computers as dedicated Recovery Computers (similar to Recovery Agents for
users) and issue specific recovery certificates to them, instead of issuing the recovery
certificate to the domain controller.
Obtaining and Registering EFS Certificates Using MMC
If a CA is installed, EFS certificates can be obtained using Microsoft Management
Console (MMC).
1. From the desktop Start menu, click Run, enter “certmgr.msc”, and click OK.
2. In the MMC window shown below,
expand Certificates - Current User, and then expand Personal.
3. In the right pane, right-click, select All tasks, and click Request New Certificate.
4. On the first page of the Certificate Request Wizard that appears, click Next.
5. On the Certificate Types page,
click User in the Certificate types list, and then click Next.
6. On the Certificate Friendly Name and Description page, type a descriptive name
(such as Network Certificate) in the Friendly name box, type a description
(optional) in the Description box, and then click Next.
7. On the final page of the wizard, click Finish.
A dialog box appears confirming the certificate request was successful.
Verifying a User Certificate Was Added to Active Directory
1. Click Start > All Programs > Administrative Tools > Active Directory Users >
Computers.
2. Click View, and then click Advanced Features.
3. In the left pane, click the Users folder.
4. In the right pane, double-click a user.
5. Select the Published Certificates tab.
6. In the List of X509 certificates published for the user account list, you should
see a list of all the user's digital certificates. The EFS certificate should be included.
Adding an EFS Remote Server as a Registered Repository
To add a file server, laptop or desktop, or other system using EFS as a registered data
repository on the IS1200, do the following:
1. Follow the lettered steps outlined in step 1 of “Basic Steps for Classifying Encrypted
Files” on page 276 to prepare the EFS system for registration.
2. Register the user account identified in step c of step 1 of “Basic Steps for
Classifying Encrypted Files” on page 276 as an Identity on the IS1200 and as a
valid Active Directory user. This identity can be added two ways:
   - Use a CLI command as follows:
       add identity <identity name> user <username>
     for example: add identity admin user administrator
     You will then be prompted for the user’s password twice.
   - Use the Web-Admin Authentication page to add that user as an Identity,
     see “Adding Identities to the Identity Vault” on page 74 for details.
3. Add the encrypted folder (EFS) as a repository to the IS1200 using the identity
just created. Adding the repository can be done two ways:
   - Use a CLI command as follows:
       add datafs <dfs-name> mount <//server/folder> as <user>
     for example:
       add datafs dfs-enc mount //bobsPC/securedFolde as administrator
   - Use the Web-Admin Repositories>Laptop/Desktop tab,
     see “Adding a Laptop or Desktop Repository:” on page 105 for details.
With this done, standard services like classifications can be run on EFS folders and
include their encrypted files without error.
Setting up Delegation for Users and Remote Filers
To set up computers or users to be trusted for delegation, do the following:
1. Open Active Directory Users and Computers.
2. In the console tree, click Computers.
   Where?
   - DomainName/Computers
3. In the details pane, right-click the computer you want to be trusted for delegation,
and click Properties.
4. Do one of the following.
   - In a Windows Server 2003 domain, on the Delegation tab, click Trust this
     computer for delegation to any service (Kerberos only), and then click OK.
   - In a Windows 2000 native domain, click the General tab, click Trust this
     computer for delegation, and then click OK.
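One way to verify the delegation prerequisites named under “Roaming Profiles” and “Delegation Issues” once these steps are done, as an added Python example (not part of the Kazeon guide): it decodes the Active Directory userAccountControl attribute of the impersonation identity and of each file server. The account names and attribute values are constructed; Kerberos domain membership is assumed and not checked.

```python
# userAccountControl flag values for Active Directory accounts.
ACCOUNTDISABLE = 0x00000002
TRUSTED_FOR_DELEGATION = 0x00080000  # computer: "Trust this computer for delegation"
NOT_DELEGATED = 0x00100000           # user: "Account is sensitive and cannot be delegated"


def delegation_findings(identity, servers):
    """Check one impersonation identity against the file servers it must reach.

    `identity` and each entry of `servers` are dicts holding the sAMAccountName
    and the decimal userAccountControl value read from Active Directory.
    Returns (account, problem) tuples; an empty list means the checks passed.
    """
    findings = []
    uac = int(identity["userAccountControl"])
    if uac & ACCOUNTDISABLE:
        findings.append((identity["sAMAccountName"], "account is disabled"))
    if uac & NOT_DELEGATED:
        findings.append((identity["sAMAccountName"], "account cannot be delegated"))
    for server in servers:
        if not (int(server["userAccountControl"]) & TRUSTED_FOR_DELEGATION):
            findings.append((server["sAMAccountName"],
                             "computer is not trusted for delegation"))
    return findings


# Constructed sample records.
IDENTITY_OK = {"sAMAccountName": "efs-dra", "userAccountControl": 512}             # 0x200
IDENTITY_SENSITIVE = {"sAMAccountName": "efs-dra2", "userAccountControl": 1049088}  # 0x100200
SERVERS = [
    {"sAMAccountName": "FS01$", "userAccountControl": 528384},  # 0x81000, trusted
    {"sAMAccountName": "FS02$", "userAccountControl": 4096},    # 0x1000, not trusted
]

if __name__ == "__main__":
    for ident in (IDENTITY_OK, IDENTITY_SENSITIVE):
        problems = delegation_findings(ident, SERVERS)
        print(ident["sAMAccountName"], "->", problems or "ready for delegation")
```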
PGP Encryption
PGP supports the following types of encryption:
• Email Encryption
• Whole Disk Encryption
• File Encryption
• Network File Encryption
Chapter 24:
Administrators Responsibilities for Legal Hold
This chapter discusses the duties administrators have in helping their organization respond
to legal matters, or to eDiscovery situations.
Topics are as follows:
• “Legal Hold and eDiscovery” on page 284
   - “Administrator’s Responsibilities” on page 284
   - “Types of Legal Hold” on page 285
• “Legal Hold Limitations” on page 285
• “Setting the Legal Hold Owner” on page 287
• “Setting Security or Legal Hold” on page 288
• “Using Legal Hold in Searches and Reports” on page 288
Legal Hold and eDiscovery
When your company is required to respond to a legal matter, the company must
respond in a legally prescribed manner. The first legal step requires providing all
potentially responsive files and documents. This step is called legal discovery and
involves locating and making available all the facts, documents, and files that might
be pertinent to the case. When this step involves searching and producing computer
files and emails, it is often called eDiscovery. For a more complete discussion of
eDiscovery requirements, processes, and background see the Kazeon Legal
eDiscovery User Guide.
Once the appropriate responsive files are identified and located they are often put
“on-hold”. Files placed on-hold are either copied to a secure secondary location where
they can be preserved for later use, or they are locked in their original locations against
further change until the legal matter is resolved. The Kazeon IS1200 refers to this
process as putting the files on legal hold, or on KazHold.
Besides copying the files to a secure location, or locking them in place, the file’s
ownership is usually changed to a single legally authorized administrative user, or
group, to prevent inadvertent file modifications while the legal matter is in progress.
A system administrator is usually responsible for moving, copying, and locking the
responsive files, and is often the new file owner. Kazeon refers to this ownership
responsibility as the legal-hold owner.
Administrator’s Responsibilities
When involved in helping a company through a legal matter, a Kazeon IS1200 system
administrator has several responsibilities they must be able to perform:
• Setting the legal-hold owner (or group)
• Setting the type of legal-hold (legal-hold, or security-hold)
• Permanently setting the enable_delete_on_hold option for security-hold to
  either true or false.
• Performing a Single-Step Collection for responsive files
  See “Single-Step Collections” on page 173 for details.
• Placing responsive files on legal-hold
  See the Web-Search User Guide, or the Legal eDiscovery User Guide for details.
The first four responsibilities are exclusively an administrator’s, while the last may be
shared with members of the legal response team who have an auditor’s or supervisor’s
role. See “Role Based Administration” on page 37 for more information about roles.
The following sections of this chapter provide the details of performing the first two
responsibilities. The details for performing the remaining two responsibilities are
covered in the references listed with the bullets above.
Types of Legal Hold
Kazeon supports two types of holds, legal-hold and security-hold.
Standard Legal hold
When legal-hold is placed on an object, the object cannot be deleted or modified by
any user except the legal hold owner(s) until the lock is removed. All users who had
read/execute access to the file prior to the hold continue to have read/execute,
including the original owner (the owner prior to the hold).
Security hold:
When a security-hold is placed on an object, the object cannot be read, modified or
deleted by any user except the legal-hold (Kaz hold) owner(s) until the lock is
removed. All users, including the original owner of the file, have no access to the file
regardless of the permissions they may have had prior to the hold.
The “enable deletion on hold” Option. If desired, security legal-holds may allow
file deletion using the option called enable deletion on hold. Set this option
to true and files may be deleted while on security-hold; set it to false and files are
NOT deletable on security-hold.
WARNING!
“enable deletion on hold” may only be set ONCE, and is permanent thereafter.
Legal Hold Limitations
Because it is impossible to place an absolute hold on any arbitrary file, the following
disclaimers are applicable to Kazeon’s Legal Hold:
• The In-Place Legal Hold modifies the permissions and ownership of
  corresponding files, email, or objects and their parent directories at the source.
  Ownership of the file is set to a preconfigured user called the legal-hold owner.
  The legal-hold owner is set by your System Administrator and should be set to a
  valid administrator-level username before placing any files on Legal Hold. The
  legal-hold owner should be someone who is not likely to leave the company, or
  might be a group to ensure continuity.
• Setting legal hold on an object means the object cannot be deleted or modified by
  any user except the legal hold owner(s) until the hold is released. The original
  owner (owner prior to the hold) will have read/execute permissions on the file
  after the hold is placed. Additionally, all users who had read/execute access prior
  to the hold will still have read/execute access to the file.
WARNING!
System Administrators always have full control of files on legal hold, as they can
change the ownership of any file. In-place Legal Hold does NOT guarantee that
objects on hold will not be altered if a user with Administrative (or similar)
privileges on the source device chooses to exercise these privileges on the file.
• If the hold is configured to be a Security Hold (configurable via a parameter), then
  the object cannot be read, modified or deleted by any user except the legal hold
  owner(s) until the hold is released. All users, including the original file owner,
  will have NO access to the file irrespective of permissions prior to the hold.
• Legal hold cannot be set on sub-objects (for example email attachments or
  individual files in a .zip file).
• Once hold is set on an object with ‘enable-deletion-on-hold’ set to false (default),
  CIFS will disable deletion or renaming of any file or directory.
• The ‘enable-deletion-on-hold’ option may only be set to true ONCE, and is
  thereafter permanent.
• Files at a mount point root cannot be protected from deletion because there is no
  directory above to set appropriate ACLs to deny deletion of child objects. Do not
  register the root of a system as a data repository, always register only shares or
  exports with a proper parent directory structure so no files are left on the root
  directory of the mounted share.
• Parent directories of registered shared or exported directories can not be renamed
  or moved to other directories on the share, otherwise metadata will be lost.
• Copies made of files on legal-hold (including copies made by an Actionable
  Services copy), are not on legal-hold. Search queries may be written to exclude
  files under legal hold using a boolean expression like the following:
      AND NOT legalhold:yes
• Once hold is set on an object with ‘enable-deletion-on-hold’ set to false (default),
  CIFS will disable deletion or renaming of any file or directory in the hierarchy.
  See the example below.
Consider the file system hierarchy above which represents data belonging to an
organization. KazHold is configured as follows:
KAZ hold owner        : DemoOrg+John
KAZ hold type         : Legal
Enable delete on hold : false
If legal hold is set on "EastZone.doc", the following changes occur:
- The owner of the "EastZone.doc" is changed to "DemoOrg+John".
- No users (excluding 'DemoOrg+John') have update/delete/rename privileges
  on the document "EastZone.doc".
- Deny delete is set on the following directories:
   • MyDocuments
      * No files in this directory can be deleted, renamed or moved.
   • Joe
      * No directories (MyDocuments & Payroll) in this directory can be
        deleted, renamed or moved.
      * However, documents in the directory "Payroll" can be used as usual.
   • Finance
      * No directories (Joe, Mary) in this directory can be deleted, renamed
        or moved.
      * However files in the directory Mary are not affected by the hold.
- No user except the owner (DemoOrg+John) or Administrators can change
  ACLs or take ownership of the directories set on hold (MyDocuments, Joe,
  Finance).
Configuring Legal Hold
Legal hold settings and options are all controlled with the following Command Line
Interface (CLI) command:
set kaz-hold config owner <domain+ownername> type <legalsecurity> enable-deletion-on-hold <true-false>
The three settings, (owner, type, and enable-deletion-on-hold) may be set
simultaneously or individually. The examples below show them set individually.
The following command is used to check the current legal-hold settings:
sh kaz-hold config
WARNING!
The legal-hold owner, type, and enable deletion on hold option
must all be set prior to placing any files on legal-hold, otherwise the hold will not
be set and users will receive a warning message.
See the Kazeon IS1200 Command Line Interface Reference Guide for complete details
on using the CLI.
Setting the Legal Hold Owner
Setting the legal-hold owner can only be done using the CLI.
Be sure to have an appropriate user (or group) and password defined with your
authentication services to authorize as the legal-hold owner.
Use the following command to set the legal-hold owner.
set kaz-hold config owner <domain+ownername>
Where <domain+ownername> is an existing fully-qualified user or group name.
Setting Security or Legal Hold
Setting the legal-hold type (legal or security) can only be done using the CLI.
Use the following command to set the legal-hold type.
set kaz-hold config type <type-value>
Where <type-value> is either the string “legal” or “security”.
Setting the “enable deletion on hold” Option
Setting the “enable deletion on hold” option can only be done from the CLI.
Use the following command to set the “enable deletion on hold” option.
set kaz-hold config enable-deletion-on-hold <ed-value>
Where <ed-value> is either the string “true” or “false”.
WARNING!
This option may only be set to “true” ONCE, and is permanent thereafter.
Using Legal Hold in Searches and Reports
Once files have been put on legal hold, they may be searched for or reported on using
the expression “legalhold:yes”.
Search for files on legal-hold by setting up a search query like this:
Create a report on files on legal-hold by creating a report that looks like this:
Appendix A:
Best Practices
This chapter discusses Best Practices, and Other Considerations the Administrator of
an IS1200 Server should practice or be aware of.
Topics include:
- Best Practices
  - Maximum Number of Concurrent Services
  - Avoiding Naming Conflicts with External Metadata (CSV) Files
  - Managing Extended Attributes with Extraction Rules
  - Managing Metadata Repositories
  - Routine Password Expiration Exceptions
  - Post Upgrade Cleanup
  - Database Maintenance
  - Best Browser Settings for GUIs
- Other Considerations
  - Turning Search Access Checks ON or OFF
  - Date Format Requirements
  - General Considerations
Best Practices
Maximum Number of Concurrent Services
The recommended limit for running concurrent services (other than reports) is 8.
Concurrent services include: basic or deep-classifications, collections, cd-tagging, and
legal-exports, etc.
Further, concurrent services should not use the same data repository or case. If
multiple services on the same repository or case are required, run no more than 4.
Avoiding Naming Conflicts with External Metadata (CSV) Files
When creating CSV files to load external metadata, avoid possible naming conflicts
between custom metadata and external metadata by always prefixing all external
column names with a short identifier. For example, start all external metadata column
names with “EMD-” for external metadata.
Managing Extended Attributes with Extraction Rules
From version 2.1.3 up, the tracking of Extended Attributes in the server database can
be managed in a variety of ways.
Extended Attributes (EAs) refer to application-specific standard or custom document-properties captured when applying Extraction Rules or Assignment Rules, during
deep classifications, or when tagging objects through actionable services. EAs are
different from native file attributes such as file name, filepath, mtime, and ctime that a
file system associates with a file. EAs based on standard or custom document-properties are those attributes that can be viewed when application-specific Properties
dialogs are shown. For example in an MS Word document, the Properties dialog
shows application-specific standard-document properties such as Title, Subject, and
Author, and application-specific custom-document properties such as Checked By.
The recommended method for controlling how and what EAs are tracked is to write
extraction or assignment rules; see “Using Extraction Rules” on page 128 and “Using
RegEx to Set Configuration Properties from the GUI” on page 133, or “Using
Assignment Rules” on page 129, for more detail. However, EAs may also be
managed by changing various variables in the parser.config file, although this is not
recommended. See “Parser Configuration” on page 317 for more details.
The advantage of using extraction rules is that the parser.config file is overwritten
when installing IS1200 updates, while extraction rules are preserved. Rules can also
be grouped into rule sets allowing customized rule combinations to be used for
different classification jobs.
Managing Metadata Repositories
A metadata repository share must support read/write permissions for the IS1200, and
the share and its permissions must not be changed, removed, or deactivated on its host
filer while the metadata repository is being actively used by the IS1200. If such
changes occur during active use, the metadata repository’s databases may crash, and
metadata may be lost or corrupted, or jobs may hang waiting for metadata repositories
to return to normal.
Similarly, if a metadata repository loses power, active crawls or reports, as well as
other operations, may halt or hang until the metadata repository is up and running
normally.
Routine Password Expiration Exceptions
Security policies that require passwords to expire and be changed on a periodic basis
pose problems when the IS1200 uses Active Directory for authentication or to mount
CIFS shares. A best practice is to use an identity or user account, stored in the Kazeon
Identity Vault, that is excluded from this policy. If this is not feasible, the
administrator must change passwords in both locations (in the AD and the Identity
Vault) on a periodic basis.
Choosing a Leader Node
When starting a cluster the first time, pick and record one node to be the leader node.
For subsequent restarts, always issue the “start cluster” command from the chosen
leader node. If the cluster is started from Web-Admin, log in to the designated leader
node to start the cluster. Failure to do this can lead to database damage.
The node from which a “start cluster” command is issued always becomes the
cluster’s leader node and all Kazeon specific configuration (for example the jobs
database) is synchronized from this node to the other nodes in the cluster.
In the event the designated leader node can't be part of the cluster (for example, due to
a hardware malfunction) run the “start cluster” command from the node that was
elected as a backup node in a previous run.
Maintaining Consistent Hash Values
Hash values must remain consistent from crawl to crawl; otherwise, unexpected
results can occur with other processes (for instance identifying file duplicates) that use
the computed hash-values. If a file system is initially crawled with one hash-value and
subsequent crawls require a hash-value change, all metadata for that file system
should be removed before doing the subsequent crawls to ensure all files are re-hashed
with the new hash-value.
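Why mixed hash settings break duplicate identification, shown on a constructed index (an added illustration, not Kazeon code). It assumes the “hash-value” is the hash algorithm selected for the crawl and that a later crawl hashes only new files; SHA-1 and SHA-256 are stand-ins, since the guide does not name the algorithms here.

```python
import hashlib
from collections import defaultdict


def crawl(files, algorithm):
    """Model of a crawl: one metadata record per file, hashed with `algorithm`."""
    return {
        path: {"algorithm": algorithm,
               "digest": hashlib.new(algorithm, data).hexdigest()}
        for path, data in files.items()
    }


def duplicate_groups(index):
    """Group paths whose stored digests are equal (how duplicates are found)."""
    by_digest = defaultdict(list)
    for path, record in index.items():
        by_digest[record["digest"]].append(path)
    return sorted(sorted(paths) for paths in by_digest.values() if len(paths) > 1)


def algorithms_in_use(index):
    """More than one entry here means the repository needs its metadata
    removed and a full re-crawl before duplicate results can be trusted."""
    return sorted({record["algorithm"] for record in index.values()})


# Constructed sample data: three byte-identical files.
CONTRACT = b"constructed sample: contract text\n"
FIRST_CRAWL = {"/share/legal/contract.doc": CONTRACT,
               "/share/legal/copy.doc": CONTRACT}
NEW_FILES = {"/share/hr/contract-copy.doc": CONTRACT}


def mixed_index():
    """First crawl with SHA-1, setting changed, later crawl adds one file."""
    index = crawl(FIRST_CRAWL, "sha1")
    index.update(crawl(NEW_FILES, "sha256"))
    return index


def rebuilt_index():
    """Metadata removed first, then everything re-crawled with SHA-256."""
    return crawl({**FIRST_CRAWL, **NEW_FILES}, "sha256")


if __name__ == "__main__":
    print("mixed  :", algorithms_in_use(mixed_index()), duplicate_groups(mixed_index()))
    print("rebuilt:", algorithms_in_use(rebuilt_index()), duplicate_groups(rebuilt_index()))
```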
Post Upgrade Cleanup
Removing “leftover” upgrade files from all nodes should be done as a best practice
after any system upgrade, but is technically optional. Generally, upgrades are installed
from temporary locations like: /var/tmp/upgrade/. Remove the temporary directories
and upgrade files.
Database Maintenance
The IS1200 maintains a variety of metadata about the files in registered repositories,
for example standard file metadata, file-specific, custom, etc. Metadata is stored in a
metadata repository in a database. When files change between crawls, their metadata
must be replaced in the database. To keep database access quick and simple, “old”
metadata is simply marked as deleted and “new” metadata is added to the end of the
file. Over time, the database grows in size. Eventually this becomes a storage space
issue if nothing is done to recapture the space that “old” (deleted) data occupies.
Database “vacuuming” attempts to recapture “old” data storage space by overwriting
it with current data. This only works as long as the “old” deleted spaces are big
enough to accommodate the current data overwrites. Because this is not always
possible, eventually significant amounts of un-reclaimable “old” deleted data
accumulate until they occupy more storage than necessary.
Vacuuming is done daily, and can be done while other processes (like crawls or
reports) are using the database. However, vacuuming is best scheduled when other
processes are not active, so they aren’t slowed down by vacuuming. See “Managing
the Database” on page 239 for details on setting or changing the vacuum schedule.
When vacuuming isn’t enough, database “maintenance” can completely rebuild the
databases. The maintenance procedure writes all current data to a new database copy
until all current data is copied and verified, and then erases the entire old database
(and all unrecoverable space). Of course this requires the metadata repository to have
sufficient space to temporarily build a second copy of the database. See “Managing
the Database” on page 239 for details on determining when and how to do database
maintenance.
Best Browser Settings for GUIs
If the following browser settings are not used, the GUI response times for rendering
new pages after clicking an item in the navigation menu may not be acceptable.
Render times can be improved by resetting the browser settings to their initial values,
resetting the cache, and cleaning un-needed temporary data as follows:
1. Reset the browser to its initial settings:
   a. Launch IE7 browser
   b. Click Tools>Internet Options and click the Advanced tab to open:
   c. Under Reset the IE Settings, click the Reset button, and click Reset again to
      confirm.
   d. Restart IE7
2. Set the cache and clean un-necessary files:
   a. Launch IE7 browser
   b. Click on Tools>Internet Options, and click the General tab:
   c. Click the Settings button in the Browsing History section to open the
      Temporary Internet Files and History Settings dialog.
   d. Set disk space to 1024.
   e. Select the first radio button (Every time I visit the web page.)
   f. Click OK.
Other Considerations
The following headings cover the most important other considerations:
Turning Search Access Checks ON or OFF
All filers provide some way of limiting the files or folders users can access. These
limits are generally referred to as access privileges and are stored in Access Control
Lists (ACLs). When a search is performed using the Kazeon Information Server, the
results returned may be limited by the searcher's access privileges. After the search, an
access check may be performed to see what files the user has privileges for. Files they
are not allowed to access will not be displayed.
In previous versions of the IS1200 access checking was ON by default. In version 2.1
and forward, access checks are OFF by default.
When access checking is turned off, even searches across millions of files are very
fast. However, there are potential security risks involved in leaving access checks off.
WARNING! With access checking OFF by default, unless an administrator turns
access checking on, all searchers will see all search results regardless
of the searcher's native access privileges on the filer(s) searched.
See “Controlling ACL Checking” on page 319 for details on setting ACL checks.
Date Format Requirements
Date information stored in metadata values (the value side of a metadata tag-value
pair) must match one of the following formats to be indexed properly and be
searchable:
- "yyyy-MM-dd'T'HH:mm:ssZZZZZ"
- "EEE MMM dd HH:mm:ss yyyy"
- "EEE, d MMM yy HH:mm:ss Z"
- "F, d MMM yy HH:mm:ss Z"
- "EEE, d MMM yy HH:mm:ss z"
- "yyyyMMddHHmmss"
- "yyyy-MM-dd'T'HH:mm:ss"
- "yyyy-MM-dd"
- "ddMMMyyyy"
- "MMMyyyy"
- "MM/dd/yy"
- "MM/dd/yy"
- "dd/MM/yyyy"
- "d MMM yy HH:mm:ss"
- "d MMM yy HH:mm:ss zzzzz"
New metadata tags (such as dates) can be added to the search schema via Command
Line Interface or Web-Admin. When adding classification rules via Web-Admin, the
Set Search Schema dialog box appears allowing the new tag to be added to the search
schema. Metadata dates added via this dialog must use the formats above.
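A pre-load check for an external-metadata CSV, added here as an illustration and not Kazeon code: it flags columns that lack the “EMD-” prefix recommended under Best Practices and date values that match none of the formats listed above. The CSV layout (a key column named path), the sample rows and the strptime equivalents are assumptions; the three listed patterns that use F or a zone name (z, zzzzz) have no strptime equivalent and are left out.

```python
import csv
import io
from datetime import datetime

PREFIX = "EMD-"  # prefix recommended for external metadata column names

# (pattern as listed in the guide, assumed Python strptime equivalent)
ACCEPTED = [
    ("yyyy-MM-dd'T'HH:mm:ssZZZZZ", "%Y-%m-%dT%H:%M:%S%z"),
    ("EEE MMM dd HH:mm:ss yyyy", "%a %b %d %H:%M:%S %Y"),
    ("EEE, d MMM yy HH:mm:ss Z", "%a, %d %b %y %H:%M:%S %z"),
    ("yyyyMMddHHmmss", "%Y%m%d%H%M%S"),
    ("yyyy-MM-dd'T'HH:mm:ss", "%Y-%m-%dT%H:%M:%S"),
    ("yyyy-MM-dd", "%Y-%m-%d"),
    ("ddMMMyyyy", "%d%b%Y"),
    ("MMMyyyy", "%b%Y"),
    ("MM/dd/yy", "%m/%d/%y"),
    ("dd/MM/yyyy", "%d/%m/%Y"),
    ("d MMM yy HH:mm:ss", "%d %b %y %H:%M:%S"),
]


def matching_pattern(value):
    """Return the first listed pattern the value parses under, else None."""
    for listed, fmt in ACCEPTED:
        try:
            datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
        return listed
    return None


def preflight(csv_text, key_column, date_columns):
    """Return a list of problems found in the CSV before it is loaded."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for name in reader.fieldnames or []:
        if name != key_column and not name.startswith(PREFIX):
            problems.append(f"header: column {name!r} lacks the {PREFIX!r} prefix")
    for row in reader:
        for column in date_columns:
            value = row.get(column) or ""
            if value and matching_pattern(value) is None:
                problems.append(
                    f"line {reader.line_num}: {column}={value!r} "
                    "matches no accepted date format")
    return problems


# Constructed sample input.
SAMPLE_CSV = "\n".join([
    "path,EMD-Custodian,EMD-CollectedOn,ReviewDate",
    "/share/Finance/a.doc,jdoe,2009-10-13,10/13/09",
    '/share/Finance/b.doc,msmith,"October 13, 2009",13/10/2009',
]) + "\n"

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CSV, "path", ["EMD-CollectedOn", "ReviewDate"]):
        print(problem)
```

A two-digit-year value such as 03/04/09 can only match "MM/dd/yy", so it is read month first; day-first dates need the four-digit year of "dd/MM/yyyy".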
General Considerations
The following are more general considerations to keep in mind:
- When using Actionable Services to copy, move, or restore, there must be at least
  100M free in the target filesystem for the action to work.
- Never add (non-system or user created) files to the IS1200 /tmp directory. Overfilling this directory can cause inexplicable errors and system slow-downs.
Appendix B:
Troubleshooting
This appendix answers common troubleshooting questions that users may encounter.
Topics are as follows:
- Terminal
- Clusters and Nodes
- Cluster Node SCSI Failures
- Authentication Problems
- File Systems
- Extraction Rules
- Data Classification Errors
- Search
- Reporting
- System
- System Response Problems
- Diagnostics
Terminal
1. Question: Why is my terminal frozen?
Answer: The common cause is that you may have pressed Ctrl + S, resulting in a
frozen terminal. Press Ctrl + Q to get the terminal working again.
Clusters and Nodes
1. Question: I attempted to start the cluster from the CLI with the following
command:
Nodename > start cluster nodeName1 nodeName2
but the command failed with the following error message:
Nodename > [380] command returned -10010, Too many
parameters.
Answer: If you have a cluster with two or more nodes, ensure that you enclose the
node names within double quotes as follows:
Nodename > start cluster "nodeName1 nodeName2"
2. Question: Why did my attempt to start the cluster fail?
Answer: Check the following:
- Ensure the cluster name configured for each node is identical.
- Ensure that you export the cluster-key of the node you are logged into to the
  other nodes in the cluster. You must first export the cluster-key of the node
  that you are logged into to itself and then export it to other nodes.
- Login as root and check for the following:
  - Check the Ethernet connection to ensure that there are no duplicate IP
    addresses amongst cluster nodes with the following command:
    arp HostIPAddress
    where HostIPAddress is the IP address of each node in the cluster.
    If there is no IP address duplication, check the Network connectivity
    status to ensure that the node interface (NIC) is running with the
    following commands:
    netstat -t
    netstat -s
    ping -i 10 -s 1500 DestinationNodeIP
    where DestinationNodeIP is the IP address of the node to which you
    want to connect.
    traceroute destination_ip
3. Question: What does the following error message mean?
Invalid arguments: cannot start cluster without local
node being there in the nodelist.
Answer: When you start the cluster through the CLI, this error is displayed if the
node to which the user is logged on is not part of the list of nodes supplied to the
“start cluster” command. To fix this, ensure that the command is issued on a
node which is also part of the cluster that is being formed. When the cluster is
started from the GUI, make sure that the user is logged into a node that will be
part of the cluster being formed.
4. Question: What does the following error message mean?
Could not determine the IP address of node nodeName
where nodeName is the name of the node.
Answer: When a hostname is supplied instead of an IP address to the “start
cluster”, “add node”, or “remove node” commands, a DNS lookup is
performed to determine the IP address of the hostname. This error displays when
there is no entry for this hostname in the DNS server.
To work around this in data centers without a DNS server, first add the hostname
of the node(s) to the hostmap database with the following command, and then start the
cluster or add a node to it.
add hostmap hostname hostName networkid IPaddress
where
hostName is the name of the machine where the node resides.
IPaddress is the IP address of the host machine.
5. Question: What does the error message "node nodeName not reachable"
mean?
Answer: Before starting a cluster or adding a new node to a running cluster, the
node(s) supplied to the command are first pinged to ensure that they can be reached
over the network. This error message means that the node could not be
successfully pinged. To fix this, make sure that the cables are properly connected
to the right switch and that the IP address, netmask and the gateway address are
configured in the correct subnet. Here are a few steps to follow to further diagnose
the problem:
a. Login to a node and ping the other nodes by first giving their host names. To
be doubly sure, ping again using the IP addresses. Also, traceroute to verify
that the route to the other node is correct.
Nodename > ping kazsys2
Nodename > traceroute kazsys2
If the ping does not succeed an error message is printed. If traceroute is hung
hit Ctrl-C to stop the command.
b. Next, login to every node and see if the health of the network interfaces is
correct by issuing the following command:
Nodename > show health
If the health for any interface is shown as “DOWN” there is something wrong.
c. Reboot the node and try again.
If the problem persists collect the diagnostic information by issuing the "save
diagnostics-data" command and contact Customer Support. If the health
is shown as “UP” and the node is still not reachable, login to the node as user
“root” and execute the following command:
root@nodeName# /bin/ip route get IPaddress-of-remotenode
This command displays the Ethernet NIC card over which the IPaddress of
the remote node is reached by the local node.
d. If this is incorrect, then there is something wrong with the routing table
entries. Try to fix this by issuing the following command:
root@Nodename# /opt/openkaz/bin/routemunge.sh
This command does not display any output if the routing table could be fixed.
e. Retry the "ip route get" command again. If this does not work collect the
diagnostic information and contact Customer Support.
6. Question: What does the error message "lamboot failed" mean?
Answer: This means that the cluster could not be started successfully. You would
usually not see this error message unless there is something else that is wrong.
Check the system log file for additional information by typing the following
command:
Nodename > show log-buffer
If the log file indicates a networking issue, then correct it using the steps
mentioned earlier. Otherwise, login to the node as user "root" and view the
/tmp/lamboot.out log file.
root@Nodename# cat /tmp/lamboot.out
This should give a fairly good idea about why the cluster could not be started. If
the information is not sufficient to fix the problem check the IP addresses used
internally by the clustering layer to establish the cluster communication channel.
Execute the following command to get the list of these IP addresses:
root@Nodename# /opt/openkaz/bin/kazadmit.pl -i Nodename1 Nodename2 Nodename3
Notice that the node names are simply separated by a white space and are not
enclosed in quotes like in the "start cluster" command. If the IP addresses
printed by this command are not the IP addresses configured on the second
Ethernet NIC card, that is "eth2", there is something wrong. Ensure that the "eth2"
interface on all nodes is configured with an IP address and that these IP addresses
all belong to the same subnet. The subnet can be determined by executing the
following command:
root@Nodename# /bin/ipcalc --network IPaddress Netmask
If the network value printed is not the same for all nodes, correct the network
configuration and execute the /sbin/kaz_setup.pl script.
Finally, re-export the cluster-key to all the nodes -- including the node on which
the "start cluster" or "add node" command is executed.
7. Question: What does the following error message mean?
Could not add the nodes to the cluster. Cluster
membership issue. socket initialization failed for
IPaddress. Could not connect to IPaddress
Answer: This means that the Cluster Manager daemon is not running on the node
with the specified IP address. The Cluster Manager should automatically restart
when it dies. But this error message indicates that the restart did not succeed.
Before manually restarting the daemon check the system log files on that node for
any error messages explaining the nature of the failure and report this information
to Customer Support. To manually restart the Cluster Manager on a node,
login to that node as user “root” and execute the following command:
root@Nodename# /etc/init.d/clstmgr restart
Retry the "start cluster", "add node", or "remove node" command
after the Cluster Manager has successfully restarted.
8. Question: What does the following error message mean?
“cluster-key for node Nodename not found. Use the 'export
cluster-key' command to update the keys”
Answer: This means that the local cluster-key is incorrect. Regenerate and export
the cluster-key locally by executing the following command:
Nodename > export cluster-key Nodename
Notice that the key is exported to the same node on which the command is
executed. If the problem is not solved even after doing this try the suggestions
given in the next question.
9. Question: What does the error message "Host key verification failed"
mean?
Answer: Usually this means that there is a mismatch in the cluster-key. In most
cases this can be fixed by re-exporting the cluster key (both locally and to the
remote node). In the worst case, the files where the cluster-keys are stored must be
recreated from scratch. To do this login to the node as user “root” and empty the
cluster-key files as shown below:
root@Nodename > echo "" > /etc/ssh/ssh_known_hosts
root@Nodename > echo "" > /root/.ssh/ssh_known_hosts
Now, log out and log back in as user “admin” and re-export the cluster-keys (first
locally and then to the remote node).
10. Question: What does the error message "Could not get cluster-name"
mean?
Answer: The name assigned to the cluster by the administrator is stored in the
/opt/openkaz/config/cluster_name.cfg file. This error means either of the following
-- the permissions required to read and modify the file have changed (this can
happen only if someone modifies this file manually) or that the contents of this
file are corrupted (can happen sometimes when the system crashes). To fix this,
log in to the node as user "root" and overwrite the file as:
root@Nodename > echo "" > /opt/openkaz/config/cluster_name.cfg
root@Nodename > chown kazeon:kazeon /opt/openkaz/config/cluster_name.cfg
Log out and log back in as user “admin” and then set the cluster name using the "set
cluster-name" command.
11. Question: What does the error message "updating the node list failed"
mean?
Answer: Again, this could be due to a corrupted nodelist file - stored in
/opt/openkaz/config/cluster-nodelist. Manually overwrite this file as described above.
12. Question: What does the error message "node already member of
cluster" mean?
Answer: When a node is added to a cluster for the first time its membership
identity, which is composed of the cluster name and a unique ID, is recorded. This
ensures that this node can be added only to the same cluster in the future. This
error message means that a node that first belonged to one cluster is now being
added to another. To fix this the node must first be made to lose its membership
identity. This is done by logging into the node as user “admin” and executing the
following command:
Nodename > clear kazconfig
Be warned that doing this will erase all Kazeon specific configuration from this
node. System configuration like the IP address of the node, gateway address, etc.,
are still retained.
This error message can also be printed when a node is removed from a cluster,
then started as a cluster of its own and then attempted to rejoin the old cluster.
Here, even though the cluster name is the same, the unique ID associated with the
cluster membership changes when nodes participating in a cluster are partitioned
into smaller sub-clusters with the same name.
13. Question: What does the following error message mean?
“Could not admit the node(s)to the cluster”
Answer: This means that either the cluster-key has not been successfully exported
to this node or there is a mismatch in the cluster membership. First export the
cluster-key and retry the command again. If the problem persists, it means that the
nodes being added to the cluster are/were part of another cluster. Reset the cluster
name as described earlier and try the “start cluster” or “add node”
command again.
Cluster Node SCSI Failures
1. Question: What is the best procedure for reacting to cluster node SCSI disk
errors, or replacing failed or failing cluster node SCSI drives?
Answer: The solution is to “break” the node’s RAID mirror (so it runs on just the
good drive temporarily) so the bad drive can be replaced and rebuilt from the good
drive by the underlying SCSI RAID manager.
Do the following:
a. Log into the node with the failed drive and remove the node from the cluster
b. Reboot the node, while it reboots press <cntrl-R> (before the BIOS messages)
to enter the SCSI RAID Configuration Utility
c. Navigate to the “PD Mgmt” tab (use the navigation hints at the bottom of the
screen)
d. Highlight the problem disk and select the option to “force off-line”, the disk
activity light on the bad drive should go out and the IS1200 status LED
display should change from blue to orange
e. Physically remove the bad drive from the IS1200 and replace it with a known
good drive; shortly after the good drive is inserted its disk activity light
begins to flash rapidly indicating the disk is being (automatically) rebuilt by
the SCSI manager
f. Exit the SCSI RAID Configuration Utility and reboot (or continue the boot)
of the node; as it reboots the boot status messages should indicate a
“degraded” drive, ignore the message
g. After the boot finishes, login to the node, and add the node back to the cluster
h. Once the node is operating successfully, and the activity lights on the new
disk stop flashing rapidly (indicating the rebuild is complete) stop and start
the cluster again to make sure the load balancing manager includes the
repaired node equally in the balancing
Authentication Problems
1. Question: Why won’t the IS1200 use Kerberos for AD Authentication, or why
does the automatic AD protocol discovery method (see “Determining Which
Protocol is Used to Communicate with AD Servers” on page 58 for details)
default to NTLMv1 or 2 instead of Kerberos?
Answer: There are two workarounds; always try a) first.
a. If your organization supports Kerberos (or if you are unsure if Kerberos is
supported) do the following:
i. Login to the CLI as admin and run the kaz_update.pl script to add a
fully-qualified host name to the /etc/hosts file. The script
automatically determines the fully qualified name and corrects it in the
file /etc/hosts.
ii. Remove AD authentication and re-add it using the same fully-qualified
domain name in the “domain” field.
iii. From the CLI, issue the command “show authentication details, Kerberos
should be displayed as the protocol in use.
b. If your organization does not support Kerberos, or a) did not work, do the
following:
i. Remove AD authentication from the CLI or the Administrative GUI.
ii. From a shell prompt, issue the following commands:
[shellPrompt] sudo kazldaputil -a set i /module/authentication/AD/protocol ntlmv2
Status: Success!
[shellPrompt] sudo kazldaputil -a get i /module/authentication/AD/protocol
/module/authentication/AD/protocol = ntlmv2 (or ntlm, kerberos, or none)
iii. From the CLI or Administrative GUI, re-add AD authentication.
2. Question: Why did external authentication fail?
Answer: Authentication may have failed because of any of the following reasons:
- The user name is invalid.
- The AD server or NIS server has failed, or the IS1200 has lost connectivity to
  these servers. Ensure that your server is running. If the server has failed,
  specify a new server for authentication.
To ensure that authentication was successful for Active Directory, use the
following CLI command:
Nodename > test authentication active-directory
To ensure that authentication was successful for NIS, use the following CLI
command:
Nodename > test authentication nis
If authentication is successful, the system displays a message stating that the
cluster has been configured to belong to the AD or NIS domain.
3. Question: Why did my attempt to configure Active Directory fail?
Answer: Assuming that there are no networking issues, the failure might be
associated with authentication for any of the following reasons:
a. Wrong password.
b. Time skew between the date/time on IS1200 and the AD server.
c. Password expiration policies in the enterprise. Typically, passwords expire
every three months for security reasons.
Ensure that the password of the user account that was used to register the AD
domain is identical on both the AD server and the IS1200.
File Systems
1. Question: Why did I get the following error message when I attempted to mount a
file system?
Failed to mount the filesystem. Check if the filer/mount/
share/credentials are valid and that the mount/share is
exported with the correct permissions.
Answer: This is the most common error. For NFS file systems, check if the file
server has exported the FS to all nodes in the cluster (you can get IP addresses
using the 'show cluster'). Ensure that the IP addresses used are for the external eth
interface (eth1) and not the internal cluster interface (eth2). For metadata file
systems, make sure the export is read-write and root accessible (that is, give root
permissions to all nodes in the cluster). For CIFS, ensure that the share has
appropriate permissions to be mounted by all nodes on the cluster. Make sure the
credentials you supplied when you added the file system -- either with the mount-options or the identity used -- are accurate and have permissions to mount that
share.
2. Question: Why did the system display the following error message?
Failed to prepare the Kaz mount/share. Check to see if the
filer is responding, and if the FS has write and root
access permissions set for this cluster.
Answer: The metadata filesystem was mounted but when metadata structures
were being created, there was a failure. Often, this is because the permissions on
the file server do not give read-write and root access to all the nodes in the cluster.
Also, this may happen sometimes if the file server (NFS) is very slow in
responding and the client times out. In this case, try using TCP as a mount-option
or improve the file server connectivity.
3. Question: Why did the system display the following error message when I
attempted to mount a file system?
This object or filesystem configuration already exists.
Answer: You have either used the same name as a previously added filesystem or
are trying to add the same mount point or share again.
4. Question: Why did the system display the following error message when I
attempted to mount a file system as a metadata repository?
Invalid CD (Kaz) filesystem or no available Kaz
filesystems for this purpose.
Answer: When you add a data filesystem, you must specify the appropriate Kaz
filesystem to host the metadata and indexes relating to the data filesystem (or the
system will choose one for you). For this, you'll need a minimum amount of free
space and free inodes on the Kaz filesystem. Also the Kaz and Data file systems
must be of the same type (NFS or CIFS). If a Kaz filesystem hosts 16 data
filesystems, then it cannot be used for any more data filesystems. You probably
need to add a new Kaz filesystem or choose another one.
5. Question: Why does my CIFS share fail to register?
Answer: Ensure that the server on which the metadata repository is located is in
the correct domain where the system access is allowed. Refresh the password on
AD or, if this is on a NetApp file server, set the following option: "options
cifs.weekly_W2K_password_change off".
6. Question: Why did the system display the following error message when I
attempted to register a file system?
Filesystem is unreachable/degraded. Check the filer and
try to set the FS online.
Answer: This means that the filesystem is extremely slow in responding (NFS not
responding errors) and applications may be timing out. You can set a filesystem
back online by using the 'set fs fs-name online' command. However, if the root
cause is not fixed, it will go back to degraded mode. You cannot do
much with a degraded filesystem.
7. Question: What do I do when the system displays the following error message?
Critical. No more files left on a local disk
Answer: A local disk on a node is running out of free inodes. Stop the node and
call Customer Support.
8. Question: Why did the system display the following error message when I
attempted to register a metadata repository?
The FS mount/share failed a Metadata Repository
qualification test.
Answer: The first time you add a metadata filesystem from a specific file server,
it undergoes a set of qualification tests to make sure it is POSIX-compliant and is
able to host the indexes and databases that make up the metadata repository. Make
sure that the NFS/CIFS filesystem supports basic operations. Also, sometimes the
qualification step fails if the file server is slow in responding. Make sure the
connectivity is good.
As a last resort, you can use the “force” option to
9. Question: Why did my attempt to run a service fail with the message that the file
system is full?
Answer: This can happen for the following reasons:
• The file system has less than 1 GB of space.
• In the case of an NFS file system, the file system may have less than 500K
inodes.
To resume the service, either increase the file system size or increase the
number of inodes.
Extraction Rules
1. Question: The extraction rule that I created is returning incorrect results. What
should I do?
Answer: Check the regular expressions (regex) in your extraction rule to ensure
that they are correct.
Data Classification Errors
1. Question: How do I view errors that occurred during data classification?
Answer: Use the following command to view errors that occurred during job
execution:
Nodename > show service-failures job-id jobID
where jobID is the ID of the data classification job. If you do not specify the Job
ID, the system displays service failures for all jobs.
2. Question: What types of errors can occur during data classification?
Answer: You may see one of the following types of errors:
• Basic Classification Failed
You will see this error message if basic classification fails. Basic classification
can fail due to various reasons such as file server error, failure to read, or
failure to write to the metadata repository. For example, the Kazeon
Information Server may not have the permission to read a file. This can also
happen if the Kazeon Information Server loses connections with the filer
being crawled, or the connection becomes intermittent and causes parser
timeout errors.
• Deep Classification Failed
You will see this error message if deep classification fails. Deep classification
can fail for various reasons. For example, some files may be corrupt or may
be password-protected.
Extremely large files may also generate parser timeout errors such as “Parser
error - Internal error (parser process timed out)” because the time needed to
parse the file exceeds default system parse-time limits. See “Parser
Configuration” on page 317 for more details.
Parser errors can also occur if the Kazeon Information Server loses
connections with the filer being crawled, or the connection becomes
intermittent.
• Unable to Access Object or Internal Error
You will see this error message if the system could not access a file or if there
were internal errors such as insufficient memory or process communication
errors.
• Unable to update the database.
• Operation was aborted by the service. This is because the system was unable
to parse some files due to a core dump.
• “Internal error (parser process timed out)” or “Parser failure”
The problem may be due to a parser-time-out limit set too low. The job should
be rescheduled after setting the parser-time-out limit higher.
You can view the error details in Syslog as described in “To view Syslog contents”
on page 229. Call Customer Support for help.
3. Question: How can I stop a classification job that is scheduled to run forever?
Answer: When you stop a “forever” classification job, the system automatically
restarts it because the job is scheduled to run forever. To stop the job, you need to
remove it using the following command.
Nodename > remove service jobID|all path pathName
4. Question: Sometimes, an attempt to run a service fails with an error message.
Answer: Check to see if the /var/runtime directory is full using the following
command:
Nodename > show health
The system displays output that is similar to the example below:
healthchk
--------
FILESYSTEM HEALTH
Filesystems monitored : 7
Last time monitored at : Mon Sep 19 08:32:32 2005
_______________________________________________________________
Type  FSName      BackendFS            FSHealth FSState DBState Search AvlSpc
_______________________________________________________________
CIFS  PublicShare corpnt02:public      normal   online  UNKNOWN none   24G
CIFS  GlobalShare corpnt01:global_sh   normal   online  UNKNOWN none   4G
CIFS  Kazeon      kazeon02:kazeon01_md normal   online  UNKNOWN none   248G
LOCAL logs        /var/log             normal   online  none    none   0B
LOCAL cores       /var/runtime         normal   online  none    none   0B
LOCAL tmp         /tmp                 normal   online  none    none   1G
LOCAL root        /                    normal   online  none    none   2G
_______________________________________________________________
NETWORK HEALTH
Interfaces monitored : 2
Last time monitored at : Mon Sep 19 08:32:32 2005
_______________________________________________________________
Type ID   State IPaddr      Netmask       MTU
_______________________________________________________________
NET  lo   UP    127.0.0.1   255.0.0.0     16436
NET  eth1 UP    10.2.173.24 255.255.248.0 1500
To clean up the /var/temp and /var/runtime directories, do the following:
a. In the /var/log directory, run the following command:
rm messages.?*
This removes all older message files such as messages.1, messages.2,
etc., but retains the current one.
b. In the /var/runtime directory, run the following command:
rm core.??? core.????
This removes most of the cores while retaining the stack files.
5. Question: Why do services run slowly on my system?
Answer: The most common reason for this is that the network interfaces are set to
auto-negotiation and they fall back to half-duplex mode. Use the following
command to set the interface to full-duplex:
Check for network errors as follows:
1. Log in as “root” and run the following command to look for errors:
ifconfig eth1
2. Run ethtool to ensure that the ports are correctly configured.
3. If the ports need to be reconfigured, run ethtool. The configuration will be
set across reboots.
6. Question: Why can’t I crawl Windows XP Service Pack 3 laptops or desktops?
Answer: If Windows XP laptops and desktop shares using Service Pack 3 return
the following errors during a crawl:
NOT ENOUGH STORAGE or NT_STATUS_INSUFF_SERVER_RESOURCES
increase the IRPStackSize parameter and reboot the laptop or desktop as per
Microsoft Knowledge Base article 285089:
http://support.microsoft.com/kb/285089
Search
1. Question: Why was my search unsuccessful?
Answer: Search may be unsuccessful for any of these reasons:
• The Search query syntax is incorrect.
• The files that contain the information have not been classified yet.
• The Search index for the file system that contains the information is
unavailable because it is corrupt.
Use the following command to view the status of the Search index:
Nodename > show search status
If the index size is 0, then the index is corrupt.
You can also use the “show services” command to check if any errors
were encountered. If so, search may be unsuccessful.
2. Question: When I ran a search query, I got an “access error” message. What
should I do?
Answer: You get this message if you do not have permissions to read a file.
3. Question: Why did I get an error message when I attempted to search for
documents with the following search query?
*.doc
Answer: You cannot use wild cards or regular expressions at the beginning of a
search query. Run a report instead as follows:
filepath ilike %.doc
4. Question: I think the search results are incomplete. What should I do?
Answer: Verify that the system has completed the process of classifying the data
using the following command:
Nodename > show services
If classification is complete, verify that the system has rebuilt the Search index
using the following command:
Nodename > show search status
The system displays the following information:
• FileSystemName. The names of all classified file systems.
• HealthPercentage. The percentage of correctly parsed files in the file system.
Note that if you did not run the test fs command, the healthPercentage will
always display as 100%.
• ErrorCount. The number of files that were not indexed.
• IndexingNode. The node responsible for the indexing.
• DocumentCount. The number of files that were indexed in each file system.
• SpoolSize. The number of documents in the queue for indexing.
• indexSize. The size of the index for each file system.
Search for the information you require. The Search Results page displays any
errors as search error statistics.
If there are errors, do the following:
a. Remove the file system.
b. Manually empty the metadata repository.
c. Add back the file system using the add datafs command.
d. Run a deep classification service to reclassify data.
e. Search for the information again.
Reporting
1. Question: I think the report output is incomplete. What do I do?
Answer: For reports, verify the status of the report database with the following
command:
Nodename > show database status
The system displays the file system name, the location of the database server, and
the database status. In case the database is corrupt, run the following command to
rebuild the database for a file system.
Nodename > add service dbrebuild url filePath schedule now
where filePath is the relative path to a mounted file system.
2. Question: I ran a storage report that lists more files than my system currently
contains. What is wrong?
Answer: It is possible that after classification completed, files were deleted from
the system. Therefore the data and metadata file systems are no longer
synchronized. Use the following command to synchronize the data and metadata
file systems, and then run the report again:
Nodename > add service sync url filePath|all schedule
now|daily [at-hour hourValue]|weekly listOfDays [duration
durationLength] [description descText]
For a description of these parameters, see the Kazeon Information Server IS1200
Command Reference Guide.
3. Question: Why did my scheduled report fail?
Answer: This can happen for one of the following reasons:
• Source or target file system is down or offline.
• There is a network problem.
Log in as root and run the show health command described in “Data Classification
Errors” on page 308 to observe the state of the file system.
System
1. Question: Why is the orange light on the IS1200 appliance blinking?
Answer: The orange light indicates a hardware failure. Check to ensure that the
power cord is plugged in. If the light is still on, call Kazeon Customer Support.
2. Question: Why could I not log into the system?
Answer: Ensure that you entered the correct username and password. For Active
Directory users, prepend the domain name and a ‘+’ sign.
3. Question: Why does test system install report the error that the package
kazapp-rel contains mismatched files in the /opt/openkaz/config directory?
For example:
qa1> test system install
SoftwareInstall
--------------
[500] Package kazapp-rel check installation: FAIL
[200] Package kazos-rel check installation: OK
[200] Package kazui-rel check installation: OK
[200] Package kazinstall-rel check installation: OK
[200] Package kazrelease-rel check installation: OK
[500] 1 out of 5 packages are not installed properly.
[500] Detail report
Package: kazapp-rel:
S.5....T c /opt/openkaz/config/UserProfileServer.properties
S.5..... c /opt/openkaz/config/procmon.cfg
Package: kazos-rel:
kazos-rel-2.0.0.14-0
Package: kazui-rel:
kazui-rel-2.1.0-0
Package: kazinstall-rel:
kazinstall-rel-2.1.0-0
Package: kazrelease-rel:
kazrelease-rel-2.1.0-0
Answer: Configuration files may have been modified by the system, by users, or
by SEs, and these differences can be safely ignored.
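The detail lines in the report above have the same layout as rpm's verify output (an assumption based on the visible format: S = size, 5 = digest, T = mtime, and a "c" marker for configuration files). The following added example, which is not part of the Kazeon guide or software, separates the configuration-file drift described in the answer from any other mismatches, which deserve a closer look. The third sample line and its path are constructed.

```python
import re

# Constructed sample. The two "c" lines are copied from the report above; the
# third detail line (a non-config file at a placeholder path) is invented.
SAMPLE_REPORT = """\
[500] Detail report
Package: kazapp-rel:
S.5....T c /opt/openkaz/config/UserProfileServer.properties
S.5..... c /opt/openkaz/config/procmon.cfg
S.5....T   /path/to/constructed-example-binary
Package: kazos-rel:
kazos-rel-2.0.0.14-0
"""

# Flag letters as documented for rpm --verify (assumed to apply here).
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
PKG_RE = re.compile(r"^Package:\s*(?P<name>[\w.+-]+):$")
# 8 or 9 flag characters, an optional file-type marker (c = config), a path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)


def parse_report(text):
    """Return one dict per detail line: package, path, is_config, changed."""
    findings, package = [], None
    for raw in text.splitlines():
        line = raw.strip()
        pkg = PKG_RE.match(line)
        if pkg:
            package = pkg.group("name")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # status lines, version strings, separators
        findings.append({
            "package": package,
            "path": m.group("path"),
            "is_config": m.group("attr") == "c",
            "changed": [FLAG_MEANING[c] for c in m.group("flags")
                        if c in FLAG_MEANING],
        })
    return findings


def triage(findings):
    """Split findings into (expected config drift, items to review).

    Policy chosen for this example: content or timestamp changes to files the
    package marks as configuration are expected; anything else, including a
    config file whose mode or ownership changed, goes to review.
    """
    expected, review = [], []
    for f in findings:
        perms_changed = {"mode", "owner", "group"} & set(f["changed"])
        if f["is_config"] and not perms_changed:
            expected.append(f)
        else:
            review.append(f)
    return expected, review


if __name__ == "__main__":
    expected, review = triage(parse_report(SAMPLE_REPORT))
    for f in expected:
        print("expected", f["package"], f["path"], ",".join(f["changed"]))
    for f in review:
        print("REVIEW  ", f["package"], f["path"], ",".join(f["changed"]))
```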
System Response Problems
1. Question: Why does the CLI freeze, or the Administrative GUI become slow to
respond?
Answer: Occasionally a NetApp filer can go off-line in a way that is not reported
or recognized by the IS1200. To check for this, and correct the problem, do the
following:
a. Open a new kashell session.
b. Enter: show health. If any file system’s status is reported as UNMNT, then
that filer is off-line.
c. Open an administrative interface for the affected filer and bring it back on
line.
d. Restart any Administrative GUI or CLI sessions previously open.
2. Question: Why are the interfaces, both CLI and Search GUIs, slow to respond?
Answer: This could be because of DNS mis-configuration or the load in the
system. If the Search GUI is slow, it could also be a browser cookie problem. Do
the following:
a. Ensure a correct IP and name entry in the DNS server for the node. Ensure
that reverse name resolution also works.
b. Log in as root and run the command "service kaztomcat status" to
ensure it is running.
c. If the service has stopped, restart the service with the command "service
kaztomcat restart".
d. Ensure the cookie is enabled to accept URL indexing.
e. Alternatively, delete the cookies and the history on your browser. Then, close
the page and reopen it to refresh it.
Diagnostics
1. Question: Why does the CLI command save diagnostics full not report on
all nodes?
Answer: The CLI command save diagnostics full only collects
diagnostics for nodes that are up. If diagnostics are required while any node of the
cluster is down, use save diagnostics full on any single node of the cluster
that is still up and once again on each node of the cluster that is down.
An active cluster collects diagnostics for all nodes that are up. A dead node
collects diagnostics only on itself.
Appendix C:
Configuration Files and Utilities
This chapter discusses editing IS1200 system defaults using the various config files.
Topics include:
Configuration Issues:
• “Editing System Parameters and Configuration Files Overview”
• “Parser Configuration”
• “Parser Timeouts”
• “Skipping File Classification by Type or Category”
  - “Skipping JAR File Classifications”
• “Setting iNode Limits”
• “SIDs and UID/GID Resolution”
• “Controlling ACL Checking”
• “Configuring Actionable Services for Search Tab Visibility”
• “Preserving File atimes After Opening Search Results”
• “Setting the Orphan Cleanup Parameter”
• “Setting Email Alerts for Scheduled Jobs and Database Maintenance”
• “Setting Human Readable Filenames in Database: preserve_hierarchy”
• “Changing the Default Permissions for Actionable Services”
• “Automatically Bypassing Offline Repositories During Crawls”
• “Setting Thread View Options Using LDAP”
• “Setting the Mail Direction Parameter”
• “Setting the XML Export Format”
• “Setting Subobject Checkpointing”
• “Changing Admin, Root, or IPMI Passwords”
• “Configuring Batch Sizes”
• “Changing chunksize for Local Device Collections”
Utilities:
• “Using the IPMI Utility”
• “Recreating Snapshot Catalog”
Editing System Parameters and Configuration Files Overview
The Kazeon Information Server uses a variety of configuration files to set system
options. These files are generally found in: /opt/openkaz/config. One of the most
important configuration files is parser.config.
Parser Configuration
When file classification is started, each file crawled is “parsed” for its internal
information. A parser opens each file and attempts to find matches between the file
data and various strings or patterns defined in the classification rule sets. Matches
found are recorded in a metadata repository.
Optional, or configured, parser behavior is controlled by setting properties in a
configuration file. Parser options are documented and recorded in the file
/opt/openkaz/config/parser.config.
Parser options can be set by editing this file; the edit must be made on all cluster nodes.
Parser Timeouts
Parser timeouts control how long the parser will spend parsing a file before it gives up
with an error. Parser timeouts prevent corrupted files, or extremely large files, from
preventing timely classification services.
Parser timeouts include:
• parsetimeout: governs smaller files (less than 1MB), defaults to 120 seconds
• largeparsetimeout: affects larger file sizes, defaults to 300 seconds (5 min.)
• largeparsecutoff: governs the cutoff size, default is 1 megabyte
A more flexible way of setting parser properties is to put the setting in an extraction
rule with a “regex” set to a single asterisk (“*”), for example:
add extraction-rule tl regex * field parsetimeout format 30
This setting will affect any service that uses an extraction rule set containing that rule
(anywhere in the cluster).
Skipping File Classification by Type or Category
The /opt/openkaz/config/parser.config file also allows a classification to
skip processing files based on a file’s general category, file extension, or actual
detailed file type. These three situations are controlled by setting the following
variables, each of which may be a comma-delimited list:
skipFileTypeCategories
skipFileExtensions
skipFileTypes
skipFileTypeCategories allows grouping document types into broad categories;
these are listed in parser.config as:
# audio document folder html image pdf presentation spreadsheet
# text video xml database binary unknown
These categories group file types as follows:
audio        - audio recording files
document     - word processing files (MS Word, MacWrite)
folder       - archives (ZIP, tar, gzip, etc.)
html         - HTML files including Office files in HTML format
image        - graphic image files
pdf          - Adobe PDF files
presentation - PowerPoint files etc.
spreadsheet  - spreadsheet files (Excel, 123, etc.)
text         - plain text files
video        - video recording files
xml          - XML format files
database     - database files (MS Access, MS Project, etc.)
binary       - compiled object files (EXE, OBJ, etc.)
unknown      - files of unknown/unrecognized types
skipFileExtensions allows skipping file classification based on file extensions—
regardless of the actual file type (sometimes files deliberately have the wrong
extensions, and therefore skipFileExtensions should be used with caution).
skipFileTypes allows skipping file classification based on actual file types—as
specified by the internal numeric document type code used by Kazeon. As files are
crawled, the IS1200 opens each file and determines its type based on its content, not
its extension, and records a type id for the file. The type id numbers associated with
specific document types can be listed using the shell command below (showing a few
sample lines of output):
% parserdriver -showtypes
1000: Word for DOS 4.x
1001: Word for DOS 5.x
1002: Wordstar 5.0
...
1807: UNIX Tar
...
The numeric codes above can be used as a base, added to 65536 (hex 10000), to
produce the type code to use with skipFileTypes. For example, to skip UNIX Tar
files (code 1807 from above), the skip code is 1807+65536 = 67343.
Skipping JAR File Classifications
Starting with version 3.1.2, deep classification of files with extension .jar (JAR
files) is disabled by default. The Java® Archive (JAR) file format enables bundling
multiple files into a single archive file. Typically a JAR file contains the class files and
auxiliary resources associated with applets and applications. In simple cases it's a
hierarchy of .class files (compiled Java code equivalent to .o object code), but for
application packaging for J2EE etc. there can be manifest information, data files,
security files, etc, and the JAR file is then more comparable to an RPM file.
The skipFileExtensions parameter (explained above) is used to prevent JAR file
processing, as shown below.
skipFileExtensions=jar
To enable JAR file processing, comment-out the line above by putting a "#" in front of
the line (as shown below):
# skipFileExtensions=jar
Setting iNode Limits
The out-of-inode condition is set to 500K for each node in a cluster. Therefore, in
a two-node cluster, the out-of-inode condition is reported when the kazfs number
of available inodes falls below 1000K.
The resume-inode-availability condition is set to 700K for each node in a
cluster. resume-inode-availability determines when to clear the
out-of-inode condition and permits services suspended as a result of that condition to
resume. Therefore, if there is an out-of-inode condition for a two-node cluster, the
condition is cleared when the number of available kazfs inodes goes above 1400K.
These parameters can be customized for individual environments by modifying
SPACEMON_INODE_LIMIT (default is 500,000)
or
SPACEMON_RESUME_INODE_AVAILABILITY (default is 700,000)
in spacemon.cfg, and
HEALTHMON_INODE_LIMIT (default is 500,000)
or
HEALTHMON_RESUME_INODE_AVAILABILITY (default is 700,000)
in healthmon.cfg in the /opt/openkaz/config directory.
For example, if the cluster has 8 nodes, the out-of-inode condition is reported
when the kazfs number of available inodes falls below 4000K (4 million). This may be
an unrealistic amount of space for some (kazfs) filers, and might need to be lowered.
SIDs and UID/GID Resolution
By default crawls always try to:
• resolve SIDs to a username for AD
• resolve uid/gids to a username for NIS
A configurable parameter determining whether SIDs or uid/gids are resolved
during crawls was implemented. The CLI command:
set config param /config/adnis/idlookup value false
controls the SID/uid/gid resolution.
Controlling ACL Checking
“ACL checks” is an IS1200 setting that determines whether a user’s access rights—as
determined by the Access Control List (ACL) on the repository being searched—
allow the searcher to see all search results.
Prior to v3.1.1, ACL checking could only be set for Search and
Actionable Services. ACL checking may now be controlled in new ways.
• If Access checking is OFF, searchers always see all results.
• If Access checking is ON and the searched repository defines specific ACL rights
for the searcher, then the searcher is allowed to see only the results permitted by
the searched repository ACL.
Note: IS1200 grant read authorization policies may be set up by user that override the result
file’s native ACL rights. See “Authorization Policies” on page 143 for details.
Access checking may now be controlled (set) in four ways:
• Globally turn off Access checking
• Turned on for Web-Search only
• Turned on for File Download only
• Turned on for Actionable Services only
Use the following Command Line Interface commands to control ACL checking:
• Globally turn Access checking on or off
set config param /config/acl/globalacl/aclcheck value true
(or false)
When global checking is true, then component level Access checks are performed
and can be controlled for components as follows.
• For Web-Search only
(Make sure /config/acl/globalacl/aclcheck is set to true.)
set search configuration aclenabled true
(or false)
• For File Download only
(Make sure /config/acl/globalacl/aclcheck is set to true.)
set config param /config/acl/casman/downloadaclcheck value true
(or false)
• For Actionable Services only
(Make sure /config/acl/globalacl/aclcheck is set to true.)
set config param /module/config/actionableservices/enable_access_checks value true
(or false)
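Because a component check only takes effect when the global switch is also true, the effective state is easy to misread from one setting alone. The following added example, which is not part of the Kazeon guide or software, works out per-component enforcement from collected settings written as "name = value" lines. The sample values are constructed, and the "search configuration aclenabled" key is a stand-in, since the guide does not show how that setting is displayed.

```python
# Parameter paths as given in this guide.
GLOBAL_KEY = "/config/acl/globalacl/aclcheck"
COMPONENT_KEYS = {
    # Stand-in key: the guide sets this with "set search configuration
    # aclenabled" and does not show how the value is displayed.
    "Web-Search": "search configuration aclenabled",
    "File Download": "/config/acl/casman/downloadaclcheck",
    "Actionable Services":
        "/module/config/actionableservices/enable_access_checks",
}

# Constructed sample of collected settings, one "name = value" per line.
SAMPLE_SETTINGS = """\
/config/acl/globalacl/aclcheck = true
search configuration aclenabled = true
/config/acl/casman/downloadaclcheck = false
"""


def parse_settings(text):
    """Map setting name -> bool for every 'name = true|false' line."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        value = value.strip().lower()
        if sep and value in ("true", "false"):
            settings[name.strip()] = value == "true"
    return settings


def effective_acl(settings):
    """Return {component: 'enforced' | 'not enforced' | 'unknown'}.

    A component check applies only when both the global switch and the
    component switch are true. A missing value is reported as unknown rather
    than guessed, because the guide does not state the defaults.
    """
    global_on = settings.get(GLOBAL_KEY)
    result = {}
    for component, key in COMPONENT_KEYS.items():
        component_on = settings.get(key)
        if global_on is False or component_on is False:
            result[component] = "not enforced"
        elif global_on and component_on:
            result[component] = "enforced"
        else:
            result[component] = "unknown"
    return result


def needs_attention(result):
    """Components where ACL filtering is not confirmed to be active."""
    return sorted(c for c, state in result.items() if state != "enforced")


if __name__ == "__main__":
    state = effective_acl(parse_settings(SAMPLE_SETTINGS))
    for component, value in state.items():
        print(f"{component:20} {value}")
    print("Check:", ", ".join(needs_attention(state)))
```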
Configuring Actionable Services for Search Tab Visibility
Prior to version 3.1.1, administrators could not restrict what services the Actionable
Services dialogs provided for search results. Now Web-Search checks LDAP for all
actions (except Export) to determine what Actionable Services tabs to display.
Actionable Services tabs are displayed when the following conditions exist:
• a valid license is installed,
• the user’s role allows the service, and
• the LDAP property settings (below) do not prevent it.
Properties are stored under
kazeon/java/policy/rules/src/com/kazeon/util/kazldaputil.properties
To set individual Actionable Services off, run the following commands as root:
kazldaputil -a set -i /module/webui/action/tag off
kazldaputil -a set -i /module/webui/action/copy off
kazldaputil -a set -i /module/webui/action/emailtopst off
kazldaputil -a set -i /module/webui/action/delete off
kazldaputil -a set -i /module/webui/action/download off
kazldaputil -a set -i /module/webui/action/move off
kazldaputil -a set -i /module/webui/action/legalHold off
kazldaputil -a set -i /module/webui/action/lock off
kazldaputil -a set -i /module/webui/action/reclassify off
kazldaputil -a set -i /module/webui/action/policy off
To see the current Action display state use:
kazldaputil -a get -i /module/webui/action/*
These commands do not affect currently logged in users, but do affect them the next
time they log in. All changes are global (turning Tag Off turns off tagging for both
admin and auditor users).
Preserving File atimes After Opening Search Results
This option determines whether atime is preserved for files opened from search
results. To set this option, modify the CASMAN_FILE_PRESERVE_TS config option in
config/casman.cfg. The installed default setting preserves atime, that is, it restores a
file’s original atime after the file is opened from search results. Set the option to false to turn this off.
#
# CASMAN_FILE_PRESERVE_TS - Determines if casman restores atime
# after accessing the file for file download purpose.
#
CASMAN_FILE_PRESERVE_TS = true
Setting the Orphan Cleanup Parameter
During incremental or differential deep classifications (see “Incremental and
Differential Crawls” on page 168 for details), if files—or sub-files in composite
objects like .zip files—are found to be deleted since the previous crawl, an attempt can
be made to remove the “orphaned” metadata left behind by the deleted file.
Removing orphans is controlled by the clear_orphans variable,
which can be set (and checked) as follows:
set config param /module/config/orphans/clear_orphans value false
Status: Success!
show config param /module/config/orphans/clear_orphans
/module/config/orphans/clear_orphans = false
If crawls are proceeding too slowly, turning clear_orphans off (setting it false) can
speed up the crawl; however, this eventually results in wasted storage and increased
overhead in the system databases and search indexes.
Setting Email Alerts for Scheduled Jobs and Database Maintenance
While jobs that complete normally can have email completion notifications delivered
to a list of email recipients via a field in the job scheduling screen, notification for jobs
that fail or hang must be set up from the CLI. Besides job failures, email alerts also
notify when search indexes need cleanup or databases need vacuuming. These email
alerts can be scheduled to run at a fixed time of day, or at regular hourly intervals.
These alerts are off by default.
Use the following commands:
show alerts - displays the current email alerts settings
set alerts sendTo <email id> - specify the email address to send alerts to
set alerts at-hr 01:30 - set alerts to send at 1:30 PM
set alerts at-interval 1 - set alerts to send every hour
clear alerts - disable alerts (but saves other settings)
set alerts - enable saved alerts configuration again
Setting Human Readable Filenames in Database: preserve_hierarchy
The IS1200 can be set to use human-readable (identifiable) filenames
in the database if preserve_hierarchy is set to on in LDAP.
When preserve_hierarchy is set to off, filenames look like:
FF9147461F000000001143E2A8A70000.
When it is set to on, they look like:
pbm_pri_1_FF9147461F000000001143E2A8A70000
(Note the “pbm_pri_1” prefix, which indicates the volume and sharename.)
To check preserve_hierarchy status, issue the following command as root:
sudo kazldaputil -a get -i /module/config/pbm/preserve_hierarchy
The system responds: /module/config/pbm/preserve_hierarchy = off|on
To set preserve_hierarchy on|off, issue the following command as root:
sudo kazldaputil -a set -i /module/config/pbm/preserve_hierarchy off|on
The system responds: Status: Success!
Changing the Default Permissions for Actionable Services
When actionable services are applied to create, copy, or move files to a new location,
the IS1200 allows a variety of options to determine what file permissions are applied
to the files created on the target filer. The default (SA_DEFAULT_PERMS_MODE)
specifies that all directories are created with full permissions (that is UNIX '777'), and
files copied or moved to the destination retain the permissions of the source files. The
default can be changed by altering the config file at:
/opt/openkaz/config/actionableservices.cfg.
The actionableservices.cfg property file contains its own documentation
about the defaults and enumerations supported and is reproduced below for reference.
Property file:
# This property determines what permissions to be set on the directories/files
# that we create/copy/move while preserving the source path hierarchy
# Values:
# SA_DEFAULT_PERMS_MODE         : All directories created will get '777' and files
#                                 copied/moved to the destination will retain permissions of
#                                 the source files.
# SA_PRESERVE_SOURCE_PERMS_MODE : All directories/files created/copied/moved get the permissions
#                                 of the directory/files in the source file system respectively
# SA_RETAIN_PARENT_PERMS_MODE   : All directories/files created/copied/moved get immediate parent's perms.
# SA_USER_SPECIFIED_PERMS_MODE  : All directories and files created get perms specified in
#                                 the 'SA_HIERARCHY_DIRS_PERMS' property
SA_MODE_OF_PERMS_ON_DIRS_CREATED_ON_COPY = SA_DEFAULT_PERMS_MODE
#
#
# This property will be applicable only if
# 'SA_MODE_OF_PERMS_ON_DIRS_CREATED_ON_COPY' is set to 'SA_USER_SPECIFIED_PERMS'
# Not applicable to NTFS data file system
SA_HIERARCHY_DIRS_PERMS = 750
#
#
# This property determines if permission and policy checks are made while performing actions.
# When true all required permission/policy checks are made prior to any action on the file.
SA_SET_ACCESS_CHECK_ON = true
#
#
# This property determines if create time needs to be preserved while copying CIFS files
# when set to 'false' create time will not be preserved
SA_PRESERVE_CREATE_TIME = true
#
#
# This property will determine if directory ACLs are to be preserved for CIFS
# when 'true' directory ACLs is preserved while copying/moving with preserve-hierarchy option.
# IF SRC DIRECTORY DOESN'T HAVE WRITE PERMISSIONS,
# THEN SETTING THIS OPTION COULD RESULT IN COPY/MOVE FAILURES BECAUSE OF PERMISSION ISSUES
SA_PRESERVE_CIFS_DIRECTORY_ACLS = false
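A check of this file for the settings that loosen permissions on the target filer, as an added example that is not part of the Kazeon guide or software. The finding codes, the parsing rules, and the fallback to the documented default when a key is missing are assumptions; the sample configurations are constructed from the property file above.

```python
import re

# Constructed sample: the default values as reproduced in the property file above.
SHIPPED_DEFAULTS = """\
# comment lines are ignored
SA_MODE_OF_PERMS_ON_DIRS_CREATED_ON_COPY = SA_DEFAULT_PERMS_MODE
SA_HIERARCHY_DIRS_PERMS = 750
SA_SET_ACCESS_CHECK_ON = true
SA_PRESERVE_CREATE_TIME = true
SA_PRESERVE_CIFS_DIRECTORY_ACLS = false
"""

# Constructed sample: same file, but directory permissions come from SA_HIERARCHY_DIRS_PERMS (750).
RESTRICTED = SHIPPED_DEFAULTS.replace("SA_DEFAULT_PERMS_MODE", "SA_USER_SPECIFIED_PERMS_MODE")

# Constructed sample: explicit but world-writable permissions, with access checks disabled.
WEAK_CUSTOM = """\
SA_MODE_OF_PERMS_ON_DIRS_CREATED_ON_COPY = SA_USER_SPECIFIED_PERMS_MODE
SA_HIERARCHY_DIRS_PERMS = 777
SA_SET_ACCESS_CHECK_ON = false
"""

MODE_KEY = "SA_MODE_OF_PERMS_ON_DIRS_CREATED_ON_COPY"
# The property file spells this mode with and without the _MODE suffix; accept both.
USER_MODES = {"SA_USER_SPECIFIED_PERMS_MODE", "SA_USER_SPECIFIED_PERMS"}
INHERITING_MODES = {"SA_PRESERVE_SOURCE_PERMS_MODE", "SA_RETAIN_PARENT_PERMS_MODE"}


def parse_properties(text):
    """Return {key: value} for 'KEY = value' lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of (code, message) findings for permission-related settings."""
    props = parse_properties(text)
    findings = []

    # Assumption: a missing key behaves like the documented default.
    mode = props.get(MODE_KEY, "SA_DEFAULT_PERMS_MODE")
    if mode == "SA_DEFAULT_PERMS_MODE":
        findings.append(("dirs-777", "created directories get UNIX mode 777"))
    elif mode in USER_MODES:
        perms = props.get("SA_HIERARCHY_DIRS_PERMS", "")
        if not re.fullmatch(r"[0-7]{3,4}", perms):
            findings.append(("bad-perms", f"SA_HIERARCHY_DIRS_PERMS is not octal: {perms!r}"))
        elif int(perms, 8) & 0o002:
            findings.append(("world-writable", f"SA_HIERARCHY_DIRS_PERMS = {perms} lets anyone write"))
    elif mode not in INHERITING_MODES:
        findings.append(("unknown-mode", f"{MODE_KEY} has unrecognized value {mode!r}"))

    if props.get("SA_SET_ACCESS_CHECK_ON", "true").lower() != "true":
        findings.append(("access-check-off", "permission/policy checks are skipped before actions"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_DEFAULTS), ("restricted", RESTRICTED), ("weak", WEAK_CUSTOM)):
        print(name, audit(cfg) or "no findings")
```
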
Automatically Bypassing Offline Repositories During Crawls
When the IS1200 has laptops and desktops registered as repositories, they can be
included in crawls. If these laptops or desktops go “offline” while being crawled, the
IS1200 detects the status change and the crawl of those repositories is suspended until
they come back on line. Detecting when a repository goes offline, and detecting when
it returns online, can take some time and may slow crawls down.
Use the following procedure to automatically skip registered repositories (laptops or
desktops) that are offline when a crawl begins:
Open the configuration file: /opt/openkaz/config/crawler.cfg
Edit the file crawler.cfg to look like this:
# Skip offline files while CIFS file crawling
# when set to ‘true’ crawler will skip all files with offline bit set
# only on CIFS file system
skip_cifs_offline_files = false
Then save the changes to crawler.cfg.
Setting Thread View Options Using LDAP
The following Thread View information options can be set:
• Whether to show if an email in the thread has attachments, default is On
• Whether to show if an email attachment is a search hit or not, default is On
• Whether to generate threads for emails with no subject, default is Off.
The Thread View display is governed by three LDAP configuration options.
All options are set from kashell using the following command:
kashell> set config param <LDAP_Parameter> value <true/false>
Setting Whether to Show Email Attachments
Command to set the value:
set config param "/module/config/emailthreading/showattachments" value true
Option default is true.
When set to true:
• Shows a thread top level view icon indicating that some thread email has an attachment
• Shows an attachment icon by each email in the thread that has an attachment
When set to false:
• Shows no attachment icons at the thread top level view
• Shows no attachment icons for any emails
Regardless of this option’s setting, the preview pane always shows the attachments.
Setting Whether to Show Attachments Search Hits
Command to set the value:
set config param "/module/config/emailthreading/showattachmentsearchhits" value true
Option default is true.
When set to true:
• Shows a bolded attachment icon at the thread top level view if an email in the
  thread has an attachment which is a search hit
• Highlights the attachment in the preview pane if the attachment is a search hit
When set to false:
• If /module/config/emailthreading/showattachments == true
  - Shows an attachment icon but not a bolded attachment icon even if the
    attachment is a search hit
  - Shows attachment in the preview but the search hit attachment is not highlighted
• If /module/config/emailthreading/showattachments == false
  - No attachment icon is shown for the top level view / against each email
  - Preview still shows the attachment
Setting Whether to Show Threads for Email With No Subjects
Command to set the option:
set config param "/module/config/emailthreading/shownosubjectthreads" value true
Default value is false.
When set to true: Emails without subjects are threaded, slowing down thread generation.
When set to false: Emails without subjects are skipped and no threads or emails for
these emails are shown in the thread view.
Setting the Mail Direction Parameter
The MailDerivedDirection metadata parameter is used to store information about
the “direction” of every classified email. Direction is determined by comparing the From:,
To:, CC:, and BCC: email fields to a list of domains that have been identified as
“internal”. For example, if “ACME.com” and “ACME_Inc.com” have been identified
as “internal”, then the direction of emails sent by users like “john@ACME.com” or
“sally@ACME_Inc.com” will be “internal”.
To set which domains should be considered internal, use the following CLI command:
set maildomains <domainList>
where <domainList> is a comma separated list of domains.
Example:
set maildomains ACME.com,ACME_Inc.local
Setting the XML Export Format
Search results may be exported (using Actionable Services, from either Web-Search or
Web-Results) to two XML formats, EDRM and Kazeon.
EDRM (Electronic Discovery Reference Model) XML provides a standard, generally
accepted XML schema to facilitate the movement of electronically stored information
from one step of the discovery process to the next, or from one software program to
another. The EDRM XML format option is new to version 4.2.0 and above.
Kazeon XML is a “legacy” option to continue using the same XML format as used by
IS1200 versions prior to v4.2.X.
The XML format is set with the following CLI command:
set config param /module/exportxmlformat value <format>
Where <format> is either "edrm" or "kazeon".
After executing the command, the CLI will ask for the administrator’s password to
confirm the change.
Setting Subobject Checkpointing
Starting with version 4.3.0, a job or service can be resumed from the middle of a batch
or from the middle of an object if it is a composite object. The work items of a batch
that was partially processed, or could not be processed when the service had to be
halted, will be processed at the end after all the remaining items are processed when
the service is resumed later.
This improved checkpointing logic saves time by not having to reprocess items that
were already processed. Checkpointing is a process that tracks crawl progress object
by object. With release 4.3.0, Checkpointing is refined to allow better granularity and
decrease the likelihood of the same set of objects being processed repeatedly during
crawls that are repeatedly interrupted and resumed for any reason.
While Checkpointing normally tracks whole objects (files, emails), some files are
composite objects and contain one or more sub-files. Examples are zip files and PST
files (email archives). Composite files may contain hundreds, or thousands, of subfiles, and if a crawl is interrupted in the middle of processing a composite file
(especially if the crawl is very near the end of the composite object) reprocessing the
entire composite object again when the crawl is resumed can be very time consuming.
Consequently, as an option, Checkpointing can be set to track sub-object progress in
addition to objects.
SubObject level Checkpointing is controlled by the following LDAP parameter:
/module/service/serviceprocess/cp_at_subobject_level
This parameter takes two values: Off (disabled) and On (enabled).
By default, SubObject level checkpointing is Off (disabled). When off, if a composite
object is partially processed at the time of service kill, the composite object is
processed from the beginning when the service is resumed later. When enabled, if a
composite object is partially processed at the time of service kill, the composite object
processing is resumed from where it was when the service was killed when the service
is resumed later.
Use the following CLI commands to set Subobject Checkpointing:
To display the currently configured value:
sh config param /module/service/serviceprocess/cp_at_subobject_level
To turn it on:
set config param /module/service/serviceprocess/cp_at_subobject_level value On
To set it to Off:
set config param /module/service/serviceprocess/cp_at_subobject_level value Off
Configuring Batch Sizes
By default, the Queue Manager prepares batches of objects for service processing.
The default batch size is 20 objects and is determined by a configuration parameter
called ‘BatchSize’ in /opt/openkaz/config/dm_qmgr.cfg.
Starting in v4.3.2, a new enhancement allows for dynamic batch sizes. Three new
configuration parameters, ‘DynamicBatchSizes’, ‘MinBatchFileSize’, and
‘MaxBatchFileSize’, have been added to the same configuration file located at:
/opt/openkaz/config/dm_qmgr.cfg.
DynamicBatchSizes:
Defaults to ‘No’. When this value is 'No', batch sizes are fixed and determined by the
value in the ‘BatchSize' parameter. Setting this parameter to ‘Yes’ makes the
number of objects in a batch dynamic.
When batch sizes are dynamic, the number of objects put in a batch depends on the
size of the objects and the values of MinBatchFileSize and MaxBatchFileSize.
Objects are put in a batch as long as the total size of all objects in the batch is below
MinBatchFileSize. When the total size of objects in the batch goes beyond
MinBatchFileSize, the next object considered is added to the batch only if the
resulting batch size does not exceed MaxBatchFileSize. If the resulting batch size
does exceed MaxBatchFileSize, no more objects are put in the batch, and all
remaining objects are put in subsequent batches. MinBatchFileSize and
MaxBatchFileSize are only effective when DynamicBatchSizes is set to 'Yes'.
MinBatchFileSize:
Sets the minimum object size total a batch may contain. Values are given in bytes and
default to 100 KB. This prevents the creation of very small batches.
MaxBatchFileSize:
Sets the maximum object size total a batch may contain. Values are given in bytes and
default to 20 MB. This prevents the creation of excessive size batches.
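The batching rule described above, simulated as an added example (not Kazeon code). It assumes 1 KB = 1024 bytes and treats a batch total exactly equal to MinBatchFileSize as no longer "below" it; the object sizes are constructed. Note what the rule implies: an object that arrives while the batch is still under the minimum is always accepted, so a batch can end up larger than MaxBatchFileSize.

```python
KB = 1024
MB = 1024 * KB

BATCH_SIZE = 20                  # documented default for fixed batches (objects)
MIN_BATCH_FILE_SIZE = 100 * KB   # documented default, in bytes
MAX_BATCH_FILE_SIZE = 20 * MB    # documented default, in bytes

# Constructed workload: three small files, one very large file, three mid-size files, one tiny file.
SAMPLE_SIZES = [40 * KB, 40 * KB, 40 * KB, 30 * MB, 8 * MB, 8 * MB, 8 * MB, 1 * KB]


def fixed_batches(sizes, batch_size=BATCH_SIZE):
    """DynamicBatchSizes = No: every batch holds batch_size objects (the last may be shorter)."""
    return [sizes[i:i + batch_size] for i in range(0, len(sizes), batch_size)]


def dynamic_batches(sizes, min_total=MIN_BATCH_FILE_SIZE, max_total=MAX_BATCH_FILE_SIZE):
    """DynamicBatchSizes = Yes: group object sizes (bytes) by the Min/Max rule.

    - While the batch total is below min_total, the next object is always added.
    - Once the total has reached min_total, the next object is added only if the
      resulting total does not exceed max_total; otherwise the batch is closed
      and the object starts the next batch.
    """
    batches = []
    current, total = [], 0
    for size in sizes:
        if current and total >= min_total and total + size > max_total:
            batches.append(current)
            current, total = [], 0
        current.append(size)
        total += size
    if current:
        batches.append(current)
    return batches


def over_max(batches, max_total=MAX_BATCH_FILE_SIZE):
    """Indexes of batches whose total size exceeds max_total."""
    return [i for i, batch in enumerate(batches) if sum(batch) > max_total]


if __name__ == "__main__":
    result = dynamic_batches(SAMPLE_SIZES)
    for i, batch in enumerate(result):
        print(f"batch {i}: {len(batch)} objects, {sum(batch)} bytes")
    print("batches above MaxBatchFileSize:", over_max(result))
```
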
Changing chunksize for Local Device Collections
When doing a collection from a local device in the eDiscovery Case Manager, if the
file to collect is greater than 2GB, it is split into smaller chunks while it is transferred to
the collection target. This requires the system drive of the platform performing the
collection to have at least one chunk size of storage space available.
The default value of the chunksize is 50MB.
This value can be configured in LDAP by changing the parameter
/module/config/legal/loadImport_chunksize
The parameter value is set in megabytes. To change the chunksize to 32 megabytes,
log in to the CLI on the IS1200 as admin and issue the command:
set config param /module/config/legal/loadImport_chunksize value 32
The chunksize parameter value is cached for each Case Manager session and if it is
changed, a new login is required to make it effective.
Changing Admin, Root, or IPMI Passwords
The standard IS1200 software installation configures three standard user accounts and
passwords: root, admin, and the IPMI password. These passwords should be
routinely changed after initial installation to preserve network security.
Changing the Root Password
Log in as root to the Linux shell, and use the “passwd” command to change the
root password. It will require you to enter a new password twice.
Changing the Admin Password
Log in as admin to the Command Line Interface (CLI), and use the
“set password” command to change the admin password. It will require you to enter
a new password twice.
Changing the IPMI Password
The IPMI password may only be changed using the network setup utility when logged
in as root. Do the following:
1. STOP the Cluster: This can be done from the CLI using the “stop cluster”
command or from the Cluster Dashboard in Web-Admin.
You can do the following steps remotely using an ssh interface like PuTTY.
Note: Perform the following steps on EACH node in the cluster individually.
Be sure to set the same passwords across all nodes in the same cluster.
2. Login as root.
3. Execute the command: kaz_setup.pl (complete path is: /sbin/kaz_setup.pl),
accept the license agreement if prompted.
4. Select the “RAC/Management Address” option (usually #8) and enter the IP,
mask, gateway detail appropriately. When prompted, enter the new IPMI
password and confirm it a second time.
5. Select “Save Changes and Exit” (last option) to save changes and exit.
6. When asked for the root password, enter a new password for root and confirm it a
second time.
7. The node automatically reboots.
8. Open a duplicate PuTTY session.
(PuTTY v0.59-and-up provides the option to reconnect using same window).
9. As the previous node reboots, repeat the steps above on the next node until all
nodes have been changed in the same way.
10. Login again to the node as root.
11. Execute the command:
resetssh_keys.sh
(complete path is: /opt/openkaz/bin/resetssh_keys.sh)
Now, restart the cluster. The following steps assume you are using Web-Admin:
1. Log out of the old Web-Admin session, if still open.
2. Login again.
3. From the Cluster Dashboard, use Export Cluster Key in the tool-bar to export the
cluster key to all nodes in the cluster.
4. Use Start Cluster in the tool-bar to start the cluster.
Utilities
From the server “manager” page, the Kazeon Utilities link opens a download page for
the IPMI utility tool. The tool may be used to reset a node, i.e. to shut down and restart
a node remotely.
From the download page, download and expand the ipmiutil-1.9.0.zip file.
The file unzips a folder containing the files:
• hwreset.exe
• libeay32.dll
• LICENSE.txt
Save the files in a convenient location.
Using the IPMI Utility
Run this tool from a DOS command prompt. The tool must be run with the following
parameters; running the tool without these parameters may give unwanted results.
Use the following syntax:
hwreset.exe -N node-IPMI-IPAddr -U root -Y
The system responds with something similar to the following:
hwreset ver 1.27
Enter IPMI LAN Password: <enter password here>
******
Opening connection to node 10.10.150.234 ...
pong timeout, after bind complete
-- BMC version 1.14, IPMI version 2.0
hwreset: resetting ...
chassis_reset ok
hwreset: IPMI_Reset ok
To verify this resets the node:
• Log in to the node as root.
• Run the “uptime” command. It should report “up X min”, where X is a single digit
  number, because the node has just rebooted.
Recreating Snapshot Catalog
If the show dashboard snapshot command indicates a catalog has incorrect or
garbled output or contains duplicate snapshot entries, the catalog file may be restored
from the data using the following steps:
1. Suspend all services running on the Snapshot file system containing the catalog to
restore.
2. As root, back up the original catalog files
from /sideline/fs_<fsid>/cas/application/snapshot_app
[root@kazbangok1 snapshot_app]# ll
total 48
-rw-rw-rw- 1 root root 20436 Feb 25 07:14 ss_catalog
-rwxrw-rw- 1 root root 20436 Feb 25 07:14 ss_catalog.shadow
-rw-rw-rw- 1 root root  4060 Feb 25 07:14 ss_job_catalog
-rwxrw-rw- 1 root root  4060 Feb 25 07:14 ss_job_catalog.shadow
3. Take the output of show dashboard snapshot all fsname <fsname> for
reference.
4. Use the show database command from kashell to find the dbport of the file
system containing the catalog to restore.
5. Restore the snapshot catalog using the following command from bash shell:
sscmd --restore-from-db -f <fsname> -h <IP address of the host where the DB for this FS exists> -k <dbport>
This restores the catalog from the database.
6. Verify the output using show dashboard snapshot command.
7. Do a snapshot catalog refresh <fsname> to sync with the latest on filer.
8. Resume the services.
Appendix D:
Error Tables, Kazpartial
This appendix contains a table providing further details on errors recorded in the
“kazpartial” metadata tag.
Tables include:
• “Job Status Listings and Kazpartial Reports”
• “Kazpartial Errors Table”
Job Status Listings and Kazpartial Reports
Job status listings for crawls list failures (errors) that occurred during the course of
the job or service, errors such as: unable to open file, file not found, Oracle
Outside In parser errors for objects, and problems with directory permissions. The
failures are reported first at the object level, and then, in parentheses, as the number of
sub-objects that failed.
The Kazpartial metadata field records errors, warnings, and informational
messages encountered during classifications or parsing such as: password
protected files, encrypted files, sub-object failures, and user configuration (i.e.,
skip .exe files), etc. Kazpartial Reports detail the metadata (errors) collected in
kazpartial metadata fields.
The job status listings and the Kazpartial Reports will not necessarily show the
same numbers as they serve different purposes.
Kazpartial Errors Table
Some files may encounter errors as they are parsed during crawls. If the error
results in the file being partially processed in any way, a “kazpartial” metadata tag
is added for that file containing a brief description of the error. Many of those
error messages are explained further below.
ERROR from kazpartial | Description
Content extraction error | Parser libraries could not extract the content, generated by vendor library.
Content size exceeded limit (configuration) | Tag limit of 10M (the default) exceeded. With a 10M limit, when 10M fulltext is extracted from an object, further fulltext is not accumulated. Default applies to other tags as well (for example, with Social Security Numbers no more than 10M bytes of SSNs are extracted per object.)
Could not open MDB file | The MDB file could not be opened by the parser.
Embedded content could not be read and was skipped | Refers to embedded subobjects such as excel spread sheets embedded in Word documents. Separate subobject entities are not created for these and the error refers to the inability to read content from the embedded object.
Encoded or unreadable Access database | The mdb file catalog could not be read. Refers to the indexes of mdb database table. Exact cause difficult to identify because error is generated from another library.
File is corrupt | The file could not be opened because the file was corrupt.
File is password protected or encrypted | The file could not be opened because it was password protected or encrypted.
No filter available for this file type | Parser has no filter for this file type, or is unable to identify the code to parse it.
Rendering of this format is not supported | Originates from vendor library.
Skipped content because it was binary (configuration) | Skipped content because it was binary (configuration).
Skipped content of unknown file type (configuration) | Skipped content of unknown file type (configuration). Could not open file.
Skipped content of unknown type subobject (configuration) | Skipped content because the subobject was binary (configuration).
Skipped file of unknown type | Same as “Skipped content on unknown file type”, except that parser had an error after opening the object.
Skipped subobject content because it was binary (configuration) | Skipped subobject content because it was binary (configuration)
Sub-object skipped due to timeout or internal error | A subobject exceeded the maximum processing time allowed (a limit set to prevent overly-large subobjects from consuming all system resources). This is a parser.config parameter that must be set on all cluster nodes. There are two timeouts, one for smaller objects, and another for larger objects (with values of 300 and 600 respectively). Large objects default to 1M or more, but can also be set by parser.config file. Subobjects inherit parent object “size” classification, however each subobject processing has its own timeout limit (either 300 or 600). This message also indicates when internal errors (core dumps) from the vendor library prevent further processing.
Unable to parse (sub)object due to doctype timeout | (Sub)Object document type timeout exceeded. Each document type has its own timeout limit. This prevents situations where the vendor library has issues resolving the document type inside a specified duration. Objects are skipped beyond this point. This value is 10 seconds and configurable from the parser.config file.
Unable to parse (sub)object due to parser timeout | Same as “Sub-object skipped due to timeout or internal error”, but for subobjects.
Writing sub-object to file for processing failed | During subobject processing, some subobjects must be extracted to a separate file for parsing (because other vendor libraries are used to parse the subdocument). May be caused when a subobject is copied/extracted as part of an action.
KazNULL | A search reserved keyword situation where there is no kazpartial for an object (or subject). So, if searching for objects that have any kazpartial, use “<searchKeyWord> and NOT kaznull:kazpartial” in search, or if searching for objects without kazpartial, then the query is “kazNULL:kazpartial”
Appendix E:
Installation and Configuration Checklists
This appendix lists the site requirements as well as the installation and configuration
information you need to gather before installing the Kazeon Information Server.
Topics are as follows:
• “Site Requirements”
• “System Installation and Configuration”
• “External Authentication Configuration”
• “File System Registration”
Site Requirements
You need to meet the following site requirements for each node:
Rack Space
1U rack height, uses 19" rack
Height 1.75", Width 19.0", Depth 31" (34" deep with cables)
Weight 34 lbs
Tools & Accessories
• Phillips No.2 screwdriver or powerdriver for rack mounting
• Keyboard, video, and mouse (KVM)
  You can replace the KVM with a serial console/terminal concentrator.
• 2 Cat6 ethernet cables of appropriate length.
Power and heat constraints
• 2 x 110 V outlets
• 2 x 550W (AC) power supplies
• 5 Amps (maximum), 3 Amps (nominal)
• 500 Watts (maximum), 350 Watts (nominal)
• 1671 BTU/hr heat dissipation
Network Connections
• 2 copper gigabit ethernet connections—Gigabit Ethernet is required on eth2
• 3 IP addresses (for eth1, eth2, and the third address is the RAC (or IPMI) address
  used for cluster management, see “The Intelligent Platform Management Interface
  (IPMI)” on page 51 for more details)
Software
SSH client for remote access to the Kazeon system (for example, PuTTY for
Windows).
Primary Data
One or more network file systems containing unstructured data that needs to be
classified. These file systems must be accessible using either NFS or CIFS.
Storage for Kazeon Metadata
One or more empty network file systems to store the Kazeon metadata. These file
systems should be accessible using either NFS or CIFS.
Optional
DNS Server
DHCP Server
Active Directory Server
NIS Server
• For each data file system, provide a minimum of one mount point to store the
  Kazeon metadata. The space allocated for this metadata may need to be
  approximately equal to the size of the data itself but this can vary depending on
  the amount of metadata being extracted and the use case. Typically, the space
  allocated for metadata must be at least 30% of the data size.
• If the Kazeon metadata is to be hosted on a NetApp filer, the maxfiles parameter
  on that volume should be increased to accommodate the creation of the metadata
  files. As a rough guideline, the metadata can contain up to double the number of
  files in the data. This can be done using the vol maxfiles command.
Best Practices
a. In order to protect your systems from power circuit failures, connect the
redundant power supplies to separate power circuits. If you are using a UPS to
protect against a site power outage, connect one of the power supplies from
each node to the UPS. Connect the other power supply to regular house
power. This prevents a UPS failure or a utility power failure from powering
down the node.
b. Keep a console connected to the Kazeon nodes to ensure that the system is
accessible in case the node has networking problems and is unable to
communicate over the network.
c. A single Kazeon node has two network connections, ethernet 1 and ethernet 2
(both are copper 10/100/1000—Gigabit Ethernet is required on eth2). To
ensure the highest availability, connect each of these to separate subnets.
Additional nodes should be connected to these same two subnets in like
fashion. This will protect the cluster from switch or network failures.
If separate subnets are not practical, configure two paths through different
switches that will fail over gracefully even though they're not on the same
subnet.
Note: For a single node cluster, configure only Eth1 and disable Eth2.
d. Ensure that the network interfaces on the filer, the ethernet switches, and the
Kazeon Information Server are all set to the same maximum transmission unit
(MTU). The default MTU size for the Kazeon Information Server is 1500
bytes. Some switches will drop any packet with a MTU greater than 1500.
System Installation and Configuration
Table 16 lists the information that you need to gather for each node before you begin installing and
configuring the Kazeon Information Server.
Note: * denotes required fields.
Table 16. System Installation and Configuration Checklist
Cage/Rack/Shelf Location
Service Tag for Node
*Host Name
*Default Domain Name (dns-suf)
*DNS Server IP Address (dns-srv)
*Time Zone (tz) (e.g: US/Pacific)
*Default gateway for all subnet traffic (def-gw)
*Static IP Address for Interface eth 1 (eth1-ipv4)
*Netmask for Interface eth1 (eth1-mask)
• Switch manufacturer and model number:
• Port type (gigabit, FE, 10bT):
• Port details (fiber; copper; external GBIC):
• Flow Control (on/off):
• Auto Negotiation/GE/100/10:
• Duplex (Full/Half):
• Any other port details:
• Static IP Address for Interface eth 2 (eth2-ipv4)
  Note: For a single node cluster, disable Eth2.
• Netmask for Interface eth 2 (eth2-mask)
• Switch manufacturer and model number:
• Port type (gigabit, FE, 10bT):
• Port details (fiber; copper; external GBIC):
• Flow Control (on/off):
• Auto Negotiation/GE/100/10:
• Duplex (Full/Half):
• Any other port details:
Static IP Address for IPMI (rac-ipv4)
Netmask for Interface IPMI (rac-mask)
Gateway for the IPMI traffic (rac-gw)
Are jumbo frames supported on network & file servers?
If so, what is the MTU size for jumbo frames?
Note: To set up the DHCP server, use the MAC addresses printed on the chassis.
External Authentication Configuration
Table 17 is a checklist for information that you need to gather before you begin configuring
external authentication.
Table 17. External Authentication Checklist
ACTIVE DIRECTORY
AD Password for authorized user (a)
Domain Name or NETBIOS group name.
AD Server Name (optional)
SUN NETWORK INFORMATION SERVICES
NIS server name and domain name.
(e.g: add authentication nis server server_xyz domain domain_abc)
a. A user who is a member of any of the following groups: Account Operators, Domain Power Users,
or Administrators.
File System Registration
Table 18 and Table 19 are checklists for information that you need to gather before you begin
adding file systems to the Kazeon Information Server.
Table 18. NFS File System Registration Information
NFS File Systems
File System Name (user-defined administrative name) | Data Server Name | Data File System Name | Metadata Server Name | Metadata Repository | Tier

Table 19. CIFS File System Registration Information
CIFS File Systems
User ID/Password (to mount CIFS shares) | File System Name (user-defined administrative name) | Data Server Name | Data Share Name | Metadata Server Name | Metadata Share Name | Tier
Kazeon Information Server Regulatory Certifications
FCC (U.S. only) Class A
ICES (Canada) Class A
CE Mark (EN 55022 Class A, EN55024, EN61000-3-2, EN61000-3-3)
VCCI (Japan) Class A
BSMI (Taiwan) Class A
C-Tick (Australia/New Zealand) Class A
SABS (South Africa) Class A
CCC (China) Class A
MIC (Korea) Class A
UL 60950
CAN/CSA C22.2 No. 60950
EN 60950
IEC60950
73/23/EEC (Low Voltage Directive)
89/336/EEC (EMC Directive)
WEEE
RoHS Compliant (Server Exemption)
Appendix F:
Kazeon Query Language (KQL)
This appendix explains how to use the Kazeon Query Language (KQL).
Topics include:
• “Using KQL Queries with Assignment Rules”
• “KQL Query Format”
• “KQL Functions”
• “Adding KQL Search Results to the Search Index”
Classification Rule (Assignment) overview
Assignment-type classification rules are KQL expressions used by the
MetadataClassifier to perform assignments of metadata (ContextData) values based
on preexisting metadata values. This can be contrasted with ParseRules or Extraction-type classification rules, which are regular-expression based rules for extracting
metadata values from the textual content of documents. Like ParseRules,
Classification Rules can be organized in named sets; a particular rule set can be made
the current or default set.
A classification assignment rule is an expression in string form, for example:
• "set visibility='confidential' where department='marketing' and secret=true"
• "drop secret"
(The double-quotes around the rule are not strictly part of the rule, but will often be
needed to enter it. String constant values such as 'confidential' in the example must be
enclosed in single quotes [double quotes will work also but single quotes should be
used for compatibility with SQL].)
Classification assignment rules are SET or DROP statements in KQL.
SET statements are similar to the assignment part of SQL UPDATE statements; in the
context of classification, the object being updated is always the context-data for a
particular document being classified, so the initial UPDATE part of the statement is
omitted. The syntax of a SET statement is:
SET field = expression [ , field = expression ]* [ WHERE condition ]
This performs one or more assignments of a computed expression value to a field; if
the WHERE clause is given the assignments occur only if the condition evaluates to a
true value.
DROP statements remove a field and any associated value from a ContextData object.
The syntax of a DROP statement is:
DROP field [ , field ]* [ WHERE condition ]
A field is the name of a particular field in the ContextData object being operated on
(the metadata for a specific document). ContextData fields are divided into named
Sections, such as the native section (which contains common file-oriented information
such as the document's FilePath, Size, etc.), the extracted section (the principal
metadata section populated by ParseRules), the assigned section (the section
populated by assignment ClassificationRules), or the usertags section (the section
populated by CD-tagging actions). A specific field is named by giving both its section
name and its field name, as in native.FilePath -- if the section name is omitted in an
expression and some single section contains a matching field name, that field is used
(e.g. "FilePath" may be specified instead of "native.FilePath" if no other section
contains a field named "FilePath"). If no section name is given in the left-hand side of
an assignment, "assigned" will be assumed (for assignment rules). For purposes of
DROP, a field name of "*" can be used to drop all field values in a section, e.g.
"DROP usertags.*". In future releases this section-oriented CD structure will be
replaced with a "flatter" naming structure more consistent with field-name usage in
search and database reporting.
Policy Groups
Policy groups are viewed as a special section containing a boolean-valued field for
each defined policy group. So if policy groups Default, HIPAA, Ephemeral, and Secret
are defined, a document in the Default and Ephemeral groups would see
PolicyGroups.Default and PolicyGroups.Ephemeral as TRUE, and PolicyGroups.HIPAA and
PolicyGroups.Secret as FALSE; a classification assignment rule can set the policy
group association of a document by assigning to those values, e.g. a classification
assignment rule might be:
"set PolicyGroups.Secret = true where visibility = 'confidential'"
Using KQL Queries with Assignment Rules
Assignment rules use a custom Kazeon query language (KQL) to tag files and assign
them to policy groups. A classification assignment rule is an expression in string form,
for example:
"set visibility='confidential' where department='marketing' and secret=true"
Note: All values in KQL are treated as strings. String constants must be placed
between single quotes or double quotes; examples in this document use single
quotes. Single quotes are preferred around string constants inside KQL (for
compatibility with SQL).
The keywords true and false are equivalent to ‘1’ and ‘0’ respectively.
KQL has just one statement, SET. Classification rules are built using SET expressions.
SET statements allow an optional WHERE condition. WHERE activates the SET
expression only when the WHERE condition(s) evaluate(s) true.
Note: You cannot use the SET expression with file system metadata such as Owner
or FilePath. You can specify file system metadata values using the WHERE
condition.
KQL Query Format
A KQL query uses the following format to tag files:
SET field = expressionValue, ...* [WHERE condition]
wherein:
SET performs one or more assignments of a computed expression value to a field; if
the WHERE clause is given the assignments occur only if the condition evaluates to a
true value.
field is the name of a metadata field in the metadata repository that is mapped to a
specific file. A field can be any file-system, Kazeon-configured, or custom metadata.
Use these metadata fields to search the file system for information and to create
reports. For a list of file system and Kazeon-configured metadata, see “About Kaz
Schema” on page 244.
expressionValue is a computed expression string. Specify multiple expression
strings using the comma delimiter.
...* denotes multiple comma-delimited occurrences of field = expressionValue pairs.
The [WHERE condition] specifies when to tag the files.
When using a conditional expression in the WHERE clause, you can compare the
expression to other expressions using the following operators:
=, <, >, +, <=, >=, <>, AND, OR, NOT, and EXISTS.
You can combine logical expressions using the AND, OR, NOT boolean operators:
KQL Functions
The following KQL functions can be used to build query expressions:
• concat (expression1, expression2, ...): returns the result of concatenating the
  component expressions together.
  The following example concatenates three expressions to return values for the
  phoneNo field.
  set phoneNo = concat (AreaCode, '/', localPhoneNo)
• locate (target, test): returns the position in the target string of the first
  match of the test string, beginning at 1 and returning 0 if not found.
  The following example tags all PowerPoint files that Smith created.
  set Department = 'Marketing' where locate (Author, 'Smith') > 0 AND locate (DocType.FileType, 'PowerPoint') > 0
• replace (keyword1, keyword2, keyword3): In the first keyword, all occurrences of
  the second keyword are replaced with the third keyword.
  The following example replaces John Smith with Mary Jones as the Author.
  set Author = replace (Author, 'John Smith', 'Mary Jones') where Department = 'Marketing'
• match(target, test) returns the first string matched by the test string
  (regular expression) within the target string. match('foo', 'o') returns 'o';
  match('foo', 'o+') returns 'oo'; match('foo', 'bar') returns ''.
• extract(target, test, format) returns the result of evaluating the format
  string after matching the test string against the target string. The format string is
  evaluated to expand $n references to substrings matched by parenthesized
  subexpressions in the test string. extract('the big boy', ' b[a-z]+', '$1') returns 'big'.
• length(str) returns the length in characters of the parameter expression.
  length('xyz') returns '3'.
• validate_list(target, test) considers the target as a list of space-delimited
  values, and tests each one for validity according to the rules associated
  with test. It returns a string consisting of one instance of each valid value.
  validate_list('123-45-6789 111561234 xxx-yy-zzzz', 'ssn') returns '111561234'.
  The test can be one of:
  ◦ SSN (US Social Security Number)
  ◦ NIN (UK National Insurance Number)
  ◦ SIN (Canada Social Insurance Number)
  ◦ AMEX, BANK, CREDIT, DINER, DISC, JCB, MAE, MC, VISA (credit cards)
  ◦ mdy, dmy, ymd (dates in formats MM/DD/YYYY, DD/MM/YYYY, YYYY/MM/DD)
  ◦ unique simply returns one instance of each space-delimited value (removing
    duplicates) -- order is not preserved.
  ◦ CUSIP (the 9-character alphanumeric security identifiers the Committee on
    Uniform Security Identification Procedures distributes for all North American
    securities to facilitate clearing and settlement of trades)
  ◦ ISIN (International Securities Identifying Number) uniquely identifies a
    security. Its structure is defined in ISO 6166. Securities for which ISINs are
    issued include bonds, commercial paper, equities and warrants
  ◦ ABA – American Bankers Association routing number (that appears on checks)
  ◦ VIN – Vehicle Identification Number (North America)
  ◦ NPI – National (Health care) Provider Identification number
  ◦ NHS – UK National Health Service number
  ◦ UPN – UK Unique Pupil Number
  Validate_list examples:
  ◦ validate_list("559-00-4611 000-78-4611 559-76-0000 76909-1234 565-78-3456","ssn")
    returns a single value "565-78-3456"
  ◦ validate_list("3787-344936-71000 3787-344836-71000 3787344936-71007 3787-344936-71000 3782-822463-10005", "amex")
    returns two values "3787-344936-71000 3782-822463-10005" (note that
    3787-344936-71000 had been duplicated)
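The following Python model of validate_list for the 'amex' and 'unique' tests is an added example, not Kazeon code; it reproduces the amex result shown above and reports why each rejected value fails. The amex rule used here (15 digits, prefix 34 or 37, Luhn check digit) and all function names are assumptions, since the manual does not document Kazeon's validation rules.

```python
import re

# Input copied from the validate_list "amex" example in this appendix.
PAGE_AMEX_INPUT = (
    "3787-344936-71000 3787-344836-71000 3787344936-71007 "
    "3787-344936-71000 3782-822463-10005"
)


def luhn_ok(digits):
    """Return True when the last digit is the Luhn check digit of the rest."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def amex_verdict(token):
    """Explain why one token passes or fails the assumed 'amex' rule."""
    digits = re.sub(r"[- ]", "", token)
    if not re.fullmatch(r"[0-9]{15}", digits):
        return "not 15 digits"
    if digits[:2] not in ("34", "37"):
        return "not an American Express prefix"
    if not luhn_ok(digits):
        return "check digit mismatch"
    return "valid"


# Hypothetical rule table; Kazeon's other tests (ssn, nin, cusip, ...) are not modelled.
TESTS = {
    "amex": lambda token: amex_verdict(token) == "valid",
    "unique": lambda token: True,
}


def validate_list(target, test):
    """Model of validate_list: one instance of each valid space-delimited value."""
    is_valid = TESTS[test.lower()]
    kept = []
    for token in target.split():
        if is_valid(token) and token not in kept:
            kept.append(token)
    return " ".join(kept)


if __name__ == "__main__":
    for token in PAGE_AMEX_INPUT.split():
        print(f"{token:20} {amex_verdict(token)}")
    print(validate_list(PAGE_AMEX_INPUT, "amex"))
```

Both rejected values in the manual's input are 15-digit numbers with an American Express prefix that differ from a valid number by one digit, so only the check digit catches them.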
In a conditional expression, as in the WHERE clause, expressions can be compared
using <, >, = , <= , >= , and <> (not equal) operators; logical expressions can be
combined with AND, OR, or NOT.
The EXISTS function can test whether a symbol has any value at all:
EXISTS(indexed.secret) will return true if the “secret” symbol is defined at all
in the “indexed” section.
Note: When creating a KQL query from the CLI, enclose the query in single or
double quotes. For example: "set Author = replace (Author, 'John Smith',
'Mary Jones') where Department = 'Marketing'". Do not enclose queries in
quotes when creating them from Web-Admin.
KQL Examples
The following examples use KQL to assign metadata tags and policy groups to files:
• To tag salary records as confidential files:
  set visibility = 'confidential' where department = 'Payroll' AND document = 'salary records'
• To assign salary records to a policy group named TopSecret:
  set PolicyGroups.TopSecret = true where visibility = 'confidential'
• To tag files that contain social security numbers:
  set SSN = true where locate (FullText, '(\d\d\d-\d\d-\d\d\d\d)') > 0
• To use the OR operator to group under the Marketing department, all PowerPoint
  and Word documents that Smith created:
  set Department = 'Marketing' where locate (Author, 'Smith') > 0 AND (locate (FileType, 'PowerPoint') > 0 OR
• While KQL does not support arithmetic counting, this is an indirect way of
  counting space-delimited strings:
  length(replace("3787-344936-71000 3782-822463-10005", '[^ ]* *', 'x'))
  returns "2"
Note: When a metadata value is a string, you need to enclose it within double
quotes. Do not use quotes if the value is true or false.
For information on policy groups, see “Maintaining Policy Groups” on page 143.
Adding KQL Search Results to the Search Index
If you want the results of any classification (including KQL based queries) to be
searchable after the job finishes, the new tag created by the KQL must be added to the
search index.
For example, an assignment ruleset called delete_dups which contains a single
assignment rule called delete_duplicates could be created to look for duplicates
of a specific filename (opdo-music-moonlight.dat).
The KQL might look like this:
SET delete_file='delete_this_file' where filepath='file://quotes/Jay/Music/opdo-music-moonlight.dat'
To make the new tag searchable after the classification is run, the new delete_file
tag must be added to the search schema before the classification is run (using the
delete_dups ruleset). Use the following CLI command:
set schema delete_file type string attributes indexed namespace userdefined search-attributes "text"
For complete details see “Using ‘set schema’ to Add Tags to Kaz Schema” on
page 250.
Appendix G:
Regular Expressions (RegEx)
This appendix provides some very basic background for understanding and using
Regular Expressions (RegEx).
Topics include:
• “Regular Expressions Overview”
• “RegEx Syntax Basics”
  ◦ “Meta-Characters”
  ◦ “Quantifier Summary”
  ◦ “Alternation”
  ◦ “Grouping with Parentheses”
• “Kazeon RegEx Examples”
  ◦ “Confidential”
  ◦ “Social Security Numbers”
  ◦ “Master Card Credit Card Numbers”
  ◦ “Individual Taxpayer Identification Numbers”
Regular Expressions Overview
You can use Regular Expressions (RegEx) in Kazeon Information Server extraction
rules to match patterns such as a sequence of digits resembling a social security
number or an account number to extract those digit patterns from a file.
___________________________________________________________________
From Wikipedia:
In computing, a regular expression is a string that is used to describe or match a set of
strings, according to certain syntax rules.
Regular expressions are used by many text editors and utilities to search and
manipulate bodies of text based on certain patterns. Many programming languages
support regular expressions for string manipulation. For example, Perl and Tcl have a
powerful regular expression engine built directly into their syntax. The set of utilities
(including the editor ed and the filter grep) provided by Unix distributions were the
first to popularize the concept of regular expressions. "Regular expression" is often
shortened in speech to regex, and in writing to regexp or regex (singular) or regexps,
regexes, or regexen (plural).
___________________________________________________________________
For more detail on understanding and using RegEx, perform a Google search
for “Regular Expressions Primer”.
For a wealth of useful examples, go to http://regexlib.com.
RegEx Syntax Basics
RegEx uses a variety of Quantifier and Meta-characters (and escaped characters) to
specify patterns. Quantifiers and Alternation can also be specified.
Quantifier Summary
Quantifiers determine whether, and how many times, a pattern must exist to be matched.
Quantifier    Description
?             Matches any preceding element 0 or 1 times, equivalent to {0,1}
*             Matches the preceding element 0 or more times, equivalent to {0,}
+             Matches the preceding element 1 or more times, equivalent to {1,}
{num}         Matches the preceding element num times.
{min, max}    Matches the preceding element at least min times, but not more than max times.
{a,z}         Matches if the previous group was found between a and z times.
{a,}          Matches if the previous group was found at least a times.
{,z}          Matches if the previous group was found no more than z times.
{n}           Matches if the previous group was found exactly n times.
Meta-Characters
Meta-characters are characters for which the regex engine reserves special meaning.
Meta-Character  Type                      Description
\                                         Escapes the character that follows it
.                                         Matches any single character
a|z                                       Matches a or z
^               Anchor                    Matches the beginning of a string
$               Anchor                    Matches the end of a string
*               Quantifier                0 or more of previous group or characters
+               Quantifier                1 or more of previous group or characters
?               Quantifier                0 or 1 of previous group or characters
[abcd]          Character Class           Matches if the character in this position is either an a, b, c, or d
[^abcd]         Inverted Character Class  Matches if the character in this position is not an a, b, c, or d
(abcd)          Grouping                  Groups the matches in the parentheses into a reference
Escape Characters
To match some special characters as themselves, it's necessary to prefix them with a
back slash "\". For example, to specify a match for a dollar sign, use “\$”, otherwise
the dollar sign is evaluated as an end of string requirement.
Some characters, like carriage returns and tabs, require specific escape sequences.
Escape Sequence  Search Char
\r               carriage return
\t               tab
\$               matches a dollar sign
\w               matches any word character, equivalent to [a-zA-Z_0-9]
\W               matches any non-word character, equivalent to [^a-zA-Z_0-9]
\b               matches a word boundary between word (\w) and non-word (\W) characters
\d               matches any decimal digit, equivalent to [0-9]
\D               matches any non-digit, equivalent to [^0-9]
\f               form feed
\n               new line (line feed)
\v               vertical tab
\s               matches any white-space character, equivalent to [\f\n\r\t\v]
\S               matches any non-white-space character, equivalent to [^\f\n\r\t\v]
Alternation
The vertical bar "|" is used to represent an "OR" condition. Use it to separate alternate
patterns or characters for matching. For example:
Regex: boy|girl
Matches: boy or girl, and doesn't match: person.
Grouping with Parentheses
Parentheses "()" are used to group characters and expressions within larger, more
complex regular expressions. Quantifiers that immediately follow the group apply to
the whole group.
Regex: (abc){2,3}
Matches: abcabc and abcabcabc, but doesn't match: abc or abccc.
Kazeon RegEx Examples
The following examples are both functional and demonstrative.
Confidential
The following RegEx can be used in extraction rules to find documents marked
“confidential”:
(?-i)(^|\b)((Confidential)|(CONFIDENTIAL))(\b|$)
The individual RegEx expressions break out as follows:
(?-i)
  • Do not save value as positional parameter
  • Ignore Kazeon case-insensitivity
(^|\b)
  • Start of string OR a word boundary (should precede first character)
  • Sets value of positional parameter $1
((Confidential)|(CONFIDENTIAL))
  • String must exactly match Confidential OR CONFIDENTIAL
  • Sets the matched string as value of $2
(\b|$)
  • End of string OR a word boundary (should follow last character)
  • Sets value of $5
$2 is the positional parameter of interest
Social Security Numbers
The following RegEx can be used in extraction rules to find Social Security numbers:
(^|\b)(?!000|666)(\d{3})([- ])(?!00)(\d{2})\3(?!0000)(\d{4})(\b|$)
The individual RegEx expressions break out as follows:
(^|\b)
  • Start of string OR a word boundary (should precede 1st digit)
  • Sets value of positional parameter $1
(?!000|666)
  • Do not save value as positional parameter
  • Next three characters must not be 000 OR 666
(\d{3})
  • Match a single digit 0...9, exactly three times
  • Sets returned digits as value of $2
([- ])
  • The separator character is hyphen or space
  • Sets value of $3
(?!00)
  • Do not save value as positional parameter
  • Next two characters must not be 00
(\d{2})
  • Match a single digit 0...9, exactly two times
  • Sets returned digits as value of $4
\3
  • Backreference to third parameter; separators must be identical
    Note: This is not within parentheses and does not set a positional parameter
(?!0000)
  • Do not save value as positional parameter
  • Next four characters must not be 0000
(\d{4})
  • Match a single digit 0...9, exactly four times
  • Sets returned digits as value of $5
(\b|$)
  • End of string OR a word boundary (should follow last digit)
  • Sets value of $6
$0 is the entire matching string.
To provide a consistent format 999-99-9999, set the value to: $2-$4-$5
Note: Additional processing beyond RegEx is required to validate that the 2-digit
Group number is valid for the 3-digit Area number.
Master Card Credit Card Numbers
The following RegEx can be used in extraction rules to find Master Card Credit Card
numbers:
(^|\b)(5[1-5]\d{2})([- ])(\d{4})\3(\d{4})\3(\d{4})(\b|$)
The individual RegEx expressions break out as follows:
(^|\b)
  • Start of string OR a word boundary (should precede first digit)
  • Sets value of positional parameter $1
(5[1-5]\d{2})
  • First digit must be 5
  • Second digit must be in the range of 1 to 5, inclusive
  • Match a single digit 0...9, exactly two times
  • Sets returned digits as value of $2
([- ])
  • The separator character is hyphen or space
  • Sets value of $3
(\d{4})
  • Match a single digit 0...9, exactly four times
  • Sets returned digits as value of $4
\3
  • Backreference to third parameter; separators must be identical
    Note: This is not within parentheses and does not set a positional parameter
(\d{4})
  • Match a single digit 0...9, exactly four times
  • Sets returned digits as value of $5
\3
  • Backreference to third parameter; separators must be identical
    Note: This is not within parentheses and does not set a positional parameter
(\d{4})
  • Match a single digit 0...9, exactly four times
  • Sets returned digits as value of $6
(\b|$)
  • End of string OR a word boundary (should follow last digit)
  • Sets value of $7
$0 is the entire matching string.
To provide a consistent format 9999-9999-9999-9999, set the value to: $2-$4-$5-$6
Note: Additional processing beyond regex is required to validate that the trailing
check-digit matches the value computed using the Luhn algorithm.
Individual Taxpayer Identification Numbers
The following RegEx can be used in extraction rules to find Individual Taxpayer
Identification numbers:
(^|\b)(9\d{2})([- ])([78]\d)\3(\d{4})(\b|$)
The individual RegEx expressions break out as follows:
(^|\b)
  • Start of string OR a word boundary (should precede first digit)
  • Sets value of positional parameter $1
(9\d{2})
  • First digit must be 9
  • Match a single digit 0...9, exactly two times
  • Sets returned digits as value of $2
([- ])
  • The separator character is hyphen or space
  • Sets value of $3
([78]\d)
  • First digit must be 7 or 8
  • Match a single digit 0...9, exactly one time
  • Sets returned digits as value of $4
\3
  • Backreference to third parameter; separators must be identical
    Note: This is not within parentheses and does not set a positional parameter
(\d{4})
  • Match a single digit 0...9, exactly four times
  • Sets returned digits as value of $5
(\b|$)
  • End of string OR a word boundary (should follow last digit)
  • Sets value of $6
$0 is the entire matching string.
To provide a consistent format 999-99-9999, set the value to: $2-$4-$5
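The Social Security, Master Card and Individual Taxpayer patterns above, run with Python's re module over constructed text; this is an added example, not Kazeon code. It shows the lookaheads and the \3 backreference rejecting near-misses, and that an ITIN-shaped value also satisfies the Social Security pattern, so rule order decides its tag. Assumptions: Python's regex semantics stand in for Kazeon's engine, the tag names ITIN and MasterCard and the first-rule-wins overlap handling are hypothetical, and the Master Card check digit is not verified here.

```python
import re

# Patterns and "$n" output formats copied from the three examples above.
# Tag names other than SocialSecurityNumber, and the rule order, are assumptions.
RULES = [
    ("ITIN", r"(^|\b)(9\d{2})([- ])([78]\d)\3(\d{4})(\b|$)", "$2-$4-$5"),
    ("SocialSecurityNumber",
     r"(^|\b)(?!000|666)(\d{3})([- ])(?!00)(\d{2})\3(?!0000)(\d{4})(\b|$)",
     "$2-$4-$5"),
    ("MasterCard",
     r"(^|\b)(5[1-5]\d{2})([- ])(\d{4})\3(\d{4})\3(\d{4})(\b|$)",
     "$2-$4-$5-$6"),
]
# re.ASCII keeps \d equal to [0-9], as in the escape table of this appendix.
COMPILED = [(tag, re.compile(rx, re.ASCII), fmt) for tag, rx, fmt in RULES]

# Constructed sample text; none of these values comes from the manual.
SAMPLE = (
    "SSN 078 05 1120 and again 078-05-1120; "
    "rejected 000-12-3456, 666-12-3456, 078-00-1120, 078-05-0000, 078-05 1120. "
    "ITIN 912-70-1234. "
    "Card 5555 5555 5555 4444, mistyped 5555-5555 5555-4444."
)


def expand(match, fmt):
    """Expand $n references in fmt with the match's positional parameters."""
    return re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))), fmt)


def extract(text):
    """Return (tag, normalised value) pairs in document order.

    An earlier rule claims its span, so a later rule cannot tag the same text.
    """
    claimed, hits = [], []
    for tag, rx, fmt in COMPILED:
        for m in rx.finditer(text):
            if any(m.start() < end and start < m.end() for start, end in claimed):
                continue
            claimed.append(m.span())
            hits.append((m.start(), tag, expand(m, fmt)))
    return [(tag, value) for _, tag, value in sorted(hits)]


def tags_matching(value):
    """Every rule whose pattern matches value, ignoring precedence."""
    return [tag for tag, rx, _ in COMPILED if rx.search(value)]


if __name__ == "__main__":
    for tag, value in extract(SAMPLE):
        print(f"{tag:22} {value}")
    print(tags_matching("912-70-1234"))
```

Moving the ITIN rule below the Social Security rule in RULES would tag 912-70-1234 as SocialSecurityNumber instead.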
Appendix H:
Default Metadata Tags / Search Schema
This appendix contains tables listing all default metadata tags.
These also represent the default search schema.
Note: Fields from MS Office templates are populated only if they contain values.
The following tables are included:
• “Default File System Metadata Tags / Search Schema”
• “Default Kazeon-configured Metadata Tags / Search Schema”
• “Default Kazeon Internal Metadata Tags / Search Schema”
• “Music File Metadata”
• “Mail File Metadata”
• “Graphic File Metadata”
Default Metadata Tags
Table 20
Default File System Metadata Tags / Search Schema
Field          Properties                   Description
File System Metadata
atime          date, indexed                The time when the file was last accessed.
author         text, indexed, content       The author of the document as specified by the document filters.
category       text, indexed, content       Microsoft Office field. Category to which the file belongs as specified by document filters.
company        text, indexed                Microsoft Office field. The company to which the file belongs.
ctime          string, indexed, saved       The time when the file permissions were changed.
description    text, indexed, content, uri  A brief application-generated description of the file.
filepath       indexed                      Path to the file location in URL format.
filesize       string, indexed              Size of the document.
filetype       text, indexed                The file type, such as Microsoft Word, PowerPoint presentation, or Excel.
fulltext       text, indexed                Full text extracted from the file. When you search by keyword, by default, the system looks for the keywords in this field.
group          text, indexed                The group ID as captured from the file system.
groupname      text, indexed                The group to which the user belongs.
language       text, indexed                Language of the document.
lastsavedby    text, indexed                Microsoft Office field. The user who last saved the file.
manager        text, indexed, content       Microsoft Office field. The group manager.
mtime          date, indexed, sortable      Time when the file contents were modified.
name           text, indexed                Used for composite objects.
owner          text, indexed                The ID of the file owner, captured from the file system.
ownername      text, indexed                The name of the file owner.
policygroups   text, indexed, content       Policy groups to which the file belongs. For information on policy groups, see “About Policies and Policy Groups” on page 142.
project        text, indexed, content       Microsoft Office field. The project to which the file belongs.
publisher      text, indexed, content       Microsoft Office and PDF field. The publisher of the document.
source         text, indexed                Microsoft Office field. The source field.
subject        text, indexed, content       Microsoft Office field. Topic of the document.
title          text, indexed, content       Microsoft Office and PDF field. Name given to the document by the author or publisher.
typeextension  text, indexed, content       Extension for the file based on content type auto-generated by Kazeon.
Table 21
Default Kazeon-configured Metadata Tags / Search Schema
Field                 Properties       Description
Kazeon-configured Metadata
Confidential          text, indexed    Kazeon-configured field. Used to tag a document as confidential.
EMail                 text, indexed    Kazeon-configured field. The email address of the person authoring or modifying the document
ExtDate               date, indexed    Kazeon-configured field. The date extracted from a file’s contents.
Name                  string, indexed  Kazeon-configured field. A user name.
PostalCode            text, indexed    Kazeon-configured field. A zip code extracted from a file’s contents.
Price                 string, indexed  Kazeon-configured field. A dollar amount extracted from a file’s contents.
SocialSecurityNumber  text, indexed    Kazeon-configured field. An individual’s social security number.
StockSymbol           text, indexed    Kazeon-configured field. An organization’s stock symbol.
TelephoneNo           text, indexed    Kazeon-configured field. The phone number for a user or organization.
URI                   text, indexed    Kazeon-configured field. The uniform resource indicator for the document, if it exists.
Table 22
Default Kazeon Internal Metadata Tags / Search Schema
Field                Properties              Description
Kazeon Internal Metadata
CASID                string, indexed, saved  Internal field. Kazeon-generated unique ID for a document.
CASIDIV              string, indexed         Internal field. Kazeon-generated unique ID for a document.
interface            text, content, indexed  Internal field.
systemserviceaction  text, indexed           Internal field.
objecttype           string, indexed         Internal field. Used for composite objects.
parent               string, indexed, saved  Internal field.
Besides the standard metadata tags, the following optional metadata is also easily
extracted during classifications by setting up extraction rules using the same
procedures as described in “Using DICOM File Attributes as Metadata” on page 368
for extracting DICOM metadata.
Mail File Metadata
For mail files like .pst, .ost, .eml, and .msg, the following tags can be extracted:
MailAlternateRecipientAllowed
MailAttachment
MailAttrHidden
MailAttrReadonly
MailAttrSystem
MailAutoForwarded
MailBcc
MailCategories
MailCc
MailCcme
MailClientSubmitTime
MailCompany
MailConversationIndex
MailConversationTopic
MailCreationTime
MailCreatorEntryid
MailCreatorName
MailDeferredDeliveryTime
MailDeleteAfterSubmit
MailEmail
MailExpires
MailExpiryTime
MailFlagsts
MailFrom
MailFullname
MailHomephone
MailImportance
MailInetMailOverrideFormat
MailInternetArticleNumber
MailInternetCpid
MailInternetMessageId
MailJobtitle
MailLastmodified
MailLastModifierEntryid
MailLastModifierName
MailLatestDeliveryTime
MailLocation
MailMessageClass
MailMessageCodepage
MailMessageLocaleId
MailMessageSubmissionId
MailMsgEditorFormat
MailMsgflag
MailNewsgroups
MailNtSecurityDescriptor
MailOriginatorDeliveryReportRequested
MailPriority
MailProfileConnectFlags
MailRcvdByFlags
MailRcvdRepresentingAddrtype
MailRcvdRepresentingEmailAddress
MailRcvdRepresentingEntryid
MailRcvdRepresentingFlags
MailRcvdRepresentingName
MailRcvdRepresentingSearchKey
MailReadReceiptRequested
MailReceived
MailReceivedByAddrtype
MailReceivedByEmailAddress
MailReceivedByEntryid
MailReceivedByName
MailReceivedBySearchKey
MailRecipientReassignmentProhibited
MailReplyRequested
MailReplyTime
MailReportTag
MailResponseRequested
MailRtfbody
MailRtfInSync
MailRtfSyncBodyCount
MailRtfSyncBodyCrc
MailRtfSyncBodyTag
MailRtfSyncPrefixCount
MailRtfSyncTrailingCount
MailSearchKey
MailSenderAddrtype
MailSenderEmailAddress
MailSenderEntryid
MailSenderFlags
MailSenderName
MailSenderSearchKey
MailSensitivity
MailSentRepresentingAddrtype
MailSentRepresentingEmailAddress
MailSentRepresentingEntryid
MailSentRepresentingFlags
MailSentRepresentingName
MailSentRepresentingSearchKey
MailSize
MailStop
MailSubject
MailSubmittime
MailTo
MailTransportMessageHeaders
MailTrustSender
MailUnknown
MailWebpage
MailWorkphone
Microsoft Office File Metadata:
The following Microsoft Office document metadata may be extracted.
Account
Address
Attachments
Author
Authorization
BackupDate
BaseFileLocation
BillTo
BlindCopy
CarbonCopy
Category
CharacterCount
CheckedBy
Client
Comments
Company
CompletedDate
Contributor
CountBytes
CountCharsWithSpaces
CountLines
CountMMClips
CountNotes
CountParas
CountSlides
CountSlidesHidden
CreationDate
Department
Description
Destination
KeyWords
Language
LastPrintDate
LastSaveDate
LastSavedBy
LinksDirty
Manager
Matter
MDBColumn
MDBTable
MinutesEdited
Office
Operator
Owner
PageCount
PresentationFormat
Project
Publisher
Purpose
ReceivedFrom
RecordedBy
RecordedDate
Relation
RevisionDate
RevisionNotes
RevisionNumber
ScaleCrop
Section
Security
Source
Status
Subject
Title
TitleOfParts
Typist
VersionDate
VersionNotes
VersionNumber
WordCount
WorkGroup
Music File Metadata
When searching for music files, like MP3s, the following metadata can be extracted:
ID3_AENC
ID3_APIC
ID3_ASPI
ID3_COMM
ID3_COMR
ID3_ENCR
ID3_EQU2
ID3_EQUA
ID3_ETCO
ID3_GEOB
ID3_GRID
ID3_IPLS
ID3_LINK
ID3_MCDI
ID3_MLLT
ID3_OWNE
ID3_PCNT
ID3_POPM
ID3_POSS
ID3_PRIV
ID3_RBUF
ID3_RVA2
ID3_RVAD
ID3_RVRB
ID3_SEEK
ID3_SIGN
ID3_SYLT
ID3_SYTC
ID3_TALB
ID3_TBPM
ID3_TCOM
ID3_TCON
ID3_TCOP
ID3_TDAT
ID3_TDLY
ID3_TENC
ID3_TEXT
ID3_TFLT
ID3_TIME
ID3_TIPL
ID3_TIT1
ID3_TIT2
ID3_TIT3
ID3_TKEY
ID3_TLAN
ID3_TLEN
ID3_TMCL
ID3_TMED
ID3_TMOO
ID3_TOAL
ID3_TOFN
ID3_TOLY
ID3_TOPE
ID3_TORY
ID3_TOWN
ID3_TPE1
ID3_TPE2
ID3_TPE3
ID3_TPE4
ID3_TPOS
ID3_TPRO
ID3_TPUB
ID3_TRCK
ID3_TRDA
ID3_TRSN
ID3_TRSO
ID3_TSIZ
ID3_TSOA
ID3_TSOP
ID3_TSOT
ID3_TSRC
ID3_TSSE
ID3_TSST
ID3_TYER
ID3_UFID
ID3_USER
ID3_USLT
ID3_WCOM
ID3_WCOP
ID3_WOAF
ID3_WOAR
ID3_WOAS
ID3_WORS
ID3_WPAY
ID3_WPUB
Graphic File Metadata
For graphic images like JPEGS, the following tags can be extracted:
IPTCByline
IPTCBylineTitle
IPTCCaption
IPTCCaptionWriter
IPTCCategory
IPTCCity
IPTCCopyrightNotice
IPTCCountry
IPTCCredits
IPTCDateCreated
IPTCHeadline
IPTCKeywords
IPTCObjectName
IPTCOriginalTransmissionReference
IPTCSource
IPTCSpecialInstructions
IPTCState
IPTCSupplementalCategories
Appendix I:
Using DICOM Tags
This appendix provides reference information useful when extracting DICOM
properties as extended attributes.
Topics include:
• “Using DICOM File Attributes as Metadata” on page 368
• “Selecting the DICOM Properties to Extract” on page 368
• “Adding DICOM File Attributes to the Search Schema” on page 369
• “DICOM Properties That Can Be Extracted As Extended Attributes” on page 370
Using DICOM File Attributes as Metadata
DICOM files contain hundreds of standard file attributes that are useful in searches.
Starting with version 3.1 Hotfix 3, recognition of DICOM files is OFF by default and
must be specifically enabled when desired. Even when recognition is enabled, only
the file type DICOM is extracted unless specific DICOM properties are selected for
extraction using extraction rules and certain configuration file settings.
Note: The IS1200 only searches DICOM file headers for their attributes; it does not
open or parse the actual image data.
Enabling DICOM File Recognition
DICOM file processing (recognition) is optional, and OFF by default. As such,
DICOM files are considered unknown-type files.
To enable recognition and handling of DICOM files,
remove the # from the beginning of the "#handleDicomFiles=1" line in
/opt/openkaz/config/parser.config:
# If set (to 1 or true), then DICOM file handling is enabled. If
# not set, files will not be checked for DICOM filetype, nor will
# DICOM metadata be extracted (they will be treated as UNKNOWN).
#handleDicomFiles=1
Note: Do this on each node of the cluster. Normally, selecting what attributes are
processed is done using extraction rules, but since initial file recognition is
done during basic classification (when extraction rules do not apply), DICOM
file recognition must be controlled through configuration files.
Selecting the DICOM Properties to Extract
Once recognition is enabled, do the following to select the DICOM properties to
extract and to set up DICOM file attribute classification:
1. Edit the file /opt/openkaz/config/parser.config to set
skipProperities=FALSE.
2. Edit the file /opt/openkaz/config/parser.config on each node to
uncomment and set:
DicomProperties=<list_of_DicomProperties_to_classify>
The list should be separated by commas, for example:
DicomProperties=DICOMPatientsName,DICOMPatientID,DICOMStudyDate
to collect only the three DICOM properties in the list above.
3. Edit the Search Index to add the desired DICOM attributes; see the following
section for details.
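The parser.config settings from the steps above can be checked on each node before a classification is run. The script below is an added example, not Kazeon code: it assumes parser.config holds plain key=value lines with # comments, and the function names cfg_get and dicom_audit are hypothetical. It also notes DICOMPatient* entries, because those place patient identifiers in the search index, and it flags lines without "=" such as the tail of a list that was pasted with a line wrap.

```shell
#!/bin/sh
# Added example (not vendor code): audit the DICOM settings described above
# in a parser.config-style file. Assumes key=value lines with '#' comments.

# cfg_get FILE KEY: print the value of the last uncommented KEY=value line.
cfg_get() {
    awk -v k="$2" '
        /^[ \t\r]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", val)
            if (key == k) { out = val; found = 1 }
        }
        END { if (found) print out }
    ' "$1"
}

# dicom_audit FILE: print findings; the return status is the number of problems.
dicom_audit() {
    da_file=$1
    da_problems=0

    # Recognition stays OFF unless handleDicomFiles is uncommented and 1/true.
    da_v=$(cfg_get "$da_file" handleDicomFiles | tr '[:upper:]' '[:lower:]')
    case $da_v in
        1|true) echo "OK   handleDicomFiles=$da_v" ;;
        *) echo "FAIL handleDicomFiles not enabled (DICOM files treated as UNKNOWN)"
           da_problems=$((da_problems + 1)) ;;
    esac

    # Step 1 of the procedure (key spelled exactly as printed in the guide).
    da_v=$(cfg_get "$da_file" skipProperities | tr '[:upper:]' '[:lower:]')
    if [ "$da_v" = "false" ]; then
        echo "OK   skipProperities=FALSE"
    else
        echo "FAIL skipProperities is not FALSE"
        da_problems=$((da_problems + 1))
    fi

    # Step 2: DicomProperties must be a comma-separated list of DICOM* names.
    da_props=$(cfg_get "$da_file" DicomProperties)
    if [ -z "$da_props" ]; then
        echo "FAIL DicomProperties is unset or empty"
        da_problems=$((da_problems + 1))
    fi
    da_ifs=$IFS; IFS=,; set -f
    for da_p in $da_props; do
        case $da_p in
            *[!A-Za-z0-9]*)
                echo "FAIL bad entry '$da_p' (spaces or punctuation in name)"
                da_problems=$((da_problems + 1)) ;;
            DICOMPatient*)
                echo "NOTE $da_p puts a patient identifier into the search index" ;;
            DICOM?*) ;;
            *)
                echo "FAIL bad entry '$da_p' (expected a DICOM* property name)"
                da_problems=$((da_problems + 1)) ;;
        esac
    done
    set +f; IFS=$da_ifs

    # A non-comment line without '=' is usually the tail of a wrapped value.
    da_stray=$(awk '
        /^[ \t\r]*#/ { next }
        /^[ \t\r]*$/ { next }
        index($0, "=") == 0 { printf "%s%d", sep, NR; sep = "," }
    ' "$da_file")
    if [ -n "$da_stray" ]; then
        echo "FAIL line(s) $da_stray have no '=': value probably wrapped onto a new line"
        da_problems=$((da_problems + 1))
    fi

    return "$da_problems"
}

# Constructed sample: the property list was pasted with a line wrap in it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real appliance config
handleDicomFiles=1
skipProperities=FALSE
DicomProperties=DICOMPatientsName,DICOMPatientID,DICOMStudyD
ate
EOF
dicom_audit "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run it against a copy of /opt/openkaz/config/parser.config from each node; a return status of 0 means all three settings are in place and no stray lines were found.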
Adding DICOM File Attributes to the Search Schema
The Kazeon Information Server can extract most of the standard DICOM file
attributes as metadata. To make these attributes searchable, each attribute you want to
search by must be added to the Search Index, and then a deep classification must be
run. For example, to be able to search by the DICOM tag
DICOMTableTopEccentricAxisDistance, enter the following in the CLI:
set schema DICOMTable.TopEccentricAxisDistance attributes string,indexed
and then run a deep classification.
After the classification finishes, the tag DICOMTableTopEccentricAxisDistance
will be available in the standard search index.
DICOM Properties That Can Be Extracted As Extended Attributes
The following is a list of all DICOM tags that can be added to the search index:
DICOMAccessionNumber
DICOMAcquisitionContextDescription
DICOMAcquisitionContextSequence
DICOMAcquisitionDate
DICOMAcquisitionDeviceProcessingCode
DICOMAcquisitionDeviceProcessingDescription
DICOMAcquisitionGroupLength
DICOMAcquisitionMatrix
DICOMAcquisitionNumber
DICOMAcquisitionsinStudy
DICOMAcquisitionStartCondition
DICOMAcquisitionStartConditionData
DICOMAcquisitionTerminationCondition
DICOMAcquisitionTerminationConditionData
DICOMAcquisitionTime
DICOMActionTypeID
DICOMActiveSourceDiameter
DICOMActiveSourceLength
DICOMActualFrameDuration
DICOMActualHumanPerformersSequence
DICOMAdditionalDrugSequence
DICOMAdditionalPatientHistory
DICOMAdministrationRouteCodeSequence
DICOMAdmissionID
DICOMAdmittingDate
DICOMAdmittingDiagnosesDescription
DICOMAdmittingDiagnosisCodeSequence
DICOMAdmittingTime
DICOMAffectedSOPClassUID
DICOMAffectedSOPInstanceUID
DICOMAirKermaRateReferenceDate
DICOMAirKermaRateReferenceTime
DICOMAnatomicRegionModifierSequence
DICOMAnatomicRegionSequence
DICOMAnatomicStructureSpaceorRegionSequence
DICOMAngioFlag
DICOMAngularPosition
DICOMAngularStep
DICOMAngularViewVector
DICOMAnnotationContentSequence
DICOMAnnotationDisplayFormatID
DICOMAnnotationFlag
DICOMAnnotationPosition
DICOMAnodeTargetMaterial
DICOMApplicableFrameRange
DICOMApplicationSetupManufacturer
DICOMApplicationSetupName
DICOMApplicationSetupNumber
DICOMApplicationSetupSequence
DICOMApplicationSetupType
DICOMApplicatorDescription
DICOMApplicatorID
DICOMApplicatorSequence
DICOMApplicatorType
DICOMApprovalStatus
DICOMAttenuationCorrectionMethod
DICOMAttributeIdentifierList
DICOMAudioComments
DICOMAudioSampleData
DICOMAudioSampleFormat
DICOMAudioType
DICOMAveragePulseWidth
DICOMAxialAcceptance
DICOMAxialMash
DICOMAxisLabels
DICOMAxisUnits
DICOMBasicColorImageSequence
DICOMBasicGrayscaleImageSequence
DICOMBeamDescription
DICOMBeamDose
DICOMBeamDoseSpecificationPoint
DICOMBeamLimitingDeviceAngle
DICOMBeamLimitingDeviceAngleTolerance
DICOMBeamLimitingDevicePositionSequence
DICOMBeamLimitingDevicePositionTolerance
DICOMBeamLimitingDeviceRotationDirection
DICOMBeamLimitingDeviceSequence
DICOMBeamLimitingDeviceToleranceSequence
DICOMBeamMeterset
DICOMBeamName
DICOMBeamNumber
DICOMBeamSequence
DICOMBeamType
DICOMBeatRejectionFlag
DICOMBillingItemSequence
DICOMBillingProcedureStepSequence
DICOMBillingSuppliesandDevicesSequence
DICOMBiPlaneAcquisitionSequence
DICOMBitsAllocated
DICOMBitsStored
DICOMBlockData
DICOMBlockDivergence
DICOMBlockName
DICOMBlockNumber
DICOMBlockNumberofPoints
DICOMBlockSequence
DICOMBlockThickness
DICOMBlockTransmission
DICOMBlockTrayID
DICOMBlockType
DICOMBluePaletteColorLookupTableData
DICOMBluePaletteColorLookupTableDescriptor
DICOMBodyPartExamined
DICOMBodyPartThickness
DICOMBorderDensity
DICOMBrachyAccessoryDeviceID
DICOMBrachyAccessoryDeviceName
DICOMBrachyAccessoryDeviceNominalThickness
DICOMBrachyAccessoryDeviceNominalTransmission
DICOMBrachyAccessoryDeviceNumber
DICOMBrachyAccessoryDeviceSequence
DICOMBrachyAccessoryDeviceType
DICOMBrachyApplicationSetupDose
DICOMBrachyApplicationSetupDoseSpecificationPoint
DICOMBrachyControlPointSequence
DICOMBrachyReferencedDoseReferenceSequence
DICOMBrachyTreatmentTechnique
DICOMBrachyTreatmentType
DICOMBranchofService
DICOMBurnedInAnnotation
DICOMCalibrationDataSequence
DICOMCalibrationImage
DICOMCardiacNumberofImages
DICOMCassetteOrientation
DICOMCassetteSize
DICOMCenterofCircularCollimator
DICOMCenterofCircularShutter
DICOMCenterofRotationOffset
DICOMChannelLength
DICOMChannelNumber
DICOMChannelSequence
DICOMChannelShieldID
DICOMChannelShieldName
DICOMChannelShieldNominalThickness
DICOMChannelShieldNominalTransmission
DICOMChannelShieldNumber
DICOMChannelShieldSequence
DICOMChannelTotalTime
DICOMCineRate
DICOMCodeMeaning
DICOMCodeValue
DICOMCodingSchemeDesignator
DICOMCoincidenceWindowWidth
DICOMCollationFlag
DICOMCollimatorgridName
DICOMCollimatorLeftVerticalEdge
DICOMCollimatorLowerHorizontalEdge
DICOMCollimatorRightVerticalEdge
DICOMCollimatorShape
DICOMCollimatorType
DICOMCollimatorUpperHorizontalEdge
DICOMColorImagePrintingFlag
DICOMColumnAngulation
DICOMColumns
DICOMCommandField
DICOMCommentsonRadiationDose
DICOMCommentsonthePerformedProcedureSteps
DICOMCommentsontheScheduledProcedureStep
DICOMCompensatorColumns
DICOMCompensatorID
DICOMCompensatorNumber
DICOMCompensatorPixelSpacing
DICOMCompensatorPosition
DICOMCompensatorRows
DICOMCompensatorSequence
DICOMCompensatorThicknessData
DICOMCompensatorTransmissionData
DICOMCompletionFlag
DICOMCompletionFlagDescription
DICOMCompressionForce
DICOMConceptCodeSequence
DICOMConceptNameCodeSequence
DICOMConfidentialityCode
DICOMConfidentialityConstraintonPatientDataDescription
DICOMConfigurationInformation
DICOMConstraintWeight
DICOMContentSequence
DICOMContentTemplateSequence
DICOMContinuityOfContent
DICOMContourData
DICOMContourGeometricType
DICOMContourImageSequence
DICOMContourOffsetVector
DICOMContourSequence
DICOMContourSlabThickness
DICOMContrastAllergies
DICOMContrastBolusAdministrationRouteSequence
DICOMContrastBolusAgent
DICOMContrastBolusAgentSequence
DICOMContrastBolusIngredient
DICOMContrastBolusIngredientConcentration
DICOMContrastBolusRoute
DICOMContrastBolusStartTime
DICOMContrastBolusStopTime
DICOMContrastBolusTotalDose
DICOMContrastBolusVolume
DICOMContrastFlowDurations
DICOMContrastFlowRates
DICOMContrastFrameAveraging
DICOMControlPoint3DPosition
DICOMControlPointIndex
DICOMControlPointRelativePosition
DICOMControlPointSequence
DICOMConversionType
DICOMConvolutionKernel
DICOMCoordinateStartValue
DICOMCoordinateStepValue
DICOMCorrectedImage
DICOMCountRate
DICOMCountryofResidence
DICOMCountsAccumulated
DICOMCountsIncluded
DICOMCountsSource
DICOMCranialThermalIndex
DICOMCreationDate
DICOMCreationTime
DICOMCumulativeDoseReferenceCoefficient
DICOMCumulativeMetersetWeight
DICOMCumulativeTimeWeight
DICOMCurrentPatientLocation
DICOMCurrentRequestedProcedureEvidenceSequence
DICOMCurveDataDescriptor
DICOMCurveDataOW
DICOMCurveDate
DICOMCurveDescription
DICOMCurveDimensions
DICOMCurveLabel
DICOMCurveNumber
DICOMCurveRange
DICOMCurveTime
DICOMDataCollectionDiameter
DICOMDataInformationSequence
DICOMDataSetTrailingPadding
DICOMDataSetType
DICOMDataValueRepresentation
DICOMDate
DICOMDateofLastCalibration
DICOMDateOfLastDetectorCalibration
DICOMDateofSecondaryCapture
DICOMDateTime
DICOMdBdt
DICOMDeadTimeCorrectionFlag
DICOMDeadTimeFactor
DICOMDecayCorrection
DICOMDecayFactor
DICOMDeliveryMaximumDose
DICOMDeliveryWarningDose
DICOMDepthofScanField
DICOMDerivationDescription
DICOMDestinationAE
DICOMDetectorActivationOffsetFromExposure
DICOMDetectorActiveDimensions
DICOMDetectorActiveOringin
DICOMDetectorActiveShape
DICOMDetectorActiveTime
DICOMDetectorBinning
DICOMDetectorConditionsNominalFlag
DICOMDetectorConfiguration
DICOMDetectorDescription
DICOMDetectorElementPhysicalSize
DICOMDetectorElementSize
DICOMDetectorElementSpacing
DICOMDetectorID
DICOMDetectorInformationSequence
DICOMDetectorLinesofResponseUsed
DICOMDetectorMode
DICOMDetectorPrimaryAngle
DICOMDetectorSecondaryAngle
DICOMDetectorTemperature
DICOMDetectorTimeSinceLastExposure
DICOMDetectorType
DICOMDetectorVector
DICOMDeviceDescription
DICOMDeviceDiameter
DICOMDeviceDiameterUnits
DICOMDeviceLength
DICOMDeviceSequence
DICOMDeviceSerialNumber
DICOMDeviceVolume
DICOMDigitalImageFormatAcquired
DICOMDirectoryRecordSequence
DICOMDirectoryRecordType
DICOMDischargeDate
DICOMDischargeDiagnosisCodeSequence
DICOMDischargeDiagnosisDescription
DICOMDischargeTime
DICOMDistanceSourcetoDetector
DICOMDistanceSourcetoEntrance
DICOMDistanceSourcetoPatient
DICOMDistanceSourcetoSupport
DICOMDistributionAddress
DICOMDistributionName
DICOMDopplerCorrectionAngle
DICOMDopplerSampleVolumeXPosition
DICOMDopplerSampleVolumeYPosition
DICOMDoseCalibrationFactor
DICOMDoseComment
DICOMDoseGridScaling
DICOMDoseRateSet
DICOMDoseReferenceDescription
DICOMDoseReferenceNumber
DICOMDoseReferencePointCoordinates
DICOMDoseReferenceSequence
DICOMDoseReferenceStructureType
DICOMDoseReferenceType
DICOMDoseSummationType
DICOMDoseType
DICOMDoseUnits
DICOMDoseValue
DICOMDVHData
DICOMDVHDoseScaling
DICOMDVHMaximumDose
DICOMDVHMeanDose
DICOMDVHMinimumDose
DICOMDVHNormalizationDoseValue
DICOMDVHNormalizationPoint
DICOMDVHNumberofBins
DICOMDVHReferencedROISequence
DICOMDVHROIContributionType
DICOMDVHSequence
DICOMDVHType
DICOMDVHVolumeUnits
DICOMEchoNumbers
DICOMEchoTime
DICOMEchoTrainLength
DICOMEffectiveSeriesDuration
DICOMEmptyImageDensity
DICOMEndCumulativeMetersetWeight
DICOMEnergyWindowInformationSequence
DICOMEnergyWindowLowerLimit
DICOMEnergyWindowName
DICOMEnergyWindowNumber
DICOMEnergyWindowRangeSequence
DICOMEnergyWindowUpperLimit
DICOMEnergyWindowVector
DICOMEntranceDose
DICOMErrorComment
DICOMErrorID
DICOMEstimatedRadiographicMagnificationFactor
DICOMEthnicGroup
DICOMEventElapsedTimes
DICOMEventTimerNames
DICOMEventTypeID
DICOMExecutionStatus
DICOMExecutionStatusInfo
DICOMExposedArea
DICOMExposure
DICOMExposureControlMode
DICOMExposureControlModeDescription
DICOMExposureinuAs
DICOMExposureSequence
DICOMExposuresOnDetectorSinceLastCalibration
DICOMExposuresOnDetectorSinceManufactured
DICOMExposuresonPlate
DICOMExposureStatus
DICOMExposureTime
DICOMFailedSOPInstanceUIDList
DICOMFailedSOPSequence
DICOMFailureReason
DICOMFieldofViewDimensions
DICOMFieldOfViewHorizontalFlip
DICOMFieldOfViewOrigin
DICOMFieldOfViewRotation
DICOMFieldofViewShape
DICOMFileInformationGroupLength
DICOMFileMetaInformationVersion
DICOMFilesetConsistencyFlag
DICOMFilesetDescriptorFileID
DICOMFilesetID
DICOMFillerOrderNumberORImagingServiceRequest
DICOMFillerOrderNumberORImagingServiceRequest
DICOMFillerOrderNumberProcedure
DICOMFilmBoxContentSequence
DICOMFilmConsumptionSequence
DICOMFilmDestination
DICOMFilmOrientation
DICOMFilmSessionLabel
DICOMFilmSizeID
DICOMFilterMaterial
DICOMFilterThicknessMaximum
DICOMFilterThicknessMinimum
DICOMFilterType
DICOMFinalCumulativeMetersetWeight
DICOMFinalCumulativeTimeWeight
DICOMFixationDeviceDescription
DICOMFixationDeviceLabel
DICOMFixationDevicePosition
DICOMFixationDeviceSequence
DICOMFixationDeviceType
DICOMFlipAngle
DICOMFocalDistance
DICOMFocalSpots
DICOMFocusDepth
DICOMFractionGroupNumber
DICOMFractionGroupSequence
DICOMFractionNumber
DICOMFractionPattern
DICOMFrameDelay
DICOMFrameIncrementPointer
DICOMFrameNumbersofInterest
DICOMFrameofReferenceRelationshipSequence
DICOMFrameofReferenceTransformationComment
DICOMFrameofReferenceTransformationMatrix
DICOMFrameofReferenceTransformationType
DICOMFrameofReferenceUID
DICOMFrameReferenceTime
DICOMFramesofInterestDescription
DICOMFrameTime
DICOMFrameTimeVector
DICOMFramingType
DICOMGantryAngle
DICOMGantryAngleTolerance
DICOMGantryDetectorSlew
DICOMGantryDetectorTilt
DICOMGantryRotationDirection
DICOMGatedInformationSequence
DICOMGeneratorPower
DICOMGraphicData
DICOMGraphicType
DICOMGreenPaletteColorLookupTableData
DICOMGreenPaletteColorLookupTableDescriptor
DICOMGrid
DICOMGridAbsorbingMaterial
DICOMGridAspectRatio
DICOMGridFocalDistance
DICOMGridFrameOffsetVector
DICOMGridPeriod
DICOMGridPitch
DICOMGridSpacingMaterial
DICOMGridThickness
DICOMHalfValueLayer
DICOMHardcopyCreationDeviceID
DICOMHardcopyDeviceManufacturer
DICOMHardcopyDeviceSoftwareVersion
DICOMHardcopyDevManufactModelName
DICOMHeartRate
DICOMHighBit
DICOMHighRRValue
DICOMHistogramBinWidth
DICOMHistogramData
DICOMHistogramExplanation
DICOMHistogramFirstBinValue
DICOMHistogramLastBinValue
DICOMHistogramNumberOfBins
DICOMHistogramSequence
DICOMHumanPerformerCodeSequence
DICOMHumanPerformersName
DICOMHumanPerformersOrganization
DICOMIconImageSequence
DICOMIdenticalDocumentsSequence
DICOMIdentifyingGroupLength
DICOMIllumination
DICOMImageAreaDoseProduct
DICOMImageBoxContentSequence
DICOMImageBoxPresentationLUTFlag
DICOMImageComments
DICOMImageContentDate
DICOMImageContentTime
DICOMImageDisplayFormat
DICOMImagedNucleus
DICOMImageFrameOrigin
DICOMImageID
DICOMImageIndex
DICOMImageLaterality
DICOMImageOrientationPatient
DICOMImageOverlayBoxContentSequence
DICOMImageOverlayFlag
DICOMImagePlanePixelSpacing
DICOMImagePosition
DICOMImagePositionPatient
DICOMImagePresentationGroupLength
DICOMImagerPixelSpacing
DICOMImagesinAcquisition
DICOMImageTransformationMatrix
DICOMImageTranslationVector
DICOMImageType
DICOMImagingDeviceSpecificAcquisitionParameters
DICOMImagingFrequency
DICOMImagingServiceRequestComments
DICOMImplantPresent
DICOMImplementationClassUID
DICOMImplementationVersionName
DICOMImpressions
DICOMInstanceCreationDate
DICOMInstanceCreationTime
DICOMInstanceCreatorUID
DICOMInstanceNumber
DICOMInstitutionAddress
DICOMInstitutionalDepartmentName
DICOMInstitutionCodeSequence
DICOMInstitutionName
DICOMIntensifierSize
DICOMIntermarkerDistance
DICOMInterpretationApprovalDate
DICOMInterpretationApprovalTime
DICOMInterpretationApproverSequence
DICOMInterpretationAuthor
DICOMInterpretationDiagnosisCodeSequence
DICOMInterpretationDiagnosisDescription
DICOMInterpretationID
DICOMInterpretationIDIssuer
DICOMInterpretationRecordedDate
DICOMInterpretationRecordedTime
DICOMInterpretationRecorder
DICOMInterpretationStatusID
DICOMInterpretationText
DICOMInterpretationTranscriber
DICOMInterpretationTranscriptionDate
DICOMInterpretationTranscriptionTime
DICOMInterpretationTypeID
DICOMIntervalsAcquired
DICOMIntervalsRejected
DICOMInterventionalStatus
DICOMInterventionalTherapySequence
DICOMInterventionDrugCodeSequence
DICOMInterventionDrugDose
DICOMInterventionDrugInformationSequence
DICOMInterventionDrugName
DICOMInterventionDrugStartTime
DICOMInterventionDrugStopTime
DICOMInversionTime
DICOMIsocenterPosition
DICOMIssueDateofImagingServiceRequest
DICOMIssuerofAdmissionID
DICOMIssuerofPatientID
DICOMIssueTimeofImagingServiceRequest
DICOMKVP
DICOMLargestImagePixelValue
DICOMLargestImagePixelValueinPlane
DICOMLargestPixelValueinSeries
DICOMLastMenstrualDate
DICOMLaterality
DICOMLeafJawPositions
DICOMLeafPositionBoundaries
DICOMLookupTableNumber
DICOMLossyImageCompression
DICOMLossyImageCompressionRatio
DICOMLowRRValue
DICOMLUTDataUSor
DICOMLUTDescriptor
DICOMLUTExplanation
DICOMMagneticFieldStrength
DICOMMagnificationType
DICOMManufacturer
DICOMManufacturersModelName
DICOMMaskFrameNumbers
DICOMMaskOperation
DICOMMaskOperationExplanation
DICOMMaskPointers
DICOMMaskSubpixelShift
DICOMMaskSubtractionSequence
DICOMMaterialID
DICOMMaxDensity
DICOMMaximumCoordinateValue
DICOMMeasuredValueSequence
DICOMMeasurementUnitsCodeSequence
DICOMMeasuringUnitsSequence
DICOMMechanicalIndex
DICOMMediaStorageSOPClassUID
DICOMMediaStorageSOPInstanceUID
DICOMMedicalAlerts
DICOMMedicalRecordLocator
DICOMMediumType
DICOMMemoryAllocation
DICOMMessageID
DICOMMessageIDBeingRespondedTo
DICOMMetersetExposure
DICOMMilitaryRank
DICOMMinDensity
DICOMMinimumCoordinateValue
DICOMModalitiesinStudy
DICOMModality
DICOMModalityLUTSequence
DICOMModalityLUTType
DICOMMoveDestination
DICOMMoveOriginatorApplicationEntityTitle
DICOMMoveOriginatorMessageID
DICOMMRAcquisitionType
DICOMMRDRDirectoryRecordOffset
DICOMNameofPhysiciansReadingStudy
DICOMNamesofIntendedRecipientsofResults
DICOMNominalBeamEnergy
DICOMNominalInterval
DICOMNominalPriorDose
DICOMNormalizationPoint
DICOMNumberofAverages
DICOMNumberofBeams
DICOMNumberofBlocks
DICOMNumberofBoli
DICOMNumberofBrachyApplicationSetups
DICOMNumberofChannels
DICOMNumberofCompensators
DICOMNumberofCompletedSuboperations
DICOMNumberofContourPoints
DICOMNumberofControlPoints
DICOMNumberofCopies
DICOMNumberofDetectors
DICOMNumberofEnergyWindows
DICOMNumberofEventTimers
DICOMNumberofFailedSuboperations
DICOMNumberofFilms
DICOMNumberofFractionsPerDay
DICOMNumberofFractionsPlanned
DICOMNumberofFrames
DICOMNumberofFramesinOverlay
DICOMNumberofFramesinPhase
DICOMNumberofFramesinRotation
DICOMNumberofLeafJawPairs
DICOMNumberofPatientRelatedImages
DICOMNumberofPatientRelatedSeries
DICOMNumberofPatientRelatedStudies
DICOMNumberofPhaseEncodingSteps
DICOMNumberofPhases
DICOMNumberofPoints
DICOMNumberofPulses
DICOMNumberofReferences
DICOMNumberofRemainingSuboperations
DICOMNumberofRotations
DICOMNumberofRRIntervals
DICOMNumberofSamples
DICOMNumberofSeriesRelatedImages
DICOMNumberofSlices
DICOMNumberofStages
DICOMNumberofStudyRelatedImages
DICOMNumberofStudyRelatedSeries
DICOMNumberofTableBreakPoints
DICOMNumberofTableEntries
DICOMNumberofTemporalPositions
DICOMNumberofTimeSlices
DICOMNumberofTimeSlots
DICOMNumberOfTomoSynthesisSourceImages
DICOMNumberofTriggersinPhase
DICOMNumberofViewsinStage
DICOMNumberofWarningSuboperations
DICOMNumberofWedges
DICOMNumericValue
DICOMObservationDateTime
DICOMObservationNumber
DICOMOccupation
DICOMOffendingElement
DICOMOffsetofReferencedLowerLevelDirectoryEntity
DICOMOffsetoftheFirstDirectoryRecordoftheRootDirectoryEntity
DICOMOffsetoftheLastDirectoryRecordoftheRootDirectoryEntity
DICOMOffsetoftheNextDirectoryRecord
DICOMOperatorsName
DICOMOrderCallbackPhoneNumber
DICOMOrderEnteredBy
DICOMOrderEnterersLocation
DICOMOrganatRiskFullvolumeDose
DICOMOrganatRiskLimitDose
DICOMOrganatRiskMaximumDose
DICOMOrganatRiskOverdoseVolumeFraction
DICOMOrganDose
DICOMOrganExposed
DICOMOriginalImageSequence
DICOMOriginator
DICOMOtherPatientIDs
DICOMOtherPatientNames
DICOMOtherStudyNumbers
DICOMOutputPower
DICOMOverlayBitPosition
DICOMOverlayBitsAllocated
DICOMOverlayColumns
DICOMOverlayData
DICOMOverlayDate
DICOMOverlayDescription
DICOMOverlayForegroundDensity
DICOMOverlayLabel
DICOMOverlayMagnificationType
DICOMOverlayMode
DICOMOverlayNumber
DICOMOverlayOrigin
DICOMOverlayPlaneOrigin
DICOMOverlayPlanes
DICOMOverlayRows
DICOMOverlaySmoothingType
DICOMOverlaySubtype
DICOMOverlayTime
DICOMOverlayType
DICOMOwnerID
DICOMPaletteColorLookupTableUID
DICOMPatientAdditionalPosition
DICOMPatientComments
DICOMPatientGantryRelationshipCodeSequence
DICOMPatientGroupLength
DICOMPatientID
DICOMPatientOrientation
DICOMPatientOrientationCodeSequence
DICOMPatientOrientationModifierCodeSequence
DICOMPatientOtherEvidenceSequence
DICOMPatientPosition
DICOMPatientsAddress
DICOMPatientsAge
DICOMPatientsBirthDate
DICOMPatientsBirthName
DICOMPatientsBirthTime
DICOMPatientSetupNumber
DICOMPatientSetupSequence
DICOMPatientsInstitutionResidence
DICOMPatientsInsurancePlanCodeSequence
DICOMPatientsMothersBirthName
DICOMPatientsName
DICOMPatientsPrimaryLanguageCodeSequence
DICOMPatientsPrimaryLanguageModifierCodeSequence
DICOMPatientsReligiousPreference
DICOMPatientsSex
DICOMPatientsSize
DICOMPatientState
DICOMPatientsTelephoneNumbers
DICOMPatientSupportAngle
DICOMPatientSupportAngleTolerance
DICOMPatientSupportRotationDirection
DICOMPatientsWeight
DICOMPatientTransportArrangements
DICOMPauseBetweenFrames
DICOMPercentPhaseFieldofView
DICOMPercentSampling
DICOMPerformedActionItemSequence
DICOMPerformedLocation
DICOMPerformedProcedureStepDescription
DICOMPerformedProcedureStepEndDate
DICOMPerformedProcedureStepEndTime
DICOMPerformedProcedureStepID
DICOMPerformedProcedureStepStartDate
DICOMPerformedProcedureStepStartTime
DICOMPerformedProcedureStepStatus
DICOMPerformedProcedureTypeDescription
DICOMPerformedProcessingApplicationsCodeSequence
DICOMPerformedSeriesSequence
DICOMPerformedStationAETitle
DICOMPerformedstationGeographicLocationCodesequence
DICOMPerformedStationName
DICOMPerformedStationNameCodeSequence
DICOMPerformingPhysiciansName
DICOMPerformProcedureCodeSequence
DICOMPersonName
DICOMPhaseDelay
DICOMPhaseEncodingDirection
DICOMPhaseInformationSequence
DICOMPhaseVector
DICOMPhosphorType
DICOMPhotometricInterpretation
DICOMPhototimerSetting
DICOMPhysicalDeltaX
DICOMPhysicalDeltaY
DICOMPhysicalUnitsXDirection
DICOMPhysicalUnitsYDirection
DICOMPhysicianApprovingInterpretation
DICOMPhysiciansofRecord
DICOMPixelAspectRatio
DICOMPixelBandwidth
DICOMPixelComponentDataType
DICOMPixelComponentMask
DICOMPixelComponentOrganization
DICOMPixelComponentPhysicalUnits
DICOMPixelComponentRangeStart
DICOMPixelComponentRangeStop
DICOMPixelData
DICOMPixelDataGroupLength
DICOMPixelIntensityRelationship
DICOMPixelIntensityRelationshipSign
DICOMPixelPaddingValue
DICOMPixelRepresentation
DICOMPixelSpacing
DICOMPlacerOrderNumberORImagingServiceRequest
DICOMPlacerOrderNumberORImagingServiceRequest
DICOMPlacerOrderNumberProcedure
DICOMPlanarConfiguration
DICOMPlanes
DICOMPlannedVerificationImageSequence
DICOMPlateID
DICOMPlateType
DICOMPolarity
DICOMPositionerMotion
DICOMPositionerPrimaryAngle
DICOMPositionerPrimaryAngleIncrement
DICOMPositionerSecondaryAngle
DICOMPositionerSecondaryAngleIncrement
DICOMPositionerType
DICOMPositionReferenceIndicator
DICOMPostprocessingFunction
DICOMPredecessorDocumentsSequence
DICOMPreferredPlaybackSequencing
DICOMPregnancyStatus
DICOMPreMedication
DICOMPrescriptionDescription
DICOMPresentationIntentType
DICOMPresentationLUTContentSequence
DICOMPresentationLUTFlag
DICOMPresentationLUTSequence
DICOMPresentationLUTShape
DICOMPrimaryAnatomicStructureModifierSequence
DICOMPrimaryAnatomicStructureSequence
DICOMPrimaryDosimeterUnit
DICOMPrimaryPromptsCountsAccumulated
DICOMPrinterCharacteristicsSequence
DICOMPrinterName
DICOMPrinterStatus
DICOMPrinterStatusInfo
DICOMPrintJobDescriptionSequence
DICOMPrintJobID
DICOMPrintManagementCapabilitiesSequence
DICOMPrintPriority
DICOMPrintQueueID
DICOMPriority
DICOMPrivateInformation
DICOMPrivateInformationCreatorUID
DICOMPrivateRecordUID
DICOMPrivateSchemeCreatorUID
DICOMProcedureCodeSequence
DICOMProcessingFunction
DICOMProjectionEponymousNameCodeSequence
DICOMProposedStudySequence
DICOMProtocolName
DICOMPulseRepetitionFrequency
DICOMPulseRepetitionInterval
DICOMPVCRejection
DICOMQualityControlImage
DICOMQuantity
DICOMQuantitySequence
DICOMQueryRetrieveLevel
DICOMQueueStatus
DICOMRadialPosition
DICOMRadiationMachineName
DICOMRadiationMachineSAD
DICOMRadiationMachineSSD
DICOMRadiationMode
DICOMRadiationSetting
DICOMRadiationType
DICOMRadionuclideCodeSequence
DICOMRadionuclideHalfLife
DICOMRadionuclidePositronFraction
DICOMRadionuclideTotalDose
DICOMRadiopharmaceutical
DICOMRadiopharmaceuticalCodeSequence
DICOMRadiopharmaceuticalInformationSequence
DICOMRadiopharmaceuticalRoute
DICOMRadiopharmaceuticalSpecificActivity
DICOMRadiopharmaceuticalStartTime
DICOMRadiopharmaceuticalStopTime
DICOMRadiopharmaceuticalVolume
DICOMRadiusofCircularCollimator
DICOMRadiusofCircularShutter
DICOMRandomsCorrectionMethod
DICOMReasonforStudy
DICOMReasonfortheImagingServiceRequest
DICOMReasonfortheRequestedProcedure
DICOMReceivingCoil
DICOMRecognitionCode
DICOMRecommendedDisplayFrameRate
DICOMRecommendedViewingMode
DICOMReconstructionDiameter
DICOMReconstructionMethod
DICOMRecordInuseFlag
DICOMRectificationType
DICOMRedPaletteColorLookupTableData
DICOMRedPaletteColorLookupTableDescriptor
DICOMReferenceAirKermaRate
DICOMReferencedBasicAnnotationBoxSequence
DICOMReferencedBeamNumber
DICOMReferencedBeamSequence
DICOMReferencedBlockNumber
DICOMReferencedBolusSequence
DICOMReferencedBrachyApplicationSetupNumber
DICOMReferencedBrachyApplicationSetupSequence
DICOMReferencedCompensatorNumber
DICOMReferencedContentItemIdentifier
DICOMReferencedControlPointIndex
DICOMReferencedCurveSequence
DICOMReferencedDateTime
DICOMReferencedDoseReferenceNumber
DICOMReferencedDoseReferenceSequence
DICOMReferencedDoseSequence
DICOMReferencedFileID
DICOMReferencedFilmBoxSequence
DICOMReferencedFilmSessionSequence
DICOMReferencedFractionGroupNumber
DICOMReferencedFractionGroupSequence
DICOMReferencedFrameNumber
DICOMReferencedFrameNumbers
DICOMReferencedFrameofReferenceSequence
DICOMReferencedFrameofReferenceUID
DICOMReferencedImageBoxSequence
DICOMReferencedImageOverlayBoxSequence
DICOMReferencedImageSequence
DICOMReferencedInterpretationSequence
DICOMReferencedOverlayGroup
DICOMReferencedOverlayPlaneGroups
DICOMReferencedOverlayPlaneSequence
DICOMReferencedOverlaySequence
DICOMReferencedOverlaySequence
DICOMReferencedPatientAliasSequence
DICOMReferencedPatientSequence
DICOMReferencedPatientSetupNumber
DICOMReferencedPresentationLUTSequence
DICOMReferencedPrintJobSequence
DICOMReferencedProcedureStepSequence
DICOMReferencedReferenceImageNumber
DICOMReferencedReferenceImageSequence
DICOMReferencedRequestSequence
DICOMReferencedResultsSequence
DICOMReferencedROINumber
DICOMReferencedRTPlanSequence
DICOMReferencedSamplePositions
DICOMReferencedSeriesSequence
DICOMReferencedSOPClassUID
DICOMReferencedSOPClassUIDinFile
DICOMReferencedSOPInstanceUID
DICOMReferencedSOPInstanceUIDinFile
DICOMReferencedSOPSequence
DICOMReferencedSourceNumber
DICOMReferencedStandaloneSOPInstanceSequence
DICOMReferencedStoredPrintSequence
DICOMReferencedStructureSetSequence
DICOMReferencedStudyComponentSequence
DICOMReferencedStudySequence
DICOMReferencedTimeOffsets
DICOMReferencedToleranceTableNumber
DICOMReferencedTransferSyntaxUIDinFile
DICOMReferencedVerificationImageSequence
DICOMReferencedVisitSequence
DICOMReferencedVOILUTBoxSequence
DICOMReferencedWaveformChannels
DICOMReferencedWedgeNumber
DICOMReferenceImageNumber
DICOMReferencePixelPhysicalValueX
DICOMReferencePixelPhysicalValueY
DICOMReferencePixelX0
DICOMReferencePixelY0
DICOMReferencetoRecordedSound
DICOMReferringPhysiciansAddress
DICOMReferringPhysiciansName
DICOMReferringPhysiciansTelephoneNumbers
DICOMReflectedAmbientLight
DICOMRegionDataType
DICOMRegionFlags
DICOMRegionLocationMaxX1
DICOMRegionLocationMaxY1
DICOMRegionLocationMinX0
DICOMRegionLocationMinY0
DICOMRegionofResidence
DICOMRegionSpatialFormat
DICOMRelatedFrameofReferenceUID
DICOMRelatedRTROIObservationsSequence
DICOMRelationshipGroupLength
DICOMRelationshipType
DICOMRelativeXrayExposure
DICOMRepeatFractionCycleLength
DICOMRepetitionTime
DICOMReportedValuesOrigin
DICOMReportingPriority
DICOMRepresentativeFrameNumber
DICOMReprojectionMethod
DICOMRequestAttributesSequence
DICOMRequestedContrastAgent
DICOMRequestedImageSize
DICOMRequestedProcedureCodeSequence
DICOMRequestedProcedureCodeSequence
DICOMRequestedProcedureComments
DICOMRequestedProcedureDescription
DICOMRequestedProcedureDescription
DICOMRequestedProcedureID
DICOMRequestedProcedureLocation
DICOMRequestedProcedurePriority
DICOMRequestedSOPClassUID
DICOMRequestedSOPInstanceUID
DICOMRequestingPhysician
DICOMRequestingService
DICOMRescaleIntercept
DICOMRescaleSlope
DICOMRescaleType
DICOMResidualSyringeCounts
DICOMResultsComments
DICOMResultsDistributionListSequence
DICOMResultsID
DICOMResultsIDIssuer
DICOMRetrieveAETitle
DICOMReviewDate
DICOMReviewerName
DICOMReviewTime
DICOMROIArea
DICOMROIContourSequence
DICOMROIDescription
DICOMROIDisplayColor
DICOMROIGenerationAlgorithm
DICOMROIGenerationDescription
DICOMROIInterpreter
DICOMROIMean
DICOMROIName
DICOMROINumber
DICOMROIObservationDescription
DICOMROIObservationLabel
DICOMROIPhysicalPropertiesSequence
DICOMROIPhysicalProperty
DICOMROIPhysicalPropertyValue
DICOMROIStandardDeviation
DICOMROIVolume
DICOMRotationDirection
DICOMRotationInformationSequence
DICOMRotationVector
DICOMRouteofAdmissions
DICOMRows
DICOMRRIntervalVector
DICOMRTBeamLimitingDeviceType
DICOMRTDoseROISequence
DICOMRTImageDescription
DICOMRTImageLabel
DICOMRTImageName
DICOMRTImageOrientation
DICOMRTImagePlane
DICOMRTImagePosition
DICOMRTImageSID
DICOMRTPlanDate
DICOMRTPlanDescription
DICOMRTPlanGeometry
DICOMRTPlanLabel
DICOMRTPlanName
DICOMRTPlanRelationship
DICOMRTPlanTime
DICOMRTReferencedSeriesSequence
DICOMRTReferencedStudySequence
DICOMRTRelatedROISequence
DICOMRTROIIdentificationCodeSequence
DICOMRTROIInterpretedType
DICOMRTROIObservationsSequence
DICOMRTROIRelationship
DICOMRWavePointer
DICOMSampleRate
DICOMSamplesperPixel
DICOMSAR
DICOMScanArc
DICOMScanLength
DICOMScanningSequence
DICOMScanOptions
DICOMScanVelocity
DICOMScatterCorrectionMethod
DICOMScatterFractionFactor
DICOMScheduledActionItemCodeSequence
DICOMScheduledAdmissionDate
DICOMScheduledAdmissionTime
DICOMScheduledDischargeDate
DICOMScheduledDischargeTime
DICOMScheduledPatientInstitutionResidence
DICOMScheduledPerformingPhysiciansName
DICOMScheduledProcedureStepDescription
DICOMScheduledProcedureStepEndDate
DICOMScheduledProcedureStepEndTime
DICOMScheduledProcedureStepID
DICOMScheduledProcedureStepLocation
DICOMScheduledProcedureStepSequence
DICOMScheduledProcedureStepStartDate
DICOMScheduledProcedureStepStartTime
DICOMScheduledProcedureStepStatus
DICOMScheduledStationAETitle
DICOMScheduledStationName
DICOMScheduledStepAttributesSequence
DICOMScheduledStudyLocation
DICOMScheduledStudyLocationAETitles
DICOMScheduledStudyStartDate
DICOMScheduledStudyStartTime
DICOMScheduledStudyStopDate
DICOMScheduledStudyStopTime
DICOMSecondaryCaptureDeviceID
DICOMSecondaryCaptureDeviceManufacturer
DICOMSecondaryCaptureDeviceManufacturersModelName
DICOMSecondaryCaptureDeviceSoftwareVersions
DICOMSecondaryCountsAccumulated
DICOMSecondaryCountsType
DICOMSegmentedBluePaletteColorLookupTableData
DICOMSegmentedGreenPaletteColorLookupTableData
DICOMSegmentedRedPaletteColorLookupTableData
DICOMSensitivity
DICOMSequenceName
DICOMSequenceofUltrasoundRegions
DICOMSequenceVariant
DICOMSeriesDate
DICOMSeriesDescription
DICOMSeriesInstanceUID
DICOMSeriesinStudy
DICOMSeriesNumber
DICOMSeriesTime
DICOMSeriesType
DICOMSetupDeviceDescription
DICOMSetupDeviceLabel
DICOMSetupDeviceParameter
DICOMSetupDeviceSequence
DICOMSetupDeviceType
DICOMSetupReferenceDescription
DICOMSetupTechnique
DICOMSetupTechniqueDescription
DICOMShieldingDeviceDescription
DICOMShieldingDeviceLabel
DICOMShieldingDevicePosition
DICOMShieldingDeviceSequence
DICOMShieldingDeviceType
DICOMShutterLeftVerticalEdge
DICOMShutterLowerHorizontalEdge
DICOMShutterRightVerticalEdge
DICOMShutterShape
DICOMShutterUpperHorizontalEdge
DICOMSkipBeats
DICOMSlantAngle
DICOMSliceLocation
DICOMSliceSensitivityFactor
DICOMSliceThickness
DICOMSliceVector
DICOMSmallestImagePixelValue
DICOMSmallestImagePixelValueinPlane
DICOMSmallestPixelValueinSeries
DICOMSmokingStatus
DICOMSmoothingType
DICOMSoftTissuefocusThermalIndex
DICOMSoftTissuesurfaceThermalIndex
DICOMSoftTissueThermalIndex
DICOMSoftwareVersion
DICOMSOPClassUID
DICOMSOPInstanceUID
DICOMSourceApplicationEntityTitle
DICOMSourceApplicatorID
DICOMSourceApplicatorLength
DICOMSourceApplicatorManufacturer
DICOMSourceApplicatorName
DICOMSourceApplicatorNumber
DICOMSourceApplicatorStepSize
DICOMSourceApplicatorType
DICOMSourceApplicatorWallNominalThickness
DICOMSourceApplicatorWallNominalTransmission
DICOMSourceAxisDistance
DICOMSourceEncapsulationNominalThickness
DICOMSourceEncapsulationNominalTransmission
DICOMSourceImageSequence
DICOMSourceIsotopeHalfLife
DICOMSourceIsotopeName
DICOMSourceManufacturer
DICOMSourceMovementType
DICOMSourceNumber
DICOMSourceSequence
DICOMSourcetoBeamLimitingDeviceDistance
DICOMSourcetoBlockTrayDistance
DICOMSourcetoCompensatorTrayDistance
DICOMSourcetoReferenceObjectDistance
DICOMSourcetoSurfaceDistance
DICOMSourcetoWedgeTrayDistance
DICOMSourceType
DICOMSpacingBetweenSlices
DICOMSpatialResolution
DICOMSpecialNeeds
DICOMSpecificCharacterSet
DICOMSpecificCharacterSetofFilesetDescriptorFile
DICOMStageName
DICOMStageNumber
DICOMStartAngle
DICOMStartCumulativeMetersetWeight
DICOMStartTrim
DICOMStationName
DICOMStatus
DICOMSteeringAngle
DICOMStopTrim
DICOMStorageMediaFilesetID
DICOMStorageMediaFilesetUID
DICOMStructureSetDate
DICOMStructureSetDescription
DICOMStructureSetLabel
DICOMStructureSetName
DICOMStructureSetROISequence
DICOMStructureSetTime
DICOMStudyArrivalDate
DICOMStudyArrivalTime
DICOMStudyComments
DICOMStudyCompletionDate
DICOMStudyCompletionTime
DICOMStudyComponentStatusID
DICOMStudyDate
DICOMStudyDescription
DICOMStudyID
DICOMStudyIDIssuer
DICOMStudyInstanceUID
DICOMStudyPriorityID
DICOMStudyReadDate
DICOMStudyReadTime
DICOMStudyStatusID
DICOMStudyTime
DICOMStudyVerifiedDate
DICOMStudyVerifiedTime
DICOMSurfaceEntryPoint
DICOMSyringeCounts
DICOMTableAngle
DICOMTableHeight
DICOMTableLateralIncrement
DICOMTableLongitudinalIncrement
DICOMTableMotion
DICOMTableofParameterValues
DICOMTableofPixelValues
DICOMTableofXBreakPoints
DICOMTableofYBreakPoints
DICOMTableTopEccentricAngle
DICOMTableTopEccentricAngleTolerance
DICOMTableTopEccentricAxisDistance
DICOMTableTopEccentricRotationDirection
DICOMTableTopLateralPosition
DICOMTableTopLateralPositionTolerance
DICOMTableTopLateralSetupDisplacement
DICOMTableTopLongitudinalPosition
DICOMTableTopLongitudinalPositionTolerance
DICOMTableTopLongitudinalSetupDisplacement
DICOMTableTopVerticalPosition
DICOMTableTopVerticalPositionTolerance
DICOMTableTopVerticalSetupDisplacement
DICOMTableTraverse
DICOMTableType
DICOMTableVerticalIncrement
DICOMTargetMaximumDose
DICOMTargetMinimumDose
DICOMTargetPrescriptionDose
DICOMTargetUnderdoseVolumeFraction
DICOMTemplateExtensionCreatorUID
DICOMTemplateExtensionFlag
DICOMTemplateExtensionOrganizationUID
DICOMTemplateIdentifier
DICOMTemplateLocalVersion
DICOMTemplateName
DICOMTemplateNumber
DICOMTemplateType
DICOMTemplateVersion
DICOMTemporalPositionIdentifier
DICOMTemporalRangeType
DICOMTemporalResolution
DICOMTextString
DICOMTextValue
DICOMTherapyDescription
DICOMTherapyType
DICOMThermalIndex
DICOMThresholdDensity
DICOMTIDOffset
DICOMTime
DICOMTimeofLastCalibration
DICOMTimeOfLastDetectorCalibration
DICOMTimeofSecondaryCapture
DICOMTimeSliceVector
DICOMTimeSlotInformationSequence
DICOMTimeSlotTime
DICOMTimeSlotVector
DICOMTMLinePositionX0
DICOMTMLinePositionX1
DICOMTMLinePositionY0
DICOMTMLinePositionY1
DICOMToleranceTableLabel
DICOMToleranceTableNumber
DICOMToleranceTableSequence
DICOMTomoAngle
DICOMTomoClass
DICOMTomoLayerHeight
DICOMTomoTime
DICOMTomoType
DICOMTopicAuthor
DICOMTopicKeyWords
DICOMTopicSubject
DICOMTopicTitle
DICOMTotalBlockTrayFactor
DICOMTotalCompensatorTrayFactor
DICOMTotalNumberofExposures
DICOMTotalReferenceAirKerma
DICOMTotalTime
DICOMTotalTimeofFluoroscopy
DICOMTransactionUID
DICOMTransducerData
DICOMTransducerFrequency
DICOMTransducerOrientationModifierSequence
DICOMTransducerOrientationSequence
DICOMTransducerPositionModifierSequence
DICOMTransducerPositionSequence
DICOMTransducerType
DICOMTransferSyntaxUID
DICOMTransferTubeLength
DICOMTransferTubeNumber
DICOMTransmittingCoil
DICOMTransverseMash
DICOMTreatmentDeliveryType
DICOMTreatmentIntent
DICOMTreatmentMachineName
DICOMTreatmentMachineSequence
DICOMTreatmentProtocols
DICOMTreatmentSites
DICOMTriggerSourceorType
DICOMTriggerTime
DICOMTriggerVector
DICOMTriggerWindow
DICOMTrim
DICOMTypeofData
DICOMTypeofDetectorMotion
DICOMTypeofFilters
DICOMUID
DICOMUltrasoundColorDataPresent
DICOMUnits
DICOMValueType
DICOMVariableFlipAngleFlag
DICOMVerificationDateTime
DICOMVerificationFlag
DICOMVerifyingObserverIdentificationCodeSequence
DICOMVerifyingObserverName
DICOMVerifyingObserverSequence
DICOMVerifyingOrganization
DICOMVerticesofthePolygonalCollimator
DICOMVerticesofthePolygonalShutter
DICOMVideoImageFormatAcquired
DICOMViewCodeSequence
DICOMViewModifierCodeSequence
DICOMViewNumber
DICOMViewPosition
DICOMVisitComments
DICOMVisitStatusID
DICOMVOILUTSequence
DICOMWedgeAngle
DICOMWedgeFactor
DICOMWedgeID
DICOMWedgeNumber
DICOMWedgeOrientation
DICOMWedgePosition
DICOMWedgePositionSequence
DICOMWedgeSequence
DICOMWedgeType
DICOMWholeBodyTechnique
DICOMWindowCenter
DICOMWindowCenterWidthExplanation
DICOMWindowWidth
DICOMXFocusCenter
DICOMXRayImageReceptorAngle
DICOMXRayOutput
DICOMXrayTubeCurrent
DICOMYFocusCenter
DICOMZoomCenter
DICOMZoomFactor
Appendix J:
Server Security Certificates
This appendix explains how the Kazeon Information Server uses a security certificate
to ensure secure communications between Web-Search and the Kazeon IS1200, and
how to respond to the warning messages this certificate may generate when
encountered by new browsers like Internet Explorer 7.
Topics include:
- “Why Security Certificates are Used on the IS1200”
- “Security Options”
- “Installing SSL and a New Certificate on the IS1200”
- “Turning SSL Off on the IS1200”
Why Security Certificates are Used on the IS1200
To ensure the security of communications between Web-Admin, Web-Search, and
Web-Reports and the IS1200 server, Kazeon requires Secure Sockets Layer (SSL)
communications in standard installation configurations. SSL may be turned off if not
required.
SSL requires a server to have a unique security certificate installed containing the
encryption keys necessary to secure the communications between the server and the
web applications. Security certificates can be self-generated, or obtained from Trusted
Certificate Authorities. Certificates obtained from Trusted Certificate Authorities are
easily authenticated using standard software services routinely available in most
modern operating systems. Self-generated certificates may be problematic because
browsers cannot routinely authenticate them.
In new installations, the Kazeon installer installs both SSL and a self-generated
security certificate to automatically provide minimal security. This certificate can be
replaced with a user-supplied certificate from a Trusted Certificate Authority.
Security Certificate Warning Messages
Many newer browsers—like Microsoft’s Internet Explorer 7—automatically generate
warning messages if they cannot routinely authenticate a security certificate provided
by a server. The warnings look similar to those shown below:
Security Options
If warnings appear (like those above), there are three basic options to deal with them.
1. Simply ignore the warnings. The web applications will function normally but the
warnings will appear each time the web application log in screen is accessed.
2. Replace the self generated certificate with a unique certificate purchased from a
Trusted Certificate Authority. The new certificate will not generate any further
warnings. Each cluster node will require its own certificate.
3. Turn SSL off. The certificates will then be ignored; however, communication
security is no longer assured.
Installing SSL and a New Certificate on the IS1200
1. Obtain the following information required to install SSL:
   - SSL identifier. This could be the product name, for instance IS1200.
     This identifier will become the alias for the genkey.
   - Full server name, or qualified IP name
     (for instance Kazeon.local, or kazeon.com, …etc.)
   - Organizational Unit
     (for instance Engineering, IT,…etc.)
   - Organizational name
     (for instance the name of your company)
2. Log in as root.
3. Rename the existing .keystore file located at /root as a backup. If SSL
installation fails, use this file to restore .keystore.
4. Generate a new keystore for the IS1200:
(The entries shown after each prompt below are made by root, and should be replaced
with answers specific to your location.)
Enter the following command:
[sysprompt]# keytool -genkey -alias KazeonIS1200 -keyalg RSA
Note: The alias “KazeonIS1200” is case sensitive and must be entered exactly as shown.
Note: The keytool is located at: /usr/java/latest/bin/keytool
The user is prompted to enter the following information:
Enter keystore password: changeit <your password>
What is your first and last name?
  [Unknown]: kazeon.local <your domain name>
What is the name of your organizational unit?
  [Unknown]: Engineering
What is the name of your organization?
  [Unknown]: Kazeon
What is the name of your City or Locality?
  [Unknown]: Mountain View
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN= kazeon.local, OU=Engineering, O=Kazeon, L=Mountain View, ST=CA, C=US correct?
  [no]: yes
5. Create a certificate request.
Enter the following command:
[sysPrompt]# keytool -certreq -keyalg RSA -alias KazeonIS1200 -file certReqestFile.crt
Note: The alias “KazeonIS1200” is case sensitive and must be entered exactly as shown.
The command stores the Certificate Request information in the file
certReqestFile.crt as a text block that begins with
-----BEGIN NEW CERTIFICATE REQUEST----- and ends with
-----END NEW CERTIFICATE REQUEST-----.
This file can be used to buy a certificate from a Certificate Authority.
6. Buy the certificate from a Certificate Authority (CA) using the CSR just
generated.
Browse to, and complete an SSL Certificate buying form from a valid agency
such as:
   - www.verisign.com
   - www.digicert.com
   - www.instantssl.com
The following screenshot was taken using www.instantssl.com
The text information, from the file created in the step above, was pasted into the
first circled field above.
Note:
The request above is for an INTRAnet certificate.
After the Certificate Request is placed, the CA returns a zip file by email
containing the certificate and instructions on how to install it.
7. Install the certificate.
After buying a certificate, you receive zip files and instructions on how to install
the certificate. For instance, in response to the request above, 3 files were required
to install the certificate. Use the steps below to install the certificate:
a. [sysprompt]# keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt
b. [sysprompt]# keytool -import -trustcacerts -alias Inter -file UTNAddTrustServerCA.crt
c. [sysprompt]# keytool -import -trustcacerts -alias KazeonIS1200 -file kazeon_local.crt
Note: The alias “KazeonIS1200” is case sensitive and must be entered exactly as shown.
8. Restart the Tomcat Server.
Before restarting Tomcat, the process must first be killed using its pid. Use the
steps below:
a. [root@kazeonbox root]# ps -ef | grep tomcat
b. [root@kazeonbox root]# kill <pid>
   (where <pid> is the Tomcat process ID listed by step a)
c. Restart tomcat by invoking the following command:
   [root@kazeonbox root]# service kaztomcat start
Turning SSL Off on the IS1200
To turn SSL (security) off for Web-Search, do the following:
1. Log in as root to the production server.
2. Open the web.xml file located at /opt/tomcat/webapps/ROOT/WEB-INF
3. Comment out the entire <security-constraint> section.
This is what the code looks like before adding comments:
<jsp-config>
  <taglib>
    <taglib-uri>
      http://www.kazeon.com/webui/search-taglib
    </taglib-uri>
    <taglib-location>
      /WEB-INF/tld/search-taglib.tld
    </taglib-location>
  </taglib>
  <taglib>
    <taglib-uri>http://jakarta.apache.org/taglibs/string-1.1</taglib-uri>
    <taglib-location>/WEB-INF/tld/taglibs-string.tld</taglib-location>
  </taglib>
</jsp-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<session-config>
  <session-timeout>60</session-timeout>
</session-config>
Here is the code after comments:
(The markers “<!--” and “-->” are the XML commenting indicators.)
<jsp-config>
  <taglib>
    <taglib-uri>
      http://www.kazeon.com/webui/search-taglib
    </taglib-uri>
    <taglib-location>
      /WEB-INF/tld/search-taglib.tld
    </taglib-location>
  </taglib>
  <taglib>
    <taglib-uri>http://jakarta.apache.org/taglibs/string-1.1</taglib-uri>
    <taglib-location>/WEB-INF/tld/taglibs-string.tld</taglib-location>
  </taglib>
</jsp-config>
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->
<session-config>
  <session-timeout>60</session-timeout>
</session-config>
4. Restart Tomcat
Command: kaztomcat restart
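The following is an added example, not part of the Kazeon guide or product: a Python check that reports whether a web.xml still enforces the CONFIDENTIAL transport guarantee on /*, which is the setting the procedure above disables. The <web-app> wrapper and the SSL_ON / SSL_OFF samples are constructed from the fragment shown above; the function names are hypothetical.

```python
"""Audit a Tomcat web.xml for an active HTTPS-only security constraint."""
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop any "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def confidential_patterns(web_xml_text):
    """Return the URL patterns protected by transport-guarantee CONFIDENTIAL.

    ElementTree discards XML comments while parsing, so a constraint wrapped
    in <!-- ... --> contributes nothing, which is how the container sees it.
    """
    root = ET.fromstring(web_xml_text)
    patterns = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        guarantees = [
            (g.text or "").strip().upper()
            for udc in _children(constraint, "user-data-constraint")
            for g in _children(udc, "transport-guarantee")
        ]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for coll in _children(constraint, "web-resource-collection"):
            # An <http-method> list limits the constraint to those methods,
            # so it does not count as protecting the whole pattern.
            if _children(coll, "http-method"):
                continue
            patterns += [(p.text or "").strip()
                         for p in _children(coll, "url-pattern")]
    return patterns


def https_enforced_everywhere(web_xml_text):
    """True only when the whole application ("/*") requires SSL."""
    return "/*" in confidential_patterns(web_xml_text)


# Constructed samples: the page's fragment wrapped in a minimal <web-app>.
CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
"""
TAIL = "<session-config><session-timeout>60</session-timeout></session-config>"
SSL_ON = "<web-app>" + CONSTRAINT + TAIL + "</web-app>"
SSL_OFF = "<web-app><!--" + CONSTRAINT + "-->" + TAIL + "</web-app>"

if __name__ == "__main__":
    for label, text in (("before edit", SSL_ON), ("after edit", SSL_OFF)):
        state = "enforced" if https_enforced_everywhere(text) else "NOT enforced"
        print("%-12s HTTPS %s" % (label, state))
```

Run against the real /opt/tomcat/webapps/ROOT/WEB-INF/web.xml by reading the file and passing its text to https_enforced_everywhere.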
Appendix K:
Setup Requirements for Windows Laptops, Desktops, and Servers
This appendix describes the setup and settings required for Windows laptops,
desktops, USB drives connected to laptops or desktops, and standard servers that
allow them to be discovered, registered, and classified by the IS1200.
Additionally, it discusses optional setup for laptops and desktops that can be used to
ensure that locked or open files are also classified when crawling laptops and
desktops.
Topics include:
- “Overview of Setup Requirements for Laptops and Desktops”
  - “WINS Setup Requirements”
  - “File Access Requirements”
  - “Windows Operating System Requirements”
- “WINS Setup Procedures”
  - “WINS Setup for Laptops and Desktops”
  - “WINS Setup for the IS1200”
- “Overview of Setup Requirements for Laptops and Desktops”
  - “Windows XP Settings”
  - “Windows Vista Settings”
  - “Active Directory Settings for Windows XP”
  - “References for Windows Servers 2008 and Windows Vista”
- “Preparing Laptops and Desktops To Access Open Files”
- “Registering and Classifying USB Repositories”
Overview of Setup Requirements for Laptops and Desktops
To register, classify, and work with Windows systems like laptops, desktops, or
servers, these Windows systems and the IS1200 must both be properly configured to
use the Windows Internet Naming Service (WINS).
[Figure: three Forest/Domain/Sub-Domain blocks, each containing WINS, AD, and DHCP.
Callouts: “Configured for all WINS servers in all forests, etc.” and “Configured to
register with WINS in whatever forest/domain it boots in.”]
Additionally, there are access requirements and Windows operating system
requirements, all described below.
Note:
Starting with version 4.3.0, the System Services monitor controls all services and
jobs, including Actionable Services, on laptops and desktops and is capable of
starting, pausing, and restarting jobs as necessary as these systems connect and
disconnect from the network.
WINS Setup Requirements
WINS is a Microsoft implementation of the IBM NetBIOS Name Service. The WINS
Server provides a central mapping of all hostnames (NetBIOS Names) to IP addresses.
Configuring a Windows laptop or desktop to register with a WINS Server allows the
laptop or desktop to be referenced by other services (like the IS1200) using the laptop
or desktop’s NetBIOS name.
To be registered and classified by the IS1200, laptops or desktops must be configured
to automatically register themselves with DHCP to obtain an IP address. The DHCP
server automatically contacts a WINS server, and has that WINS server record the
new IP address with the laptop’s NetBIOS name. Configuring a laptop for WINS is
covered in “WINS Setup for Laptops and Desktops” on page 392.
When the laptop is registered as a data repository with the IS1200, the IS1200 records
the laptop’s NetBIOS name. When the IS1200 needs to find the laptop for
classification, it can send that NetBIOS name to the WINS server and get back the
laptop’s current IP address. As long as the IS1200 can access every WINS server the
laptop might connect to, it can find the laptop, no matter what forest, domain, or
subdomain the laptop is in. This means the IS1200 must be configured with all the
possible WINS server names the laptop might use. WINS server setup for the IS1200
is covered in “WINS Setup for the IS1200” on page 392.
Note:
If a laptop or desktop that is registered as a data repository and actively being
classified is ungracefully removed from the network (crashes, loses power, has
the network cable removed, etc.), the IS1200 will pause the classification job as
soon as the connection loss is detected. However, it can take WINS 30 minutes or
longer to detect when that connection problem is corrected and allow the IS1200
to resume the classification.
File Access Requirements
Besides the WINS setup, the laptop and desktop’s firewalls and network settings must
be configured to allow the IS1200 privileges to access and classify those systems.
On the IS1200, the IS1200 must have a username and password with which to access
the directories and files on the laptops and desktops before it can discover, register, or
classify them. Usually this is an Administrator’s or Backup Operator’s username and
password. (See “Repository Registration and Management” on page 79 for details
about discovering or registering repositories, and “Job Scheduling and Classification
Services” on page 165 for more details about classification services).
This username and password are encrypted and stored in the IS1200 Identity Vault as
an identity. (See “The Identity Vault” on page 73 for details about identities.) This
identity is associated with a server, laptop, or desktop when it is registered as a data
repository, and used by the IS1200 whenever they are classified.
Before attempting to work with any Windows machine, be sure you have an
appropriate identity stored in the IS1200 Identity Vault.
Windows Operating System Requirements
Additionally, various firewall settings and other system parameters must be set in
specific ways so Windows servers, laptops, or desktops allow the IS1200 access (do
not ignore network connections and communications from the IS1200). These settings
are different for Windows XP and Vista. The configuration steps may change if the
machine in question has been joined to an Active Directory (AD) domain, depending
on how the Domain Administrator has configured the domain. For example, there may
be a Group Policy Object (GPO) defined that already enables file sharing.
Generally, for Windows XP and Vista, preparing a machine to be crawled by the
IS1200 involves the following preparation on the Windows machine:
1. Enable the Administrator account. The Administrator account must be enabled to
allow crawling of the "hidden" shares, C$, D$, etc.
2. Enable File sharing.
3. Open Firewall Settings. By default, neither XP nor Vista opens firewall settings
enough for complete IS1200 access even when File Sharing is enabled.
WARNING!
All procedures described in this appendix assume the user making the changes has
administrative privileges on the machine in question.
WINS Setup Procedures
Proper WINS configuration is required by both the Windows laptops and desktops
that are to be registered as data repositories with the IS1200.
WINS Setup for Laptops and Desktops
Refer to the following Microsoft Knowledge Base article for the required WINS setup
for laptops and desktops:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_gclb.mspx?mfr=true
WINS Setup for the IS1200
The IS1200 must also be configured to automatically register itself with at least one
WINS server. If the laptops or other systems that will be classified will regularly move
between network forests or domains, then all the WINS servers from all those forests or
domains must be registered.
The IS1200 must be configured for WINS using a dhcp-prefix. For example, if your
system administrators have all DHCP enabled computers prefixed under DNS using
“dhcp-”, then the IS1200’s dhcp-prefix should also be configured using the prefix
“dhcp-”.
This involves updating the IS1200 Configuration. Example values for WINS server
and dhcp-prefix are given below.
winsserver = 10.10.130.240,10.10.130.243
(Comma-separated IP addresses of the WINS servers in the network)
dhcp-prefix = dhcp-
(Laptops’ DHCP addresses are resolved as dhcp-<name>, so the dhcp-prefix is set
to “dhcp-”.)
Do the following on the leader node (only) to configure the IS1200 for winsserver and
dhcp-prefix:
1. Log in to the leader node as root.
2. Stop the cluster.
3. Run kaz_setup.pl
A screen similar to the following appears:
4. At the prompt “Choose (1-14) from menu?” enter 11 and press Enter.
The screen responds:
The following WINS Server is configured UNDEFINED. Do you want to keep it ([Y]/n)?
5. Enter N and press Enter.
The screen responds:
Set WINS Server Name (Fully Qualified Name or IP address[comma separated if more than one]) ?
6. Enter a comma separated list of FQNs or IPs for your WINS servers, and press
Enter. (Enter all WINS servers that registered laptops might connect to.)
The screen returns to the main menu above.
7. At the prompt “Choose (1-14) from menu?” enter 12 and press Enter.
The screen responds:
Dhcp-prefix is configured UNDEFINED. Do you want to keep it ([Y]/n)?
8. Enter N and press Enter.
The screen responds:
Set Dhcp-prefix ?
9. Enter dhcp- and press Enter.
The screen returns to the main menu above.
10. Use option 16 to Save Changes and Exit, and the node reboots automatically.
Alternatively, you can configure the winsserver and dhcp-prefix values using CLI
commands by doing the following:
1. Log in to the leader node as admin.
2. Enter the command:
set discoveryconfig param winsserver value <comma separated list of winservers ip addresses>
The screen responds:
OK
[220] Successfully updated configuration winsserver = <your winsserver list>
3. Enter the command:
pbmclient1.kazeon.local> set discoveryconfig param dhcp-prefix value "dhcp-"
The screen responds:
OK
[220] Successfully updated configuration dhcp-prefix = dhcp-
4. Optionally, verify your WINS configuration using the first verification process in
the next section.
Verifying WINS Server and DHCP-Prefix Configuration
To verify your WINS server setup,
issue the following command as admin from the CLI:
show discoveryconfig
The screen responds:
winsserver
----------
<your winsserver list>
dhcp-prefix
-----------
dhcp-
To verify if a given laptop resolves properly using WINS,
issue the following command as root from the CLI:
nmblookup -U <WINS SERVER> -R <NETBIOS NAME OF LAPTOP>
This generates a listing similar to the following:
nmblookup -U 10.10.130.240 -R T43SHK
querying T43SHK on 10.10.130.240
10.10.110.125 T43SHK<00>
To verify a laptop NetBIOS name,
issue the following command as root from the CLI:
nmblookup -A <ipaddress of laptop>
This generates a listing similar to the following:
nmblookup -A 10.10.110.125
Looking up status of 10.10.110.125
    T43SHK          <00>             M <ACTIVE>
    T43SHK          <20>             M <ACTIVE>
    WORKGROUP       <00> - <GROUP>   M <ACTIVE>
    WORKGROUP       <1e> - <GROUP>   M <ACTIVE>
    WORKGROUP       <1d>             M <ACTIVE>
    ..__MSBROWSE__. <01> - <GROUP>   M <ACTIVE>
    MAC Address = 00-05-9A-3C-78-00
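The two nmblookup checks above can be combined, as in this added example (not part of the Kazeon guide or product): it confirms that the address WINS returns for a laptop is held by a host that itself reports the same NetBIOS name, including the <20> file-server name the IS1200 connects to with its stored identity. The sample outputs reuse the page's values in nmblookup's usual column layout; the OTHERPC output is constructed, and the function names are hypothetical.

```python
"""Cross-check `nmblookup -U <wins> -R <name>` against `nmblookup -A <ip>`."""
import re

# "10.10.110.125 T43SHK<00>"
_RESOLVE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+?)<([0-9a-fA-F]{2})>$")
# "    T43SHK          <00> -         M <ACTIVE>"  (the "-" is optional here)
_STATUS = re.compile(
    r"^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+(?:-\s+)?(<GROUP>\s+)?[A-Z]\s+<ACTIVE>")


def resolved_ips(resolve_output, name):
    """Addresses the WINS server returned for the name's <00> record."""
    ips = []
    for line in resolve_output.splitlines():
        m = _RESOLVE.match(line.strip())
        if m and m.group(2).upper() == name.upper() and m.group(3) == "00":
            ips.append(m.group(1))
    return ips


def unique_names(status_output):
    """Map name suffix -> set of unique (non-group) names the host reports."""
    names = {}
    for line in status_output.splitlines():
        m = _STATUS.match(line)
        if m and not m.group(3):
            names.setdefault(m.group(2).lower(), set()).add(m.group(1).upper())
    return names


def check_repository(name, resolve_output, status_output):
    """Return a list of problems; an empty list means WINS and host agree."""
    problems = []
    if not resolved_ips(resolve_output, name):
        problems.append("WINS returned no address for %s" % name)
    names = unique_names(status_output)
    if name.upper() not in names.get("00", set()):
        problems.append(
            "host does not report %s<00>; WINS record may be stale" % name)
    if name.upper() not in names.get("20", set()):
        problems.append(
            "host does not report %s<20>; file sharing is not registered" % name)
    return problems


# Sample outputs: values from the page, layout constructed.
RESOLVE_SAMPLE = """querying T43SHK on 10.10.130.240
10.10.110.125 T43SHK<00>
"""
STATUS_SAMPLE = """Looking up status of 10.10.110.125
\tT43SHK          <00> -         M <ACTIVE>
\tT43SHK          <20> -         M <ACTIVE>
\tWORKGROUP       <00> - <GROUP> M <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> M <ACTIVE>
\tWORKGROUP       <1d> -         M <ACTIVE>
\t..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>

\tMAC Address = 00-05-9A-3C-78-00
"""
# Constructed: the same address now answers as a different machine.
STALE_STATUS = STATUS_SAMPLE.replace("T43SHK", "OTHERPC")

if __name__ == "__main__":
    for label, status in (("current", STATUS_SAMPLE), ("stale", STALE_STATUS)):
        print(label, check_repository("T43SHK", RESOLVE_SAMPLE, status) or "OK")
```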
Laptop/Desktop Setup Procedures for XP and Vista
The following sections detail the settings required by Windows XP and Vista and the
Network setup scenarios.
Windows XP Settings
To prepare a Windows server, laptop, or desktop system running Windows XP for
discovery or classification, the following setup is required:
- EITHER, use the Windows Firewall control panel to ensure the device has:
  - Firewall ports open for TCP – 139, 445, and UDP – 137, 138, OR
  - Allows traffic from the Kazeon Server IP address (or cluster nodes)
  OR
  Turn off the Windows XP Firewall in the Firewall control panel.
- Before registering laptops or desktops as data repositories, open a Windows
  Explorer window on the laptop or desktop and “uncheck”
  Explorer-Tools-Folder Options-View-Use simple file sharing
  for the drive being registered.
- If laptop or desktop CD, DVD, or other removable volumes (pluggable USB or
  Firewire drives for example), are to be discovered and crawled, they must first be
  “shared” by the host system from the device’s Properties panel Sharing tab.
  Select either Maximum Allowed (recommended), or set Allow this number of
  users to twice the number of cluster nodes plus the number that was already there.
- Enable File and Printer Sharing for Microsoft Networks in network properties.
a. Select Control Panel > Network Connections > Any listed network
and right-click the network and select Properties.
A network connection properties dialog appears:
b. Check the File and Printer Sharing for Microsoft Networks box.
c. Repeat steps a and b above for all network connections on this computer.
- Restart the Computer Browser service
a. Right-click My Computer and select Manage
(from either the Start Menu or your desktop).
b. Double-click Services under the Services and Applications heading.
c. Select Computer Browser Services and close the window.
d. Click the Start (or Restart) link to make sure the service is started.
Windows Vista Settings
To prepare a Vista server, laptop, or desktop system for discovery or classification, the
system user or administrator must do one of the following:
Enabling the Administrator Account
Windows Vista is typically installed with the Administrator account disabled. Before
the IS1200 can crawl “hidden” shares, the Administrator account must be enabled.
Enable the Administrator account from the "Command Prompt" as Administrator.
1. Click the Windows "Start" icon.
2. If "Command Prompt" is already listed (left below), go to step #3.
If it is not listed, select Start->All Programs->Accessories to display the
Accessories menu. Command Prompt will be one of the Accessory choices.
3. Right-click Command Prompt and select Run as administrator from the
drop-down menu.
4. When the command prompt window appears, enter the following:
net user Administrator /active:yes
5. And then, set a password for the Administrator account:
net user Administrator <password>
(Note that <password> does not display when typed)
Enable File Sharing
File sharing is enabled using the Vista "Network and Sharing Center" control panel.
Also, you will need to note which Profile is in effect. In the screen shots, the "Private
Network" profile is being used.
1. Open the Control Panel.
2. Double-click the Network and Sharing Center icon.
3. Click the icon to the right of File Sharing to expand those settings.
4. Click Turn on File Sharing.
5. Click the Apply button.
6. Answer affirmatively to any dialogs warning about enabling file sharing.
7. Note that the Network (Private network) Profile is in effect in the dialog above.
The Firewall Settings in the next section must be applied to the same profile.
Opening Firewall Settings
The default Windows Vista firewall settings do not allow the IS1200 to access a PC’s
exported shares. Use these instructions to open the firewall to correct this:
1. Open the Vista Control Panel.
2. Open Administrative Tools.
3. Open Windows Firewall with Advanced Security.
Note which profile is active. It should read "Private Profile is Active", as shown
below. This should match the profile noted in the previous step.
4. Select Inbound Rules (circled above) to display the following rules:
In the Inbound Rules list, enable and change the scope of the following rules by
right-clicking the rule and selecting Properties to display dialogs similar to the following:
For the File and Printer Sharing Echo Request - ICMPv4 - In rule:
Ensure that Enabled is checked on the General tab.
From the Scope tab, make sure Local IP Address is set to Any IP Address, and Remote
IP Address is set to These IP addresses, then click the Add button to display the following:
Enter either a series of specific IS1200 server IP addresses (as shown at left above)
or a range of IS1200 server IP addresses (as shown at right above), then click OK on
the IP Address dialog, and click the Apply button when the Properties dialog returns.
Make the same changes as above to the following rules:
File and Printer Sharing (NB - Datagram - In)
File and Printer Sharing (NB - Name - In)
File and Printer Sharing (NB - Session - In)
File and Printer Sharing (SMB - In)
WARNING!
For security purposes, apply the least permissive IP permissions possible to the Scope
tab settings. For example, do not use a range that includes IP addresses that are not
actually in use by an IS1200 server.
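One way to check a planned Scope list against the warning above before entering it in the rule dialogs. This is an added example, not part of the Kazeon guide or software: the function names are hypothetical, the addresses are constructed from the 192.0.2.0/24 documentation range, and accepting subnet (CIDR) entries goes beyond the two entry forms the guide describes.

```python
"""Audit a firewall Scope list against the IS1200 addresses actually in use."""
import ipaddress


def parse_scope_entry(entry):
    """Return (first, last) IPv4 addresses covered by one Scope entry.

    Accepts a single address, a "from-to" range, or (assumption, not in the
    guide) a CIDR subnet. Raises ValueError on malformed input.
    """
    entry = entry.strip()
    if "-" in entry:
        low, high = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if low > high:
            raise ValueError(f"range start is after range end: {entry!r}")
        return low, high
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        return net[0], net[-1]
    addr = ipaddress.IPv4Address(entry)
    return addr, addr


def audit_scope(scope_entries, is1200_addrs):
    """Compare a planned Remote IP Address scope with the real server list.

    For each entry, "excess" is the number of covered addresses that are not
    IS1200 servers. Overlapping entries are counted independently.
    """
    servers = {ipaddress.IPv4Address(a) for a in is1200_addrs}
    reached = set()
    entries = []
    for entry in scope_entries:
        low, high = parse_scope_entry(entry)
        size = int(high) - int(low) + 1
        inside = {s for s in servers if low <= s <= high}
        reached |= inside
        entries.append({
            "entry": entry,
            "size": size,
            "servers": [str(s) for s in sorted(inside)],
            "excess": size - len(inside),
        })
    return {
        "entries": entries,
        # Servers the scope would still block (crawls from them would fail).
        "unreachable": [str(s) for s in sorted(servers - reached)],
        # True only when no entry admits an address that is not a server.
        "least_permissive": all(e["excess"] == 0 for e in entries),
    }


def suggest_scope(is1200_addrs):
    """Return the tightest scope: single addresses, with runs of consecutive
    server addresses collapsed into "from-to" ranges."""
    addrs = sorted({ipaddress.IPv4Address(a) for a in is1200_addrs})
    result = []
    start = prev = None
    for addr in addrs:
        if prev is not None and int(addr) == int(prev) + 1:
            prev = addr
            continue
        if start is not None:
            result.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = addr
    if start is not None:
        result.append(str(start) if start == prev else f"{start}-{prev}")
    return result


# Constructed sample data: four IS1200 servers in the documentation range.
SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.40"]

if __name__ == "__main__":
    report = audit_scope(["192.0.2.10-192.0.2.50"], SERVERS)
    for item in report["entries"]:
        print(f'{item["entry"]}: {item["excess"]} non-IS1200 addresses admitted')
    print("Blocked servers:", report["unreachable"] or "none")
    print("Suggested scope:", ", ".join(suggest_scope(SERVERS)))
```

The same list should be used for every rule named above, since a single over-broad rule (for example SMB - In) admits the extra addresses regardless of the others.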
Active Directory Settings for Windows XP
By default, both Windows XP and Windows Vista firewalls disable file and print
sharing, and block most TCP and UDP ports. These defaults must be changed before
the IS1200 can discover, register, or crawl computers with these operating systems.
The process for this on individual computers is described above, for XP and Vista.
However, if a Windows XP or Vista computer is joined to a network through an
Active Directory (AD) server, then GPO settings imposed on the joined computer by
the AD server may change these defaults. This provides an opportunity to
automatically impose the settings required by the IS1200 using customized group
policies. This can make the discovery, registration, and classification of large numbers
of laptops or desktops far easier than manually correcting the settings on each
individual laptop or desktop.
This section describes how to use AD Group Policy to automatically configure
AD-joined XP laptops and desktops for IS1200 access. Similar procedures are used
for Windows Vista, and details may be found in “References for Windows
Servers 2008 and Windows Vista” on page 411 at the end of this appendix.
AD controllers support Windows 2000 and 2003, and Windows Server 2008.
Additionally, this section describes GPO configuration for Windows 2000 and 2003,
and Windows Server 2008 domain controllers.
AD Group Policy
AD Group Policy defines how programs and resources behave on a given user
computer system or for a particular user. It can be used to control a wide variety of
system parameters ranging from the way a desktop looks to changing the way
communications occur over a network. Specifically, the Windows Firewall Control
Panel applet allows local administrators to change firewall settings of joined laptops
and desktops.
The basic steps for deploying Windows Firewall settings for Windows XP SP2 with
Active Directory are:
• Creating a Group Policy on the Domain
• Customizing the Windows Firewall Group Policy Settings
Creating a Group Policy on the Domain
The first step is to create a Group Policy specifically to control Windows Firewall
settings. The steps below are modified from those found on the Microsoft website in
the document “Deploying TCP/IP Windows Firewall Settings With Group Policy”.
In the example below, before creating the Group Policy on the Domain, the domain
member computer is freshly installed with Windows XP Service Pack 2 (SP2). Once
SP2 has been installed, and the system rebooted, log in to the machine using a domain
account with sufficient credentials to edit the domain Group Policy (usually a domain
administrator).
Do the following to create the group policy:
1. From a newly-installed Windows XP SP 2 desktop, click Start->Run
2. In the Run dialog that appears, type mmc and click OK.
This opens a blank MMC (Microsoft Management Console) console.
3. From the File menu, select Add/Remove Snap-in.
The Add/Remove Snap-In dialog opens.
4. From the Standalone tab, click Add. The Add Standalone Snap-In dialog opens.
5. In the Add Standalone Snap-in dialog,
scroll down to the Group Policy selection, click to select it, and click Add.
The Select Group Policy Object dialog appears.
6. In the Select Group Policy Object dialog, click Browse.
The Browse for a Group Policy Object dialog opens.
7. In the Browse for a Group Policy Object dialog:
a. Click the Domains/OU tab.
b. Select the appropriate domain from the Look in: drop-down menu.
c. Click the Create New Group Policy Object button.
d. Name the new Group Policy object.
For example, call it “XP2 Firewall Settings”.
8. Click OK, Finish, Close, and then OK.
The new Group Policy object is displayed in the MMC console window.
This finishes creating a new Policy Object. Select
Computer Configuration->Administrative Templates->Network->Network
Connections->Windows Firewall, to see the settings for the Windows Firewall.
Customizing the Windows Firewall Group Policy Settings
Once the new Group Policy Object is created, the next step is to customize the firewall
settings on the object. This is done from the MMC on the newly installed XP SP2
computer, or by customizing the settings on the MMC on the AD Domain Controller.
As seen above, there are two profiles: Domain Profile and Standard Profile.
This section focuses only on the Domain Profile. While identical settings could be
used for the Standard Profile, it is advisable to "lock down" those firewall settings
because the remote installation and communication features of Executive Software
products may not be needed when laptops are out of the office and using the Standard
Profile.
Populate the Domain Profile settings with the values indicated below:
Ensure that Protect all network connections is Enabled.
Ensure Allow file and printer sharing Exceptions is Enabled.
Ensure Allow ICMP Exceptions is Enabled.
Here is how the Final Firewall Settings for the GPO should look:
The last step is to apply the policy. From the Windows command prompt,
run gpupdate to ensure the policy takes effect.
References for Windows Servers 2008 and Windows Vista
For GPO configuration with Windows Server 2008 and Vista, use the following links:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
http://technet.microsoft.com/en-us/library/bb742376.aspx#EEAA
Preparing Laptops and Desktops To Access Open Files
Some applications automatically open files they read and write to regularly, and leave
them open as long as they are running. An obvious example is Microsoft Outlook,
which opens the mail archives Outlook stores email in. These files are called personal
storage files (PST), or .pst files.
Files that are already opened by another application (like PST files) are not
ordinarily accessible by the IS1200 classifications. However, steps can be taken to
allow the IS1200 to classify these normally inaccessible files. See “Working With PST
Files” on page 153 for details.
Registering and Classifying USB Repositories
This section describes how to register and classify a USB storage device that is shared
from a laptop or desktop.
Classifying a USB Drive: Overview
Essentially, classifying a shared USB drive is no different than classifying any other
share or mountpoint. The following basic steps are involved:
1. Share the USB drive as a CIFS share on the network.
2. Register the USB drive with the IS1200.
3. Schedule a classification on the USB drive from the IS1200.
Some details for these steps are slightly different than the usual procedures for CIFS
shares on standard file servers. Those differences are described below.
Share the USB drive on the network.
To prepare a USB drive for classification, do the following:
1. Attach the USB storage device to a USB port on the laptop or desktop.
2. Turn the drive on and wait for the laptop or desktop to recognize the drive and add
it to “My Computer”. You may have to confirm various dialogs as Windows finds
and mounts the drive.
3. Share the USB drive as a CIFS share (this can only be done on Windows
platforms) by doing the following:
a. Open the My Computer window on the laptop or desktop the USB drive is
connected to.
b. Right-click the USB drive in the My Computer window and select Properties.
The following dialog opens:
c. Select the Share this folder: radio button and enter a ShareName:.
d. Select the Maximum allowed radio button and click OK.
The USB is shared on the laptop or desktop’s network.
Register the USB drive with the IS1200
Before the USB drive can be classified, it must be registered with the IS1200 as a data
repository. If you already know the complete NetBIOS name for the USB drive share,
you can use “Registering a USB Drive Share Using Its Host’s NetBIOS Name”
(immediately following) to register it as a repository directly. Otherwise, the USB
drive can be discovered and registered as a data repository from the Environment
Discovery results tab listing, as described in “Discovering and Registering a USB
Drive” on page 414.
Registering a USB Drive Share Using Its Host’s NetBIOS Name. If you already
know the NetBIOS name of the laptop or desktop sharing the USB drive you want to
register (and do not need to discover it), do the following to register the USB drive as
a data repository:
1. Open Web-Admin in a browser and go to the Laptop/Desktop tab under
Repositories.
2. Enter a descriptive name for the USB drive in the Name field.
3. Enter the NetBIOS or DNS name of the laptop or desktop hosting the USB drive
in the NetBIOS or DNS Name field.
4. Enter the name used to share the USB drive in the Share Name field.
5. Make sure an appropriate identity is selected (one that has access privileges for
the laptop or desktop).
6. Decide whether to Preserve Access Time or not.
7. Click Submit.
The USB drive is added to the list of IS1200 data repositories.
Discovering and Registering a USB Drive. If you do not know the NetBIOS name
of the laptop or desktop sharing the USB drive you want to register, then you can
“discover” and register the share by doing the following:
Note:
The complete discovery process is detailed in the IS1200 Web-Admin User Guide.
1. First you need to know the host name or IP address of the laptop or desktop the
USB is connected to. To find that, do the following:
a. On the laptop or desktop the USB is shared from, select Start > Programs >
Accessories > Command prompt. The command prompt window opens.
b. At the cursor in the Command Prompt window, enter “ipconfig” and press Return.
Record the IP Address that is displayed and close the window.
c. From any administrative workstation, open Web-Admin in a browser and go to
the Environmental Discovery page under Repositories:
d. Click New in the tool-bar and select HostName/IP Range from the menu. The
following tab appears:
e. Enter the IP address you recorded in step a above in the HostName/IP Address
field, and click the Add button.
f. Select CIFS from the Repository Type menu, and the tab reconfigures to show
a new Identity drop-down menu and an Add Identity button.
g. From the Identity drop-down menu, select an identity with Administrator
privileges for the laptop or desktop you want to discover. If one does not exist,
create it using the Add Identity button.
h. Click the Discover button and a new discovery job is launched.
2. Wait until the Discovery job is completed (a green checkmark appears preceding
the discovery job listing) and then click the plus sign that precedes that listing to
open its results.
3. From the opened results, click the plus sign preceding the discovered
laptop/desktop name to list the shares it has available.
4. Click the checkbox of the shared USB drive and then click Add Repository in the
tool-bar. The Add Repository tab appears.
5. Optionally, change the Name field if you want a more distinctive share name for
the IS1200 to display in repository listings.
6. Make sure an appropriate identity is selected (one that has access privileges for
the laptop or desktop).
7. Decide whether to Preserve Access Time or not.
8. Click Submit.
The USB drive is added to the list of IS1200 data repositories.
Schedule a Classification on the USB drive
Once the USB drive has been registered as a data repository it can be classified by
doing the following:
1. Open Web-Admin in a browser and go to the Deep Crawl tab under Jobs.
2. For Repository Type, select Laptop/Desktop. The left-hand Repositories
scroll-box re-displays to show all repositories shared from laptops or desktops.
3. In the left-hand Repositories scroll-box, click the share name of the USB drive
you want to classify, then click the right-arrow to move that repository to the
right-hand scroll box.
4. If needed, click the arrow in the Advanced Options header-bar to open those
options, then make the necessary selections. See the IS1200 Web-Admin User
Guide for details on using and setting Advanced Options.
5. Click Submit to start the classification immediately, or Next to add extraction or
assignment rules, or to schedule the classification at a future time. See the IS1200
Web-Admin User Guide for details on using these additional options.
Once the job is submitted, it executes and can be monitored or controlled, just as any
other classification job.
Note:
While a classification is in-progress, if the USB drive is disconnected (or switched
off) from its laptop or desktop host, the job will wait until the USB drive is
reconnected to the laptop or desktop.
When it is reconnected, the original share name used for the USB drive must be
reused to enable the IS1200 to detect that the drive is back online and then resume
waiting jobs.
Appendix L:
Supported File Formats
This appendix lists the supported file formats for data classification and includes the following
lists:
• “Word Processing Formats”
  - “Generic Text”
  - “DOS Word Processors”
  - “Windows Word Processors”
  - “Macintosh Word Processors”
• “Spreadsheet Formats”
• “Presentation Formats”
• “Graphics Formats”
• “Compressed Formats”
• “Database Formats”
Word Processing Formats
Generic Text
ANSI Text .... 7 & 8 bit
ASCII Text .... 7 & 8 bit
EBCDIC
HTML .... through 3.0 (some limitations)
IBM FFT .... All versions
IBM Revisable Form Text .... All versions
Microsoft Rich Text Format (RTF) .... All versions
Text Mail (MIME) .... No specific version
Unicode Text .... All versions
WML .... Version 5.2
DOS Word Processors
DEC WPS Plus (DX) .... through 4.0
DEC WPS Plus (WPL) .... through 4.1
DisplayWrite 2 & 3 (TXT) .... All versions
DisplayWrite 4 & 5 .... through Release 2.0
Enable .... 3.0, 4.0 and 4.5
First Choice .... through 3.0
Framework .... 3.0
IBM Writing Assistant .... 1.01
Lotus Manuscript .... Version 2.0
MASS11 .... Versions through 8.0
Microsoft Word .... Versions through 6.0
Microsoft Works .... Versions through 2.0
MultiMate .... Versions through 4.0
Navy DIF .... All versions
Nota Bene .... Version 3.0
Novell WordPerfect .... Versions through 6.1
Office Writer .... Versions 4.0 - 6.0
PC-File Letter .... Versions through 5.0
PC-File+ Letter .... Versions through 3.0
PFS:Write .... Versions A, B and C
Professional Write .... Versions through 2.1
Q&A .... Version 2.0
Samna Word .... Versions through Samna Word IV+
SmartWare II .... Version 1.02
Sprint .... Versions through 1.0
Total Word .... Version 1.2
Volkswriter 3 & 4 .... Versions through 1.0
Wang PC (IWP) .... Versions through 2.6
WordMARC .... Versions through Composer Plus
WordStar .... Versions through 7.0
WordStar 2000 .... Versions through 3.0
XyWrite .... Versions through III Plus
Windows Word Processors
Adobe FrameMaker (MIF) .... Version 6.0
Hangul .... Version 97 and 2002 (text only)
JustSystems Ichitaro .... Versions 5.0, 6.0, 8.0 – 13.0, 2004
JustWrite .... Versions through 3.0
Legacy .... Versions through 1.1
Lotus AMI/AMI Professional .... Versions through 3.1
Lotus Word Pro .... Versions 96 through Millennium Edition 9.6, text only
Microsoft Write .... Versions through 3.0
Microsoft Word .... Versions through MS Office 2007
Microsoft WordPad .... All versions
Microsoft Works .... Versions through 4.0
Novell Perfect Works .... Version 2.0
Novell/Corel WordPerfect .... Versions through 12.0
Professional Write Plus .... Version 1.0
Q&A Write .... Version 3.0
Star Office/Open Office Writer .... Star Office Versions 5.2, 6.x, and 7.x; Open Office version 1.1 (text only)
WordStar .... Version 1.0
Macintosh Word Processors
MacWrite II .... Version 1.1
Microsoft Word (Mac) .... Versions 4.0 – 2007
Microsoft Works (Mac) .... Versions through 2.0
Novell WordPerfect .... Versions 1.02 through 3.0
Spreadsheet Formats
Enable .... Versions 3.0, 4.0 and 4.5
First Choice .... Versions through 3.0
Framework .... Version 3.0
Lotus 1-2-3 (DOS & Windows) .... Versions through 5.0
Lotus 1-2-3 (OS/2) .... Versions through 2.0
Lotus 1-2-3 Charts (DOS & Windows) .... Versions through 5.0
Lotus 1-2-3 for SmartSuite .... Versions 97 – Millennium 9.6
Lotus Symphony .... Versions 1.0, 1.1 and 2.0
Microsoft Excel Charts .... Versions 2.x - 7.0
Microsoft Excel (Mac) .... Versions 3.0 – 4.0, 98 – 2007
Microsoft Excel (Windows) .... Versions 2.2 through 2007
Microsoft Multiplan .... Version 4.0
Microsoft Works (Windows) .... Versions through 4.0
Microsoft Works (DOS) .... Versions through 2.0
Microsoft Works (Mac) .... Versions through 2.0
Mosaic Twin .... Version 2.5
Novell Perfect Works .... Version 2.0
PFS: Professional Plan .... Version 1.0
Quattro Pro (DOS) .... Versions through 5.0
Quattro Pro (Windows) .... Versions through 12.0
SmartWare II .... Version 1.02
Star Office/Open Office Calc .... Star Office Versions 5.2, 6.x, and 7.x; Open Office version 1.1 (text only)
SuperCalc 5 .... Version 4.0
VP Planner 3D .... Version 1.0
Presentation Formats
Corel/Novell Presentations .... Versions through 12.0
Harvard Graphics for DOS .... Versions 2.x & 3.x
Harvard Graphics (Windows) .... Windows versions
Freelance (Windows) .... Versions through Millennium 9.6
Freelance for OS/2 .... Versions through 2.0
Microsoft PowerPoint (Windows) .... Versions 3.0 through 2007
Microsoft PowerPoint (Mac) .... Versions 4.0, 98 through 2007
StarOffice / OpenOffice Impress .... StarOffice 5.2, 6.x, and 7.x; OpenOffice 1.1 (text only)
Graphics Formats
Adobe Photoshop (PSD) .... Version 4.0
Adobe Illustrator .... Versions through 7.0, 9.0
Adobe FrameMaker graphics (FMV) .... Vector/raster through 5.0
Adobe Acrobat (PDF) .... Versions 2.1, 3.0 – 6.0, Japanese
Ami Draw (SDW) .... Ami Draw
AutoCAD Interchange and Native Drawing formats .... DXF and DWG
AutoCAD Drawing .... Versions 2.5 - 2.6, 9.0 - 14.0, 2000i and 2002
AutoShade Rendering (RND) .... Version 2.0
Binary Group 3 Fax .... All versions
Bitmap (BMP, RLE, ICO, CUR, OS/2 DIB & WARP) .... All versions
CALS Raster (GP4) .... Type I and Type II
Corel Clipart format (CMX) .... Versions 5 through 6
Corel Draw (CDR) .... Versions 3.x – 8.x
Corel Draw (CDR with TIFF header) .... Versions 2.x – 9.x
Computer Graphics Metafile (CGM) .... ANSI, CALS NIST version 3.0
Encapsulated PostScript (EPS) .... TIFF header only
GEM Paint (IMG) .... No specific version
Graphics Environment Mgr (GEM) .... Bitmap & vector
Graphics Interchange Format (GIF) .... No specific version
Hewlett Packard Graphics Language (HPGL) .... Version 2
IBM Graphics Data Format (GDF) .... Version 1.0
IBM Picture Interchange Format (PIF) .... Version 1.0
Initial Graphics Exchange Spec (IGES) .... Version 5.1
JFIF (JPEG not in TIFF format) .... All versions
JPEG (including EXIF) .... All versions
Kodak Flash Pix (FPX) .... All versions
Kodak Photo CD (PCD) .... Version 1.0
Lotus PIC .... All versions
Lotus Snapshot .... All versions
Macintosh PICT1 & PICT2 .... Bitmap only
MacPaint (PNTG) .... No specific version
Micrografx Draw (DRW) .... Versions through 4.0
Micrografx Designer (DRW) .... Versions through 3.1
Micrografx Designer (DSF) .... Windows 95, version 6.0
Novell PerfectWorks (Draw) .... Version 2.0
OS/2 PM Metafile (MET) .... Version 3.0
Paint Shop Pro 6 (PSP) .... Windows only, versions 5.0 – 6.0
PC Paintbrush (PCX and DCX) .... All versions
Portable Bitmap (PBM) .... All versions
Portable Graymap (PGM) .... No specific version
Portable Network Graphics (PNG) .... Version 1.0
Portable Pixmap (PPM) .... No specific version
Postscript (PS) .... Level II
Progressive JPEG .... No specific version
Sun Raster (SRS) .... No specific version
Star Office/Open Office Draw .... Star Office 5.2, 6.x, and 7.x and OpenOffice version 1.1 (text only)
TIFF .... Versions through 6
TIFF CCITT Group 3 & 4 .... Versions through 6
Truevision TGA (TARGA) .... Version 2
Visio (preview) .... Version 4
Visio .... Versions 5, 2000 – 2003
WBMP .... No specific version
Windows Enhanced Metafile (EMF) .... No specific version
Windows Metafile (WMF) .... No specific version
WordPerfect Graphics (WPG & WPG2) .... Versions through 2.0, 7 and 10
X-Windows Bitmap (XBM) .... x10 compatible
X-Windows Dump (XWD) .... x10 compatible
X-Windows Pixmap (XPM) .... x10 compatible
Compressed Formats
GZIP......................................................................................................All versions
LZA Self Extracting Compress.................................................................All versions
LZH Compress.......................................................................................All versions
Microsoft Binder................................................................................Versions 7.0-97
...................................................(conversion of Binder is supported only on Windows)
MIME Text Mail
UUEncode
UNIX Compress
UNIX TAR
ZIP....................................................................... PKWARE versions through 2.04g
Database Formats
Access......................................................................................Versions through 7.0
Note: The Oracle Outside In parser used to identify file types reports only
“Microsoft Access” or “Microsoft Access 7” for Microsoft Access files.
Variations such as “Microsoft Access 2000” are not reported.
dBASE.....................................................................................Versions through 5.0
DataEase............................................................................................... Version 4.x
dBXL.................................................................................................... Version 1.3
Enable.................................................................................Versions 3.0, 4.0 and 4.5
First Choice...............................................................................Versions through 3.0
FoxBase................................................................................................. Version 2.1
Framework............................................................................................ Version 3.0
Microsoft Works (Windows)........................................................Versions through 4.0
Microsoft Works (DOS)..............................................................Versions through 2.0
Microsoft Works (Mac)............................................................. Versions through 2.0
Paradox (DOS).......................................................................... Versions through 4.0
Paradox (Windows)..................................................................Versions through 1.0
Personal R:BASE....................................................................................Version 1.0
R:BASE 5000............................................................................Versions through 3.1
R:BASE System V....................................................................................Version 1.0
Reflex.................................................................................................... Version 2.0
Q & A..................................................................................... Versions through 2.0
SmartWare II........................................................................................Version 1.02
Executable (EXE, DLL)
Executable (Windows) NT
Microsoft Outlook Express (EML)...............................................No specific version
Microsoft Outlook Folder (PST)..................................Versions 97, 98, 2003, and 2007
Microsoft Outlook Message (MSG)...........................................................All versions
Microsoft Project......................................................... Versions 98 - 2003 (text only)
vCard.....................................................................................................Version 2.1
Note: To successfully open a PST file, you must save the file and open it in
Microsoft Outlook.
Appendix M:
Supported Time Zones
This appendix lists the supported time zones for the IS1200.
Africa/Addis_Ababa
Africa/Lubumbashi
America/Belize
Africa/Abidjan
Africa/Lome
America/Boa_Vista
Africa/Accra
Africa/Luanda
America/Bogota
Africa/Blantyre
Africa/Mogadishu
America/Boise
Africa/Algiers
Africa/Lusaka
Africa/Asmera
Africa/Malabo
America/Indiana/Indianapolis
Africa/Bamako
Africa/Maputo
Africa/Bangui
Africa/Maseru
Africa/Banjul
Africa/Mbabane
Africa/Bissau
Africa/Monrovia
Africa/Dar_es_Salaam
Africa/Nairobi
Africa/Brazzaville
Africa/Ndjamena
Africa/Bujumbura
Africa/Niamey
Africa/Casablanca
Africa/Nouakchott
Africa/Ceuta
Africa/Ouagadougou
Africa/Conakry
Africa/Porto-Novo
Africa/Dakar
Africa/Sao_Tome
Africa/Johannesburg
Africa/Timbuktu
Africa/Djibouti
Africa/Tunis
Africa/Douala
Africa/Windhoek
Africa/El_Aaiun
Africa/Tripoli
Africa/Freetown
Africa/Cairo
Africa/Gaborone
America/Buenos_Aires
Africa/Harare
America/Anguilla
Africa/Khartoum
America/Antigua
Africa/Kampala
America/Araguaina
Africa/Kinshasa
America/Aruba
Africa/Kigali
America/Asuncion
Africa/Libreville
America/Barbados
Africa/Lagos
America/Belem
America/Indiana/Marengo
America/Indiana/Vevay
America/Indiana/Knox
America/Inuvik
America/Cambridge_Bay
America/Cancun
America/Caracas
America/Catamarca
America/Cayenne
America/Cayman
America/Chihuahua
America/Costa_Rica
America/Cuiaba
America/Curacao
America/Danmarkshavn
America/Dawson
America/Dawson_Creek
America/Dominica
America/Eirunepe
America/El_Salvador
America/Fortaleza
America/Glace_Bay
America/Godthab
America/Goose_Bay
America/Grand_Turk
America/Swift_Current
Antarctica/Davis
America/Grenada
America/Tegucigalpa
Antarctica/South_Pole
America/Guadeloupe
America/Thule
Antarctica/Mawson
America/Guatemala
America/Thunder_Bay
Antarctica/Palmer
America/Guayaquil
America/Tortola
Antarctica/Syowa
America/Guyana
America/Yakutat
Antarctica/Vostok
America/Hermosillo
America/Yellowknife
Antarctica/McMurdo
America/Kentucky/Monticello
America/Winnipeg
Arctic/Longyearbyen
America/Whitehorse
Asia/Calcutta
America/Vancouver
Asia/Aden
America/Virgin
Asia/Almaty
America/Atka
Asia/Amman
America/St_Thomas
Asia/Anadyr
America/St_Johns
Asia/Aqtau
America/Sao_Paulo
Asia/Aqtobe
America/Santiago
Asia/Baghdad
America/Regina
Asia/Bahrain
America/Puerto_Rico
Asia/Baku
America/Indianapolis
Asia/Bangkok
America/Porto_Acre
Asia/Beirut
America/Phoenix
Asia/Bishkek
America/Noronha
Asia/Brunei
America/New_York
Asia/Kuala_Lumpur
America/Montreal
Asia/Choibalsan
America/Monterrey
America/Mexico_City
Asia/Colombo
America/Montevideo
America/Mazatlan
Asia/Damascus
America/Montserrat
America/Manaus
Asia/Dili
America/Nassau
America/Los_Angeles
Asia/Dubai
America/Nipigon
America/Louisville
Asia/Dushanbe
America/Nome
America/Jamaica
Asia/Gaza
America/Pangnirtung
America/Knox_IN
Asia/Harbin
America/Panama
America/Havana
Asia/Hovd
America/Port-au-Prince
America/Halifax
Asia/Irkutsk
America/Paramaribo
America/Tijuana
Asia/Jakarta
America/Rio_Branco
America/Edmonton
Asia/Jayapura
America/Adak
America/Fort_Wayne
Asia/Kabul
America/Port_of_Spain
America/Shiprock
Asia/Kamchatka
America/Porto_Velho
America/Ensenada
Asia/Karachi
America/Rainy_River
America/Detroit
Asia/Kashgar
America/Rankin_Inlet
America/Denver
Asia/Katmandu
America/Recife
America/Rosario
Asia/Krasnoyarsk
America/Santo_Domingo
America/Cordoba
Asia/Novosibirsk
America/Scoresbysund
America/Chicago
Asia/Kuching
America/St_Kitts
America/Anchorage
Asia/Kuwait
America/St_Lucia
Antarctica/DumontDUrville
Asia/Magadan
America/Kentucky/Louisville
America/Iqaluit
America/Jujuy
America/Juneau
America/Martinique
America/La_Paz
America/Lima
America/Maceio
America/Managua
America/Menominee
America/Mendoza
America/Miquelon
America/Merida
America/North_Dakota/Center
America/St_Vincent
Asia/Manila
Antarctica/Casey
Asia/Muscat
Asia/Chongqing
Asia/Phnom_Penh
Asia/Ashkhabad
Asia/Omsk
Asia/Ashgabat
Asia/Oral
Atlantic/Cape_Verde
Asia/Yekaterinburg
Atlantic/Azores
Asia/Pontianak
Atlantic/Bermuda
Asia/Pyongyang
Atlantic/Canary
Asia/Qatar
Atlantic/South_Georgia
Asia/Qyzylorda
Atlantic/Faeroe
Asia/Rangoon
Atlantic/Madeira
Asia/Riyadh
Atlantic/St_Helena
Asia/Saigon
Atlantic/Stanley
Asia/Sakhalin
Atlantic/Reykjavik
Asia/Samarkand
Atlantic/Jan_Mayen
Asia/Tashkent
Australia/Lindeman
Asia/Tbilisi
Australia/West
Asia/Urumqi
Australia/LHI
Asia/Vientiane
Australia/Perth
Asia/Vladivostok
Australia/Victoria
Asia/Yakutsk
Australia/ACT
Asia/Ulaanbaatar
Australia/Melbourne
Asia/Yerevan
Australia/Lord_Howe
Asia/Ujung_Pandang
Australia/Tasmania
Asia/Ulan_Bator
Australia/Hobart
Asia/Tokyo
Australia/North
Asia/Thimphu
Australia/Darwin
Asia/Thimbu
Australia/Yancowinna
Asia/Tehran
Australia/Broken_Hill
Asia/Taipei
Australia/Queensland
Asia/Singapore
Australia/Brisbane
Asia/Shanghai
Australia/South
Asia/Seoul
Australia/NSW
Asia/Riyadh89
Australia/Adelaide
Asia/Riyadh88
Australia/Canberra
Asia/Riyadh87
Australia/Sydney
Asia/Nicosia
Brazil/DeNoronha
Asia/Tel_Aviv
Brazil/East
Asia/Istanbul
Brazil/Acre
Asia/Makassar
Brazil/West
Asia/Macau
Canada/Newfoundland
Asia/Macao
Canada/Central
Asia/Jerusalem
Canada/Yukon
Asia/Hong_Kong
Canada/Pacific
Asia/Dhaka
Canada/Saskatchewan
Asia/Dacca
Canada/Atlantic
Asia/Chungking
Canada/Eastern
Canada/EastSaskatchewan
Canada/Mountain
CET
Chile/EasterIsland
Chile/Continental
Etc/Universal
Etc/GMT+1
Etc/GMT+10
Etc/GMT+11
Etc/GMT+12
Etc/GMT+2
Etc/GMT+3
Etc/GMT+4
Etc/GMT+5
Etc/GMT+6
Etc/GMT+7
Etc/GMT+8
Etc/GMT+9
Etc/GMT-1
Etc/GMT-10
Etc/GMT-11
Etc/GMT-12
Etc/GMT-13
Etc/GMT-14
Etc/GMT-2
Etc/GMT-3
Etc/GMT-4
Etc/GMT-5
Etc/GMT-6
Etc/GMT-7
Etc/GMT-8
Etc/GMT-9
Etc/Zulu
Etc/GMT+0
Etc/UCT
Europe/Tiraspol
Pacific/Marquesas
Etc/UTC
Europe/Oslo
Pacific/Midway
Etc/GMT-0
Europe/Chisinau
Pacific/Nauru
Etc/GMT0
Europe/Prague
Pacific/Niue
Etc/Greenwich
Europe/Bratislava
Pacific/Norfolk
Etc/GMT
Europe/Ljubljana
Pacific/Noumea
EET
Europe/Sarajevo
Pacific/Palau
Europe/Amsterdam
Europe/Skopje
Pacific/Ponape
Europe/Andorra
Europe/Zagreb
Pacific/Samoa
Europe/Athens
Europe/Dublin
Pacific/Rarotonga
Europe/Belfast
Europe/Nicosia
Pacific/Saipan
Europe/Berlin
Europe/Belgrade
Pacific/Tahiti
Europe/Brussels
Europe/Istanbul
Pacific/Tarawa
Europe/Bucharest
Indian/Antananarivo
Pacific/Tongatapu
Europe/Budapest
Indian/Chagos
Pacific/Truk
Europe/Copenhagen
Indian/Christmas
Pacific/Wake
Europe/Gibraltar
Indian/Cocos
Pacific/Wallis
Europe/Helsinki
Indian/Comoro
Pacific/Yap
Europe/Kaliningrad
Indian/Kerguelen
Pacific/Pitcairn
Europe/Kiev
Indian/Mahe
Pacific/Auckland
Europe/Luxembourg
Indian/Maldives
Pacific/Pago_Pago
Europe/Madrid
Indian/Mauritius
Pacific/Gambier
Europe/Malta
Indian/Mayotte
Pacific/Chatham
Europe/Minsk
Indian/Reunion
Pacific/Kwajalein
Europe/Monaco
Factory
Pacific/Honolulu
Europe/Paris
Mexico/BajaNorte
Pacific/Easter
Europe/Riga
Mexico/General
SystemV/PST8
Europe/Samara
Mexico/BajaSur
SystemV/YST9
Europe/Simferopol
MET
SystemV/HST10
Europe/Sofia
Mideast/Riyadh89
SystemV/CST6
Europe/Stockholm
Mideast/Riyadh88
SystemV/AST4
Europe/Tallinn
Mideast/Riyadh87
SystemV/MST7
Europe/Tirane
Pacific/Enderbury
SystemV/EST5EDT
Europe/Uzhgorod
Pacific/Apia
SystemV/PST8PDT
Europe/Vaduz
Pacific/Efate
SystemV/AST4ADT
Europe/Vienna
Pacific/Funafuti
SystemV/EST5
Europe/Vilnius
Pacific/Fakaofo
SystemV/MST7MDT
Europe/Zaporozhye
Pacific/Fiji
SystemV/CST6CDT
Europe/Zurich
Pacific/Port_Moresby
SystemV/YST9YDT
Europe/Warsaw
Pacific/Galapagos
US/Indiana-Starke
Europe/San_Marino
Pacific/Guadalcanal
US/Samoa
Europe/Vatican
Pacific/Guam
US/Hawaii
Europe/Moscow
Pacific/Johnston
US/Arizona
Europe/Rome
Pacific/Kiritimati
US/Eastern
Europe/London
Pacific/Kosrae
US/Pacific
Europe/Lisbon
Pacific/Majuro
US/East-Indiana
US/Michigan
posix/Africa/Maseru
posix/America/Curacao
US/Mountain
posix/Africa/Mbabane
US/Central
posix/Africa/Monrovia
posix/America/Danmarkshavn
US/Alaska
posix/Africa/Nairobi
US/Aleutian
posix/Africa/Ndjamena
iso3166.tab
posix/Africa/Niamey
WET
posix/Africa/Nouakchott
posix/Africa/Addis_Ababa
posix/Africa/Ouagadougou
posix/Africa/Abidjan
posix/Africa/Porto-Novo
posix/Africa/Accra
posix/Africa/Sao_Tome
posix/Africa/Blantyre
posix/Africa/Timbuktu
posix/Africa/Algiers
posix/Africa/Tunis
posix/Africa/Asmera
posix/Africa/Windhoek
posix/Africa/Bamako
posix/Africa/Tripoli
posix/Africa/Bangui
posix/Africa/Cairo
posix/Africa/Banjul
posix/America/Buenos_Aires
posix/America/Dawson
posix/America/Dawson_Creek
posix/America/Dominica
posix/America/Eirunepe
posix/America/El_Salvador
posix/America/Fortaleza
posix/America/Glace_Bay
posix/America/Godthab
posix/America/Goose_Bay
posix/America/Grand_Turk
posix/America/Grenada
posix/Africa/Dar_es_Salaam
posix/America/Anguilla
posix/America/Guadeloupe
posix/America/Antigua
posix/America/Guatemala
posix/Africa/Brazzaville
posix/America/Araguaina
posix/America/Guayaquil
posix/Africa/Bujumbura
posix/America/Aruba
posix/America/Guyana
posix/Africa/Casablanca
posix/America/Asuncion
posix/Africa/Ceuta
posix/America/Barbados
posix/America/Hermosillo
posix/Africa/Conakry
posix/America/Belem
posix/Africa/Dakar
posix/America/Belize
posix/Africa/Johannesburg
posix/America/Boa_Vista
posix/America/Kentucky/Louisville
posix/America/Bogota
posix/America/Iqaluit
posix/America/Boise
posix/America/Jujuy
posix/America/Indiana/Indianapolis
posix/America/Juneau
posix/Africa/Bissau
posix/Africa/Djibouti
posix/Africa/Douala
posix/Africa/El_Aaiun
posix/Africa/Freetown
posix/Africa/Gaborone
posix/Africa/Harare
posix/Africa/Khartoum
posix/America/Indiana/Marengo
posix/America/Indiana/Vevay
posix/America/Kentucky/Monticello
posix/America/Martinique
posix/America/La_Paz
posix/America/Lima
posix/America/Maceio
posix/America/Managua
posix/Africa/Kampala
posix/America/Indiana/Knox
posix/Africa/Kinshasa
posix/America/Inuvik
posix/Africa/Kigali
posix/America/Cambridge_Bay
posix/America/Mendoza
posix/Africa/Libreville
posix/Africa/Lagos
posix/America/Cancun
posix/America/Merida
posix/Africa/Lubumbashi
posix/America/Caracas
posix/Africa/Lome
posix/America/Catamarca
posix/America/North_Dakota/Center
posix/Africa/Luanda
posix/America/Cayenne
posix/America/Monterrey
posix/Africa/Mogadishu
posix/America/Cayman
posix/Africa/Lusaka
posix/America/Chihuahua
posix/America/Montevideo
posix/Africa/Malabo
posix/America/Costa_Rica
posix/Africa/Maputo
posix/America/Cuiaba
posix/America/Menominee
posix/America/Miquelon
posix/America/Montserrat
posix/America/Nassau
posix/America/Nipigon
posix/America/Nome
posix/America/Pangnirtung
posix/America/Panama
posix/America/Puerto_Rico
posix/Asia/Almaty
posix/America/Indianapolis
posix/Asia/Anadyr
posix/Asia/Amman
posix/Asia/Aqtau
posix/America/Port-au-Prince
posix/America/Porto_Acre
posix/America/Paramaribo
posix/America/Phoenix
posix/Asia/Baghdad
posix/America/Noronha
posix/Asia/Bahrain
posix/America/Rio_Branco
posix/America/New_York
posix/Asia/Baku
posix/America/Montreal
posix/Asia/Bangkok
posix/America/Mexico_City
posix/Asia/Beirut
posix/America/Mazatlan
posix/Asia/Brunei
posix/America/Manaus
posix/Asia/Kuala_Lumpur
posix/America/Adak
posix/America/Port_of_Spain
posix/America/Porto_Velho
posix/America/Rainy_River
posix/America/Los_Angeles
posix/Asia/Aqtobe
posix/Asia/Bishkek
posix/Asia/Choibalsan
posix/America/Louisville
posix/Asia/Colombo
posix/America/Jamaica
posix/Asia/Damascus
posix/America/Recife
posix/America/Knox_IN
posix/Asia/Dili
posix/America/Santo_Domingo
posix/America/Havana
posix/Asia/Dubai
posix/America/Halifax
posix/Asia/Dushanbe
posix/America/Scoresbysund
posix/America/Tijuana
posix/Asia/Gaza
posix/America/Edmonton
posix/Asia/Harbin
posix/America/St_Lucia
posix/America/Fort_Wayne
posix/Asia/Hovd
posix/America/St_Vincent
posix/America/Shiprock
posix/America/Swift_Current
posix/America/Ensenada
posix/America/Tegucigalpa
posix/America/Denver
posix/America/Thule
posix/America/Rosario
posix/America/Rankin_Inlet
posix/America/St_Kitts
posix/America/Thunder_Bay
posix/America/Detroit
posix/America/Cordoba
posix/America/Chicago
posix/America/Tortola
posix/America/Anchorage
posix/America/Yakutat
posix/Antarctica/DumontDUrville
posix/America/Yellowknife
posix/Antarctica/Casey
posix/Asia/Irkutsk
posix/Asia/Jakarta
posix/Asia/Jayapura
posix/Asia/Kabul
posix/Asia/Kamchatka
posix/Asia/Karachi
posix/Asia/Kashgar
posix/Asia/Katmandu
posix/Asia/Krasnoyarsk
posix/Asia/Novosibirsk
posix/Asia/Kuching
posix/Asia/Kuwait
posix/America/Winnipeg
posix/Antarctica/Davis
posix/America/Whitehorse
posix/Antarctica/South_Pole
posix/America/Vancouver
posix/Antarctica/Mawson
posix/Asia/Muscat
posix/America/Virgin
posix/Antarctica/Palmer
posix/Asia/Phnom_Penh
posix/America/Atka
posix/Antarctica/Syowa
posix/Asia/Omsk
posix/America/St_Thomas
posix/Antarctica/Vostok
posix/Asia/Oral
posix/Antarctica/McMurdo
posix/Asia/Yekaterinburg
posix/America/St_Johns
posix/America/Sao_Paulo
posix/America/Santiago
posix/America/Regina
posix/Arctic/Longyearbyen
posix/Asia/Calcutta
posix/Asia/Aden
posix/Asia/Magadan
posix/Asia/Manila
posix/Asia/Pontianak
posix/Asia/Pyongyang
posix/Asia/Qatar
posix/Asia/Qyzylorda
posix/Asia/Rangoon
posix/Asia/Riyadh
posix/Atlantic/Faeroe
posix/Chile/EasterIsland
posix/Asia/Saigon
posix/Atlantic/Madeira
posix/Chile/Continental
posix/Asia/Sakhalin
posix/Atlantic/St_Helena
posix/Etc/Universal
posix/Asia/Samarkand
posix/Atlantic/Stanley
posix/Etc/GMT+1
posix/Asia/Tashkent
posix/Atlantic/Reykjavik
posix/Etc/GMT+10
posix/Asia/Tbilisi
posix/Atlantic/Jan_Mayen
posix/Etc/GMT+11
posix/Asia/Urumqi
posix/Australia/Lindeman
posix/Etc/GMT+12
posix/Asia/Vientiane
posix/Australia/West
posix/Etc/GMT+2
posix/Asia/Vladivostok
posix/Australia/LHI
posix/Etc/GMT+3
posix/Asia/Yakutsk
posix/Australia/Perth
posix/Etc/GMT+4
posix/Asia/Ulaanbaatar
posix/Australia/Victoria
posix/Etc/GMT+5
posix/Asia/Yerevan
posix/Australia/ACT
posix/Etc/GMT+6
posix/Asia/Ujung_Pandang
posix/Australia/Melbourne
posix/Etc/GMT+7
posix/Asia/Ulan_Bator
posix/Australia/Lord_Howe
posix/Etc/GMT+9
posix/Asia/Tokyo
posix/Asia/Thimphu
posix/Asia/Thimbu
posix/Asia/Tehran
posix/Asia/Taipei
posix/Asia/Singapore
posix/Asia/Shanghai
posix/Australia/Tasmania
posix/Australia/Hobart
posix/Australia/North
posix/Australia/Darwin
posix/Australia/Yancowinna
posix/Etc/GMT+8
posix/Etc/GMT-1
posix/Etc/GMT-10
posix/Etc/GMT-11
posix/Etc/GMT-12
posix/Etc/GMT-13
posix/Etc/GMT-14
posix/Australia/Broken_Hill
posix/Etc/GMT-2
posix/Etc/GMT-4
posix/Asia/Riyadh88
posix/Australia/Queensland
posix/Asia/Riyadh87
posix/Australia/Brisbane
posix/Asia/Nicosia
posix/Australia/South
posix/Asia/Tel_Aviv
posix/Australia/NSW
posix/Asia/Istanbul
posix/Australia/Adelaide
posix/Asia/Makassar
posix/Australia/Canberra
posix/Asia/Macau
posix/Australia/Sydney
posix/Asia/Macao
posix/Brazil/DeNoronha
posix/Asia/Jerusalem
posix/Brazil/East
posix/Asia/Hong_Kong
posix/Brazil/Acre
posix/Asia/Dhaka
posix/Brazil/West
posix/Asia/Dacca
posix/Canada/Newfoundland
posix/Asia/Seoul
posix/Asia/Riyadh89
posix/Asia/Chungking
posix/Asia/Chongqing
posix/Asia/Ashkhabad
posix/Asia/Ashgabat
posix/Atlantic/Cape_Verde
posix/Canada/Central
posix/Canada/Yukon
posix/Canada/Pacific
posix/Canada/Saskatchewan
posix/Etc/GMT-3
posix/Etc/GMT-5
posix/Etc/GMT-6
posix/Etc/GMT-7
posix/Etc/GMT-8
posix/Etc/GMT-9
posix/Etc/Zulu
posix/Etc/GMT+0
posix/Etc/UCT
posix/Etc/UTC
posix/Etc/GMT-0
posix/Etc/GMT0
posix/Etc/Greenwich
posix/Etc/GMT
posix/EET
posix/Europe/Amsterdam
posix/Europe/Andorra
posix/Europe/Athens
posix/Canada/Atlantic
posix/Europe/Belfast
posix/Canada/Eastern
posix/Europe/Berlin
posix/Atlantic/Canary
posix/Canada/EastSaskatchewan
posix/Europe/Brussels
posix/Atlantic/South_Georgia
posix/Canada/Mountain
posix/Atlantic/Azores
posix/Atlantic/Bermuda
posix/Europe/Bucharest
posix/Europe/Budapest
posix/CET
posix/Europe/Copenhagen
posix/Indian/Chagos
posix/Pacific/Truk
posix/Europe/Gibraltar
posix/Indian/Christmas
posix/Pacific/Wake
posix/Europe/Helsinki
posix/Indian/Cocos
posix/Pacific/Wallis
posix/Europe/Kaliningrad
posix/Indian/Comoro
posix/Pacific/Yap
posix/Europe/Kiev
posix/Indian/Kerguelen
posix/Pacific/Pitcairn
posix/Europe/Luxembourg
posix/Indian/Mahe
posix/Pacific/Auckland
posix/Indian/Maldives
posix/Pacific/Pago_Pago
posix/Indian/Mauritius
posix/Pacific/Gambier
posix/Indian/Mayotte
posix/Pacific/Chatham
posix/Indian/Reunion
posix/Pacific/Kwajalein
posix/Factory
posix/Pacific/Honolulu
posix/Mexico/BajaNorte
posix/Pacific/Easter
posix/Mexico/General
posix/SystemV/PST8
posix/Mexico/BajaSur
posix/SystemV/YST9
posix/MET
posix/SystemV/HST10
posix/Mideast/Riyadh89
posix/SystemV/CST6
posix/Mideast/Riyadh88
posix/SystemV/AST4
posix/Mideast/Riyadh87
posix/SystemV/MST7
posix/Pacific/Enderbury
posix/SystemV/EST5EDT
posix/Pacific/Apia
posix/SystemV/PST8PDT
posix/Pacific/Efate
posix/SystemV/AST4ADT
posix/Europe/Madrid
posix/Europe/Malta
posix/Europe/Minsk
posix/Europe/Monaco
posix/Europe/Paris
posix/Europe/Riga
posix/Europe/Samara
posix/Europe/Simferopol
posix/Europe/Sofia
posix/Europe/Stockholm
posix/Europe/Tallinn
posix/Europe/Tirane
posix/Europe/Uzhgorod
posix/Europe/Vaduz
posix/Europe/Vienna
posix/Europe/Vilnius
posix/Europe/Zaporozhye
posix/Europe/Zurich
posix/Pacific/Funafuti
posix/Pacific/Fakaofo
posix/SystemV/EST5
posix/Pacific/Fiji
posix/SystemV/MST7MDT
posix/Europe/Warsaw
posix/Pacific/Port_Moresby
posix/Europe/San_Marino
posix/Pacific/Galapagos
posix/Europe/Vatican
posix/Pacific/Guadalcanal
posix/SystemV/YST9YDT
posix/Europe/Moscow
posix/Pacific/Guam
posix/US/Indiana-Starke
posix/Europe/Rome
posix/Pacific/Johnston
posix/US/Samoa
posix/Europe/London
posix/Pacific/Kiritimati
posix/US/Hawaii
posix/Europe/Lisbon
posix/Pacific/Kosrae
posix/US/Arizona
posix/Europe/Tiraspol
posix/Pacific/Majuro
posix/US/Eastern
posix/Europe/Oslo
posix/Pacific/Marquesas
posix/US/Pacific
posix/Europe/Chisinau
posix/Pacific/Midway
posix/US/East-Indiana
posix/Europe/Prague
posix/Pacific/Nauru
posix/US/Michigan
posix/Europe/Bratislava
posix/Pacific/Niue
posix/US/Mountain
posix/Europe/Ljubljana
posix/Pacific/Norfolk
posix/US/Central
posix/Europe/Sarajevo
posix/Pacific/Noumea
posix/US/Alaska
posix/Europe/Skopje
posix/Pacific/Palau
posix/US/Aleutian
posix/Europe/Zagreb
posix/Pacific/Ponape
posix/NZ-CHAT
posix/Europe/Dublin
posix/Pacific/Samoa
posix/WET
posix/Europe/Nicosia
posix/Pacific/Rarotonga
posix/Kwajalein
posix/Europe/Belgrade
posix/Pacific/Saipan
posix/NZ
posix/Europe/Istanbul
posix/Pacific/Tahiti
posix/Poland
posix/Indian/Antananarivo
posix/Pacific/Tarawa
posix/HST
posix/SystemV/CST6CDT
posix/Pacific/Tongatapu
posix/Portugal
right/Africa/Brazzaville
right/America/Asuncion
posix/W-SU
right/Africa/Bujumbura
right/America/Barbados
posix/GB-Eire
right/Africa/Casablanca
right/America/Belem
posix/GB
right/Africa/Ceuta
right/America/Belize
posix/GMT+0
right/Africa/Conakry
right/America/Boa_Vista
posix/Universal
right/Africa/Dakar
right/America/Bogota
posix/Zulu
right/Africa/Johannesburg
right/America/Boise
posix/UCT
right/Africa/Djibouti
posix/UTC
right/Africa/Douala
right/America/Indiana/Indianapolis
posix/Navajo
right/Africa/El_Aaiun
posix/GMT-0
right/Africa/Freetown
posix/GMT0
right/Africa/Gaborone
posix/Greenwich
right/Africa/Harare
posix/Eire
right/Africa/Khartoum
right/America/Indiana/Knox
posix/Iran
right/Africa/Kampala
right/America/Inuvik
posix/GMT
right/Africa/Kinshasa
posix/Iceland
right/Africa/Kigali
right/America/Cambridge_Bay
posix/Japan
right/Africa/Libreville
posix/ROC
right/Africa/Lagos
posix/Singapore
right/Africa/Lubumbashi
posix/PRC
right/Africa/Lome
posix/ROK
right/Africa/Luanda
posix/Israel
right/Africa/Mogadishu
posix/Turkey
right/Africa/Lusaka
posix/Hongkong
right/Africa/Malabo
posix/MST
right/Africa/Maputo
posix/EST5EDT
right/Africa/Maseru
posix/PST8PDT
right/Africa/Mbabane
posix/Jamaica
right/Africa/Monrovia
posix/Cuba
right/Africa/Nairobi
right/America/Dawson_Creek
posix/EST
right/Africa/Ndjamena
right/America/Dominica
posix/MST7MDT
right/Africa/Niamey
right/America/Eirunepe
posix/CST6CDT
right/Africa/Nouakchott
posix/Libya
right/Africa/Ouagadougou
right/America/El_Salvador
posix/Egypt
right/Africa/Porto-Novo
right/Africa/Addis_Ababa
right/Africa/Sao_Tome
right/Africa/Abidjan
right/Africa/Timbuktu
right/Africa/Accra
right/Africa/Tunis
right/America/Goose_Bay
right/Africa/Blantyre
right/Africa/Windhoek
right/America/Grand_Turk
right/Africa/Algiers
right/Africa/Tripoli
right/Africa/Asmera
right/Africa/Cairo
right/Africa/Bamako
right/America/Buenos_Aires
right/Africa/Bangui
right/Africa/Banjul
right/Africa/Bissau
right/Africa/Dar_es_Salaam
right/America/Anguilla
right/America/Antigua
right/America/Araguaina
right/America/Indiana/Marengo
right/America/Indiana/Vevay
right/America/Cancun
right/America/Caracas
right/America/Catamarca
right/America/Cayenne
right/America/Cayman
right/America/Chihuahua
right/America/Costa_Rica
right/America/Cuiaba
right/America/Curacao
right/America/Danmarkshavn
right/America/Dawson
right/America/Fortaleza
right/America/Glace_Bay
right/America/Godthab
right/America/Grenada
right/America/Guadeloupe
right/America/Guatemala
right/America/Guayaquil
right/America/Guyana
right/America/Hermosillo
right/America/Aruba
right/America/Kentucky/Monticello
right/America/Kentucky/Louisville
right/America/Denver
right/America/Swift_Current
right/America/Rosario
right/America/Iqaluit
right/America/Tegucigalpa
right/America/Jujuy
right/America/Thule
right/America/Juneau
right/America/Thunder_Bay
right/America/Martinique
right/America/La_Paz
right/America/Tortola
right/America/Lima
right/America/Yakutat
right/America/Maceio
right/America/Yellowknife
right/America/Managua
right/America/Winnipeg
right/America/Menominee
right/America/Whitehorse
right/America/Mendoza
right/America/Vancouver
right/America/Miquelon
right/America/Merida
right/America/Virgin
right/America/Atka
right/America/Cordoba
right/America/Chicago
right/America/Anchorage
right/Antarctica/DumontDUrville
right/Antarctica/Casey
right/Antarctica/Davis
right/Antarctica/South_Pole
right/Antarctica/Mawson
right/Antarctica/Palmer
right/Antarctica/Syowa
right/Antarctica/Vostok
right/Antarctica/McMurdo
right/America/North_Dakota/Center
right/America/St_Thomas
right/America/St_Johns
right/Arctic/Longyearbyen
right/America/Monterrey
right/America/Sao_Paulo
right/Asia/Calcutta
right/America/Montevideo
right/America/Santiago
right/Asia/Aden
right/America/Regina
right/Asia/Almaty
right/America/Puerto_Rico
right/Asia/Amman
right/America/Indianapolis
right/Asia/Aqtau
right/America/Montserrat
right/America/Nassau
right/America/Nipigon
right/America/Nome
right/America/Pangnirtung
right/America/Porto_Acre
right/America/Panama
right/America/Noronha
right/America/Port-au-Prince
right/America/New_York
right/America/Paramaribo
right/America/Mexico_City
right/America/Rio_Branco
right/America/Phoenix
right/America/Montreal
right/Asia/Anadyr
right/Asia/Aqtobe
right/Asia/Baghdad
right/Asia/Bahrain
right/Asia/Baku
right/Asia/Bangkok
right/Asia/Beirut
right/Asia/Bishkek
right/America/Mazatlan
right/Asia/Brunei
right/America/Manaus
right/Asia/Kuala_Lumpur
right/America/Los_Angeles
right/Asia/Choibalsan
right/America/Louisville
right/Asia/Damascus
right/America/Jamaica
right/Asia/Dili
right/America/Knox_IN
right/Asia/Dubai
right/America/Rankin_Inlet
right/America/Havana
right/Asia/Dushanbe
right/America/Halifax
right/Asia/Gaza
right/America/Recife
right/America/Tijuana
right/Asia/Harbin
right/America/Santo_Domingo
right/America/Edmonton
right/Asia/Hovd
right/America/Fort_Wayne
right/Asia/Irkutsk
right/America/Adak
right/America/Port_of_Spain
right/America/Porto_Velho
right/America/Rainy_River
right/America/Scoresbysund
right/America/St_Kitts
right/America/St_Lucia
right/America/St_Vincent
right/America/Shiprock
right/America/Ensenada
right/Asia/Colombo
right/Asia/Jakarta
right/Asia/Jayapura
right/Asia/Kabul
right/America/Detroit
right/Asia/Kamchatka
right/Asia/Tel_Aviv
right/Australia/Canberra
right/Asia/Karachi
right/Asia/Istanbul
right/Australia/Sydney
right/Asia/Kashgar
right/Asia/Makassar
right/Brazil/DeNoronha
right/Asia/Katmandu
right/Asia/Macau
right/Brazil/East
right/Asia/Krasnoyarsk
right/Asia/Macao
right/Brazil/Acre
right/Asia/Novosibirsk
right/Asia/Jerusalem
right/Brazil/West
right/Asia/Kuching
right/Asia/Hong_Kong
right/Asia/Kuwait
right/Asia/Dhaka
right/Canada/Newfoundland
right/Asia/Magadan
right/Asia/Dacca
right/Asia/Manila
right/Asia/Chungking
right/Asia/Muscat
right/Asia/Chongqing
right/Asia/Phnom_Penh
right/Asia/Ashkhabad
right/Asia/Omsk
right/Asia/Ashgabat
right/Asia/Oral
right/Atlantic/Cape_Verde
right/Asia/Yekaterinburg
right/Atlantic/Azores
right/Asia/Pontianak
right/Atlantic/Bermuda
right/Canada/EastSaskatchewan
right/Asia/Pyongyang
right/Atlantic/Canary
right/Canada/Mountain
right/Asia/Qatar
right/Atlantic/South_Georgia
right/CET
right/Asia/Qyzylorda
right/Asia/Rangoon
right/Asia/Riyadh
right/Asia/Saigon
right/Asia/Sakhalin
right/Asia/Samarkand
right/Asia/Tashkent
right/Asia/Tbilisi
right/Asia/Urumqi
right/Asia/Vientiane
right/Asia/Vladivostok
right/Asia/Yakutsk
right/Asia/Ulaanbaatar
right/Atlantic/Faeroe
right/Atlantic/Madeira
right/Atlantic/St_Helena
right/Atlantic/Stanley
right/Atlantic/Reykjavik
right/Atlantic/Jan_Mayen
right/Australia/Lindeman
right/Australia/West
right/Australia/LHI
right/Australia/Perth
right/Australia/Victoria
right/Australia/ACT
right/Asia/Yerevan
right/Australia/Melbourne
right/Asia/Ujung_Pandang
right/Australia/Lord_Howe
right/Asia/Ulan_Bator
right/Asia/Tokyo
right/Asia/Thimphu
right/Asia/Thimbu
right/Asia/Tehran
right/Asia/Taipei
right/Asia/Singapore
right/Asia/Shanghai
right/Australia/Tasmania
right/Australia/Hobart
right/Australia/North
right/Australia/Darwin
right/Canada/Yukon
right/Canada/Pacific
right/Canada/Saskatchewan
right/Canada/Atlantic
right/Canada/Eastern
right/Chile/EasterIsland
right/Chile/Continental
right/Etc/Universal
right/Etc/GMT+1
right/Etc/GMT+10
right/Etc/GMT+11
right/Etc/GMT+12
right/Etc/GMT+2
right/Etc/GMT+3
right/Etc/GMT+4
right/Etc/GMT+5
right/Etc/GMT+6
right/Etc/GMT+7
right/Etc/GMT+8
right/Etc/GMT+9
right/Etc/GMT-1
right/Etc/GMT-10
right/Etc/GMT-11
right/Etc/GMT-12
right/Australia/Yancowinna
right/Etc/GMT-13
right/Australia/Broken_Hill
right/Etc/GMT-2
right/Asia/Seoul
right/Australia/Queensland
right/Asia/Riyadh89
right/Australia/Brisbane
right/Asia/Riyadh88
right/Australia/South
right/Asia/Riyadh87
right/Australia/NSW
right/Asia/Nicosia
right/Australia/Adelaide
right/Canada/Central
right/Etc/GMT-14
right/Etc/GMT-3
right/Etc/GMT-4
right/Etc/GMT-5
right/Etc/GMT-6
right/Etc/GMT-7
right/Etc/GMT-8
right/Etc/GMT-9
right/Europe/Rome
right/Pacific/Kiritimati
right/Etc/Zulu
right/Europe/London
right/Pacific/Kosrae
right/Etc/GMT+0
right/Europe/Lisbon
right/Pacific/Majuro
right/Etc/UCT
right/Europe/Tiraspol
right/Pacific/Marquesas
right/Etc/UTC
right/Europe/Oslo
right/Pacific/Midway
right/Etc/GMT-0
right/Europe/Chisinau
right/Pacific/Nauru
right/Etc/GMT0
right/Europe/Prague
right/Pacific/Niue
right/Etc/Greenwich
right/Europe/Bratislava
right/Pacific/Norfolk
right/Etc/GMT
right/Europe/Ljubljana
right/Pacific/Noumea
right/EET
right/Europe/Sarajevo
right/Pacific/Palau
right/Europe/Amsterdam
right/Europe/Skopje
right/Pacific/Ponape
right/Europe/Andorra
right/Europe/Zagreb
right/Pacific/Samoa
right/Europe/Athens
right/Europe/Dublin
right/Pacific/Rarotonga
right/Europe/Belfast
right/Europe/Nicosia
right/Pacific/Saipan
right/Europe/Berlin
right/Europe/Belgrade
right/Pacific/Tahiti
right/Europe/Brussels
right/Europe/Istanbul
right/Pacific/Tarawa
right/Europe/Bucharest
right/Indian/Antananarivo
right/Pacific/Tongatapu
right/Europe/Budapest
right/Indian/Chagos
right/Pacific/Truk
right/Europe/Copenhagen
right/Indian/Christmas
right/Pacific/Wake
right/Europe/Gibraltar
right/Indian/Cocos
right/Pacific/Wallis
right/Europe/Helsinki
right/Indian/Comoro
right/Pacific/Yap
right/Europe/Kaliningrad
right/Indian/Kerguelen
right/Pacific/Pitcairn
right/Europe/Kiev
right/Indian/Mahe
right/Pacific/Auckland
right/Europe/Luxembourg
right/Indian/Maldives
right/Pacific/Pago_Pago
right/Europe/Madrid
right/Indian/Mauritius
right/Pacific/Gambier
right/Europe/Malta
right/Indian/Mayotte
right/Pacific/Chatham
right/Europe/Minsk
right/Indian/Reunion
right/Pacific/Kwajalein
right/Europe/Monaco
right/Factory
right/Pacific/Honolulu
right/Europe/Paris
right/Mexico/BajaNorte
right/Pacific/Easter
right/Europe/Riga
right/Mexico/General
right/SystemV/PST8
right/Europe/Samara
right/Mexico/BajaSur
right/SystemV/YST9
right/Europe/Simferopol
right/MET
right/SystemV/HST10
right/Europe/Sofia
right/Mideast/Riyadh89
right/SystemV/CST6
right/Europe/Stockholm
right/Mideast/Riyadh88
right/SystemV/AST4
right/Europe/Tallinn
right/Mideast/Riyadh87
right/SystemV/MST7
right/Europe/Tirane
right/Pacific/Enderbury
right/SystemV/EST5EDT
right/Europe/Uzhgorod
right/Pacific/Apia
right/SystemV/PST8PDT
right/Europe/Vaduz
right/Pacific/Efate
right/SystemV/AST4ADT
right/Europe/Vienna
right/Pacific/Funafuti
right/SystemV/EST5
right/Europe/Vilnius
right/Pacific/Fakaofo
right/Europe/Zaporozhye
right/Pacific/Fiji
right/SystemV/MST7MDT
right/Europe/Zurich
right/Pacific/Port_Moresby
right/Europe/Warsaw
right/Europe/San_Marino
right/Europe/Vatican
right/Europe/Moscow
right/SystemV/CST6CDT
right/SystemV/YST9YDT
right/Pacific/Galapagos
right/US/Indiana-Starke
right/Pacific/Guadalcanal
right/US/Samoa
right/Pacific/Guam
right/US/Hawaii
right/Pacific/Johnston
right/US/Arizona
right/US/Eastern
right/CST6CDT
right/US/Pacific
right/Libya
right/US/East-Indiana
right/Egypt
right/US/Michigan
Navajo
right/US/Mountain
zone.tab
right/US/Central
NZ-CHAT
right/US/Alaska
NZ
right/US/Aleutian
Kwajalein
right/NZ-CHAT
HST
right/WET
Poland
right/Kwajalein
W-SU
right/NZ
GB-Eire
right/Poland
GB
right/HST
Portugal
right/Portugal
Universal
right/W-SU
Zulu
right/GB-Eire
UCT
right/GB
UTC
right/GMT+0
GMT+0
right/Universal
GMT-0
right/Zulu
GMT0
right/UCT
Greenwich
right/UTC
Eire
right/Navajo
Iceland
right/GMT-0
GMT
right/GMT0
Japan
right/Greenwich
Iran
right/Eire
ROC
right/Iran
Singapore
right/GMT
PRC
right/Iceland
ROK
right/Japan
Israel
right/ROC
Turkey
right/Singapore
Hongkong
right/PRC
MST
right/ROK
posixrules
right/Israel
EST5EDT
right/Turkey
PST8PDT
right/Hongkong
Jamaica
right/MST
Cuba
right/EST5EDT
EST
right/PST8PDT
MST7MDT
right/Jamaica
CST6CDT
right/Cuba
Libya
right/EST
Egypt
right/MST7MDT
Appendix N:
DRAC Card Installation (Optional)
Introduction
This document describes installing a DRAC5 card on a Kazeon IS1200 appliance.
It applies only to DRAC5 (not DRAC4) cards and Dell PE1950 hardware.
This appendix is provided for customers who want to use the DRAC card for remote
server control in addition to the IPMI card, and who already have the network
management systems in place to work with DRAC cards. The DRAC can be used in
addition to the IPMI card, but does not replace it. An IS1200 with a DRAC card
installed continues to use its IPMI card for node control.
DRAC Card
Dell™ Remote Access Controller (DRAC) is a systems management hardware and
software solution designed to provide remote management capabilities, crashed
system recovery, and power control functions.
By communicating with the system's Baseboard Management Controller (BMC),
DRAC (when installed) can be configured to send e-mail alerts for warnings or errors
related to voltages, temperatures, intrusion, and fan speeds. DRAC also logs event
data and the most recent crash screen (for systems running the Microsoft Windows
operating system only) to help diagnose the probable cause of a system crash.
The DRAC and IPMI Cards Compared
The BMC interface defined by the IPMI specification is a very rudimentary facility.
The Remote Access Controller (RAC) provides advanced, secured GUI interfaces over
the network for managing the server. See “The Intelligent Platform Management
Interface (IPMI)” on page 51 for more details on the IPMI card.
Installation
Installation Pre-requisite
The hardware platform must be qualified and designed for DRAC and contain
underlying Baseboard Management Controller (BMC) support.
Installation Post-requisite
Refer to the Dell RAC Installation and User Guide for further information. This guide is
delivered with the DRAC hardware. While the Dell guide provides instructions for
installing various software on systems the card is installed in, Kazeon does NOT
support this software, and the IS1200 may not work correctly if it is installed!
Note:
Do NOT install OMSA software on the IS1200!
Installation Instructions
1. Before the card is installed, disconnect the system from AC power.
2. Remove the system top cover to expose the motherboard.
3. Locate the DRAC card installation slot highlighted below in yellow.
4. Install the DRAC5 card in the slot shown above. The card has two connectors that
need to be inserted into adapters on the motherboard.
5. Ensure the Ethernet adapter of the DRAC card is correctly aligned with the slot on
the appliance chassis.
6. Close the cover. Reconnect the power cable and reboot the system.
7. Connect an Ethernet cable to the DRAC. The connection must use a unique IP
address not already in use by the IS1200 eth1 or eth2 connections.
DRAC Configuration
The following configuration instructions are taken from the Dell Support Web Site at:
http://support.dell.com/support/edocs/software/smdrac3/drac5/OM5.1/en/ug/racugc2.htm#wp3869
They are provided here as a time saver, but you should check the website for updates.
1. Connect an Ethernet cable to the DRAC. The connection must use a unique IP
address not already in use by the IS1200 eth1 or eth2 connections.
2. Turn on or restart your system.
3. Press <Ctrl E> when prompted during POST. If your operating system begins to
load before you press <Ctrl E>, allow the boot to finish, then restart and try again.
4. Configure the NIC.
a. Using the down-arrow key, highlight NIC Selection.
b. Using the left-arrow and right-arrow keys, select one of the following NIC
selections:
• Dedicated — Select this option to enable the remote access device to utilize
the dedicated network interface available on the Remote Access Controller
(RAC). This interface is not shared with the host operating system and routes
the management traffic to a separate physical network, enabling it to be
separated from the application traffic. This option is available only if a DRAC
card is installed in the system.
• Shared — Select this option to share the network interface with the host
operating system. The remote access device network interface is fully
functional when the host operating system is configured for NIC teaming. The
remote access device receives data through NIC 1 and NIC 2, but transmits
data only through NIC 1. If NIC 1 fails, the remote access device will not be
accessible.
• Failover — Select this option to share the network interface with the host
operating system. The remote access device network interface is fully
functional when the host operating system is configured for NIC teaming. The
remote access device receives data through NIC 1 and NIC 2, but transmits
data only through NIC 1. If NIC 1 fails, the remote access device fails over to
NIC 2 for all data transmission. The remote access device continues to use
NIC 2 for data transmission. If NIC 2 fails, the remote access device fails over
all data transmission back to NIC 1.
5. Configure the network controller LAN parameters to use DHCP or a Static IP
address source.
a. Using the down-arrow key, select LAN Parameters, and press <Enter>.
b. Using the up-arrow and down-arrow keys, select IP Address Source.
c. Using the right-arrow and left-arrow keys, select DHCP or Static.
d. If you selected Static, configure the Ethernet IP Address, Subnet Mask, and
Default Gateway settings.
e. Press <Esc>.
6. Press <Esc>.
7. Select Save Changes and Exit. The system automatically reboots.
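A pre-flight check for the static LAN parameters entered in step 5, as an added example that is not part of the Kazeon or Dell documentation. It enforces the guide's requirement that the DRAC address is not already used by eth1 or eth2; the function name, the sample addresses, and the Dedicated-mode subnet-overlap warning are assumptions of this example.

```python
import ipaddress

# Constructed sample addresses for the appliance data interfaces (not from the guide).
HOST_NICS = {"eth1": "10.20.0.11/24", "eth2": "10.20.1.11/24"}


def check_drac_plan(drac_ip, netmask, gateway, host_nics, nic_mode="Dedicated"):
    """Validate planned static DRAC LAN parameters; return (errors, warnings)."""
    errors, warnings = [], []
    try:
        drac = ipaddress.ip_interface(f"{drac_ip}/{netmask}")
        gw = ipaddress.ip_address(gateway)
        nics = {n: ipaddress.ip_interface(c) for n, c in host_nics.items()}
    except ValueError as exc:
        return [f"invalid LAN parameter: {exc}"], warnings
    net = drac.network

    # The DRAC needs a usable host address, not the network or broadcast address.
    if net.prefixlen < 31 and drac.ip in (net.network_address, net.broadcast_address):
        errors.append(f"{drac.ip} is the network or broadcast address of {net}")

    # The default gateway must sit on the DRAC's own subnet and differ from it.
    if gw not in net:
        errors.append(f"gateway {gw} is outside {net}")
    elif gw == drac.ip:
        errors.append("gateway and DRAC address are identical")

    for name, nic in sorted(nics.items()):
        if nic.ip == drac.ip:
            # Requirement stated in the guide: the address must be unique.
            errors.append(f"{drac.ip} is already used by {name}")
        elif nic_mode == "Dedicated" and nic.network.overlaps(net):
            # Advisory added by this example: a Dedicated NIC on the same subnet
            # as a data interface does not separate management traffic.
            warnings.append(f"DRAC subnet {net} overlaps {name} subnet {nic.network}")
    return errors, warnings


if __name__ == "__main__":
    plans = [
        ("192.168.50.20", "255.255.255.0", "192.168.50.1"),  # separate management subnet
        ("10.20.0.11", "255.255.255.0", "10.20.0.1"),        # collides with eth1
        ("10.20.0.50", "255.255.255.0", "10.20.1.1"),        # wrong gateway, shared subnet
    ]
    for plan in plans:
        print(plan, check_drac_plan(*plan, HOST_NICS))
```

Errors block the plan; warnings only flag that the Dedicated interface would share a subnet with application traffic.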
Glossary
Assignment Rule
A classification rule that tags files with metadata and assigns files to policy groups.
Authorization Rule
A policy that filters search results to ensure that the assigned files can only be viewed by
authorized users.
Authentication
The process of identifying users based on user name and password to ensure that only
authorized users can access the Kazeon Information Server.
CASID
A unique Kazeon ID for each classified file that the system generates during basic
classification.
Classification Rule
Rules that the system implements during data classification to extract metadata, tag files,
and assign files to policy groups. The two types of classification rules are extraction rules
and assignment rules.
Cluster
A set of one or more Kazeon Information Server appliance nodes. A cluster can contain a
maximum of 8 nodes.
Metadata
Data about data. Metadata is used to search for information and to create reports. Metadata
can be file system or custom metadata that the Kazeon Information Server extracts from
files during classification. File system metadata includes file type and file path extracted
during basic classification. Custom metadata is generated during deep classification.
Data
A file of any type and size such as a short email, a word processor document, or a large
spreadsheet.
Data Classification
The process during which the Kazeon Information Server reads data on the data file
system. During basic classification, the Kazeon Information Server extracts file system
metadata. During deep classification, it extracts custom metadata and assigns files to
policy groups.
Data-Mount
The NFS file system that is accessed by the Kazeon Information Server to parse data and
extract metadata.
Data Server
The file server that exports an NFS or CIFS file system so that the Kazeon Information
Server can classify data on the file system to create metadata.
Data-Share
The CIFS file system to be accessed by the Kazeon Information Server to extract
metadata.
Extended Attributes
User-defined keywords that are extracted during data classification.
Extraction Rule
Extracts user-defined keywords (custom metadata) to add to the metadata file.
Filer
A file server that exports its file systems using NFS or CIFS protocol.
Kaz-mount
The NFS file system that is the Kazeon metadata repository, on which the Kazeon
Information Server stores metadata.
Kaz-server
The file server where the metadata repository is located.
Kaz-share
The CIFS file system on which the Kazeon Information Server stores metadata.
Logging rule
Logging rules audit user actions on files such as file access, creation, modification, and
deletion.
Node
A single Kazeon Information Server appliance.
Policy Group
Associates one or more authorization rules and logging rules with one or more files to
protect information and audit user actions on files.