
Hitachi Content Platform

Administering HCP

MK-95ARC011-21

© 2007–2015 Hitachi Data Systems Corporation. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for any purpose without the express written permission of Hitachi Data Systems Corporation (hereinafter referred to as “Hitachi Data Systems”).

Hitachi Data Systems reserves the right to make changes to this document at any time without notice and assumes no responsibility for its use. This document contains the most current information available at the time of publication. When new and/or revised information becomes available, this entire document will be updated and distributed to all registered users.

Some of the features described in this document may not be currently available. Refer to the most recent product announcement or contact Hitachi Data Systems for information about feature and product availability.

Notice: Hitachi Data Systems products and services can be ordered only under the terms and conditions of the applicable Hitachi Data Systems agreements. The use of Hitachi Data Systems products is governed by the terms of your agreements with Hitachi Data Systems.

By using this software, you agree that you are responsible for: a) Acquiring the relevant consents as may be required under local privacy laws or otherwise from employees and other individuals to access relevant data; and b) Ensuring that data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws.

Hitachi is a registered trademark of Hitachi, Ltd., in the United States and other countries. Hitachi Data Systems is a registered trademark and service mark of Hitachi, Ltd., in the United States and other countries.

Archivas, Essential NAS Platform, HiCommand, Hi-Track, ShadowImage, Tagmaserve, Tagmasoft, Tagmasolve, Tagmastore, TrueCopy, Universal Star Network, and Universal Storage Platform are registered trademarks of Hitachi Data Systems Corporation.

AIX, AS/400, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, ESCON, FICON, FlashCopy, IBM, Lotus, MVS, OS/390, RS6000, S/390, System z9, System z10, Tivoli, VM/ESA, z/OS, z9, z10, zSeries, z/VM, and z/VSE are registered trademarks or trademarks of International Business Machines Corporation.

All other trademarks, service marks, and company names in this document or web site are properties of their respective owners.

Microsoft product screen shots reprinted with permission from Microsoft Corporation.

Notice on Export Controls. The technical data and technology inherent in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.

Contents

Preface......................................................................................................xvii

Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Product version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Syntax notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Related documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Getting help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

1 Introduction to Hitachi Content Platform................................................ 1

About Hitachi Content Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Object-based storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Namespaces and tenants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Data access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Namespace access protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

HCP Namespace Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

HCP metadata query API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

HCP Search Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

HCP Data Migrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Object representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

HCP nodes and storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

General nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Linear scalability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

HCP architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Repository management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Data integrity and security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Data availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Regulatory compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Storage usage optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Network bandwidth usage optimization. . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2 HCP administration.............................................................................. 33

System Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

System Management Console URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Logging in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Using the System Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Refreshing pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Submitting changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Viewing HCP documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Changing your password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Logging out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

HCP administrative responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3 Account administration ........................................................................ 51

About user and group accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Roles and permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Available roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Tenant-level administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Permissions granted by roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

User authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Starter account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Working with user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

About the Users page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Understanding the user account list . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Managing the user account list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Creating a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Modifying a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Deleting a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Working with group accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

About the Groups page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Creating group accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Modifying a group account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Deleting a group account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Changing user account and login settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

4 System-level administration................................................................. 79

About the Overview page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Current service status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Major events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Object count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Capacity and usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Shutting down or restarting HCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Shutting down HCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Restarting HCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

5 Hardware administration...................................................................... 91

About the Hardware page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

About the Nodes page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Monitoring individual HCP General Nodes . . . . . . . . . . . . . . . . . . . . . . . 99

Monitoring individual HCP S Series Nodes . . . . . . . . . . . . . . . . . . . . . . . 99

Modifying HCP S Series Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

About the Switches page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Adding a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

About the Chassis tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

About individual HCP G Series Node pages . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Hardware status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Logical volume usage details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Core hardware details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

File systems on storage devices managed by a node . . . . . . . . . . . . . . 105

IPMI information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Network interface cards (NICs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

File system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Node events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Shutting down or restarting individual nodes. . . . . . . . . . . . . . . . . . . . . . . . . 109

Shutting down an individual node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Restarting an individual node. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

6 Storage administration....................................................................... 113

Storage for HCP systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

About storage components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Primary storage components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Economy storage components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Extended storage components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Amazon S3 storage components . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Google Cloud storage components . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Hitachi Cloud Service storage components . . . . . . . . . . . . . . . . . . . . . 124

Microsoft Azure storage components . . . . . . . . . . . . . . . . . . . . . . . . . 126

S3-compatible storage components . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Verizon Cloud storage components. . . . . . . . . . . . . . . . . . . . . . . . . . . 130

NFS storage components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

About storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Primary storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Economy storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Extended storage pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Amazon S3 storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Google Cloud storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Hitachi Cloud Service storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Microsoft Azure storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

S3-compatible storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Verizon Cloud storage pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

NFS storage pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Storing objects on extended storage tiers . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Considerations for moving objects from primary storage to extended storage . . . 150

Encryption and compression of objects in storage pools . . . . . . . . . . . . . . 152

Working with HCP S Series Node storage components . . . . . . . . . . . . . . . . . . 153

What you need to know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Creating an HCP S Series Node component . . . . . . . . . . . . . . . . . . . . . . . 154

Modifying an HCP S Series Node storage component . . . . . . . . . . . . . . . . 156

Modifying basic component settings . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Modifying advanced component settings. . . . . . . . . . . . . . . . . . . . . . . 157

Working with buckets and accounts on an HCP S Series Node storage component . . . 159

Creating a bucket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Adding an existing bucket to an HCP S Series Node storage component. . . 160

Adding an existing HCP S Series Node user account. . . . . . . . . . . . . . . . . 160

Modifying an HCP S Series Node user account. . . . . . . . . . . . . . . . . . . . . 161

Deleting a HCP S Series Node user account. . . . . . . . . . . . . . . . . . . . . . . 162

Pausing and resuming an HCP S Series Node storage component . . . . . . . . . . 162

Deleting or abandoning an HCP S Series Node storage component . . . . . . . . . 163

Working with extended storage components . . . . . . . . . . . . . . . . . . . . . . . . . 164

Creating an extended storage component . . . . . . . . . . . . . . . . . . . . . . . . 164

Modifying an extended storage component . . . . . . . . . . . . . . . . . . . . . . . 166

Modifying the configuration settings used for an extended storage component. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Adding access points to an extended storage component . . . . . . . . . . . 169

Configuring a new user account for access to an extended storage endpoint . . . 170

Deleting an unused access point from an extended storage component . 171

Deleting an unused user account from an extended storage component 172

Pausing and resuming an extended storage component . . . . . . . . . . . . . . 172

Deleting or abandoning an extended storage component . . . . . . . . . . . . . 173

Deleting an unused extended storage component . . . . . . . . . . . . . . . . 174

Abandoning an extended storage component . . . . . . . . . . . . . . . . . . . 174

Working with economy storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Creating an economy storage pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Modifying an economy storage pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Modifying the configuration settings used for an economy storage pool . 177

Adding buckets to add an economy storage pool . . . . . . . . . . . . . . . . . 177

Deleting buckets from an economy storage pool . . . . . . . . . . . . . . . . . 177

Deleting an economy storage pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Working with extended storage pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Creating an extended storage pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Modifying an extended storage pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Modifying the configuration settings used for an extended storage pool. 182

Adding access points to an extended storage pool . . . . . . . . . . . . . . . . 183

Deleting access points from an extended storage pool . . . . . . . . . . . . . 183

Remounting an NFS volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Deleting an extended storage pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Retiring storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Retiring primary storage devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Before starting a primary storage retirement . . . . . . . . . . . . . . . . . . . . 187

Using the Retire Primary Storage wizard to perform a data migration . . 188

Retiring economy and extended storage pools, components, and volumes . 191

Monitoring storage pools and components . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Monitoring economy and extended storage component and pool usage . . . 195

Monitoring the HCP S Series Node operations . . . . . . . . . . . . . . . . . . . . . 196

About service plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Ingest tier data protection level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Storage tier properties specified in service plans . . . . . . . . . . . . . . . . . . . 199

How HCP uses the information found in service plans . . . . . . . . . . . . . . . 200

Metadata-only storage tiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Rehydration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Default service plan configuration settings . . . . . . . . . . . . . . . . . . . . . . . 204

General considerations for namespace service plans . . . . . . . . . . . . . . . . . . . 204

Object content stored on different types of storage . . . . . . . . . . . . . . . . . 205

Storage allocation for objects on an economy or extended storage tier . . . 205

Service plans and read requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Service plans for tenants and namespaces . . . . . . . . . . . . . . . . . . . . . . . 207

Service plans and replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Considerations for service plans on an upgraded system . . . . . . . . . . . . . . . . 207

Working with service plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Creating a service plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Modifying a service plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Modifying basic configuration settings for a service plan. . . . . . . . . . . . 213

Adding a storage tier to a service plan . . . . . . . . . . . . . . . . . . . . . . . . 213

Removing one or more storage tiers from a service plan . . . . . . . . . . . 215

Assigning a service plan to one or more tenants . . . . . . . . . . . . . . . . . 216

Retiring a service plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Deleting a service plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Storage license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Upload a new storage license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

7 Network administration ...................................................................... 223

About virtual networking with HCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

IP modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Front-end network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Network properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Tagged and untagged networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Network domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Downstream DNS configuration settings for networks . . . . . . . . . . . . . . . 233

Advanced downstream DNS configuration . . . . . . . . . . . . . . . . . . . . . . 235

Network aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Network states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Isolating networks for storage tiering . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Considerations for virtual networking . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

About the Networks page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

About the Network View page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Understanding the network list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Managing the network list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

About the Node View page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Understanding the node list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Managing the node list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

About the All Zone Definitions page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

About the Advanced Settings panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Creating a network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Assigning IP addresses to nodes for a network . . . . . . . . . . . . . . . . . . . . . . . 252

Using the Network View page to configure node IP addresses for a network . . . 252

Using the Node View page to assign network IP addresses to a node . . . . 254

Changing the default downstream DNS configuration settings for a network . . 256

Changing the advanced downstream DNS configuration settings for a network 257

Creating a network alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Viewing and modifying properties of a network or network alias . . . . . . . . . . . 259

Viewing properties of a network or network alias on the Network View page . . . 260

Network and network alias properties displayed on the Settings panel . . 260

Network and network alias properties displayed on the IP Configuration panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Network and network alias properties displayed on the Zone Definitions panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Viewing properties of a network on the Node View page . . . . . . . . . . . . . 264

Viewing the DNS zone definition for a network domain. . . . . . . . . . . . . . . 265

Viewing the DNS zone definition for a specific network. . . . . . . . . . . . . 265

Viewing the DNS zone definitions for all existing networks . . . . . . . . . . 266

Considerations for modifying properties of networks and network aliases. . 267

Modifying a network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Modifying a network on the Network View panel . . . . . . . . . . . . . . . . . 270

Modifying network IP address assignments for a node on the Node View page . . . 272

Modifying a network alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Restarting a network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Deleting a network or network alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

8 Tenant administration ........................................................................ 277

About the Tenants page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Understanding the tenant list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Managing the tenant list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

About the tenant Overview panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Creating a tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Creating an HCP tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

HCP tenant properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

What you do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Creating the default tenant and namespace . . . . . . . . . . . . . . . . . . . . . . 297

Default tenant and namespace properties . . . . . . . . . . . . . . . . . . . . . . 297

What you do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Modifying a tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Accessing the Tenant Management Console for a tenant . . . . . . . . . . . . . . . . 302

Resetting HCP tenant security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Deleting a tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Changing the product branding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Protocol and cloud optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

Setting the default protocol optimization option for new namespaces . . . . 309

Configuring protocol optimization settings for new namespaces . . . . . . . . 309

9 Search administration........................................................................ 311

Configuring search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Metadata query engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

About the metadata query engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Metadata query engine index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Metadata query engine management . . . . . . . . . . . . . . . . . . . . . . . . . 316

Configuring the metadata query engine . . . . . . . . . . . . . . . . . . . . . . . . . 317

Deleting the metadata query engine index . . . . . . . . . . . . . . . . . . . . . . . 318

HDDS search facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

About the HDDS search facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

HDDS search facility index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

HDDS search facility configuration information . . . . . . . . . . . . . . . . . . 319

Configuring the HDDS search facility . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Search facility status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Search facility availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Metadata query engine indexing status

Enabling or disabling the Search Console

10 HCP policies

Retention policy

Shredding policy

Indexing policy

Versioning policy

Custom metadata XML checking policy

11 HCP services

About services

Service types

Service precedence

Metadata storage

Service scheduling

Protection service

Ingest tier data protection level

Protection service processing

Protection service triggers

Content verification service

Content verification service processing

Configuring the content verification service

Scavenging service

Shredding service

Shredding service processing

Sending shredding messages to syslog servers

Understanding shredding statistics

Changing shredding settings

Duplicate elimination and shredding

Shredding service trigger

Compression service

Compression service processing

Understanding compression statistics

Changing compression settings

What you do

Exclusion criteria

Duplicate elimination service

Duplicate elimination service processing

Understanding duplicate elimination statistics

Disposition service

Garbage collection service

Garbage collection service processing

Object deletions

Transaction log cleanup

Other garbage collection service functions

Configuring the garbage collection service

Capacity balancing service

Capacity balancing service processing

Maintaining capacity balance

Storage tiering service

Moving copies of objects among storage tiers

Maintaining the correct number of object copies on each tier

Making objects metadata-only

Storage tiering service processing

Understanding storage tiering statistics

Migration service

Considerations for migrations on RAIN systems

Target storage requirements for SAIN systems

Migration procedure

Migration page

Configuring a data migration

Configuring a migration on a RAIN system

Configuring a migration on a SAIN system

Monitoring a data migration

Information about the current data migration

Information about the last data migration

Managing a data migration

Changing the performance level

Pausing or resuming a migration

Canceling a migration

Scheduling services

How scheduled services work

About the Service Schedule page

Service legend

Schedule grid

Service log messages

Service schedule considerations

Creating a service schedule

Modifying a service schedule

Adding a time period

Modifying a time period

Deleting a time period

Setting the active service schedule

Deleting a service schedule

12 System security

Setting network security

Managing domains and SSL server certificates

About domains

Domain names

Domains and DNS

About SSL server certificates

Certificates for domains

Common names

Certificate selection

About the Domains and Certificates page

Managing the domain list

Understanding the certificate list for a domain

Creating a domain

Adding a certificate to a domain

Creating a certificate signing request

Downloading a CSR

Installing the certificate returned for an HCP-generated CSR

Installing a certificate created outside HCP

Deleting a certificate or CSR

Deleting a domain

Controlling access to the System Management Console

Adding and removing entries in Allow and Deny lists

Valid Allow and Deny list entries

Allow and Deny list handling

Controlling access to HCP through the management API

Controlling access to the Search Console for the default tenant

Configuring Active Directory or Windows workgroup support

About Active Directory

User authentication with Active Directory

HCP configuration for Active Directory support

Considerations for the information you need to supply

Service principal name attributes for HCP

Considerations for using Active Directory with HCP

Configuring support for Active Directory

Configuring support for Windows workgroups

Clearing the Active Directory cache

Configuring connections to RADIUS servers

Understanding the RADIUS server list

Adding a RADIUS server

Testing the connection to a RADIUS server

Modifying a RADIUS server

Reordering RADIUS servers

Deleting a RADIUS server

Setting the systemwide permission mask

13 System monitoring

Understanding the HCP system log

Viewing the complete event log

Viewing the system security log

Understanding log messages

Managing the message list

Configuring syslog logging

Log messages sent to syslog servers

Enabling syslog logging

Testing syslog connections

Configuring SNMP

Log messages sent to SNMP managers

Enabling SNMP

Testing SNMP connections

Viewing and downloading the HCP-MIB.txt file

Using SNMP to view or change HCP settings

Configuring email notification

Enabling email notification

Specifying the email server

Testing the connection to the email server

Constructing the email message template

Email template variables

Restoring the default template

Specifying email recipients

Understanding the recipients list

Adding, modifying, and deleting rows in the recipients list

Monitoring resources

About the resource usage graphs

CPU

Logical volumes

Memory

Networks

Managing the resource usage graphs

Switching graphs

Setting the scope

Zooming

Viewing details for a point in time

Specifying a time period

Scrolling

Viewing system log messages on the Resources page

Generating chargeback reports

About chargeback reports

Generating a chargeback report

Chargeback statistics collection

Chargeback report content

Sample chargeback report

Configuring the Hitachi Device Manager connection

14 Troubleshooting

Running diagnostics

ping

traceroute

dig

route

showmount

fchbainfo

Working with the HCP internal logs

Adding a comment to the internal logs

Downloading the internal logs for one or more storage nodes

A System Management Console alerts

Overview page alerts

Hardware page alerts

Storage Node page alerts

Storage page alerts

Networks page alerts

Tenants page alerts

Domains and Certificates page alerts

Authentication page alerts

B HCP system log messages

C Zero-copy failover behavior

Storage setup for zero-copy failover

Failing over and failing back

D SNMP MIB support

Supported standard MIB files

Walking the MIB

E Configuring DNS for HCP

DNS advantages

Zones

Secondary zones and stub zones

Configuring an HCP secondary zone or stub zone in Windows

Configuring an HCP secondary zone in Windows

Configuring an HCP stub zone in Windows

Configuring an HCP secondary zone or stub zone in Unix

Verifying the configuration

DNS considerations for service by remote systems

F Configuring Active Directory to support HCP

Prerequisites for configuring support for HCP in AD

Required permissions for Active Directory Domain

Step 1 (optional): Create the SSL certificate

Step 2 (conditional): Export the SSL certificate

Step 3: Create the AD group

Step 4: Give the AD group permissions for the OU or CN for the HCP computer accounts

Step 5: Create the AD user account

Step 6: Create the reverse lookup zone for the AD domain

Step 7: Configure support for AD in HCP

G Browser configuration for single sign-on with Active Directory

H SSL server certificate providers

Glossary

Index

Preface

This book explains how to use Hitachi Content Platform (HCP) to monitor and manage a digital object repository. It discusses the capabilities of the HCP system, as well as its hardware and software components. The book presents both the concepts and instructions you need to configure the system, including creating the tenants that administer access to the repository. It also covers the processes that maintain the integrity and security of the repository contents.

Note: Throughout this book, the word Unix is used to represent all UNIX®-like operating systems (such as UNIX itself or Linux®), except where Linux is specifically required.

Intended audience

This book is intended for system administrators who configure, monitor and manage HCP systems. It assumes you are familiar with your client operating system and the web browser you use to run the HCP System Management Console.

Product version

This book applies to release 7.1 of HCP.

Syntax notation

The table below describes the conventions used for the syntax of commands, expressions, URLs, and object names in this book.

Notation: boldface
Meaning: Type exactly as it appears in the syntax (if the context is case insensitive, you can vary the case of the letters you type)

Notation: italics
Meaning: Replace with a value of the indicated type
Example (boldface and italics): This book shows: https://admin.hcp-domain-name:8000
You enter: https://admin.hcp-ma.example.com:8000

Notation: |
Meaning: Vertical bar — Choose one of the elements on either side of the bar, but not both
Example: This book shows: dig|nslookup
You enter: dig
or: nslookup

Notation: [ ]
Meaning: Square brackets — Include none, one, or more of the elements between the brackets
Example: This book shows: [/namespace-directory-path/] object-name-pattern
You enter: /corporate/hr/benefits/*.ppt
or: *.ppt

Notation: ( )
Meaning: Parentheses — Include exactly one of the elements between the parentheses
Example: This book shows: (admin|nfs|cifs|www)
You enter: admin
or: nfs
or: cifs
or: www

Notation: -path
Meaning: Replace with a directory path with no file or object name
Example: This book shows: /namespace-directory-path
You enter: /corporate/employees

Related documents

The following documents contain additional information about Hitachi Content Platform:

Managing a Tenant and Its Namespaces — This book contains complete information for managing the HCP tenants and namespaces created in an HCP system. It provides instructions for creating namespaces, setting up user accounts, configuring the protocols that allow access to namespaces, managing search and indexing, and downloading installation files for HCP Data Migrator. It also explains how to work with retention classes and the privileged delete functionality.

Managing the Default Tenant and Namespace — This book contains complete information for managing the default tenant and namespace in an HCP system. It provides instructions for changing tenant and namespace settings, configuring the protocols that allow access to the namespace, managing search and indexing, and downloading installation files for HCP Data Migrator. It also explains how to work with retention classes and the privileged delete functionality.

Replicating Tenants and Namespaces — This book covers all aspects of tenant and namespace replication. Replication is the process of keeping selected tenants and namespaces in two or more HCP systems in sync with each other to ensure data availability and enable disaster recovery. The book describes how replication works, contains instructions for working with replication links, and explains how to manage and monitor the replication process.

HCP Management API Reference — This book contains the information you need to use the HCP management API. This RESTful HTTP API enables you to create and manage tenants and namespaces programmatically. The book explains how to use the API to access an HCP system, specify resources, and update and retrieve resource properties.

Using a Namespace — This book describes the properties of objects in HCP namespaces. It provides instructions for accessing namespaces by using the HTTP, WebDAV, CIFS, and NFS protocols for the purpose of storing, retrieving, and deleting objects, as well as changing object metadata such as retention and shred settings. It also explains how to manage namespace content and view namespace information in the Namespace Browser.

Using the HCP HS3 API — This book contains the information you need to use the HCP HS3 API. This S3™-compatible, RESTful, HTTP-based API enables you to work with buckets and objects in HCP. The book introduces the HCP concepts you need to understand in order to use HS3 effectively and contains instructions and examples for each of the bucket and object operations you can perform with HS3.

Using the HCP OpenStack Swift API — This book contains the information you need to use the HCP OpenStack Swift API. This S3™-compatible, RESTful, HTTP-based API enables you to work with containers and objects in HCP. The book introduces the HCP concepts you need to understand in order to use HSwift effectively and contains instructions and examples for each of the container and object operations you can perform with HSwift.

Using the Default Namespace — This book describes the file system HCP uses to present the contents of the default namespace. It provides instructions for accessing the namespace by using the HCP-supported protocols for the purpose of storing, retrieving, and deleting objects, as well as changing object metadata such as retention and shred settings.

HCP Metadata Query API Reference — This book describes the HCP metadata query API. This RESTful HTTP API enables you to query namespaces for objects that satisfy criteria you specify. The book explains how to construct and perform queries and describes query results. It also contains several examples, which you can use as models for your own queries.

Searching Namespaces — This book describes the HCP Search Console (also called the Metadata Query Engine Console). It explains how to use the Console to search namespaces for objects that satisfy criteria you specify. It also explains how to manage and manipulate queries and search results. The book contains many examples, which you can use as models for your own searches.

Using HCP Data Migrator — This book contains the information you need to install and use HCP Data Migrator (HCP-DM), a utility that works with HCP. This utility enables you to copy data between local file systems, namespaces in HCP, and earlier HCAP archives. It also supports bulk delete operations and bulk operations to change object metadata. Additionally, it supports associating custom metadata and ACLs with individual objects. The book describes both the interactive window-based interface and the set of command-line tools included in HCP-DM.

Installing an HCP System — This book provides the information you need to install the software for a new HCP system. It explains what you need to know to successfully configure the system and contains step-by-step instructions for the installation procedure.

Deploying an HCP-VM System — This book contains all the information you need to install and configure an HCP-VM system. The book also includes requirements and guidelines for configuring the VMware® environment in which the system is installed.

Third-Party Licenses and Copyrights — This book contains copyright and license information for third-party software distributed with or embedded in HCP.

HCP-DM Third-Party Licenses and Copyrights — This book contains copyright and license information for third-party software distributed with or embedded in HCP Data Migrator.

Installing an HCP SAIN System — Final On-site Setup — This book contains instructions for deploying an assembled and configured single-rack HCP SAIN system at a customer site. It explains how to make the necessary physical connections and reconfigure the system for the customer computing environment. It also contains instructions for configuring Hi-Track® Monitor to monitor the nodes in an HCP system.

Installing an HCP RAIN System — Final On-site Setup — This book contains instructions for deploying an assembled and configured HCP RAIN system at a customer site. It explains how to make the necessary physical connections and reconfigure the system for the customer computing environment. The book also provides instructions for assembling the components of an HCP RAIN system that was ordered without a rack and for configuring Hi-Track Monitor to monitor the nodes in an HCP system.

Getting help

The Hitachi Data Systems® customer support staff is available 24 hours a day, seven days a week. If you need technical support, call:

• United States: (800) 446-0744

• Outside the United States: (858) 547-4526

Note: If you purchased HCP from a third party, please contact your authorized service provider.

Comments

Please send us your comments on this document:

[email protected]

Include the document title, number, and revision, and refer to specific sections and paragraphs whenever possible. All comments become the property of Hitachi Data Systems.

Thank you!

1 Introduction to Hitachi Content Platform

Hitachi Content Platform (HCP) is a distributed storage system designed to support large, growing repositories of fixed-content data. An HCP system consists of both hardware (physical or virtual) and software.

HCP stores objects that include both data and metadata that describes that data. HCP distributes these objects across the storage space. HCP represents objects either as URLs or as files in a standard file system.

An HCP repository is partitioned into namespaces. Each namespace consists of a distinct logical grouping of objects with its own directory structure. Namespaces are owned and managed by tenants.

HCP provides access to objects through a variety of industry-standard protocols, as well as through various HCP-specific interfaces.

This chapter:

• Contains an overview of Hitachi Content Platform

• Describes the HCP hardware architectures

• Highlights some of the product features

About Hitachi Content Platform

Hitachi Content Platform is the distributed, fixed-content, data storage system from Hitachi Data Systems®. HCP provides a cost-effective, scalable, easy-to-use repository that can accommodate all types of data, from simple text files to medical images to multigigabyte database images.

A fixed-content storage system is one in which the data cannot be modified. HCP uses write-once, read-many (WORM) storage technology and a variety of policies and services to ensure the integrity of the stored data and the efficient use of storage capacity. HCP also provides easy access to the repository for adding, retrieving, and deleting or shredding data.

HCP has an open architecture that insulates stored data from technology changes, as well as from changes in HCP itself due to product enhancements. This open architecture ensures that users will have access to their data long after it’s been added to the repository.

HCP runs on a networked redundant array of independent nodes (RAIN) or on a SAN-attached array of independent nodes (SAIN). SAN stands for storage area network.

RAIN systems use the internal storage in each node. SAIN systems use the storage in Fibre Channel SAN arrays.

HCP 300 systems use a RAIN configuration. HCP 500 systems use a SAIN configuration. To optimize performance, nodes in an HCP 500 system can have internal storage in addition to being connected to SAN storage.

HCP-VM systems (called VM systems) run on virtual machines in a VMware® environment. In this environment, HCP functions mostly as a RAIN system, with the virtual storage emulating internal storage.

Object-based storage

HCP stores objects in a repository. Each object permanently associates data HCP receives (for example, a document, an image, or a movie) with information about that data, called metadata.

An object encapsulates:

• Fixed-content data — An exact digital reproduction of data as it existed before it was stored in HCP. Once it’s in the repository, this fixed-content data cannot be modified.

• System metadata — System-managed properties that describe the fixed-content data (for example, its size and creation date). System metadata includes policies, such as retention and data protection level, that influence how transactions and services affect the object.

For information on policies, see Chapter 10, “HCP policies,” on page 327. For information on services, see Chapter 11, “HCP services,” on page 331.

• Custom metadata — Optional metadata that a user or application provides to further describe the object. Custom metadata is specified as one or more annotations, where each annotation is a discrete unit of information about the object. Annotations are typically specified in XML format.

You can use custom metadata to create self-describing objects. Users and applications can use this metadata to understand and repurpose object content.

• Access control list (ACL) — Optional metadata consisting of a set of grants of permissions to perform various operations on the object. Permissions can be granted to individual users or to groups of users. ACLs are provided by users or applications and are specified in either XML or JSON format.

HCP also stores directories and symbolic links. These items have system metadata but no fixed-content data, custom metadata, or ACLs.

HCP can store multiple versions of an object, thus providing a history of how the data has changed over time. Each version is a separate object, with its own system metadata and, optionally, its custom metadata and ACL.

HCP supports appendable objects. An appendable object is one to which data can be added after it has been successfully stored. Appending data to an object does not modify the original fixed-content data, nor does it create a new version of the object. Once the new data is added to the object, that data also cannot be modified.


Namespaces and tenants

An HCP repository is partitioned into namespaces. A namespace is a logical grouping of objects such that the objects in one namespace are not visible in any other namespace.

Namespaces provide a mechanism for separating the data stored for different applications, business units, or customers. For example, you could have one namespace for accounts receivable and another for accounts payable.

Namespaces also enable operations to work against selected subsets of objects. For example, you could perform a query that targets the accounts receivable and accounts payable namespaces but not the employees namespace.

Namespaces share the same underlying physical storage. This, together with the multitenancy feature described under “Tenants” below, enables HCP to provide support for cloud storage services.

HCP and default namespaces

An HCP system can have a maximum of 10,000 locally defined namespaces, including one special namespace called the default namespace. Applications are typically written against namespaces other than the default; these namespaces are called HCP namespaces. The default namespace is most often used with applications that existed before release 3.0 of HCP.

Note: Replication can cause an HCP system to have more than 10,000 namespaces. For information on replication, see Replicating Tenants and Namespaces.

The table below outlines the major differences between HCP namespaces and the default namespace.

Feature | HCP namespaces | Default namespace

Storage usage quotas
Object ownership (not related to POSIX UID)
Access control lists (ACLs) for objects
Object versioning
Multiple custom metadata annotations
Namespace ownership by users
RESTful HTTP/HTTPS API for data access
Non-RESTful HTTP/HTTPS protocol for data access
Data access authentication with HTTP/HTTPS
RESTful HS3 API for data access (compatible with Amazon® S3)
NDMP protocol for backup and restore

Tenants

Namespaces are owned and managed by administrative entities called tenants. A tenant typically corresponds to an organization, such as a company or a division or department within a company.

HCP supports two types of tenants:

• HCP tenants, which own HCP namespaces. An HCP system can have multiple HCP tenants, each of which can own multiple namespaces. You can limit the number of namespaces each HCP tenant can own.

In addition to being owned by a tenant, each HCP namespace can have an owner that corresponds to an individual HCP user. The owner of a namespace automatically has permission to perform certain operations on that namespace.

• The default tenant, which owns the default namespace and only that namespace. An HCP system can have only one default tenant.

An HCP system can have a maximum of 1,000 locally defined tenants, including the default tenant.

Note: Replication can cause an HCP system to have more than 1,000 tenants. For information on replication, see Replicating Tenants and Namespaces.

An HCP system has both system-level and tenant-level administrators:

• System-level administrators are concerned with monitoring the HCP system hardware and software, monitoring overall repository usage, configuring features that apply across the HCP system, and managing system-level users.

• Tenant-level administrators are concerned with monitoring namespace usage at the tenant and namespace level, configuring individual tenants and namespaces, managing tenant-level users, and controlling access to namespaces.

System-level administrators create tenants. Tenant-level administrators create HCP namespaces. The default namespace is created automatically when the default tenant is created.

Note: You can create the default tenant and namespace only if allowed to do so by the system configuration.

Data access methods

HCP supports access to namespace content through:

• Namespace access protocols

• The HCP Namespace Browser

• The HCP metadata query API

• The HCP Search Console

• HCP Data Migrator

Namespace access protocols

HCP supports access to namespace content through several industry-standard protocols:

• For HCP namespaces only:

– A RESTful HTTP API (simply referred to as HTTP in the HCP documentation).

– HS3, which is a RESTful, HTTP-based API that’s compatible with Amazon S3. With HS3, namespaces are called buckets.

– HSwift, which is a RESTful, HTTP-based API that’s compatible with OpenStack Swift. With HSwift, namespaces are called containers.

• For the default namespace only, a non-RESTful implementation of HTTP

• For all namespaces:


– WebDAV

– CIFS

– NFS

These protocols support various operations: storing data, creating directories, viewing object data and metadata, viewing directories, modifying certain metadata, and deleting objects. You can use these protocols to access data with a web browser, third-party applications, Windows® Explorer, and other native Windows and Unix tools.

HCP allows special-purpose access to namespaces through the SMTP protocol. This protocol is used only for storing email.

For backup of the default namespace, HCP supports the NDMP protocol. Objects are backed up in OpenPGP format, which uses a tar file to package the files that represent an object. This standard format, which can be both signed and encrypted, allows backup objects to be restored to other storage systems.

HCP tenant administrators can create secure namespaces by enabling only the HTTP and CIFS protocols, configured to require authentication, and the HS3 and HSwift APIs, which always require authentication.

HCP Namespace Browser

The HCP Namespace Browser lets you manage content in and view information about HCP namespaces. With the Namespace Browser, you can:

• List, view, and retrieve objects, including old versions of objects

• View custom metadata and ACLs for objects, including old versions of objects

• Store and delete objects

• Create empty directories

• Display namespace information, including:

– The namespaces that you own or can access

– Retention classes available for a given namespace


– Permissions for namespace access

– Namespace statistics such as the number of objects in a given namespace or the total capacity of the namespace

The Namespace Browser is not available for the default namespace. However, you can use a web browser to view the contents of that namespace.

For information on using the Namespace Browser, see Using a Namespace.

HCP metadata query API

The HCP metadata query API lets you search HCP for objects that meet specified criteria. The API supports two types of queries:

• Object-based queries search for objects based on object metadata. This includes both system metadata and the content of custom metadata and ACLs. The query criteria can also include the object location (that is, the namespace and/or directory that contains the object). These queries use a robust query language that lets you combine search criteria in multiple ways.

Object-based queries search only for objects that currently exist in the repository. For objects with multiple versions, object-based queries return only the current version.

• Operation-based queries search not only for objects currently in the repository but also for information about objects that have been deleted by a user or application, deleted through disposition, purged, or pruned. For namespaces that support versioning, operation-based queries can return both current and old versions of objects.

Criteria for operation-based queries can include object status (for example, created or deleted), change time, index setting, and location.

The metadata query API returns object metadata only, not object data. The metadata is returned either in XML format, with each object represented by a separate element, or in JSON format, with each object represented by a separate name/value pair. For queries that return large numbers of objects, you can use paged requests.


For information on using the metadata query API, see HCP Metadata Query API Reference.

HCP Search Console

The HCP Search Console is an easy-to-use web application that lets you search for and manage objects based on specified criteria. For example, you can search for objects that were stored before a certain date or that are larger than a specified size. You can then delete the objects listed in the search results or prevent those objects from being deleted. Similar to the metadata query API, the Search Console returns only object metadata, not object data.

By offering a structured environment for performing searches, the Search Console facilitates e-discovery, namespace analysis, and other activities that require the user to examine the contents of namespaces. From the Search Console, you can:

• Open objects

• Perform bulk operations on objects

• Export search results in standard file formats for use as input to other applications

• Publish feeds to make search results available to web users

The Search Console works with either of these two search facilities:

• The HCP metadata query engine — This facility is integrated with HCP and works internally to perform searches and return results to the Search Console. The metadata query engine is also used by the metadata query API.

Note: When working with the metadata query engine, the Search Console is called the Metadata Query Engine Console.

• The Hitachi Data Discovery Suite (HDDS) search facility — This facility interacts with HDDS, which performs searches and returns results to the HCP Search Console. To use the HDDS search facility, you need to first install and configure HDDS, which is a separate product from HCP. The HDDS search facility works only with version 2.x of HDDS.

Note: Currently, HDDS does not support the use of IPv6 networks for communication with HCP.

The Search Console can use only one search facility at any given time. The search facility is selected at the HCP system level. If no facility is selected, the HCP system does not support use of the Search Console to search namespaces.

Each search facility maintains its own index of objects in each search-enabled namespace and uses this index for fast retrieval of search results. The search facilities automatically update their indexes to account for new and deleted objects and changes to object metadata.

For more information on the search facilities, see Chapter 9, “Search administration,” on page 311. For information on using the Search Console, see Searching Namespaces.

HCP Data Migrator

HCP Data Migrator (HCP-DM) is a high-performance, multithreaded, client-side utility for viewing, copying, and deleting data. With HCP-DM, you can:

• Copy objects, files, and directories between the local file system, HCP namespaces, default namespaces, and earlier HCAP archives

• Delete individual objects, files, and directories and perform bulk delete operations

• View the content of current and old versions of objects and the content of files

• Purge all versions of an object

• Rename files and directories on the local file system

• View object, file, and directory properties

• Change system metadata for multiple objects in a single operation

• Add, replace, or delete custom metadata for objects


• Add, replace, or delete ACLs for objects

• Create empty directories

HCP-DM has both a graphical user interface (GUI) and a command-line interface (CLI).

For information on downloading HCP-DM, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace. For information on installing and using HCP-DM, see Using HCP Data Migrator.

Object representation

HCP represents objects differently based on the namespace access protocol the client is using.

Object representation with the RESTful HTTP API

With the RESTful HTTP API, HCP represents each object as a URL. The root of the object path in the URL is always rest.

Here’s an example of the URL for an object named wind.jpg in the images directory in a namespace named climate in a tenant named geo in an HCP system named hcp.example.com:

http://climate.geo.hcp.example.com/rest/images/wind.jpg

Users and applications represent system metadata and identify custom metadata by using query parameters appended to the URLs. HCP returns system metadata in HTTP response headers and returns custom metadata in the format in which it was originally specified.

For more information on object representation with the RESTful HTTP API, see Using a Namespace.

Object representation with the HS3 API

With the HS3 API, HCP represents each object as a URL. The exact format of this URL depends on how the application used to access the object handles user authentication.

HS3 does not have the concept of directories. Slashes in object names are simply part of the name and are not directory separators. Thus, objects in HS3 do not have paths.

Here’s an example of one of the possible URLs for an object named images/wind.jpg in a namespace named climate in a tenant named geo in an HCP system named hcp.example.com:

http://climate.geo.hcp.example.com/hs3/images/wind.jpg

Users and applications represent system and custom metadata by using HTTP request headers. HCP returns system and custom metadata in HTTP response headers.

For more information on object representation with the HS3 API, see Using the HCP HS3 API.

Object representation with the HSwift API

With the HSwift API, HCP represents each object as a URL. The exact format of this URL depends on how the application used to access the object handles user authentication.

HSwift does not have the concept of directories. Slashes in object names are simply part of the name and are not directory separators. Thus, objects in HSwift do not have paths.

Here’s an example of one of the possible URLs for an object named images/fire.jpg in a namespace named climate in a tenant named geo in an HCP system named hcp.example.com:

http://api.climate.geo.hcp.example.com/swift/v1/geo/climate/images/fire.jpg

Users and applications represent system and custom metadata by using HTTP request headers. HCP returns system and custom metadata in HTTP response headers.

For more information on object representation with the HSwift API, see Using the HCP OpenStack HSwift API.
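The three URL forms shown above can be mapped back to tenant, namespace, and object name, for instance when attributing access-log entries to a namespace. The following Python sketch is an added example, not code from the HCP documentation; it recognizes only the URL shapes shown in this chapter, and the function name, the returned field names, and the `tls` flag are assumptions of the example.

```python
from urllib.parse import unquote, urlsplit

# System name taken from the chapter's examples; pass your own to parse_object_url().
SYSTEM_DOMAIN = "hcp.example.com"

API_NAMES = {"rest": "RESTful HTTP", "hs3": "HS3", "swift": "HSwift"}


def parse_object_url(url, system_domain=SYSTEM_DOMAIN):
    """Map a REST, HS3 or HSwift object URL to tenant, namespace and object name.

    Only the three URL shapes shown in the text are recognized. Anything else
    raises ValueError so that a caller never acts on a guessed namespace.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")

    host = (parts.hostname or "").lower()
    suffix = "." + system_domain.lower()
    if not host.endswith(suffix):
        raise ValueError(f"host {host!r} is not in system {system_domain!r}")
    labels = host[: -len(suffix)].split(".")

    # "/rest/images/wind.jpg" -> ["rest", "images", "wind.jpg"]
    # Split on "/" before decoding so an encoded slash stays inside its segment.
    segments = [unquote(s) for s in parts.path.split("/")[1:]]
    root, rest = (segments[0], segments[1:]) if segments else ("", [])

    if root in ("rest", "hs3"):
        # Host has the form <namespace>.<tenant>.<system>
        if len(labels) != 2:
            raise ValueError("expected <namespace>.<tenant> in front of the system name")
        namespace, tenant = labels
    elif root == "swift":
        # Path has the form /swift/v1/<tenant>/<namespace>/<object name>
        if len(rest) < 3 or rest[0] != "v1":
            raise ValueError("expected /swift/v1/<tenant>/<namespace>/<object>")
        tenant, namespace, rest = rest[1], rest[2], rest[3:]
    else:
        raise ValueError(f"unrecognized API root: {root!r}")

    if not rest or not rest[-1]:
        raise ValueError("URL does not name an object")

    if root == "rest":
        # The RESTful HTTP API has directories: the last segment is the name.
        directory, name = "/".join(rest[:-1]), rest[-1]
    else:
        # HS3 and HSwift have no directories: slashes are part of the name.
        directory, name = None, "/".join(rest)

    return {
        "api": API_NAMES[root],
        "tenant": tenant,
        "namespace": namespace,
        "directory": directory,
        "name": name,
        "tls": parts.scheme == "https",  # False for the plain-HTTP example URLs
    }


if __name__ == "__main__":
    for example in (
        "http://climate.geo.hcp.example.com/rest/images/wind.jpg",
        "http://climate.geo.hcp.example.com/hs3/images/wind.jpg",
        "http://api.climate.geo.hcp.example.com/swift/v1/geo/climate/images/fire.jpg",
    ):
        print(parse_object_url(example))
```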

Object representation with other namespace access protocols

For namespace access protocols other than the RESTful HTTP and HS3 APIs, HCP includes a standard POSIX file system called HCP-FS that represents each object as a set of files. One of these files has the same name as the object. This file contains the fixed-content data. When downloaded or opened, this file has the same content as the originally stored item.

The other files that HCP-FS presents contain object metadata. These files, most of which are plain text, are called metafiles.

For the WebDAV, CIFS, and NFS protocols in HCP namespaces, all files containing fixed-content data are in a directory hierarchy headed by data. All metafiles are in a directory hierarchy headed by metadata.

For the HTTP, WebDAV, CIFS, and NFS protocols in the default namespace, all files containing fixed-content data are in a directory hierarchy headed by fcfs_data. All metafiles are in a directory hierarchy headed by fcfs_metadata.

With this view of objects as conventional files and directories, HCP supports routine file-level calls and enables users and applications to find fixed-content data in familiar ways.

For more information on object representation with protocols other than the RESTful HTTP and HS3 APIs, see Using a Namespace or Using the Default Namespace.

HCP nodes and storage

An HCP system includes multiple nodes that are networked together, where each node is either an individual server, a blade in a blade server, or a virtual machine. Each physical node can have multiple internal drives and/or can connect to SAN storage. Each virtual node emulates a server that has only internal drives.

The physical storage that’s managed by the nodes in the HCP system is called primary storage. By default, primary storage consists entirely of running storage, which is storage on continuously spinning disks.

However, an HCP SAIN system can be configured to use SAN storage that includes both running storage and spindown storage, which is storage on disks that can be spun up or spun down as needed. HCP uses primary spindown storage for tiering purposes.

You can also add HCP S Series Nodes to an HCP system for tiering purposes. HCP S Series Nodes are highly efficient, highly available, cost-effective storage devices that support very large amounts of data. An S Series Node uses commodity hardware, which ensures that the costs of growth and repair remain low. To protect data, S Series Nodes use erasure coding. S Series Nodes also use several internal processes to continuously check the integrity of the stored data and the storage media.

HCP S Series Nodes serve as storage tiering platforms, known as economy storage, for HCP systems. HCP uses the S Series HS3 API, which is compatible with Amazon® S3™, to write, retrieve, and otherwise manage objects in an S Series Node. A single HCP system can seamlessly tier data across multiple S Series Nodes, thereby enabling scalability in both capacity and performance.


Additionally, for tiering purposes HCP systems can be configured to use storage that’s managed by devices outside the HCP system. This type of storage is called extended storage.

Each node has its own set of logical volumes. Logical volumes on storage managed by HCP are local storage volumes. Logical volumes can also be NFS volumes (also called external volumes). These are volumes that are stored on extended storage and are accessed using NFS mount points. For more information on NFS volumes, see “NFS storage components” on page 133.

General nodes

General nodes are the core components of an HCP system. These nodes manage the objects that reside in HCP system storage. To ensure data integrity and continuous availability in case of a hardware or software failure, HCP uses RAID technology for its primary storage and can also be configured to store the data and metadata for each object in multiple locations.

Each storage node runs all the HCP software. The nodes work together to serve both as a repository manager and as a gateway that enables access to the data in the repository.

All runtime operations are distributed among the storage nodes, thereby ensuring reliability and performance as capacity grows. If a node fails, the HCP system adapts by redirecting processing to other nodes, so the stored data remains available to users.

Linear scalability

A repository can accumulate a great deal of data over time. To accommodate more data, you can add nodes and storage to HCP. HCP capacity can grow smoothly from hundreds of gigabytes to terabytes to petabytes.

Because HCP uses a distributed processing scheme, primary storage in the HCP system can scale linearly as the repository grows in size and in the number of clients that have access to it. When you install HCP on new nodes, the system automatically integrates those nodes into the overall workflow, without manual intervention.


HCP architecture

HCP hardware consists of:

• Servers

• Internal and/or SAN storage

• Networking components such as cables and switches

• Additional infrastructure items such as racks and power distribution units

HCP uses both back-end and front-end networks. The isolated back-end network connects the HCP nodes to each other through two redundant back-end Ethernet switches. Each node has a pair of bonded Ethernet ports that are used to connect the node to these switches.

Each storage node is configured with an additional pair of bonded Ethernet ports that allows external applications to access the system. The recommended configuration options are:

• Two independent Ethernet switches that connect the ports to the front-end network

• One Ethernet switch, with both HCP and the switch configured for active-active bonding

Note: For VM systems, this hardware configuration applies to the physical environment in which HCP-VM runs.


RAIN system architecture

The figure below shows the architecture of an HCP system that uses internal storage. This system has four storage nodes, two back-end switches (on the left), and two front-end switches (on the right).

The table below describes the cables in this figure.

Cable | Connects from | Connects to
Red and blue Ethernet | Back-end network interface cards (NICs) in each node | Back-end switches
Green and yellow Ethernet | Front-end NICs in each node | Front-end switches
Purple Ethernet | Back-end switches | Each other
Black power | Each node | Two PDUs
Black power | Each back-end switch | One PDU


SAIN system architecture

The figure below shows the architecture of an HCP system that uses a Fibre Channel SAN array. This system has four storage nodes, two modular storage trays, two back-end switches (on the left), and two front-end switches (on the right). Each node has multipathed access to the shared SAN storage.

The table below describes the cables in this figure.

Cable | Connects from | Connects to
Red and blue Ethernet | Back-end NICs in each node | Back-end switches
Green and yellow Ethernet | Front-end NICs in each node | Front-end switches
Purple Ethernet | Back-end switches | Each other
Orange Fibre Channel | Each node | SAN array
Black power | Each node | Two PDUs
Black power | Each back-end switch | One PDU
Black power | Each storage tray | Two PDUs


Notes:

• Nodes in HCP SAIN systems are either individual servers or individual blades in blade servers. The figure above shows individual servers.

• Some HCP SAIN systems include Fibre Channel switches between the nodes and the SAN arrays.

VM system architecture

The physical environment for an HCP VM system has the same architecture as an HCP SAIN system. That is, the servers that host the virtual machines on which HCP runs have multipathed access to shared SAN storage. The physical switch and port configurations are the same as for SAIN systems.

Depending on the number of physical servers and the capabilities of those servers, a VM system can have one or more HCP nodes running on an ESXi host on each server. The figure below shows the physical environment for a VM system with four HCP nodes, each running in its own physical server.

For information about the hardware configuration in this figure, see “SAIN system architecture” above.

[Figure: physical environment for a VM system with four ESXi hosts, each running one HCP node (virtual machine)]

Repository management

Repository management requires:

• Maintaining the integrity and security of stored data

• Ensuring the continuous availability of that data

• Keeping the data in compliance with local regulations

• Optimizing the use of storage and network bandwidth

HCP supports these requirements through:

• The hardware and network configuration of the system

• Software configuration options (both installation and runtime)

• Automated processes


• Individual namespace and object settings

• Object storage and retrieval options

Data integrity and security

HCP includes many features specifically designed to protect the integrity and ensure the security of stored data:

• Write-once, read-many (WORM) storage — Once the data for an object is stored in the repository, HCP prevents that data from being modified or overwritten.

• Node login prevention — HCP does not allow system-console logins on its nodes. This provides a basic level of protection not only for the stored data but also for the system software.

• Secure Sockets Layer (SSL) — HCP can use SSL to ensure the privacy of HTTP and WebDAV access to namespaces. It always uses SSL to secure the Management and Search Consoles. Additionally, use of the HCP management API requires SSL.

For information on using SSL with HCP, see “Managing domains and SSL server certificates” on page 400.

• Content verification service — Each object has a cryptographic hash value that’s calculated from the object data. The content verification service ensures the integrity of each object by periodically checking that its data still matches its hash value.

For more information on the content verification service, see “Content verification service” on page 344.

• Scavenging service — The scavenging service protects namespaces from the loss of system metadata. If the service encounters an object with invalid metadata, it restores the correct metadata by using a copy from another location.

For more information on the scavenging service, see “Scavenging service” on page 349.

• Retention policy — Each object has a retention setting that specifies how long the object must remain in the repository before it can be deleted; this duration is called the retention period. HCP ensures that objects are kept until their retention periods expire. The only exception to this behavior occurs in namespaces in enterprise mode. In these namespaces, users with explicit permission to do so can delete objects that are under retention. Such deletions are recorded in the tenant log.

For more information on enterprise mode, see the description of retention mode on page 26. For more information on the retention policy, see “Retention policy” on page 328.

• Shredding policy — Objects can be marked for shredding. When such an object is deleted, HCP overwrites its storage location in such a way as to completely remove any trace that the object was there.

For more information on the shredding policy, see “Shredding policy” on page 329.

• Data access authentication — The HTTP, HS3, WebDAV, and CIFS protocols can be configured to require authentication for access to an HCP namespace. If these are the only protocols enabled for the namespace, users and applications must present valid credentials for access to the namespace content.

HCP supports both local and remote authentication methods. For remote authentication, HCP supports Windows Active Directory® and RADIUS.

For more information on configuring namespace access protocols to require authentication, see Managing a Tenant and Its Namespaces.

For information on local and remote authentication, see “User authentication” on page 64.

• Data access permission masks — Data access permission masks determine which operations are allowed in a namespace. These masks are set at the system, tenant, and namespace levels. The effective permissions for a namespace are the operations that are allowed by the masks at all three levels.

For more information on data access permission masks, see “Setting the systemwide permission mask” on page 431.

• Data access permissions — Data access permissions determine which operations a user or application can perform on the objects in an HCP namespace. These permissions can be:

– Associated with a tenant-level user or group account, in which case they apply to all objects in the namespace

– Specified in the namespace configuration as the minimum permissions for authenticated or unauthenticated users, in which case they apply to all objects in the namespace

– Specified in an ACL, in which case they apply to the individual object for which the ACL is defined

For more information on data access permissions that apply to all objects in a namespace, see Managing a Tenant and Its Namespaces.

For more information on ACLs, see Using a Namespace.

Virtual networking — Virtual networking is a technology that enables you to define multiple logical networks over which clients can communicate with HCP. You can assign different networks to different tenants, thereby segregating network traffic to and from the namespaces owned by one tenant from network traffic to and from the namespaces owned by other tenants. This segregation enhances the privacy and security of data transmitted between clients and the HCP system.

For more information on virtual networking, see Chapter 7, “Network administration,” on page 223.

Data availability

HCP has these features that help ensure the continuous availability of stored data:

Multipathing — In a SAIN system, a single node can connect to more than one port on a storage array, either directly or through multiple Fibre Channel switches. This creates multiple physical paths between the node and any given logical volume that maps to it. With this setup, if one component of a physical path connecting such a node to the array fails, the node still has access to the logical volume through another physical path.

Multiple means of access to a logical volume from a single node is called multipathing.

Zero-copy failover — In a SAIN system, one node can automatically take over management of storage previously managed by another node that has failed. This process is called zero-copy failover.

To support zero-copy failover, each logical volume that stores objects or the metadata query engine index must map to two different storage nodes. The pair of nodes forms a set such that the volumes that map to one of the nodes also map to the other. This is called cross-mapping.

For more information on zero-copy failover and cross-mapping, see Appendix C, “Zero-copy failover behavior,” on page 575.

Service plans — Each namespace has a service plan that defines both a data protection strategy and a storage tiering strategy for the objects in that namespace. At any given point in the lifecycle of an object, its data protection strategy specifies the number of copies of the object that must exist in the HCP repository and the type of storage on which each copy must be stored.

Because some types of storage are more highly available than others, you can use the service plan for a namespace to control both data redundancy and data availability for the objects in that namespace.

For more information on using service plans to define a data protection strategy for objects in a namespace, see Chapter 6, “About service plans,” on page 196.

Protection service — HCP uses the protection service to maintain the correct number of copies of each object in the HCP repository. When the number of existing copies of an object goes below the number of object copies specified in the applicable service plan (for example, because of a logical volume failure), the protection service automatically creates a new copy of that object in another location.

When the number of existing copies of an object goes above the number of object copies specified in the applicable service plan, the protection service automatically deletes all unnecessary copies of that object.

For more information on the protection service, see “Protection service” on page 336.

Protection sets — To protect data availability against concurrent node failures, HCP stores multiple copies of each object on different nodes in an automatically predetermined set of nodes, called a protection set.

If a node (or one of its logical volumes) fails, objects stored on its associated volumes (or on the failed volume) are still available through other nodes in the set.

For information on protection sets, see “Protection sets” on page 339.

Replication — Replication is the process of keeping two or more HCP systems in sync with each other. The replication service on each system automatically copies selected HCP tenants and namespaces and default-namespace directories to one or more of the other systems to form a replication topology. Both configuration information and namespace content are copied.

Replication enables HCP to support a cloud storage model, where any type of client request can be serviced equally by any system in the topology. If the systems are in geographically dispersed locations, each system may be able to provide faster data access for some applications than the other systems can, depending on where the applications are running.

If a system in a replication topology fails, other systems in the topology can both provide continued namespace availability and serve as sources for disaster recovery.

For more information on replication, see Replicating Tenants and Namespaces.

Note: Replication is an add-on feature to HCP. If your HCP system doesn’t include this feature and you would like to add it, please contact your HCP sales representative.

Read from remote — If an object in a replicated HCP namespace or default-namespace directory is unavailable on one system in a replication topology (for example, because a node is unavailable), HCP can try to read the object from another system in the topology. HCP tries this only if the namespace has the read-from-remote feature enabled and the object has already been replicated.

For information on enabling the read-from-remote feature for a namespace, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Automatic redirection to other systems in a replication topology — HTTP requests for access to an unavailable HCP system can be automatically redirected to any other system in a replication topology in which the unavailable system participates. This means that, to be satisfied, the request does not need to be reissued with a different URL.

For another system to satisfy the request, the target HCP namespace or default-namespace directory must be replicated to that system. Also, the namespace must be configured to accept requests directed to other HCP systems. Additionally, the DNS must be configured to support redirection between HCP systems in the replication topology, and the unavailable system must be configured to allow this redirection.

For information on:

– Configuring namespaces to accept requests directed to other systems, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace

– Configuring HCP in your DNS, see Appendix E, “Configuring DNS for HCP,” on page 585

– Configuring an HCP system to support redirection of client requests, see Replicating Tenants and Namespaces

Regulatory compliance

HCP includes features that enable you to comply with local regulations regarding data storage and maintenance:

Data privacy — At HCP installation time, you can choose to encrypt all data and metadata stored in the repository, thereby ensuring data privacy in a compliance context. Encryption prevents unauthorized users and applications from directly viewing namespace content. Lost or stolen storage devices are useless to parties without the correct encryption key.

HCP handles data encryption and decryption automatically, so no access or process changes are required.

Retention classes — Some government regulations require that certain types of data be kept for a specific length of time. For example, local law may require that medical records be kept for a specific number of years.

A retention class is a named duration that can be used as the retention setting for an object. When an object is assigned to a retention class, the object cannot be deleted until the specified length of time past its creation date. For example, a retention class named HlthReg-107 could have a duration of 21 years. Objects assigned to that class then could not be deleted for 21 years after they were created.

For more information on retention classes, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Retention mode — A namespace can be created in either of two modes: enterprise or compliance. The retention mode determines which operations are allowed on objects that are under retention:

In enterprise mode, users and applications can delete objects under retention if they have explicit permission to do so. This is called privileged delete (see below).

Also, in enterprise mode, authorized administrative users can delete retention classes and shorten retention class durations.

In compliance mode, objects that are under retention cannot be deleted through any mechanism. Additionally, retention classes (see above) cannot be deleted, and retention class durations cannot be shortened.

Privileged delete — Some localities require that certain data be destroyed in response to changing circumstances. For example, companies may be required to destroy particular information about employees who leave.

Privileged delete is an HCP feature that enables authorized users to delete objects even if they are under retention. This feature is available only in namespaces that are in enterprise mode. In compliance mode, objects can never be deleted while they are under retention.

When performing a privileged delete operation, the user is required to specify a reason for the deletion. HCP logs each privileged delete operation along with its specified reason, thereby creating an audit trail.

For more information on privileged delete, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Retention hold — To support legal discovery, users and applications can place a hold on selected objects. While an object is on hold, it cannot be deleted through any mechanism, regardless of its retention setting.

For more information on retention hold, see Using a Namespace or Using the Default Namespace.
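The retention rules described above (retention class, retention mode, privileged delete, and retention hold) can be read as one decision procedure. The following Python model is an added illustration, not HCP code or an HCP API; all class, function, and field names are hypothetical, and it ignores ordinary data access permissions and permission masks.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class StoredObject:
    name: str
    created: datetime
    retention_years: int      # duration of the assigned retention class
    on_hold: bool = False     # retention hold placed for legal discovery


@dataclass
class Namespace:
    mode: str                                       # "enterprise" or "compliance"
    log: List[dict] = field(default_factory=list)   # stands in for the tenant log


def retention_expiry(obj: StoredObject) -> datetime:
    """Creation date plus the class duration (Feb 29 falls back to Feb 28)."""
    target_year = obj.created.year + obj.retention_years
    try:
        return obj.created.replace(year=target_year)
    except ValueError:
        return obj.created.replace(year=target_year, day=28)


def decide_delete(ns: Namespace, obj: StoredObject, now: datetime, user: str, *,
                  privileged: bool = False,
                  may_privileged_delete: bool = False,
                  reason: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, explanation) for a delete request under the rules above."""
    if ns.mode not in ("enterprise", "compliance"):
        raise ValueError("unknown retention mode: %r" % ns.mode)

    # A hold blocks deletion through any mechanism, regardless of retention.
    if obj.on_hold:
        return False, "object is on hold"

    # Once the retention period has expired, retention no longer blocks deletion.
    if now >= retention_expiry(obj):
        return True, "retention period has expired"

    # Compliance mode: nothing deletes an object that is under retention.
    if ns.mode == "compliance":
        return False, "compliance mode: object is under retention"

    # Enterprise mode: only a privileged delete can remove the object.
    if not privileged:
        return False, "under retention: ordinary delete refused"
    if not may_privileged_delete:
        return False, "user lacks privileged delete permission"
    if not reason or not reason.strip():
        return False, "privileged delete requires a reason"

    # The operation and its reason are logged, which creates the audit trail.
    ns.log.append({
        "time": now.isoformat(),
        "user": user,
        "object": obj.name,
        "action": "privileged delete",
        "reason": reason.strip(),
    })
    return True, "privileged delete (logged)"


if __name__ == "__main__":
    # Constructed sample: an object in a 21-year class such as HlthReg-107.
    record = StoredObject("record-1", datetime(2015, 1, 15, tzinfo=timezone.utc), 21)
    today = datetime(2020, 6, 1, tzinfo=timezone.utc)
    for mode in ("compliance", "enterprise"):
        ns = Namespace(mode)
        print(mode, decide_delete(ns, record, today, "alice", privileged=True,
                                  may_privileged_delete=True, reason="employee left"))
```
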

Storage usage optimization

HCP uses these features to reclaim and balance storage capacity:

Compression service — The compression service makes more efficient use of HCP storage by compressing object data, thereby freeing space for storing more objects.

For more information on the compression service, see “Compression service” on page 354.

Duplicate elimination service — A repository can contain multiple objects that have identical data but different metadata. When the duplicate elimination service finds such objects, it merges their data to free storage space occupied by all but one of the objects.

For more information on the duplicate elimination service, see “Duplicate elimination service” on page 358.

Disposition service — The disposition service automatically deletes objects with expired retention periods. To be eligible for disposition, an object must have a retention setting that’s either a date in the past or a retention class with automatic deletion enabled and a calculated expiration date in the past.

For more information on the disposition service, see “Disposition service” on page 362. For more information on retention classes, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Version pruning — An HCP namespace can be configured to allow storage of multiple versions of objects. Version pruning is the automatic deletion of previous versions of an object that are older than a specified amount of time.

For more information on versioning and version pruning, see Managing a Tenant and Its Namespaces and Using a Namespace.

Garbage collection service — The garbage collection service reclaims storage space both by completing logical delete operations and by deleting objects left behind by incomplete transactions.

For more information on the garbage collection service, see “Garbage collection service” on page 363.

Capacity balancing service — The capacity balancing service ensures that the percentage of space used is roughly equivalent across all the storage nodes in the system. Balancing storage usage across the nodes helps HCP balance the processing load.

For more information on the capacity balancing service, see “Capacity balancing service” on page 367.

Service plans — Each namespace has a service plan that defines both a storage tiering strategy and a data protection strategy for the objects in that namespace. At any given point in the lifecycle of an object, its storage tiering strategy specifies the types of storage on which copies of that object must be stored and specifies the number of object copies that must be stored on each type of storage.

By default, throughout the lifecycle of an object, HCP stores that object only on primary running storage, which is storage that’s managed by the nodes in the HCP system and consists of continuously spinning disks. However, you can configure HCP to use other types of storage for tiering purposes.

Every service plan defines primary running storage as the initial storage tier, called the ingest tier. The default storage tiering strategy specifies only that tier.

Primary running storage is designed to provide both high data availability and high performance for object data storage and retrieval operations. To optimize data storage price/performance for the objects in a namespace, you can configure the service plan for that namespace to define a storage tiering strategy that specifies multiple storage tiers.

Storage tiering service — HCP uses the storage tiering service to maintain the correct number of copies of each object in a namespace on the storage tiers that are defined by the storage tiering strategy for that namespace. When the number of object copies on a storage tier goes below the number of object copies specified for that tier in the applicable service plan, the storage tiering service automatically creates a new copy of that object on that tier. When the number of copies of an object on a storage tier goes above the number of object copies specified for that tier in the applicable service plan, the storage tiering service automatically deletes all unnecessary copies of that object from that tier.

Primary spindown storage — On a SAIN system, HCP can be configured to use primary spindown storage, which is primary storage that consists of disks that can be spun down when not being accessed, for tiering purposes. You can then configure the service plan for any given namespace to define primary spindown storage as a storage tier for the objects in that namespace. Using primary spindown storage to store object data that’s accessed infrequently saves energy, thereby reducing the cost of storage.

HCP moves object data between primary running storage, primary spindown storage, and other types of storage that are used for tiering purposes according to rules that are specified in storage tiering strategies defined by service plans.

For more information on primary spindown storage, see “Storage for HCP systems” on page 115. For more information on service plans, see “About service plans” on page 196.

Economy storage — HCP can be configured to use economy storage, which is storage on external HCP S Series Nodes that are separate from the HCP system. The S Series Nodes are used for tiering purposes, and the HCP system communicates with them through the HS3 API and management API.

Extended storage — HCP can be configured to use extended storage, which is storage that’s managed by devices outside of the HCP system, for tiering purposes. HCP can be configured to use up to six different types of extended storage:

NFS — Volumes that are stored on extended storage devices and are accessed using NFS mount points

Amazon S3 — Cloud storage that’s accessed using an Amazon Web Services user account

Google Cloud — Cloud storage that’s accessed using a Google Cloud Platform user account

Hitachi Cloud Service — Cloud storage that’s accessed using a Hitachi Cloud Service user account

Microsoft Azure — Cloud storage that’s accessed using a Microsoft Azure user account

S3-compatible — Any physical storage device or cloud storage service that’s accessed using a protocol that’s compatible with the Amazon S3 access protocol

Moving object data from primary storage to extended storage frees up HCP system storage space so that you can ingest additional objects.

NOTE: While all of the data for an object can be moved off of primary running storage and stored only on extended storage, at least one copy of the system metadata, custom metadata, and ACL for that object must always remain on primary running storage.

In addition, you can optimize data storage price/performance for the objects in a namespace by configuring the service plan for that namespace to define a storage tiering strategy that defines storage tiers for multiple types of extended storage.

HCP moves object data between primary running storage, primary spindown storage (if it’s used), and one or more types of extended storage according to rules specified in the storage tiering strategies defined by service plans.

For more information on extended storage, see “Extended storage components” on page 120. For more information on service plans, see “About service plans” on page 196.

Metadata-only objects — With multiple HCP systems participating in a replication topology, you may not need to store object data in every system. A metadata-only object is one from which HCP has removed the data, leaving the system metadata, custom metadata, and ACL for the object in place. HCP makes an object metadata-only only if at least one copy of the object data exists elsewhere in the topology.

Metadata-only objects enable some systems in a replication topology to have a smaller storage footprint than other systems, even when the same namespaces are replicated to all systems in the topology.

HCP makes objects metadata-only according to the rules specified in service plans. If the rules change, HCP can restore data to the objects to meet the new requirements.

For more information on metadata-only objects, see “Making objects metadata-only” on page 372. For more information on service plans, see “About service plans” on page 196.

Network bandwidth usage optimization

HCP offers these features to help maximize network throughput and reduce the use of network bandwidth by read and write operations:

Link aggregation — Each node in an HCP system has two bonded ports for connecting to the front-end network. When using a single front-end switch, you can take advantage of this setup by using two cables per node to connect to the switch and configuring both HCP and the applicable ports on the switch for active-active (802.3ad) bonding.

The redundant ports and cables help ensure a high-availability connection to the front-end network, and the active-active bonding allows for increased network throughput.

10Gb Ethernet connectivity — Optionally, for SAIN systems, HCP supports 10Gb Ethernet connectivity to the front-end network. The 10GbE network interface allows for greater network throughput than does the 1GbE interface option.

Systems with the 10GbE network interface on the front end also use 10GbE for the back-end network. This enables the HCP nodes to transmit data among themselves at a rate that supports the higher front-end throughput.

Compressed data transmission — Clients that use the HTTP protocol to communicate with HCP can reduce network bandwidth usage by sending and receiving data in a compressed format. Before sending data to HCP, the client uses the publicly available gzip utility to compress the data. Upon receiving the data, HCP uncompresses it automatically before storing it. When requested to do so, HCP uses gzip to compress data before sending it to the client. The client then uses gunzip to uncompress the data.

For more information on compressed data transmission, see Using a Namespace and Using the Default Namespace.

Combined data and custom metadata on reads and writes

Clients that use the HTTP protocol for namespace access can store or retrieve both the data and custom metadata for an object with a single request. Issuing a single request instead of separate requests for the data and custom metadata reduces the network load.

This feature can be used in conjunction with compressed data transmission to further reduce the network load.

For more information on combining data and custom metadata on reads and writes, see Using a Namespace and Using the Default Namespace.

2

HCP administration

As an HCP system-level administrator, you play a role in ensuring the continued viability and accessibility of the HCP system. The primary tool for these purposes is a web application called the System Management Console.

Note: Tenant-level administrators use a separate web application called the Tenant Management Console to configure and manage tenants and namespaces.

Depending on the permissions you have, you can use the System Management Console to configure various aspects of the system and manage administrative user accounts, as well as monitor system activity. Additionally, the Console reports hardware problems as they occur, so you can initiate repairs in a timely manner.

This chapter:

• Presents basic information about using the System Management Console

• Describes the responsibilities of HCP system administrators

System Management Console

The System Management Console is a system-specific web application that lets you monitor and manage HCP and its individual nodes. The Console shows you the status of the system in real time, so you can take action when necessary to ensure system health (for example, restarting a node that has failed). Through the Console, you can also modify various system settings, create tenants, and monitor repository usage across all namespaces. Changes you make through the Console take effect immediately.

Access to the System Management Console is available only through HTTP with SSL security (HTTPS).

Note: For you to access the HCP System Management Console in Internet Explorer® on a Windows server, Internet Explorer Enhanced Security Configuration must be disabled for administrators on that server.

Console access

To use the System Management Console, you need either:

• A system-level user account defined in HCP.

• If the HCP system is configured to support Windows Active Directory (AD), an AD user account for a user that belongs to one or more AD groups for which corresponding system-level group accounts are defined in HCP. In this book, such an AD user account is referred to as a recognized AD user account.

Your HCP user account or group account configuration includes settings that specify what you have permission to do in the Console. The menu options, pages, and panels that you see in the Console depend on the permissions that have been configured for your user or group account.

If an AD user belongs to multiple AD groups for which HCP group accounts exist, that user has all the permissions associated with all those group accounts.

For more information on user and group accounts, see “About user and group accounts” on page 52. For information on AD, see “Configuring Active Directory or Windows workgroup support” on page 418.

Console sessions

A System Management Console session begins when you take one of these actions:

• Log into the Console using an HCP user account or recognized AD user account.

• Access a Console page while logged into Windows with a recognized AD user account. This is called single sign-on. With single sign-on, you don’t need to explicitly log into the Console.

For single sign-on to work, your web browser must be configured to support it. For more information on this, see Appendix G, “Browser configuration for single sign-on with Active Directory,” on page 623.

A session ends when you log out. During a session, you can perform any actions for which you have permission.

During a session, if you don’t take any action for a certain amount of time, the Console displays the Idle Timeout page. If you explicitly logged into the session, the Console automatically logs you out and, when you click on any tab on the Idle Timeout page, displays the login page. If you started the session by using single sign-on, when you click on any tab, the Console displays the requested page. The exact amount of idle time allowed is configurable. For information on setting this value, see “Changing user account and login settings” on page 76.

Note: Logging into or out of the System Management Console has no effect on HCP operation.

HCP management API

HCP includes a RESTful HTTP interface to a subset of its administrative functions. Using this interface, called the management API, you can create, modify, and delete tenants and manage replication. If a tenant has been configured to allow system-level users to manage it and search its namespaces, you can also view available service plans that can be assigned to that tenant, and you can create, modify, and delete namespaces, user and group accounts, and content classes for that tenant. Additionally, you can create, modify, and delete retention classes for namespaces owned by the tenant.

You use the HCP System Management Console to enable the management API. To use the management API, you need a user account that includes the applicable permissions for the actions you want to take.

If HCP is configured to support Active Directory authentication, applications can also use recognized AD user accounts to access HCP through the management API. To do this, however, an application must use the SPNEGO protocol to negotiate the AD user authentication itself.

For more information on SPNEGO, see http://tools.ietf.org/html/rfc4559.

For information on enabling the management API, see “Controlling access to HCP through the management API” on page 415. For information on using the HCP management API, see HCP Management API Reference.

Hitachi Device Manager and Hitachi Tiered Storage Manager

As an alternative to the System Management Console, you can use Hitachi Device Manager (HDvM) to report on HCP storage usage. Additionally, when using USP or USP-V storage, you can use Hitachi Tiered Storage Manager to migrate repository content to different storage tiers.

You cannot make changes to the HCP configuration through HDvM or Hitachi Tiered Storage Manager.

HCP supports IPv4 and IPv6 network connections to HDvM servers. However, HDvM support for IPv6 network connections varies based on the HDvM server operating system. For information on requirements for HDvM servers that support IPv6 networks, see the applicable Hitachi Command Suite documentation.

For information on connecting HCP to HDvM, see “Configuring the Hitachi Device Manager connection” on page 478.

Hi-Track

Hi-Track® is an HDS product that enables both you and HCP support personnel to monitor your HCP system remotely. With Hi-Track, you can monitor nodes, back-end switches, and front-end switches. For SAIN systems, you can also monitor SAN arrays and Fibre Channel switches.

Hi-Track is for monitoring and error notification purposes only. It does not allow any changes to be made to the HCP system.

HCP supports IPv4 and IPv6 network connections to Hi-Track servers. However, Hi-Track support for IPv6 network connections varies based on the Hi-Track server operating system. For information on requirements for Hi-Track servers that support IPv6 networks, see the applicable Hi-Track documentation.

System Management Console URL

The URL for the System Management Console has this format:

https://admin.hcp-domain-name:8000

In this format, hcp-domain-name is the name of the domain associated with the [hcp_system] network. For information on this network, see “About virtual networking with HCP” on page 224.

For example, for access to the System Management Console for the HCP system with the domain name hcp-ma.example.com, you would use this URL:

https://admin.hcp-ma.example.com:8000

Normally, you specify the HCP system domain name in the System Management Console URL and let HCP choose the node on which the Console application runs. However, in certain situations, you may need to access the Console on a specific node. To do so, you specify a System Management Console URL that includes a valid [hcp_system] network IP address for the node on which you want to access the Console.

For example, if a node has the IPv4 address 192.168.210.16 and the IPv6 address 2001:0db8::101 defined for the [hcp_system] network, you can access the System Management Console on that specific node by entering either of these URLs in your browser address field:

https://192.168.210.16:8000

https://[2001:0db8::101]:8000

Regardless of whether you access the System Management Console by specifying a domain name or a node IP address, the Console provides administrative capabilities for the entire system.

Using a hosts file

Typically, the HCP system is included as a subdomain in your DNS. If this is not the case, you can specify an IP address in the System Management Console URL, as described above. Alternatively, you can specify the HCP system domain name in the URL and use a hosts file to define mappings of one or more node IP addresses to the domain name.

The location of the hosts file depends on the client operating system:

• On Windows, by default: c:\windows\system32\drivers\etc\hosts

• On Unix: /etc/hosts

• On Mac OS® X: /private/etc/hosts

Note: Every HCP system has a domain that’s associated with the [hcp_system] network. If HCP is not included in your DNS, this is a dummy domain with a name that follows the conventions for well-formed DNS names.

Hostname mappings

Each entry in a hosts file is a mapping of an IP address for a system to a fully qualified domain name (FQDN) for that system.

Each hosts file entry that you create for access to the HCP System Management Console must include:

• A valid [hcp_system] network IP address for an HCP node

• The FQDN used to access the HCP System Management Console, which consists of the prefix admin. followed by the HCP system domain name

For example, if the [hcp_system] network domain name is hcp-ma.example.com and one of the HCP nodes has the IPv4 address 192.168.210.16 and the IPv6 address 2001:0db8::101 defined for that network, you could add either or both of these lines to the hosts file on the client:

192.168.210.16 admin.hcp-ma.example.com
2001:0db8::101 admin.hcp-ma.example.com

You can include comments in a hosts file either on separate lines or following a mapping on the same line. Each comment must start with a number sign (#). Blank lines are ignored.

Hostname mapping considerations

In the hosts file, you can map IP addresses for any number of nodes to a single domain name. The way a client uses multiple IP address mappings for a single domain name depends on the client platform. For information on how your client handles hosts file entries that define multiple IP address mappings for a single domain name, see your client documentation.

If any of the HCP nodes listed in the hosts file are unavailable, timeouts may occur when you use a hosts file to access the System Management Console.

Sample hosts file

Here’s a sample hosts file that contains mappings for both IPv4 and IPv6 addresses:

192.168.210.16 admin.hcp-ma.example.com
192.168.210.17 admin.hcp-ma.example.com
192.168.210.18 admin.hcp-ma.example.com
192.168.210.19 admin.hcp-ma.example.com
2001:0db8::101 admin.hcp-ma.example.com
2001:0db8::102 admin.hcp-ma.example.com
2001:0db8::103 admin.hcp-ma.example.com
2001:0db8::104 admin.hcp-ma.example.com
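The following Python check is an added example, not part of the HCP documentation. It parses a client hosts file under the rules described above (comments, blank lines, IPv4 and IPv6 addresses) and reports any mapping for the HCP domain that has an invalid address, lacks the admin. prefix, or points at an address that is not one of the expected nodes. The function names, the finding codes, and the last three lines of the sample input are constructed for illustration; the node addresses are those of the sample hosts file.

```python
import ipaddress

# Node addresses on the [hcp_system] network, as listed in the sample hosts file.
NODE_IPS = [
    "192.168.210.16", "192.168.210.17", "192.168.210.18", "192.168.210.19",
    "2001:0db8::101", "2001:0db8::102", "2001:0db8::103", "2001:0db8::104",
]

# Constructed input: three valid mappings, then three lines a review should flag.
SAMPLE_HOSTS = """\
# HCP System Management Console
192.168.210.16  admin.hcp-ma.example.com
192.168.210.17  admin.hcp-ma.example.com  # second node
2001:0db8::101  admin.hcp-ma.example.com

10.9.8.7        admin.hcp-ma.example.com
192.168.210.18  hcp-ma.example.com
not-an-ip       admin.hcp-ma.example.com
"""


def parse_hosts(text):
    """Yield (line_number, address_text, names) for every mapping line.

    A comment starts at '#', on its own line or after a mapping.
    Blank lines and lines without a host name are skipped.
    """
    for line_number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            names = [name.lower().rstrip(".") for name in fields[1:]]
            yield line_number, fields[0], names


def audit_console_mappings(text, system_domain, node_ips):
    """Return (valid_addresses, findings) for entries naming the HCP system.

    Only lines that name admin.<system_domain> or the bare system domain
    are examined. A finding is a (line_number, code) tuple.
    """
    domain = system_domain.lower().rstrip(".")
    console_fqdn = "admin." + domain
    expected = {ipaddress.ip_address(ip) for ip in node_ips}
    valid, findings = [], []
    for line_number, address_text, names in parse_hosts(text):
        if console_fqdn not in names and domain not in names:
            continue  # mapping for some other system
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            findings.append((line_number, "invalid-address"))
            continue
        if console_fqdn not in names:
            # The Console FQDN is the prefix admin. plus the system domain.
            findings.append((line_number, "missing-admin-prefix"))
        elif address not in expected:
            # The Console name resolves to something that is not an HCP node.
            findings.append((line_number, "unexpected-address"))
        else:
            valid.append(address)
    return valid, findings


if __name__ == "__main__":
    valid, findings = audit_console_mappings(
        SAMPLE_HOSTS, "hcp-ma.example.com", NODE_IPS
    )
    print("valid node mappings:", ", ".join(str(a) for a in valid))
    for line_number, code in findings:
        print(f"line {line_number}: {code}")
```

Because the hosts file stands in for DNS when the Console name is resolved, an unexpected-address finding on an administrative workstation is worth investigating before anyone logs in through that name.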

Logging in

Depending on the HCP system configuration, you can log into the System Management Console with an HCP user account or a recognized AD user account. For the user account to use when first logging into the Console for a new HCP system, see “Starter account” on page 66.

To log into the System Management Console:

1. Open a web browser.

2. In the address field, enter the URL for the System Management Console for your HCP system.

Note: If you inadvertently use http instead of https in the URL, the browser returns an error. Enter the URL again, this time using https.

One of these happens:

– If all of these are true, you are automatically logged into the System Management Console, and the Console Overview page appears:

• You are currently logged into Windows with a recognized AD user account.

• HCP is configured to support AD.

• Your web browser is configured to support single sign-on with AD. For information on this, see Appendix G, “Browser configuration for single sign-on with Active Directory,” on page 623.

This is single sign-on. No further action is required.

– If HCP is configured to support AD but any of the following apply, a message appears indicating that single sign-on was not possible:

• You are not currently logged into Windows with a recognized AD user account.

• Your web browser is not configured to support single sign-on.

• You are not on a Windows computer.

In these cases, you need to click on the Console login page link in the message to display the System Management Console login page.

– If HCP is not configured to support AD, the System Management Console login page appears.

Note: The System Management Console login page shows the specific version of the HCP release, the version numbers of any hotfixes that have been applied to the HCP system, and the serial number for the HCP system. Once you enter the Console, this information appears at the bottom of each page.

3. In the Username field, type your username.

4. In the Password field, type your case-sensitive password.

When using an HCP user account, if you try to log in with an invalid password multiple times in a row, you are locked out of the Console. The exact number of times is configurable. For information on setting this value, see “Changing user account and login settings” on page 76.

Note: AD can also be configured to disable user accounts after a given number of authentication attempts with an invalid password.

Important: If you’re using a locally authenticated HCP user account, you should change your password as soon as possible the first time you log into the System Management Console.

5. If HCP is configured to support AD, in the Domain field, select the appropriate domain for your user account:

– If you’re using an HCP user account, select the domain name of the HCP system.

– If you’re using a recognized AD user account, select the AD domain in which your user account is defined.

If HCP is not configured to support AD, the login page does not display the Domain field.

6. Click on the Log In button.

The Console displays the Overview page or, if you’re using an HCP user account and are required to change your password, the Change Password page.

During system startup, you can log into the System Management Console before startup processing is complete. However, until more than half of the nodes have completed their startup processing, the Console displays only the Hardware page.

The Console automatically switches to the Overview page or Change Password page, as applicable, when the required number of nodes is available.

For information on the Overview page, see “About the Overview page” on page 80. For information on changing your password, see “Changing your password” on page 43.

Using the System Management Console

System Management Console pages display information about the HCP system. Some pages also let you configure various aspects of the system.

Console pages have menus and hyperlinks for navigation. Each page shows a horizontal menu at the top. Some of the menu options display a secondary menu when you mouse over them. To navigate to a page, you click on the corresponding menu option.

You can also use shortcut keys to navigate to pages in the System Management Console. Each link that has a shortcut key has the applicable letter underlined. To use the shortcut key, follow the convention for the browser you’re using.

Each page of the System Management Console shows the username of the currently logged-in user in the upper right corner.

Notes:

• If you’re an AD user and your username changes in AD while you’re using the System Management Console, the Console may not reflect the new username until you log out and back in. If you’re currently using any other HCP interfaces, you need to log out of those as well.

Alternatively, you can force the Console to reflect the new username immediately by clearing the AD cache. For information on this, see “Clearing the Active Directory cache” on page 426.

• While the system is experiencing a heavy load, the System Management Console may be slower to present certain information.

• If the HCP system restarts while you’re using the System Management Console, clicking on any menu option, hyperlink, or button causes the Console to display the Hardware page. The Console automatically switches to the Overview page when the system becomes available again.

Refreshing pages

System Management Console pages do not automatically refresh themselves while they remain open. To see the most recent values on a page, click again on the menu option that opens that page.

Note: Using the browser reload button to refresh a page that lets you create or modify an entity causes the Console to resubmit values you previously entered on the page.

Submitting changes

Most System Management Console pages and panels on which you can modify information have action buttons (such as Update Settings and Create Tenant) that submit your changes. Action buttons make the changes on a page permanent. These changes take effect immediately.

You need to submit the changes you make before switching to a different page or panel. If you switch without submitting your changes, the Console does not retain them.

For some checkbox options, selecting or deselecting the checkbox causes that change to take effect immediately.

After you submit changes, the Console displays a message indicating whether HCP successfully made the changes. To hide the message, click on Dismiss in the message area.

Viewing HCP documentation

HCP documentation is available online in PDF format. To view a document from the System Management Console:

1. In the top right corner of the System Management Console window, mouse over the documentation control to open a menu of the available documents.

2. In the dropdown menu, click on the document you want.

Changing your password

Depending on how your HCP user account is set up, HCP may authenticate your username and password locally or remotely when you log in. If your account is set up for local authentication, you can change your password in the System Management Console. When you change your password in this Console, it also changes for any other HCP interfaces to which your user account gives you access.

If your account is set up for remote authentication or if you use an AD user account to access the Console, you use a method outside HCP to change your password.

For information on local and remote authentication, see “User authentication” on page 64.

To change your locally authenticated password in the System Management Console:

1. Log into the System Management Console using your existing password.

2. In the top right corner of the Console window, click on the Password link.

3. On the Change Password page:

– In the Existing password field, type your current password.

– In the New password field, type your new password. Passwords can be up to 64 characters long, are case sensitive, and can contain any valid UTF-8 characters, including white space.

To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other.

The minimum length for passwords is system specific. Typically, it’s six or eight characters. For information on changing the minimum length for passwords, see “Changing user account and login settings” on page 76.

When changing your password, you cannot reuse your current password.

– In the Confirm New Password field, type your new password again.

4. Click on the Update Password button.

Logging out

To log out of the System Management Console:

1. In the top right corner of the Console window, click on the Log Out link.

2. If you explicitly logged in, close the browser window to ensure that other users cannot go back into the System Management Console using the credentials you used to log in.

Tip: For extra security, clear the browser cache before closing the window.

HCP administrative responsibilities

HCP administrative responsibilities consist of:

• Managing HCP user and group accounts

• Monitoring the HCP system

• Configuring the system

• Managing the system hardware

• Managing tenants

• Managing repository access across all namespaces

• Ensuring HCP system recovery

• Helping with troubleshooting

Most system configuration activities are one-time operations that you perform when HCP is first installed. Most monitoring and management activities are ongoing.

You perform configuration, monitoring, and management activities in the HCP System Management Console. For information on using this Console, see “System Management Console” on page 34.

Managing user and group accounts

HCP user and group accounts determine whether you can log into the HCP System Management Console, Tenant Management Console for the default tenant, or Search Console for access to the default namespace. For the System and Tenant Management Consoles, they also determine which actions you’re allowed to perform after logging in.

You use the System Management Console to create, modify, and delete system-level user and group accounts. For each HCP user account, you specify whether it’s authenticated locally or by RADIUS. To enable RADIUS authentication, you need to configure connections to one or more RADIUS servers.

You also use the System Management Console to configure login settings for the Console as a whole.

Additionally, you use the System Management Console to clear the AD cache. You may need to do this, for example, to immediately discontinue system access by a user whose AD user account is no longer valid.

For information on:

• Managing user and group accounts and configuring login settings, see Chapter 3, “Account administration,” on page 51

• Configuring connections to RADIUS servers, see “Configuring connections to RADIUS servers” on page 427

• Clearing the AD cache, see “Clearing the Active Directory cache” on page 426

Monitoring the system

HCP is a self-monitoring, self-healing system that automatically alerts you to problems it cannot resolve itself. It also provides the means for you to monitor it. This type of monitoring entails:

• Periodically checking the status of hardware, system resources, services, and available storage

• Watching for alerts that may indicate conditions requiring human intervention

• Periodically reviewing system resource usage and the system log to ensure that HCP is running smoothly and not exceeding its storage license

• Reviewing and, if required, responding to system log messages received through syslog servers, SNMP managers, or email

• If SNMP is enabled, evaluating and, if required, responding to trap-generated event notifications

You can also generate chargeback reports. Typically, these reports are used as input to billing applications that need to determine charges for capacity and bandwidth usage at the tenant or namespace level. However, they are also a good source of information for system analysis, enabling you to adjust storage and bandwidth allocations based on usage patterns.

For information on these activities, see:

• Chapter 4, “System-level administration,” on page 79

• Chapter 5, “Hardware administration,” on page 91

• Chapter 13, “System monitoring,” on page 435

• Appendix A, “System Management Console alerts,” on page 495

Configuring the system

Configuring HCP entails:

• Optionally, making extended storage components such as NFS storage volumes and Amazon S3 cloud storage known to HCP so that content can be offloaded from primary storage onto each type of extended storage (see Chapter 6, “Storage administration,” on page 113)

• Optionally, configuring user-defined networks so that you can segregate network traffic for different purposes (see Chapter 7, “Network administration,” on page 223)

• Enabling or disabling access to the HCP nodes (see “Setting network security” on page 400)

• Managing domains and SSL server certificates (see “Managing domains and SSL server certificates” on page 400)

• Controlling access to the System Management Console (see “Controlling access to the System Management Console” on page 412)

• Controlling access to the HCP management API (see “Controlling access to HCP through the management API” on page 415)

• Configuring support for Windows AD or Windows workgroups (see “Configuring Active Directory or Windows workgroup support” on page 418)

• Enabling or disabling the use of SNMP for modifying system settings (see “Configuring SNMP” on page 444)

• Optionally, configuring HCP to send system log messages to syslog servers, SNMP managers, and/or specified email addresses (see “Configuring syslog logging” on page 440, “Configuring SNMP” on page 444, and “Configuring email notification” on page 450)

• Scheduling and configuring HCP services to manage system load, ensure data and metadata integrity and availability, and optimize storage usage (see Chapter 11, “HCP services,” on page 331)

Managing the system hardware

An HCP system or any of its individual nodes may occasionally need to be shut down or restarted for a variety of reasons, including for hardware maintenance. When you want to retire a node or SAN array, you first need to migrate stored data off that device.

For information on these activities, see:

• “Shutting down or restarting HCP” on page 87

• “Shutting down or restarting individual nodes” on page 109

• “Migration service” on page 376

Managing tenants

HCP system-level administrators create all tenants. Once a tenant is created, you can change only some of its features. Tenant-level administrators are responsible for most tenant management.

In addition to creating and modifying tenants, you can delete tenants, but only if they don’t own any namespaces.

For information on creating, modifying, and deleting tenants, see Chapter 8, “Tenant administration,” on page 277.

Managing repository access

Managing repository access entails:

• Setting the systemwide permission mask, which provides the highest level of control over namespace access (see “Setting the systemwide permission mask” on page 431)

• Optionally, enabling and configuring the metadata query engine and API and the HDDS search facility (see Chapter 9, “Search administration,” on page 311)

• Controlling access to the Search Console for the default tenant (see “Controlling access to the Search Console for the default tenant” on page 417)

Ensuring HCP system recovery

Through its services, the HCP system is self-healing, so your intervention is not often required for recovery from unexpected events. Events that may require your intervention, however, include power outages and hardware failures.

To protect against a catastrophic failure of an HCP system, you can implement replication. When you do this, you are responsible not only for configuring the connection between the two systems involved but also for managing failover and recovery should that become necessary. For information on using replication for business continuity and disaster recovery, see Replicating Tenants and Namespaces.

Note: Default tenant administrators can use the NDMP protocol to back up and restore the default namespace.

Troubleshooting

From the system console for any HCP node, you can run selected diagnostics that can help you analyze and resolve issues with interactions between the node and other components in the HCP environment. Using these diagnostics, for example, you can troubleshoot problems with physical networks, virtual networking, external storage, and DNS.

Occasionally, you may need help resolving problems that occur with the HCP system. In such cases, your authorized service provider may ask you to download the logs HCP maintains internally and send them to the HCP support center.

You download the HCP internal logs from the System Management Console. You can also use the Console to insert comments into these logs to indicate when problems occur and describe their symptoms.

For information on:

• Running diagnostics, see “Running diagnostics” on page 482

• Adding comments to and downloading the HCP internal logs, see “Working with the HCP internal logs” on page 489

Chapter 3: Account administration

As an HCP security administrator, you are responsible for creating and managing HCP system-level user and group accounts. These accounts give users permission to access the HCP System Management Console, the Tenant Management Console for the default tenant, the HCP management API, the HCP metadata query API, and/or the HCP Search Console for the default tenant. For the System and Tenant Management Consoles and the management API, these accounts also determine which actions the user is allowed to perform through the applicable interface.

When creating a user or group account, you associate roles with the account. For a user account, you also specify whether the account is authenticated locally or by RADIUS when used to access an HCP interface. To enable RADIUS authentication, you need to set up connections to one or more RADIUS servers.

You can create group accounts only if HCP is configured to support Active Directory.

This chapter explains how to:

• Create and manage user and group accounts

• Change System Management Console login settings

For information on setting up connections to RADIUS servers, see “Configuring connections to RADIUS servers” on page 427. For information on configuring support for AD, see “Configuring Active Directory or Windows workgroup support” on page 418.

About user and group accounts

HCP uses system-level user and group accounts to control access to these interfaces:

• HCP System Management Console

• Tenant Management Console for managing the default tenant and namespace

• HCP management API for creating and managing tenants

• HCP metadata query API for querying the default namespace

• Search Console to search in the default namespace

Note: System-level user and group accounts do not control access to stored data and metadata other than through the metadata query API and Search Console.

User accounts

An HCP user account is a set of credentials that gives a user access to one or more of the interfaces listed above. You create and manage user accounts in the HCP System Management Console.

When you create a user account, you specify a username and password. You also associate roles with the account and specify whether the user credentials are authenticated locally or by RADIUS. Additionally, for locally authenticated users, you specify whether the account password must be changed the next time the account is used to access one of the Consoles.

You can enable and disable user accounts, as needed. While an account is disabled, it cannot be used to access any of the applicable interfaces. You might decide to disable an account, for example, while the user for whom you created it is on vacation.

Multiple people can use the same user account concurrently for the same or different interfaces. To prevent this from happening, you should create a separate account for each user, and users should keep their passwords confidential.

An HCP system can have at most 200 system-level user accounts.

Group accounts

An HCP group account is a representation of an Active Directory group. The group account enables AD users in the AD group to access one or more of the interfaces listed in “About user and group accounts” on page 52. You create and manage group accounts in the HCP System Management Console.

When you create a group account, you associate roles with it. When an AD user accesses HCP, that user has all the roles associated with all the group accounts that correspond to AD groups to which the user belongs.

An HCP system can have at most 100 system-level group accounts.

Roles and permissions

A role is a named collection of permissions that are granted to a user either through an HCP user account or through one or more HCP group accounts. Each permission in a role lets the user perform some specific interaction or set of interactions with the HCP system. Roles generally correspond to job functions.

You can associate any number of roles with a user or group account. The account user then has all the permissions granted by each of those roles.

Tip: Before associating roles with a user or group account, make sure the permissions granted by those roles are consistent with the job functions of the user or group of users for whom you’re creating the account.

Note: An AD user can be added to an AD group while that user is using the System Management Console. If the AD group corresponds to an existing HCP group account, the user may not automatically get the roles associated with that group account for up to eight hours. To get the roles immediately, the user needs to log out of the System Management Console and then log back in. If the user is also currently using the Tenant Management Console or Namespace Browser, logging out of either of those interfaces has the same effect.

Alternatively, you can force the roles to be recognized immediately by clearing the AD cache. For information on this, see “Clearing the Active Directory cache” on page 426.

Available roles

The roles that you can associate with a user or group account are:

Monitor — Grants permission to use the System Management Console to view the HCP system status and most aspects of the system configuration, including tenant configurations. The monitor role does not grant permission to view user or group accounts.

Administrator — Grants permission to use the System Management Console to view the HCP system status, perform most system configuration activities, create and manage tenants, and download the HCP internal logs. The administrator role does not grant permission to view or configure user or group accounts.

Security — Grants permission to use the System Management Console to view the HCP system status, create and manage user accounts, configure remote authentication, modify system security settings, configure syslog and SNMP logging and email notification, and view security events in the system log.

Compliance — Grants permission to use the Tenant Management Console to work with retention classes and retention-related settings and perform privileged deletes, as well as to use the System Management Console to view the HCP system status. Using the Tenant Management Console is possible only for the default tenant and for HCP tenants that are configured to allow system-level users to manage them and search their namespaces (see “Tenant-level administration” on page 55).

Service — Grants permission to use the System Management Console to view the HCP system status and perform advanced system reconfiguration and management activities. The service role does not grant permission to view or configure user or group accounts.

Important: You should perform activities restricted to the service role only after consulting your authorized HCP service provider.

Search — Grants permission to use the metadata query API and Search Console to query or search the default namespace and any namespaces owned by HCP tenants that are configured to allow system-level users to manage them and search their namespaces (see “Tenant-level administration” on page 55).

Note: To use the metadata query API or Search Console for access only to the HCP namespaces owned by a specific tenant, a user must have a tenant-level user account or an AD user account that’s recognized at the tenant level. For more information on these accounts, see Managing a Tenant and Its Namespaces.

The monitor, administrator, security, and compliance roles also grant access to use the HCP management API for specific activities. For more information, see HCP Management API Reference.

Tenant-level administration

Tenants, except the default tenant, have their own user and group accounts that can enable access to the Tenant Management Console and HCP management API. The roles available for these accounts are monitor, system, security, and compliance. Tenant security administrators define tenant-level user and group accounts in the Tenant Management Console.

HCP system-level users with the monitor, administrator, security, or compliance role automatically have access to the Tenant Management Console and HCP management API functions for the default tenant. The default tenant does not have user or group accounts of its own.

A tenant-level user with the administrator role can configure an HCP tenant to allow system-level users to manage it and search its namespaces. This enables system-level users with the monitor, administrator, security, or compliance role to log into the Tenant Management Console or use the HCP management API for the tenant. System-level users with the monitor or administrator role can also access the Tenant Management Console directly from the System Management Console. For the default tenant, access by system-level users is enabled automatically and cannot be disabled.

Note: If a tenant-level user account has the same username and password as your system-level user account, you cannot use your system-level account to log into the Tenant Management Console for that tenant. You can, however, access that Console directly from the System Management Console, in which case, you are still using your system-level user account.

After accessing the Tenant Management Console or HCP management API for a tenant that is configured to allow system-level users to manage it and search its namespaces, system-level users can perform the activities allowed by the tenant-level roles that correspond to their system-level roles.

An AD user can belong to AD groups for which corresponding HCP group accounts exist at both the system and tenant levels. When such a user accesses the Tenant Management Console, that user has the roles associated with both the applicable system-level group accounts and the applicable tenant-level group accounts.

When logged into the Search Console for the default tenant, system-level users with the search role can search the namespaces owned by HCP tenants that are configured to allow system-level users to search their namespaces. These system users can also use the metadata query API to query those namespaces.

Permissions granted by roles

The following tables show the user permissions that each role grants for the System Management, Search, and Tenant Management Consoles.

System Management and Search Console permissions

The table below lists the permissions that apply to the System Management and Search Consoles. Checkmarks indicate the permissions granted by each role.

Role

Permission

Create, view, modify, delete, and otherwise manage user accounts

Create, view, modify, and delete group accounts

Specify message text for the System Management and Search Console login pages

Configure support for Active Directory

Clear the Active Directory cache

View and modify the RADIUS server configuration

View the system overview

Stop and restart the system

View the system hardware status

View individual nodes

Stop and restart individual nodes

Eject the CD tray from a node

Remove a node from the HCP system

View storage pools, components, and volumes

Create, modify, and delete storage pools, components, and volumes

View networks

Set global IP mode support for front-end networks

Modify the [hcp_system] and [hcp_backend] networks

Enable creation of user-defined networks

Create, modify, and delete user-defined networks

Create, modify, and delete tenants

View the tenant list

View individual tenants, including tenant settings

Reset tenant security

View metadata query engine and HDDS search facility settings

Modify the metadata query engine and HDDS search facility settings

Select a search facility for the Search Console

View service status and settings

Modify service settings, including configuring and managing data migrations and setting up and managing replication

View the current service schedule

Create, modify, activate, and delete service schedules

View service plans

Create, modify, retire, and delete service plans

Assign service plans to tenants

Start, stop, enable, and disable services

View network security settings

Modify network security settings

View the current SSL server certificate

Manage SSL server certificates

View and modify System Management Console security settings

View and modify HCP management API security settings

View and modify Search Console security settings

View the systemwide permission mask

Modify the systemwide permission mask

View HCP system log messages about all events except security events

View HCP system log messages about security events

View the syslog configuration

Modify the syslog configuration and test syslog connections

View SNMP settings

Modify SNMP settings and test SNMP connections

View email notification settings

Modify email notification settings and test email server connections

View the Hitachi Device Manager connection configuration

Configure the Hitachi Device Manager connection

Monitor system resource usage

Generate chargeback reports

Add comments to the HCP internal logs

Download the HCP internal logs

Modify the system DNS settings, time settings, serial number, HTTP persistent connection timeout interval, custom thread count for replication, and SNMP broken-link reporting interval

Enable creation of the default tenant and namespace

Make back-end switches known to HCP

Commit an HCP system upgrade

Use the Search Console for the default tenant

Change your own locally authenticated password in the System Management Console

Change your own locally authenticated password in the Search Console

View HCP documentation from the System Management Console

View HCP documentation from the Search Console

Renewing the Storage license

Optimize for cloud

Update and create networks

Tenant Management Console permissions

The table below lists the permissions that apply to the Tenant Management Console. Checkmarks indicate the permissions granted by each role.

Role

Permission

View the user account list (HCP tenants only)

View the full definition of individual user accounts (HCP tenants only)

View the description, allow namespace management property, and data access permissions for individual user accounts (HCP tenants only)

Create, associate roles with, delete, and otherwise manage user accounts, except modifying the allow namespace management property and data access permissions (HCP tenants only)

Modify the allow namespace management property and manage data access permissions for user accounts (HCP tenants only)

View the group account list (HCP tenants only)

View the full definition of individual group accounts (HCP tenants only)

View the description, allow namespace management setting, and data access permissions for individual group accounts (HCP tenants only)

Create, associate roles with, and delete group accounts (HCP tenants only)

Modify the allow namespace management setting and manage data access permissions for group accounts (HCP tenants only)

Specify message text for the Tenant Management and Search Console login pages (HCP tenants only)

View the tenant overview

Modify the tenant contact information, permission mask, and description

Allow or disallow access to the Tenant Management Console by HCP system-level users (HCP tenants only)

View and modify Tenant Management Console security settings (HCP tenants only)

View and modify HCP management API security settings (HCP tenants only)

View and modify Search Console security settings (HCP tenants only)

View content classes and content properties

Create, modify, and delete content classes and content properties

View namespace associations with content classes

Modify namespace associations with content classes

View tenant log messages about all events except compliance and security events

View tenant log messages about compliance events

View tenant log messages about security events

View syslog and SNMP logging options

Enable or disable syslog and SNMP logging

View email notification settings

Modify email notification settings

Generate chargeback reports (HCP tenants only)

Create and delete namespaces (HCP tenants only)

View the namespace list (HCP tenants only)

View namespace overviews

Modify namespace names and quotas (HCP tenants only)

View namespace permission masks and descriptions

Modify namespace permission masks and descriptions

View namespace owners (HCP namespaces only)

Change namespace owners (HCP namespaces only)

View the tags associated with namespaces (HCP namespaces only)

Modify the tags associated with namespaces (HCP namespaces only)

View namespace default retention settings (HCP namespaces only)

Modify namespace default retention settings (HCP namespaces only)

View namespace default shred settings (HCP namespaces only)

Modify namespace default shred settings (HCP namespaces only)

View namespace default index settings (HCP namespaces only)

Modify namespace default index settings (HCP namespaces only)

View minimum data access permissions (HCP namespaces only)

Modify minimum data access permissions (HCP namespaces only)

View namespace ACL settings (HCP namespaces only)

Manage the use of ACLs in namespaces (HCP namespaces only)

View namespace retention-related settings

Modify namespace retention-related settings

View the custom metadata XML checking setting for namespaces

Modify the custom metadata XML checking setting for namespaces

View namespace object versioning configurations (HCP namespaces only)

Configure object versioning in namespaces (HCP namespaces only)

View namespace compatibility settings

Modify namespace compatibility settings

View namespace disposition settings

Modify namespace disposition settings

View namespace replication-related settings

Modify namespace replication-related settings

View the service plans associated with namespaces

Associate service plans with namespaces

View namespace retention modes

Modify namespace retention modes

View default settings for namespace creation (HCP namespaces only)

Modify default settings for namespace creation (HCP namespaces only)

View the maximum number of namespaces per user (HCP namespaces only)

Modify the maximum number of namespaces per user (HCP namespaces only)

View namespace access protocol configurations

Configure namespace access protocols for namespaces

View search and indexing options for namespaces

Modify search and indexing options for namespaces

Reindex namespaces

Monitor replication

Select namespaces for replication (HCP namespaces only)

View all namespace log messages except messages about compliance events

View namespace log messages about compliance events

View the list of irreparable objects

Acknowledge irreparable objects

Create, modify, and delete retention classes

View the list of retention classes

View individual retention classes

Perform privileged delete operations

Download HCP Data Migrator

Change your own locally authenticated password in the Tenant Management Console

View HCP documentation from the Tenant Management Console

Optimize namespaces for cloud

User authentication

To use the System Management Console or the Search Console for the default tenant, a user needs to supply a username and password for authentication. User authentication is the process of checking whether the combination of the specified username and password is valid.

For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD.

RADIUS and AD authentication are types of remote authentication.

To use the HCP management API with an HCP user account, the user specifies the account credentials in each request. To use the API with a recognized AD user account, applications must use the SPNEGO protocol to negotiate the AD user authentication themselves. For more information on using the management API, see HCP Management API Reference. For more information on SPNEGO, see http://tools.ietf.org/html/rfc4559 .

Local authentication

For locally authenticated users, the user account password is stored in the HCP system. At user login, HCP checks the submitted username and password internally.

HCP lets the user into the target Console if these conditions are true:

• The combination of the specified username and password is valid.

• The user account is enabled.

• The user account is associated with a role that grants permission to access the target Console.

If any of these conditions is not true, HCP doesn’t let the user in.

You can change the passwords of locally authenticated users in the System Management Console. These users can also change their own passwords in the System Management Console, if they have access to it, or in the Search Console, if they have access to that.

RADIUS authentication

For RADIUS-authenticated users, the user account password is stored outside the HCP system. At user login, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and sends the result to HCP.

HCP lets the user into the target Console if these conditions are true:

• The combination of the specified username and password is valid.

• The user account is enabled.

• The user account is associated with a role that grants permission to access the target Console.

If any of these conditions is not true, HCP doesn’t let the user in.

All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the System Management Console to set or change the passwords of RADIUS-authenticated users.

For more information on RADIUS authentication, see “Configuring connections to RADIUS servers” on page 427.

Active Directory authentication

For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.

HCP lets an authenticated user into the target Console only if these conditions are true:

• The user belongs to at least one AD group for which a corresponding group account exists in HCP.

Note: Alternatively, the user can belong to an AD group that’s nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user’s domain must be universal.

• At least one such group account is associated with a role that grants permission to access the target Console.

If either of these conditions is not true, HCP doesn’t let the user in.

All password management for AD-authenticated users is handled by AD. You cannot use the System Management Console to set or change the passwords of AD-authenticated users.
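The two access conditions above, including the nested-group note, worked through as an added example (not HCP code). The group names, domains, SIDs and the role sets passed as `console_roles` are constructed, and treating a non-universal parent group from another domain as simply not counted is this example's reading of the note.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ADGroup:
    sid: str             # HCP associates a group account with the AD group's SID
    domain: str          # AD domain in which the group is defined
    scope: str           # "global", "domain_local" or "universal"
    parents: tuple = ()  # SIDs of the groups this group is nested under


def counted_groups(user_domain, direct_sids, directory):
    """Return the SIDs of every group that counts for the user.

    Direct memberships always count. Parent groups count at any nesting
    level, but a parent defined outside the user's domain counts only if
    its scope is universal; otherwise it is skipped and not walked further.
    """
    counted = set(direct_sids)
    queue = deque(direct_sids)
    while queue:
        for parent_sid in directory[queue.popleft()].parents:
            parent = directory[parent_sid]
            if parent_sid in counted:
                continue
            if parent.domain != user_domain and parent.scope != "universal":
                continue
            counted.add(parent_sid)
            queue.append(parent_sid)
    return counted


def granted_roles(user_domain, direct_sids, directory, hcp_group_accounts):
    """Union of the roles of all HCP group accounts that match a counted group."""
    roles = set()
    for sid in counted_groups(user_domain, direct_sids, directory):
        roles |= hcp_group_accounts.get(sid, set())
    return roles


def may_enter_console(user_domain, direct_sids, directory,
                      hcp_group_accounts, console_roles):
    """True if at least one matching group account has a role that grants
    access to the target Console (console_roles is supplied by the caller)."""
    roles = granted_roles(user_domain, direct_sids, directory, hcp_group_accounts)
    return bool(roles & console_roles)


# Constructed sample forest with two domains: corp.example and eu.example.
STORAGE_OPS = "S-1-5-21-100-1001"      # global group, corp.example
HCP_SECURITY = "S-1-5-21-100-1002"     # domain-local group, corp.example
INFRA_UNIVERSAL = "S-1-5-21-200-2001"  # universal group, eu.example
EU_AUDITORS = "S-1-5-21-200-2002"      # domain-local group, eu.example

DIRECTORY = {
    STORAGE_OPS: ADGroup(STORAGE_OPS, "corp.example", "global",
                         (INFRA_UNIVERSAL, EU_AUDITORS)),
    INFRA_UNIVERSAL: ADGroup(INFRA_UNIVERSAL, "eu.example", "universal",
                             (HCP_SECURITY,)),
    HCP_SECURITY: ADGroup(HCP_SECURITY, "corp.example", "domain_local"),
    EU_AUDITORS: ADGroup(EU_AUDITORS, "eu.example", "domain_local"),
}

# Constructed HCP group accounts, keyed by AD group SID, with their roles.
HCP_GROUP_ACCOUNTS = {
    HCP_SECURITY: {"security"},
    EU_AUDITORS: {"search"},
}

if __name__ == "__main__":
    # A corp.example user whose only direct membership is STORAGE_OPS.
    print(sorted(counted_groups("corp.example", [STORAGE_OPS], DIRECTORY)))
    print(may_enter_console("corp.example", [STORAGE_OPS], DIRECTORY,
                            HCP_GROUP_ACCOUNTS, {"security"}))
```

The same walk is useful in an access review: a role that reaches a user only through a deep nesting chain is easy to miss when reading the Groups page alone.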

Starter account

When HCP is first installed, one user account is already defined. The username and password for this account are:

Username: security

Password: Chang3Me!

This account has only the security role and is authenticated locally.

You need to use the security account the first time you log into the System Management Console after HCP is installed. When you log in, you are immediately required to change the password for this account. Then you can create new accounts as needed, including new accounts with the security role.

You can delete the security account as long as at least one other locally authenticated HCP user account has the security role and is enabled.

Note: Your authorized HCP service provider may have changed the password and roles for the security account while verifying and completing the installation of the HCP system. If this is the case, you need to get the new password for the security account from the service provider.

Working with user accounts

To view, create, and manage user accounts, you use the Users page in the HCP System Management Console. To display this page:

1. In the top-level menu, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Users.

Roles: To view, create, and manage user accounts, you need the security role.

About the Users page

The Users page lets you create, modify, and delete user accounts. It also lists the existing user accounts. For information on this list, see “Understanding the user account list” and “Managing the user account list” below.

Understanding the user account list

The Users page lists existing user accounts. For each account, the list shows:

• The username

• Whether the account is enabled or disabled

• The full name of the account user

• Whether the user login is authenticated locally or by RADIUS

To view additional information about an individual user account, click on the account username.

Managing the user account list

By default, the user account list on the Users page includes all existing user accounts. The accounts are listed 20 at a time in ascending order by username.

You can page through, sort, and filter the list of user accounts. The Users page indicates which accounts are shown out of the total number of accounts in the current list.

Paging

You can change the number of user accounts shown at a time on the Users page. To do this, in the Items per page field, select the number of user accounts you want. The options are 10, 20, and 50.

To page forward or backward through the user account list, click on the next ( ) or back ( ) control, respectively.

To jump to a specific page in the user account list:

1. In the Page field, type the page number you want.

2. Press Enter.

Sorting

You can sort the user account list in ascending or descending order by username. To change the sort order, click on the Username column heading. Each time you click on the column heading, the sort order switches between ascending and descending.

Filtering

You can filter the user account list by username. The filtered list includes only those user accounts with a username that begins with or is the same as a specified text string.

To filter the user account list:

1. In the entry field above the list, type the text string you want to use as a filter. This string can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. It is not case sensitive.

2. Click on the find control ( ).

To redisplay the entire list of user accounts after filtering it, click on the clear filter control ( ).

Creating a user account

To create a user account:

1. On the Users page in the System Management Console, click on Create User Account.

2. In the Create User Account panel:

– Optionally, deselect the Enable account option to have the user account initially disabled.

– In the Username field, type a unique login name for the user account. Usernames must be from one through 64 characters long and can contain any valid UTF-8 characters but cannot start with an opening square bracket ([). White space is allowed. Usernames are not case sensitive.

You can reuse usernames that are not currently in use. So, for example, if you delete the account for a user, you can create a new account for that user with the same username as before.

Tip: Consider using email addresses as usernames. This enables users to more easily remember their HCP usernames. It also gives you easy access to email addresses should you need to contact any users.

– In the Full Name field, type the name of the person for whom you’re creating the user account. This name must be from one through 64 characters long and can contain any valid UTF-8 characters, including white space.

– For the Authentication option, select either Local or, for remote authentication, RADIUS.

If you select Local, the panel displays the Password and Confirm Password fields and Force change on next login option. If you select RADIUS, these fields are hidden.

For local authentication:

• In the Password field, type a password for the user account. Passwords can be up to 64 characters long, can contain any valid UTF-8 characters, including white space, and are case sensitive.

To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other.

The minimum length for passwords is system specific. Typically, it’s six or eight characters. For information on changing the minimum length for passwords, see “Changing user account and login settings” on page 76.

Note: HCP does not save passwords in a recoverable format. If a user forgets his or her password, you need to assign a new one.

• In the Confirm Password field, type the password again.

• Optionally, select the Force change on next login option.

When this option is selected, the next time a user uses the account to log into the System Management or Search Console, as permitted, the Console automatically displays the Change Password page. The user cannot do anything else in the Console until the password is changed.

Once the user changes the password, the Force change on next login option is automatically deselected.

– In the Roles section, select any number of roles for the user account, including none. For descriptions of the available roles, see “Roles and permissions” on page 53.

– Optionally, specify a description for the user account:

1. Click on Description.

2. In the Description field, type a description of the user account. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

3. Click on the Create User Account button.
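The username and password rules from the procedure above, as an added pre-check you could run over a list of planned accounts before entering them in the Console (example code, not part of HCP). It assumes Python's `str.isalpha()` and `str.isdigit()` approximate HCP's alphabetic and numeric groups, that white space counts as "other", and that lengths are counted in code points; the `starter_password` flag is this example's own extra check, not an HCP rule.

```python
MAX_CHARS = 64                   # documented upper bound for usernames and passwords
MIN_LENGTH_RANGE = range(2, 65)  # valid values for the minimum password length setting
STARTER_PASSWORD = "Chang3Me!"   # documented initial password of the starter account


def char_groups(password):
    """Return which of the three groups (alphabetic, numeric, other) appear.

    Assumption: isalpha()/isdigit() stand in for HCP's own classification.
    """
    groups = set()
    for ch in password:
        if ch.isalpha():
            groups.add("alphabetic")
        elif ch.isdigit():
            groups.add("numeric")
        else:
            groups.add("other")
    return groups


def check_password(password, min_length=6):
    """Return a list of problem codes for a locally authenticated password."""
    if min_length not in MIN_LENGTH_RANGE:
        raise ValueError("minimum password length must be 2 through 64")
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if len(password) > MAX_CHARS:
        problems.append("too_long")
    if len(char_groups(password)) < 2:
        problems.append("single_character_group")
    if password == STARTER_PASSWORD:
        # Satisfies every documented rule, but it is a published default.
        problems.append("starter_password")
    return problems


def check_username(username, existing_usernames):
    """Return a list of problem codes for a proposed username."""
    problems = []
    if not 1 <= len(username) <= MAX_CHARS:
        problems.append("bad_length")
    if username.startswith("["):
        problems.append("starts_with_bracket")
    # Usernames are not case sensitive, so compare case-folded forms.
    taken = {name.casefold() for name in existing_usernames}
    if username.casefold() in taken:
        problems.append("not_unique")
    return problems


def check_new_account(username, password, existing_usernames,
                      min_length=6, authentication="local"):
    """Check one planned account; RADIUS accounts carry no HCP password."""
    password_problems = []
    if authentication == "local":
        password_problems = check_password(password, min_length)
    return {
        "username": check_username(username, existing_usernames),
        "password": password_problems,
    }


if __name__ == "__main__":
    # Constructed sample input.
    print(check_new_account("jdoe@example.com", "abcdef", ["admin"]))
```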

Modifying a user account

You can change this information about a user account:

• The username.

• The full name.

• The password.

• The roles associated with the account.

• Whether the account is enabled. If you disable an account while the user is currently logged in, the user is immediately prevented from taking any further actions.

Note: You can disable your own account. Once you disable it, however, you cannot reenable it yourself.

• Whether to force a password change at the next login.

You cannot change the user ID or type of authentication. (The user ID is displayed with other account details when you view an individual account as a user with the security role.)

To modify an existing user account:

1. In the list of user accounts on the Users page, click on the username for the account you want to modify.

2. In the panel that opens, make the changes you want. For information on the fields and options in this panel, see “Creating a user account” above.

Notes:

• When changing the password for a user account, you can reuse the current password. You cannot do this when changing your own password on the Change Password page.

• If you leave the Password field empty, the previously set password remains in effect.

3. Click on the Update Settings button.

If you are modifying the user account you used to log into the Console and:

– You changed the roles associated with the user account, a message appears indicating that the page will be reloaded. Click on the Close button in the message window to reload the page.

– You selected the Force change on next login option, the Console displays the Change Password page. You need to change your password on this page in order to continue working in the Console.

Deleting a user account

You can delete a user account at any time. If you delete an account while the user is currently logged in, the user is immediately prevented from taking any further action. After you delete the account, the user can no longer log in.

Tip: For a RADIUS-authenticated user, if the user account becomes invalid on the RADIUS server while the user is logged in, the user may still be able to take action in the current Console session for as long as ten minutes. To ensure that the user is immediately prevented from taking further action, delete the user in HCP before deleting the remote account.

You cannot recreate a deleted account. However, you can reuse the username from the deleted account to create a new account. The new account will have a different user ID from the deleted account.

You cannot delete the account you used to log into the current System Management Console session. Additionally, if no existing AD group has the security role, you cannot delete the last locally authenticated user account with the security role.

To delete a user account:

1. In the list of user accounts on the Users page, click on the delete control ( ) for the account you want to delete.

2. In response to the confirming message, click on the Delete button.

Working with group accounts

To view, create, and manage HCP group accounts, you use the Groups page in the HCP System Management Console. This page is available only while support for AD is enabled. For information on enabling AD support, see “Configuring Active Directory or Windows workgroup support” on page 418.

Note: If you disable HCP support for AD, HCP does not delete existing group accounts. If you subsequently reenable AD support, the group accounts become accessible again.

To display the Groups page:

1. In the top-level menu, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Groups.

Roles: To view, create, and manage group accounts, you need the security role.

About the Groups page

The Groups page lets you create, modify, and delete HCP group accounts. It also lists the existing group accounts.

By default, the group account list includes all existing group accounts. The accounts are listed 20 at a time in ascending order by group name.

You can page through, sort, and filter the list of group accounts. The Groups page indicates which accounts are shown out of the total number of accounts in the current list.

To view additional information about an individual group account, click on the group name.

Paging

You can change the number of group accounts shown at a time on the Groups page. To do this, in the Items per page field, select the number of group accounts you want. The options are 10, 20, and 50.

To page forward or backward through the group account list, click on the next ( ) or back ( ) control, respectively.

To jump to a specific page in the group account list:

1. In the Page field, type the page number you want.

2. Press Enter.

Sorting

You can sort the group account list in ascending or descending order by group name. To change the sort order, click on the Name column heading. Each time you click on the column heading, the sort order switches between ascending and descending.

Filtering

You can filter the group account list by group name. The filtered list includes only those group accounts with a name that begins with or is the same as a specified text string.

To filter the group account list:

1. In the entry field above the list, type the text string you want to use as a filter. This string can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. It is not case sensitive.

2. Click on the find control ( ).

To redisplay the entire list of group accounts after filtering it, click on the clear filter control ( ).

Creating group accounts

You create group accounts by first displaying a list of AD groups and then selecting the ones from which you want to create HCP group accounts. After selecting the groups you want, you select the roles you want to associate with those group accounts.

You can create up to the maximum supported number of group accounts in a single operation (that is, 100).

In HCP, each AD group is identified by both the group name and the name of the AD domain in which the group is defined (for example, [email protected]). The HCP group account created from an AD group has the same name as the AD group, including the domain name. Internally, however, the HCP group account is associated with the security ID (SID) of the AD group.

You can create an HCP group account from any group defined in the AD forest that HCP uses for user authentication. The only exceptions are predefined groups such as Administrators that have the same SID in all domains.

You can use a single operation to both create new group accounts and change the roles associated with existing group accounts. In this case, all the accounts involved end up with the same roles.

To create group accounts:

1. On the Groups page in the System Management Console, click on Add Active Directory Groups.

The Find and Select Groups section lists all the AD groups HCP knows about. Groups for which system-level HCP group accounts already exist are marked with a checkmark ( ).

2. Optionally, filter the list of AD groups:

a. In the Find and Select Groups field, type a text string to use as a filter for the list of AD groups. This string can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. It is not case sensitive.

b. Click on the find control ( ).

To redisplay the entire list of AD groups after filtering it, click on the clear filter control ( ).

3. For each AD group from which you want to create an HCP group account, click on the add control ( ) to select the group. The group row turns green.

Also, for each AD group with an existing HCP group account for which you want to change the associated roles, click on the add control ( ) to select the group. The group row turns green.

To select all the groups in the list, click on the Select All button.

To deselect a selected group, click on the remove control ( ) for the group.

To deselect all the selected groups, click on the Clear button.

4. In the Assign Roles to Selected Groups section, select the roles you want to associate with all the new group accounts you’re creating and all the existing group accounts for which you’re changing the associated roles.

You can select any number of roles, including none.

5. Click on the Add Groups button.

Modifying a group account

You can change the roles associated with HCP group accounts at any time. You can do this for an individual group account, as described below, or for multiple group accounts in a single operation, as described in “Creating group accounts” above.

To change the roles associated with an individual group account:

1. In the list of HCP group accounts on the Groups page in the System Management Console, click on the name of the group account you want to modify.

2. In the Roles section, select or deselect roles as applicable.

3. Click on the Update Group button.

Deleting a group account

You can delete a group account at any time. Deleting a group account has no effect on the corresponding group in AD.

When you delete a group account, AD users in the corresponding AD group immediately lose the roles granted by that group account.

When a group is deleted in AD, the corresponding HCP group account is not automatically deleted. However, the name of the group account changes to the SID of the deleted AD group. HCP group accounts that correspond to deleted AD groups serve no purpose and should be deleted.

Note: The System Management Console may not immediately reflect the change to the HCP group account name. To force the displayed name to change, you can clear the AD cache. However, this also affects any AD users currently using HCP interfaces.

For information on clearing the AD cache, see “Clearing the Active Directory cache” on page 426.

To delete a group account:

1. In the list of group accounts on the Groups page in the System Management Console, click on the delete control ( ) for the group account you want to delete.

2. In response to the confirming message, click on the Delete button.

Changing user account and login settings

Several system settings affect user accounts and logins to the HCP System Management Console and Search Console (for the default namespace only). To view and change these settings, you use the Console Security page in the System Management Console.

To display the Console Security page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Console Security.

Roles: To view and change user account and login settings, you need the security role.

User account and login settings control:

• The minimum password length for locally authenticated HCP user accounts. Valid values are two through 64 characters. The default is six.

• The number of days after which locally authenticated users are automatically forced to change their passwords. Valid values are integers in the range zero through 999,999. The default is 180 days. A value of zero means users are never automatically forced to change their passwords.

Note: Password expiration affects the use only of the System Management Console, Tenant Management Console, and Search Console. Users with expired passwords can continue to use those passwords with the HCP management API and metadata query API. Password changes, however, affect all the HCP interfaces.

• The consecutive number of times a locally authenticated or RADIUS-authenticated user can enter an incorrect password before the user account is automatically disabled. Valid values are integers in the range zero through 999. The default is five. A value of zero means accounts are never disabled due to failed login attempts.

After a user account is automatically disabled, you need to reenable it manually to allow the user to log in again. For information on doing

this, see “Modifying a user account” on page 70.

If the last locally authenticated user account with the security role is disabled due to failed login attempts, it is reenabled automatically after one hour.

• The number of days an HCP user account can remain inactive before it’s automatically disabled. Valid values are integers in the range zero through 999. The default is 180 days. A value of zero means accounts are never automatically disabled due to inactivity.

The last locally authenticated user account with the security role is never automatically disabled due to inactivity.

• The number of minutes a System Management Console or Search Console session can be inactive before it times out. Valid values are integers in the range zero through 999. The default is ten minutes. A value of zero means Console sessions never time out due to inactivity.

If HCP is configured to use Active Directory, domain user sessions always time out after fifteen minutes while using the System Management Console or Search Console. The Active Directory inactivity timer does not reset when you use HCP.

When a session times out, the Console displays the Idle Timeout page. If you then select a page to display:

– If the user explicitly logged in, the Console login page appears.

– In the case of single sign-on, the Console displays the selected page in the System Management Console or the Simple Search page in the Search Console, as applicable.

Tip: If the HCP system supports AD and has no HCP user accounts, the recommended session timeout interval is eight hours. In this case, AD users should ensure that their screens are set to lock automatically after a short amount of idle time.

• Message text to appear on the login pages of the System Management Console and the Search Console for the default tenant. This text is optional. If specified, it can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

The text you specify appears at the bottom of the login pages. You can use this text, for example, for messages such as “Authorized Users Only” or “Welcome to the Example Corporation HCP System.”

To change one or more login settings, on the Console Security page:

• In the Login Settings section:

1. Make the changes you want.

2. Click on the Update Settings button.

• In the Login Message section:

1. Type the message you want.

2. Click on the Update Login Message button.
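
The following is an added example, not part of the HCP documentation or product: a Python audit of a hand-recorded copy of the Console Security settings against the valid ranges, defaults and zero-value meanings listed above. The setting names and the 12-character site baseline are assumptions made for the example.

```python
# Added example: audit a recorded copy of the Console Security settings.
# Setting names are hypothetical labels, not HCP identifiers.

# (minimum, maximum, default) as documented for each login setting.
RANGES = {
    "min_password_length": (2, 64, 6),
    "password_expiry_days": (0, 999_999, 180),
    "max_failed_logins": (0, 999, 5),
    "account_inactivity_days": (0, 999, 180),
    "session_timeout_minutes": (0, 999, 10),
}

# Documented meaning of zero: the control is switched off.
ZERO_MEANS = {
    "password_expiry_days": "users are never forced to change passwords",
    "max_failed_logins": "accounts are never disabled after failed logins",
    "account_inactivity_days": "inactive accounts are never disabled",
    "session_timeout_minutes": "Console sessions never time out",
}

LOGIN_MESSAGE_MAX_CHARS = 1024
AD_ONLY_TIMEOUT_MINUTES = 8 * 60  # documented tip: AD in use, no HCP user accounts


def audit(settings, uses_ad=False, has_hcp_accounts=True, min_length_policy=12):
    """Return a list of (severity, setting, message) findings.

    min_length_policy is an assumed site baseline, not an HCP recommendation.
    """
    findings = []
    valid = {}
    for name, (low, high, default) in RANGES.items():
        if name not in settings:
            findings.append(("INFO", name, f"not recorded; documented default is {default}"))
            continue
        value = settings[name]
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not low <= value <= high:
            findings.append(("ERROR", name, f"{value!r} is outside the valid range {low}-{high}"))
            continue
        valid[name] = value
        if value == 0 and name in ZERO_MEANS:
            findings.append(("WARN", name, f"0 means {ZERO_MEANS[name]}"))

    length = valid.get("min_password_length")
    if length is not None and length < min_length_policy:
        findings.append(("WARN", "min_password_length",
                         f"{length} is below the site baseline of {min_length_policy}"))

    # Expiry only gates the Consoles, so it is not an access cut-off for API use.
    if valid.get("password_expiry_days"):
        findings.append(("INFO", "password_expiry_days",
                         "expiry is enforced only by the Consoles; expired passwords "
                         "still work with the management API and metadata query API"))

    timeout = valid.get("session_timeout_minutes")
    ad_only = uses_ad and not has_hcp_accounts
    if ad_only and timeout is not None and timeout != AD_ONLY_TIMEOUT_MINUTES:
        findings.append(("INFO", "session_timeout_minutes",
                         f"AD-only system: documented tip is {AD_ONLY_TIMEOUT_MINUTES} "
                         "minutes plus automatic screen locking for AD users"))

    message = settings.get("login_message", "")
    if len(message) > LOGIN_MESSAGE_MAX_CHARS:
        findings.append(("ERROR", "login_message",
                         f"{len(message)} characters exceeds {LOGIN_MESSAGE_MAX_CHARS}"))
    return findings


# Constructed sample values, not taken from a real system.
SAMPLE = {
    "min_password_length": 6,
    "password_expiry_days": 0,
    "max_failed_logins": 1000,
    "account_inactivity_days": 180,
    "session_timeout_minutes": 10,
    "login_message": "Authorized Users Only",
}

if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE):
        print(f"{severity:5} {name}: {message}")
```
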

Chapter 4: System-level administration

To monitor the HCP system as a whole, you use the Overview page in the System Management Console. You use this page to view system activity, including service runs, repository usage, and search facility indexing progress. Additionally, this page notifies you of conditions that may require intervention, such as physical drive failures and low storage capacity.

This chapter:

• Provides detailed descriptions of the information available on the Overview page

• Explains how to interpret this information to make informed decisions about HCP management

• Contains instructions for stopping and restarting the HCP system

About the Overview page

When you log into the System Management Console, the first page you see is the Overview page. This page lets you monitor the health of the HCP system as a whole.

The System Management Console Overview page performs these functions:

• Provides notification of problems with hardware, capacity, object integrity, and various aspects of the system configuration

• Displays current service status

• Displays a capsule view of the system log

• Contains graphs that show:

– The ingested object count and the indexed object count

– The total storage capacity of all primary storage volumes, the amount of primary storage capacity that’s currently being used, and the total amount of object data that has been ingested in the HCP repository

The Overview page also shows the HCP system time.

Note: HCP can be configured to maintain the system time internally or to synchronize the system time to one or more external time servers. In the latter case, if either of the following events occurs, the HCP system automatically restarts:

• The time on the time server is changed by more than 1,000 seconds.

• The HCP system starts using a new time server whose time differs from the original time server by more than 1,000 seconds.

To return to the Overview page from other Console pages, click on Overview in the top-level menu.

Roles: To view the Overview page, you need the monitor, administrator, security, service, or compliance role.

Alerts

To ensure the continuous availability of the HCP repository:

• A strict majority of the HCP storage nodes must be running and healthy. For example, a six-node system requires at least four running nodes.

If this condition is not true, namespaces cannot accept write requests, including requests to store new data or change object metadata.

• At any given time, the unused HCP storage space must be sufficient to allow the creation of new objects and to ensure proper behavior in the event that a node fails.

The top section of the Overview page serves as an early warning system for violations of these requirements. It also reports system configuration issues and provides other system status information, such as notification that the system is rebalancing metadata. When the system is functioning normally, this section indicates that no problems exist.

The information in this section is represented by icons that are associated with text. These are called alerts. To see the text that accompanies an alert icon, mouse over the icon. The text appears below the icon.

This section contains three categories of alerts:

Hardware Status — Alerts in this category identify nodes that are reporting problems relating to drives, network interface cards (NICs), HCP S Series Node tiering, and other internal components.

For more information on the types of problems reported, see “Hardware status” on page 102.

System Status — Alerts in this category report on storage usage and indicate systemwide conditions such as a high rate of page swapping.

Note: When the amount of primary storage that’s used reaches 90 percent of primary storage capacity, HCP will not store any new objects or any new or replacement custom metadata or ACLs. HCP will, however, continue to allow changes to system metadata.

In a SAIN system with primary spindown storage, the 90 percent capacity limit applies to primary running storage usage only.

Tip: If the amount of primary storage that’s used is approaching 75 percent of primary storage capacity, consider adding more storage capacity to HCP. By adding capacity before the 75 percent threshold is reached, you can prevent interruptions in namespace availability due to insufficient space.

In a SAIN system with primary spindown storage, this tip applies to primary running storage usage only.

Object Integrity — Alerts in this category report on the state of object data and metadata. They also identify situations in which the protection or content verification service is fixing errors or has found errors it cannot fix.

The background color in an alert icon indicates the status of the relevant component:

• A green background indicates that the component is within normal operating parameters.

• An orange background indicates that the component is disabled or needs attention in some way. The text that accompanies icons with an orange background appears automatically below the icon area. This text may contain links to Console pages that you can use to view more information about the problem and, in some cases, change one or more specific configuration settings in order to resolve the problem. For example, the text may contain a network name that’s a link to the page on which you can view and change the IP configuration settings for that network.

• A red background indicates that the component is malfunctioning. The text that accompanies icons with a red background appears automatically below the icon area. This text may contain links that you can use to view more information about the problem and, in some cases, change one or more specific configuration settings in order to resolve the problem. For example, the text may contain a node number that’s a link to more detailed information about a problem with the hardware on that node.

For more information on the alerts that can appear on the Overview page, see “Overview page alerts” on page 496.

Note: If the entire HCP system is read-only due to metadata unavailability, a message about the situation appears at the top of every System Management Console page. While the system is read-only, configuration changes and changes to namespace content are not allowed.

Additionally, in this situation, statistics that describe repository content may be inaccurate.

If the message says that the system has limited functionality and the situation persists, contact your HCP support center for help.

Current service status

The Services section on the Overview page displays the status of each HCP service except shredding, migration, and replication. The information in this section is rolled up from all the HCP storage nodes. For example, if the content verification service is running on at least one storage node, the status of the service is running, regardless of whether it’s running on any other nodes.

For each service, the Services section shows:

Service — The name of the service.

Status — The current status of the service. Possible values are:

Running — The service is currently running.

Completed — The service stopped running because it completed all of its work before the end of its scheduled run time period.

Stopped — The service stopped running at the end of its scheduled run time period.

Stopping — The service is in the process of transitioning from Running to Completed or Stopped.

Waiting — The service has never run.

Fixing — The service is fixing violations that it has detected.

Irreparable — The service failed to fix violations. This is a severe condition and should be evaluated immediately.

Disabled — The service cannot run because it has been manually disabled (for example, during problem resolution) or because another service that has precedence is currently running.

If unforeseen or user-initiated events violate a service setting at the object, node, or system level, the status of the service changes as HCP detects the violation and attempts to correct it.

Time — The time of the most recent change to the service status, shown for the time zone that’s used for the HCP system time. The service was enforced until the specified time. For example, if the protection service finishes at 10:00 PM on March 9, 2011 and the status of the service is Completed, the Time column displays:

10:00 PM 03/09/2011

The only exception to this is while a service is waiting for its first run.

During this time, the Time column shows the current time.

For more information on services, see Chapter 11, “HCP services,” on page 331.

Major events

The Major Events section on the Overview page lists log messages about major events that have occurred since the HCP system was installed (for example, the addition or failure of a node). The list of messages in this section is a subset of the messages in the HCP system log. You can view all the messages in the system log in the All Events panel on the System Events page. For more information on this panel, see “Viewing the complete event log” on page 437.

By default, the messages in the Major Events section are listed ten at a time in reverse chronological order. For information on managing the message display, see “Managing the message list” on page 440.

For a description of the information provided by each log message, see “Understanding the HCP system log” on page 436. For information on the messages that can appear in the system log and how to respond to them, see Appendix B, “HCP system log messages,” on page 535.

Object count

The Objects section on the Overview page contains a graph showing the number of objects that were stored in the repository during the past 30 days (or since HCP was installed if that was less than 30 days ago). This is the total number of objects stored in all namespaces. Multiple versions of an object are each counted as a separate object.

While either of the two search facilities is selected for use with the Search Console, the graph also shows the total number of indexed objects in the repository during the past 30 days. For any point in time for which the indexed object count is shown, the count reflects the index maintained by the search facility that was selected for the Search Console at that time.

Note: While the HDDS search facility is selected for use with the Search Console:

• The graph shows the number of indexed objects only if that facility is configured to show statistics.

• For any period during which HCP cannot retrieve statistics from the HDDS server (for example, because the network connection is broken), the graph shows the number of indexed objects as zero.

The x-axis in the Objects graph marks the passage of time. The y-axis marks the number of objects. As the number of objects increases, the intervals on the y-axis get larger. The section heading indicates the current measurement unit (for example, thousands or millions).

The graph legend shows the most recent value for the number of objects stored (Ingested object count) and, if applicable, the number of indexed objects (Indexed object count).

Below the Storage Volume section (see below), the Overview page shows the date and time the Objects and Storage Volume sections were last updated. To show the most current information in these sections, click on the Refresh Now link.

Capacity and usage

The Storage Volume section on the Overview page contains a graph showing the total primary storage capacity and the amount of primary storage capacity that was in use during the past 30 days (or since HCP was installed if that was less than 30 days ago). In a SAIN system with primary spindown storage, the storage capacity and usage being measured includes both primary running storage and primary spindown storage.

The x-axis in the Storage Volume graph marks the passage of time. The y-axis marks the volume in gigabytes, terabytes, or petabytes, depending on the system capacity. The section heading indicates the current measurement unit (gigabytes (GB), terabytes (TB), or petabytes (PB)).

The Storage Volume graph shows:

Total storage capacity — The total amount of primary storage space, excluding the space required for system overhead and the operating system. This is the total amount of primary storage space that’s available for storing object data, object metadata (except ACLs), the redundant object data and metadata that’s required to satisfy the data protection level (DPL) and metadata protection level (MPL) settings defined in each namespace service plan, and the metadata query engine index.

For information on the protection service, see “Protection service” on page 336.

Used storage capacity — The total amount of primary storage space currently occupied by object data, metadata (except ACLs), any redundant data and metadata required to satisfy the DPL and MPL settings defined in each namespace service plan, and the metadata query engine index.

Ingested volume — The total size of the stored data and custom metadata before it was added to the repository. This value tells you how much data has been stored.

Due to compression, the ingested volume can be greater than the used storage capacity.

The graph legend shows the current value for each item.

Below the Storage Volume section, the Overview page shows the date and time the Objects and Storage Volume sections were last updated. To show the most current information in these sections, click on the Refresh Now link.

For details on the use of primary running storage, primary spindown storage, and extended storage, click on the Storage Tiering link below the graph. (This link is present only if you have the administrator or monitor role.)

Note: When the duplicate elimination service merges data from identical objects, it flags the redundant data for deletion. Similarly, when the compression service compresses an object, it flags the uncompressed version for deletion. The Storage Volume graph doesn’t reflect space reclaimed by either service until the flagged data is actually deleted.

For more information on the duplicate elimination service, see “Duplicate elimination service” on page 358. For more information on the compression service, see “Compression service” on page 354.

Shutting down or restarting HCP

Shutting down HCP means shutting down the system and powering off the nodes. After shutting down HCP, you need to manually power the nodes back on to start it again.

Restarting HCP means shutting down and restarting the system without powering off the nodes.

While HCP is shut down or in the process of restarting, clients have no access to the data in it, and the System Management Console is unavailable.

Under normal operating conditions, you don’t need to shut down or restart HCP. However, situations where shutting down the system may be appropriate include:

• You are physically moving the HCP system to another location and need to shut it down first.

• You need to perform maintenance on the HCP power sources.

When you shut down or restart the HCP system, you are required to specify a reason for the action.

Important: Restarting HCP without shutting it down is very rarely necessary. If you believe you need to take this action, please contact your authorized HCP service provider before you do so.

Roles: To shut down or restart the HCP system, you need the administrator or service role.

For information on shutting down and restarting individual HCP nodes, see “Shutting down or restarting individual nodes” on page 109.

Shutting down HCP

When you shut down HCP, the hardware configuration determines whether the nodes power off automatically. To complete the action, you may need to power off each node manually after shutting down the system.

To ensure that HCP has enough time to shut down cleanly, wait a few minutes before powering nodes off manually. If a node is connected to a console, the console displays “System halted” when you can safely power off the node.

Important: If you shut down HCP while objects are being stored, the repository may then contain incomplete objects. Therefore, if possible, before shutting down HCP, you should notify all tenant administrators about the upcoming shutdown. The tenant administrators can then notify namespace users to suspend all client activity before the shutdown occurs.

Note: If you take an entire SAIN system offline, including the storage array, you need to power the array and, if applicable, the Fibre Channel switches back on before powering on the nodes.

To shut down HCP:

1. In the top-level menu in the System Management Console, click on Hardware.

2. At the bottom of the Hardware page, click on the Shut Down System button.

The Shut Down System window appears.

3. In the Reason field, type the reason why you’re shutting down the system. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

4. Click on the Shut Down System button.

The nodes shut down HCP and, if possible, power off.

If HCP doesn’t shut down, please contact your authorized HCP service provider.

Restarting HCP

Restarting an HCP system causes all the nodes in it to reboot. To restart HCP:

1. In the top-level menu in the System Management Console, click on Hardware.

2. At the bottom of the Hardware page, click on the Restart System button.

The Restart System window appears.

3. In the Reason field, type the reason why you’re restarting the system. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

4. Click on the Restart System button.

Chapter 5: Hardware administration

The System Management Console offers both a summary view of all the nodes in the HCP system and a detailed view of each node on the Hardware and Storage Node pages, respectively. The Hardware page also provides a view of other hardware components used in the system. Using these pages, you can monitor both system hardware and system storage.

This chapter:

• Provides detailed descriptions of the information available on the Hardware and Storage Node pages

• Explains how to interpret this information to make informed decisions about hardware management

• Contains instructions for shutting down and restarting individual nodes

About the Hardware page

The Hardware page of the HCP System Management Console lists all the nodes in the HCP system, including HCP S Series Nodes, and provides general information about each one. If the nodes in the system are blades in Hitachi CB 320 servers, the page shows the status of the fans and power supplies in the CB 320 chassis in its own subsection, labeled chassis.

The Hardware page also shows the status of all other hardware components of the HCP system that can be monitored in the System Management Console.

To display the Hardware page, click on Hardware in the top-level menu.

Roles: To view the Hardware page, you need the monitor, administrator, security, service, or compliance role.

About the Nodes page

The Hardware > Nodes page lists all of the HCP General Nodes and HCP S Series Nodes in the HCP system. General Nodes remain listed on this page regardless of whether they’re running, starting up, stopping, or not running at all. Nodes that have been permanently removed from the system do not appear on the list.

For each node in the HCP system, the General Node list on the Hardware > Nodes page shows:

Node ID — The unique number assigned to the node.

Model — The type of node. Possible models are:

– 300

– 500

– 500XL

– VM

Status — The node status. Possible values are:

Available — The node is running.

Unavailable — The node is either not running, starting up but not yet able to perform HCP functions, or shutting down and no longer able to perform HCP functions. If a node is unavailable due to a hardware problem, you may be able to determine the cause by reviewing the Hardware Status section on the individual Storage Node page.

Migrating — The node is available, and the migration service is currently migrating data off the storage managed by the node.

Alert — The node is unavailable, and HCP can detect which components are experiencing problems. In this case, one or more alerts identifying the problems appear in the Alerts column for the node.

Important: If the status of a node changes spontaneously from available to unavailable and the node does not restart automatically, please contact your authorized HCP service provider. Do not try to restart the node manually, as that may cause the loss of information needed to diagnose the problem.

Alerts — None, one, or more icons representing components that are experiencing problems. To see the text that accompanies an icon, mouse over the icon.

For more information on any problems that are occurring, click on the node number.

For information on the alerts that can appear on the Hardware > Nodes page, see “Hardware page alerts” on page 515.

Logical Volumes — The status of the logical volumes managed by the node. Each logical volume can be one of these:

Data volume — Primary running storage that stores object data, but does not store the metadata query engine index. Primary running storage is storage that’s managed by the nodes in the HCP system and consists of continuously spinning disks.

Data volumes have numeric IDs in the range 1 (one) through 63.

Index volume (SAIN systems only) — Primary running storage that stores only the metadata query engine index. All storage nodes should have the same number of index volumes.

Index volumes have numeric IDs in the range 64 through 95.

Shared volume — Primary running storage that stores both object data and the metadata query engine index. All storage nodes have one shared volume.

The shared volume for each node has a numeric ID in the same range as data volumes.

Spindown volume (SAIN systems only) — Primary spindown storage that’s used for tiering purposes. Primary spindown storage is storage that’s managed by the nodes in the HCP system and consists of disks that can be spun down and spun up as needed.

Primary spindown storage stores object data, but does not store the metadata query engine index. All storage nodes should have the same number of spindown volumes.

Spindown volumes have numeric IDs in the range 96 through 127.

The volume numbering starts from 96 and goes up.

A SAIN system can have spindown volumes only if both of these conditions are true:

• One or more logical volumes used by the system are capable of being spun down. This means that they are on storage arrays that support spindown.

For information on storage arrays that support spindown, see the applicable array documentation.

• The system is configured to use one or more of the spindown-capable logical volumes as primary spindown storage.

NFS volume (also called an external volume) — Extended storage that’s accessed using an NFS mount point. Extended storage is storage that’s managed by devices outside of the HCP system and is used for storage tiering purposes. NFS storage is one of six types of extended storage that HCP can be configured to use. NFS storage can be used to store object data only.

NFS volumes have numeric IDs in the range 96 through 127. The volume numbering starts from 127 and goes down.

For information on primary running storage and primary spindown storage, see “Storage tiering service” on page 368. For information on the metadata query engine index, see “Metadata query engine index” on page 312. For information on NFS volumes and other types of extended storage, see “Storage for HCP systems” on page 115.

The Logical Volumes column displays a status icon for each volume managed by the node. The mouse-over text for each icon shows the volume type and ID and, for NFS volumes, the share path and the name of the extended storage pool that contains the NFS volume.

The table below describes these status icons.

Volume type | Volume status
Data | Available — The volume is available and functioning properly.
Data | Unavailable — The volume is unavailable, most likely because the node is not running. If the volume does not become available soon, contact your authorized HCP service provider for help.
Data | Initializing — The volume is starting up but is not yet available for access.
Data | Shutting down — The volume is shutting down and is no longer available for access.
Data | Broken — The volume is experiencing errors (or has failed completely) and needs to be replaced. Contact your authorized HCP service provider for help.
Data | Migrating — The migration service is migrating data off of the volume.
Index | Available — The volume is available and functioning properly.
Index | Unavailable — The volume is unavailable, most likely because the node is not running. If the volume does not become available soon, contact your authorized HCP service provider for help.
Index | Initializing — The volume is starting up but is not yet available for access.
Index | Shutting down — The volume is shutting down and is no longer available for access.
Index | Broken — The volume is experiencing errors (or has failed completely) and needs to be replaced. Contact your authorized HCP service provider for help.
Index | Migrating — The migration service is migrating data off of the volume.
Shared | Available — The volume is available and functioning properly.
Shared | Unavailable — The volume is unavailable, most likely because the node is not running. If the volume does not become available soon, contact your authorized HCP service provider for help.
Shared | Initializing — The volume is starting up but is not yet available for access.
Shared | Shutting down — The volume is shutting down and is no longer available for access.
Shared | Broken — The volume is experiencing errors (or has failed completely) and needs to be replaced. Contact your authorized HCP service provider for help.
Shared | Migrating — The migration service is migrating data off of the volume.
Spindown | Available — The volume is spun up, available, and functioning properly.
Spindown | Spun down — The volume is spun down.
Spindown | Unavailable — The volume is unavailable, most likely because the node is not running. If the volume does not become available soon, contact your authorized HCP service provider for help.
Spindown | Initializing — The volume is starting up but is not yet available for access.
Spindown | Shutting down — The volume is shutting down and is no longer available for access.
Spindown | Spinning up — The volume is in the process of spinning up but is not yet available for access.
Spindown | Spinning down — The volume is in the process of spinning down and is no longer available for access.
Spindown | Error spinning up — The volume is experiencing errors while in the process of spinning up. Contact your authorized HCP service provider for help.
Spindown | Error spinning down — The volume is experiencing errors while in the process of spinning down. Contact your authorized HCP service provider for help.
Spindown | Broken — The volume is experiencing errors (or has failed completely) and needs to be replaced. Contact your authorized HCP service provider for help.
Spindown | Migrating — The migration service is migrating data off of the volume.
NFS (External) | Available — The volume is mounted, available, and functioning properly.
NFS (External) | Initializing — The volume is starting up but is not yet available for access.
NFS (External) | Broken — HCP cannot mount the volume, most likely because the exported share is not configured correctly or because the NFS server is not running on the device. Check the export configuration and verify that the NFS server is running. If the configuration is correct and the NFS server is running, ensure that the device is functioning properly and that the network connecting HCP to the device is healthy. For additional possible resolutions to the problem, see “Considerations for using NFS volumes” on page 146. If this status persists, contact your authorized HCP service provider for help.
NFS (External) | Unavailable — HCP is in the process of mounting, updating, or deleting the volume. If you just created or updated the volume and the volume status does not change to available or broken within a short amount of time, try remounting the volume. If this status persists, contact your authorized HCP service provider for help.

These considerations apply to the logical volume display:

– Each node also has a logical volume for the operating system, but that logical volume is not included in this display.

– For HCP SAIN systems that also have internal storage, this display does not include the logical volumes on the internal drives.

– When a logical volume is removed from a node, the System Management Console may not show the change immediately.

Heavy read or write activity causes more access to HCP storage and, therefore, results in faster detection of the volume removal.

Volume Usage — A graphical representation of the amount of primary storage that’s currently in use compared to the total amount of primary storage that’s managed by the node. The Volume Usage column also displays text indicating the total number of bytes of primary storage and the percent of primary storage space that’s currently in use.

For each node that has been permanently removed from the system, the first column in the display shows Removed.

For each HCP S Series Node associated with the HCP system, the S Series Nodes list on the Hardware ► Nodes page shows:

Name — The name of the S Series Node.

Serial Number — The serial number of the HCP S Series Node.

Model — The S Series Node model.

Status — The node status. Possible values are:

Normal — The S Series Node is running and has no problems that require attention.

Degraded — The S Series Node has one or more noncritical problems that may require attention.

Critical — The S Series Node has one or more critical problems that require attention.

Unavailable — The S Series Node is either not running, starting up but not yet able to perform functions, or shutting down and no longer able to perform functions. If an S Series Node is unavailable due to a hardware problem, you may be able to determine the cause by reviewing the Hardware Status section on the individual Overview page.

Alerts — None, one, or more icons representing components that are experiencing problems. To see the text that accompanies an icon, mouse over the icon.

Capacity — A graphical representation of the amount of storage that’s currently in use compared to the total amount of storage that’s on the node. The Capacity column also displays text indicating the total number of bytes of storage and the percent of storage space that’s currently in use.

For more information on working with HCP S Series Nodes, see “Isolating networks for storage tiering” on page 238.

Monitoring individual HCP General Nodes

Each HCP General Node has its own page on the HCP System Management Console which shows detailed information about the node. The page title indicates the node number and the node status.

Roles: To view an individual HCP General Node page, you need the monitor, administrator, security, service, or compliance role.

To open the Storage Node page, go to the Hardware ► Nodes page and click on the node that you want to examine. For information on the Hardware page, see “About the Hardware page” on page 92.

Monitoring individual HCP S Series Nodes

The Overview panel on the page for an individual HCP S Series Node provides information about various components of the node. The pie chart at the top right of the page shows the total storage capacity of the S Series Node (dark blue) and the total storage capacity used (light blue).

The License section displays information about the current economy storage license of the HCP S Series Node. A storage license shows how much data you can tier to your HCP S Series Node and when the license expires. For more information about your economy storage license, see HCP S Series Help.

The Server Modules section lists the names and statuses of HCP S Series Node server modules. Server modules run the software that manages the HCP S Series Node, provide data access, and ensure data protection.

The Enclosure section lists names and statuses of S Series Node enclosures. The enclosure is a container for the power, cooling, and server modules, along with the hard disk drives inside the node.

The Events section shows the messages about warning-level and error-level alerts that occur on the HCP S Series Nodes. The messages in this panel are a subset of all the messages on the HCP system log.

To see more detailed information about the HCP S Series Node, click on the HCP S Series Node URL located above the pie chart. This opens the HCP S Series Management Console.

Modifying HCP S Series Nodes

To modify an HCP S Series Node:

1. On the Hardware ► Nodes page, click on the Settings tab.

2. In the Name field, type the new name you want to give the S Series Node.

3. In the Description field, type the new description you want to give the S Series Node.

4. Optionally, if the Storage Network field is visible, select a network for tiering.

For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

5. In the Domain Name or Virtual IP field, type the new domain or virtual IP address of the S Series Node.

6. Select Compliant if the S Series Node meets the compliancy expectations of your service plan.

7. Select Use HTTPS for management to use HTTP with SSL security for S Series Node management requests.

8. Click on the Update Settings button.

Clicking the Advanced Settings button redirects you to the Advanced tab on the S Series Node Storage ► Components page. For more information about advanced settings, see Chapter 6, “Modifying advanced component settings,” on page 157.

About the Switches page

On the Hardware ► Switches page you can add, delete, and monitor your HCP system switches. With the Service role enabled you can add and delete switches. With the Administrator role you can monitor the status of existing switches, but you cannot add or delete them.

For each switch, the page displays the following information:

Type — The type of component.

Model — The make and model of the component (for example, Dell® PowerConnect™ 2824).

IP address — The IP address of the switch.

Status — The status of the component. Possible values are:

Normal — The component is available and functioning properly.

Warning — The component has detected an error. For switches, possible causes include:

• A fan in the switch is not operating normally.

• A sensor in the switch is detecting an abnormal temperature.

• One of two power supplies in the switch is not connected.

• One or more ports in the switch are malfunctioning.

Unavailable — HCP does not have connectivity to the component.

HCP also reports a component as unavailable if it has not yet contacted the component for status information. To determine whether this is the reason for the unavailable status, refresh the Hardware ► Switches page in five minutes.

If the status of a component is unhealthy or if a component remains unavailable for more than five minutes, contact your authorized HCP service provider for help.

Adding a switch

To add a switch:

1. Click on the drop down menu located in the top right of the Switches tab and select the switch type you want to add.

2. Click the Add button.

A new switch, highlighted in green, appears in the window.

3. Click on the Model drop down menu in the new switch, and select the appropriate model.

4. Type the IP address.

5. Click on the Update Settings button.

Switches can be deleted by clicking on the garbage can icon on the left hand side of the switch and confirming that you want the switch removed.

About the Chassis tab

For HCP SAIN systems that use CB 320 servers, the Hardware ► Chassis page shows the IPMI sensor information for the fans and power supplies on the server chassis. For more on IPMI sensor information, see “IPMI information” on page 106.

Note: HCP uses SNMP to retrieve the IPMI sensor information from the CB 320 servers. To enable this, for each server, you need to add the lowest-numbered storage node in the HCP system to the list of SNMP managers in the server configuration. To identify the node, use a valid [hcp_system] network IP address for the node. For the community name, use public.

If the lowest-numbered node changes at any time (for example, due to prolonged node unavailability or the addition of a node with a lower number), you need to update each CB 320 server configuration accordingly.

For information on configuring CB 320 servers, see the applicable Hitachi documentation.

About individual HCP G Series Node pages

On the Hardware ► Nodes page you can click on any of the General Nodes to go to their individual page. The General Node page contains information about the node’s hardware status and events.

Hardware status

The Hardware Status section of an individual General node page summarizes the current operating conditions of various components of the node you’re examining, and provides links to more detailed information about each component.

To display more detailed information about a given component, click on the table row containing the component summary. To hide the details, click again on the row.

If any component is malfunctioning, the Hardware Status section automatically displays detailed information about that component.

For information about the status messages that can appear in the Hardware Status section and what to do in response to problems, see Appendix A, “System Management Console alerts,” on page 495.

Logical volume usage details

When you click on Logical volume usage, the Console displays the following information for each logical volume that’s managed by the node you’re currently viewing:

Volume ID — The logical volume type and ID and, for NFS volumes, the share path and the name of the extended storage pool that contains the NFS volume. The volumes are not necessarily listed in numeric order.

Status — The logical volume status. For the possible statuses, see “About the Nodes page” on page 92.

Capacity — The total number of bytes of storage on the logical volume.

Used — The number of bytes of storage that are currently in use on the volume.

Percent Used — The percentage of storage space that’s currently in use on the volume.

Notes:

• Each node also has a logical volume for the operating system, but that logical volume is not included in this display.

• For HCP SAIN systems that also have internal storage, this display does not include the logical volumes on the internal drives.

Core hardware details

When you click on Core hardware, the Console displays the following information about the core hardware for the node you’re currently examining:

Platform Hardware — The type of hardware used for the node:

– For a standalone server, this is the type of server, as reported by the server.

– For a blade in a CB 320 server, this is Hitachi CB 320.

– For a node in an HCP-VM system, this is VMware, Inc. VMware Virtual Platform.

Status — The status of the node. Possible values are:

Available — The node is running.

Unavailable — The node is either not running, starting up but not yet able to perform HCP functions, or shutting down and no longer able to perform HCP functions.

Migrating — The migration service is currently migrating data out of the storage managed by the node.

Important: If the status of a node changes spontaneously from available to unavailable and the node does not restart automatically, please contact your authorized HCP service provider. Do not try to restart the node manually, as that may cause the loss of information needed to diagnose the problem.

Last Status Update Time — The time of the last update to the node status.

Node ID — The number assigned to the node.

[hcp_system] — All IPv4 and IPv6 addresses assigned to the node for the [hcp_system] network.

[hcp_backend] — The IP address assigned to the node for the [hcp_backend] network.

Boot Time — The date and time the node last started.

Usage/Capacity — The total amount of storage space on all of the primary storage volumes managed by the node and the amount of that primary storage space that’s currently in use.

Memory — The amount of RAM in the node.

Swap — The status of the swappable memory in the node:

Using — The amount of storage set aside for swappable memory, in GB, and the percentage of that amount that’s currently in use

Pages In — The number of pages currently swapped in

Pages Out — The number of pages currently swapped out

Load Average — The average process workload on the node over the past minute, five minutes, and 15 minutes. The load average is based on all processes, regardless of their current state (for example, running, waiting for CPU time, or sleeping).

CPU — Make and model of the CPUs in the node, listed one per line. The CPUs are numbered and are listed in numeric order starting with CPU 0.

File systems on storage devices managed by a node

The Hardware Status section on the Storage Node page for any given node shows the number of file systems the node supports on primary storage and the number of physical storage devices to which those file systems are mapped. When you click on X file systems on Y storage devices, the Console displays the following information for each file system on the physical storage that’s managed by the node you’re currently examining:

• The directory path that identifies the file system

• Whether or not the file system is currently mounted

• Each level of mapping that ultimately associates the file system with one or more low-level block devices

• Some device diagnostic information, if available

• Additional RAID-specific information, if available

Additionally, for SAIN systems, the details include this information for each low-level block device: vendor, array type, serial number, device number, and worldwide port number.

Notes:

• For SAIN systems that also have internal storage, the number of file systems includes those located on the internal drives.

• For SAIN systems, if multipathing is degraded, one or more of the low-level block devices will be missing from the display details.

IPMI information

Intelligent Platform Management Interface (IPMI) is a specification that defines a method of monitoring the internal hardware components of a server. If IPMI is implemented on a node, sensors in that node can detect abnormal conditions such as a high fan speed or a failed power supply.

The IPMI data that’s displayed on the Storage Node page for a given node is organized by sensor type. The list of sensors that you see for each sensor type depends on the specific IPMI implementation.

The details displayed, by sensor type, are:

Temperatures — For each temperature sensor, the current temperature reading, and for some sensors, the normal range for the temperature.

Power Supplies — For each power supply sensor, a text string read from the applicable power supply. If only one power supply is working, this section displays the message, “No redundancy.”

Fans — For each fan sensor, the current fan speed.

Processors — For each processor sensor, a text string giving the status of the applicable processor.

Voltages — For each voltage sensor, the current voltage reading.

Notes:

• For fans and power supplies in CB 320 server chassis, IPMI information appears on the Hardware page. Nodes that are individual blades do not have their own fans and power supplies.

• HCP does not report IPMI information for nodes in HCP-VM systems.

Network interface cards (NICs)

Each HCP node has two pairs of bonded ports:

• One pair of ports is used for connecting to the front-end networks, including the [hcp_system] network and all user-defined networks. These ports share all front-end network IPv4 and IPv6 addresses assigned to the node.

• One pair of ports is used for connecting to the back-end network. These ports share the back-end IP address assigned to the node.

The name assigned to each front-end and back-end port includes the NIC port number (for example, eth0 and eth1). By default, HCP uses the lower-numbered port in each bonded pair. If the lower-numbered port for a network fails, HCP automatically switches to the other port in the pair.

On the Storage Node page for a given node, the Console displays information about each of the NICs in the node. The NIC information is organized by network. For each port assigned to a network, the Console displays these details:

Interface — The name assigned to the port.

Active — An indication of whether the port is available for use. Possible values are true and false.

Duplex — An indication of whether the port is full-duplex (full) or half-duplex (half).

Active in Bond — An indication of whether the port is currently the one being used. Possible values are true and false.

Speed — The current rate of data transmission through the port.

Maximum Supported Speed — The maximum supported rate of data transmission for the port.

File system status

Each node in an HCP system has multiple file systems on its primary storage. At installation time, a fixed amount of space and a fixed number of inodes are allocated to each of those file systems. Each NFS volume associated with a node has a single file system with a fixed amount of space and a fixed number of inodes.

Inodes determine the total number of files and directories a file system can have. (These files and directories do not have a direct correspondence to the objects and directories that users create.)

On the Storage Node page for a given node, when you click on the row that shows the file system status summary, the Console displays the following information about each file system on each primary storage volume and NFS volume that’s managed by the node:

Path — The directory path

Free 1K Blocks — The amount of available storage associated with the file system, in one-KB blocks

Total 1K Blocks — The total amount of storage associated with the file system, in one-KB blocks

Block Usage — The percent of the storage blocks currently in use

Inode Usage — The percent of the allocated inodes currently in use

Note: The file systems listed include those used for the operating system. Therefore, the total amount of storage associated with all the file systems for a node is greater than the total amount of storage associated with the logical volumes displayed for that node.
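Block Usage and Inode Usage are tracked independently, so a file system can run out of inodes while most of its blocks are still free. The following added example (not part of the HCP documentation and not an HCP interface) builds the same five columns from constructed `df -Pk` and `df -Pi` output of a generic POSIX host and flags that case; the paths, numbers and the 90 percent threshold are assumptions.

```python
"""Build Path / Free 1K Blocks / Total 1K Blocks / Block Usage / Inode Usage
rows from POSIX df output and flag file systems that are close to exhaustion."""
from dataclasses import dataclass

# Constructed sample output of `df -Pk` (1K blocks); values are invented.
DF_BLOCKS = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1         20000000   6000000  14000000      30% /
/dev/sdb1       1000000000 250000000 750000000      25% /data/vol1
/dev/sdc1       1000000000 100000000 900000000      10% /data/vol2
"""

# Constructed sample output of `df -Pi` (inodes); values are invented.
DF_INODES = """\
Filesystem       Inodes    IUsed     IFree IUse% Mounted on
/dev/sda1       1000000   150000    850000   15% /
/dev/sdb1      60000000 15000000  45000000   25% /data/vol1
/dev/sdc1      60000000 58800000   1200000   98% /data/vol2
"""


@dataclass
class FsStatus:
    path: str
    free_1k_blocks: int
    total_1k_blocks: int
    block_usage: float  # percent of blocks in use
    inode_usage: float  # percent of allocated inodes in use


def _parse_df(text):
    """Return {mount_point: (total, used, free)} from `df -P` style output."""
    table = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or wrapped line
        try:
            total, used, free = (int(f) for f in fields[1:4])
        except ValueError:
            continue  # non-numeric counters, skip the row
        # The mount point is the last column and may contain spaces.
        table[" ".join(fields[5:])] = (total, used, free)
    return table


def _percent(used, total):
    # Some file systems report zero inodes; treat that as 0 percent used.
    return round(100.0 * used / total, 1) if total else 0.0


def file_system_status(df_blocks, df_inodes):
    """Merge block and inode counters by mount point, sorted by path."""
    blocks = _parse_df(df_blocks)
    inodes = _parse_df(df_inodes)
    rows = []
    for path, (total, _used, free) in sorted(blocks.items()):
        i_total, i_used, _i_free = inodes.get(path, (0, 0, 0))
        rows.append(FsStatus(
            path=path,
            free_1k_blocks=free,
            total_1k_blocks=total,
            block_usage=_percent(total - free, total),
            inode_usage=_percent(i_used, i_total),
        ))
    return rows


def at_risk(rows, threshold=90.0):
    """Return (path, reason) pairs; the threshold is an assumed alert level."""
    findings = []
    for row in rows:
        if row.block_usage >= threshold:
            findings.append((row.path, "blocks"))
        elif row.inode_usage >= threshold:
            # Plenty of space left, but no room for new files or directories.
            findings.append((row.path, "inodes"))
    return findings


if __name__ == "__main__":
    status = file_system_status(DF_BLOCKS, DF_INODES)
    for row in status:
        print(row)
    print(at_risk(status))
```
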

Node events

The Node Events section on the Storage Node page for a given General Node lists all event messages logged for that node since the HCP system was installed. The list of messages in this section is a subset of the messages in the HCP system log. You can view all the messages in the system log in the All Events panel on the System Events page. For more information on this panel, see “Viewing the complete event log” on page 437.

For a description of the information provided by each log message, see “Understanding the HCP system log” on page 436. For information on the messages that can appear in the system log and how to respond to them, see Appendix B, “HCP system log messages,” on page 535.

By default, the messages are listed ten at a time in reverse chronological order. For information on managing the message display, see “Managing the message list” on page 440.

Shutting down or restarting individual nodes

Under normal operating conditions, the HCP nodes manage themselves. However, because hardware failures are possible, the System Management Console provides controls for shutting down and restarting individual nodes.

Shutting down a node means shutting down the HCP software on it and powering it off. After shutting down a node, you need to manually power it back on to start HCP on it again.

Restarting a node means shutting down and restarting the HCP software on it without powering it off.

Shutting down or restarting a node has no effect on the data in the primary storage volumes and the NFS volumes that are associated with the node. However, while a node is shut down or in the process of restarting, clients have no access to that node.

Shutting down or restarting a node is rarely necessary and can cause extra service activity, which increases the load on the system. However, situations in which shutting down a node may be appropriate include:

• A hardware failure has occurred.

• The node requires maintenance.

• You plan to remove the node from the system.

The most frequent reason for restarting a node is that your authorized HCP service provider has requested it during the assessment or resolution of a problem.

When you shut down or restart a node, you are required to specify a reason for the action.

Note: After a node shuts down, HCP may perform a file-system check when the node reboots. This can take several hours to complete.

Roles: To shut down or restart a node, you need the administrator or service role.

Shutting down an individual node

When you shut down a node, the hardware configuration determines whether it powers off automatically. To complete the action, you may need to power off the node manually after stopping it.

To ensure that HCP has enough time to shut down cleanly, wait a few minutes before powering the node off manually. If the node is connected to a console, the console displays “System halted” when you can safely power off the node.

To shut down a node:

1. Take one of the following actions:

– On the Hardware ► Nodes page, click on the shutdown icon for the node.

– On the Storage Node page for the node, click on the Shut Down Node button.

The Shut Down Node window appears.

2. In the Reason field, type the reason why you’re shutting down the node. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

3. Click on the Shut Down Node button.

The node shuts down and, if possible, powers off.

Restarting an individual node

Restarting an HCP node causes it to reboot. While the node is in the process of restarting, clients have no access to it.

Note: When you restart a node in a system with zero-copy failover enabled, the storage managed by the node fails over to the paired node during the shutdown part of the restart. The failover process always finishes before the restarted node completes its shutdown process. Therefore, the data outage caused by the failover lasts less than three minutes.

When the node comes back up, the failback process extends the reboot by 15 to 30 seconds. The data outage caused by the failback lasts less than five minutes.

For more information on failover and failback, see Appendix C, “Zero-copy failover behavior,” on page 575.

To restart a node:

1. Take one of these actions:

– On the Hardware ► Nodes page, click on the restart icon for the node.

– On the Storage Node page for the node, click on the Restart Node button.

The Restart Node window appears.

2. In the Reason field, type the reason why you’re restarting the node. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

3. Click on the Restart Node button.

The node reboots. When the node has finished rebooting, it is again available for client access.

6 Storage administration

By default, HCP stores all objects in a repository on primary running storage. However, HCP supports the use of primary spindown storage (SAIN systems only), economy storage, and extended storage for tiering purposes.

HCP is automatically configured to access and use primary running storage and primary spindown storage. To enable HCP to store objects on economy or extended storage, however, you need to manually configure HCP to access each physical storage device and cloud storage service endpoint. When tiering from HCP, data can be moved off of primary running storage but a copy of the metadata always remains in the system.

A service plan defines one or more storage tiers that can be used to store objects in a namespace. For each object, at any given point in the object lifecycle, the service plan specifies the criteria that determine which storage tiers are used to store copies of that object and the number of copies of that object that must be stored on each tier.

This chapter provides:

• An overview of the types of storage that can be used to store objects in an HCP repository

• An explanation of how HCP uses storage components and storage pools to represent various types of storage

• Instructions on monitoring the health, availability, capacity, and usage of the storage that’s represented by storage pools and components

• Instructions on creating, modifying, retiring, abandoning, and deleting economy and extended storage pools and components

• An explanation of how service plans are used to define storage tiers for a namespace and specify rules that determine how HCP stores objects in that namespace on each storage tier

• Instructions on creating, modifying, retiring, and deleting service plans

• Instructions on assigning a service plan to one or more tenants

Storage for HCP systems

An HCP system includes multiple nodes that are networked together, where each node is either an individual server, a blade in a blade server, or a virtual machine. Each physical node can have multiple internal drives and/or can connect to SAN storage. Each virtual node emulates a server that has only internal drives.

The physical storage that’s managed by the nodes in the HCP system is called primary storage. By default, primary storage consists entirely of running storage, which is storage on continuously spinning disks.

However, an HCP SAIN system can be configured to use SAN storage that includes both running storage and spindown storage, which is storage on disks that can be spun up or spun down as needed. If primary spindown storage is enabled on an HCP SAIN system, you can configure HCP to use that storage for tiering purposes.

You can also add HCP S Series Nodes to your HCP system and tier to them. This is known as economy storage. The amount of objects you can tier to an HCP S Series Node is limited to the total storage capacity of the node. If you want more storage capacity, you need to purchase more HCP S Series Nodes. The HCP system communicates with the HCP S Series Nodes through HS3 and the management API.

You can also configure any HCP system to use extended storage, which is additional storage that’s managed by devices outside of the HCP system, for tiering purposes.

You can configure HCP to access and store object data on up to seven different types of extended storage:

NFS — Volumes that are accessed on physical storage devices using NFS mount points

Amazon S3 — Cloud storage that’s accessed using an Amazon Web Services user account

Google Cloud — Cloud storage that’s accessed using a Google Cloud Platform user account

Hitachi Cloud Service — Cloud storage that’s accessed using a Hitachi Cloud Service user account

Microsoft Azure — Cloud storage that’s accessed using a Microsoft Azure user account

S3-compatible — Any physical storage device or cloud storage service that’s accessed using a protocol that’s compatible with the Amazon S3 access protocol

Verizon Cloud — Cloud storage that’s accessed using a Verizon Cloud Service user account

Important: Extended storage is intended to increase the amount of storage that’s available to HCP. Extended storage does not function as backup storage. You should secure, back up, and monitor the health and availability of each extended storage device and cloud storage service that you use to store data in an HCP repository.

HCP initially stores each object in a repository on primary running storage. By default, throughout the lifecycle of an object, HCP continues to store all copies of the data and metadata for that object only on primary running storage. However, you can configure HCP to offload object content from primary running storage and store that content on primary spindown storage (if it’s available), on HCP S Series Nodes, or any of the supported types of extended storage that you have configured HCP to access and use.

Using primary spindown storage to store object content that’s accessed infrequently saves energy, thereby reducing the cost of storage.

Note: While all copies of the data, custom metadata, ACL, and secondary metadata for an object can be moved onto primary spindown storage, all copies of the primary metadata for an object must always remain on primary running storage.

For information about how HCP creates, manages, and uses copies of the data, primary metadata, secondary metadata, and ACL for each object in an HCP repository, see “Metadata storage” on page 298.

Note: While all of the data for an object can be moved off of primary running storage, and stored only on economy or extended storage, at least one copy of the system metadata, custom metadata, and ACL for that object must always remain on primary running storage.

HCP moves object content from primary running storage onto one or more other types of storage according to rules specified in service plans.

Each namespace has a service plan that defines one or more tiers of storage that can be used to store objects in that namespace. For each object in a given namespace, at any given point in the object lifecycle, the service plan specifies the criteria that determine which storage tiers must be used to store copies of that object and the number of copies of that object that must be stored on each tier.

Because HCP initially stores every object on primary running storage, every service plan automatically defines primary running storage as the initial storage tier, called the ingest tier. By default, each service plan defines only the ingest tier, so that HCP stores all objects in a given namespace on primary running storage throughout the entire object lifecycle.

Primary running storage is designed to provide both high data availability and high performance for object data storage and retrieval operations. To optimize data storage price/performance for the objects in a namespace, you can configure the service plan for that namespace to define a storage tiering strategy that specifies multiple storage tiers.

About storage components

In the System Management Console, HCP uses storage components to represent primary running storage, primary spindown storage, and each physical device and cloud storage service that’s used to access a specific type of extended storage. Each storage component is intended to represent all storage devices that share a common access point (whether that’s the HCP system, an external device, or a cloud storage service) and that provide a specific set of data availability, price, and performance characteristics.

HCP uses storage components to provide you with an interface to:

• Configure HCP to provide the information that HCP needs to use to access specific extended storage devices and cloud storage service endpoints.

• Configure HCP to monitor, manage, and use all of the storage that’s represented by one or more storage components of the same type as a single storage pool.

• Monitor the health, availability, capacity, and usage of the storage that’s represented by each component (primary running storage, primary spindown storage, and each extended storage device and cloud service endpoint), and appropriately provision storage.

• Retire extended storage that’s represented by a single storage component or retire all of the extended storage that’s represented by the components in a single storage pool.

Primary storage components

Every HCP system has a pre-configured storage component for each type of primary storage that the system is configured to use. The primary running storage component represents all continuously spinning disks that are currently managed by the HCP nodes. For SAIN systems with spindown storage, the primary spindown storage component represents all spindown-capable disks that are currently managed by the HCP nodes.

In the System Management Console, you can use the Storage page to view information about the current hardware configuration, health status, availability, capacity, and usage of the storage that’s represented by each primary storage component.

You can also use the Storage page to view current and historical storage usage statistics for each individual primary storage component, and you can view a comparison of the current and historical storage capacity usage statistics for all components that are defined on the HCP system, including the two primary storage components.

You can use the information that you can view on the Storage page to monitor the health and usage of each type of primary storage and determine when you need to add primary storage to an HCP system or replace storage devices that are used for primary running storage or primary spindown storage.

Note: You cannot modify a primary storage component in order to add, retire, or upgrade primary running storage or primary spindown storage.

To add primary storage to an HCP system either to increase primary storage capacity or to replace one or more retired storage devices, contact your authorized HCP service provider for help.

On a RAIN or SAIN system, you can use either the Storage page or the Migration page in the System Management Console to retire one or more primary storage devices. When you retire primary storage, HCP automatically updates each primary storage component as necessary to reflect the changes in the total storage capacity and in the total number of disks represented by each primary storage component.

For more information on retiring primary storage using the Storage page, see “Retiring primary storage devices” on page 165.

For more information on retiring primary storage using the Migration page, see “Migration service” on page 339.

Economy storage components

HCP can tier to separate HCP S Series Nodes added to the system. To connect the S Series Nodes to the HCP system, you need to add them to the HCP system on the Hardware page of the System Management Console. For more information on adding HCP S Series Nodes, see “Creating an HCP S Series Node component” on page 154.

Once an economy storage component has been added, you can use the Storage page to view information about the storage component’s health status, availability, and capacity. You can also use the Storage page to view current and historical storage usage statistics for each individual economy storage component.

Although economy storage behaves like extended storage, it has a storage capacity limit. You can use the Storage page to monitor the health and usage of economy storage components and determine when you need to add more S Series Nodes to the HCP system.

Extended storage components

HCP supports the use of the following types of extended storage: Amazon S3, Google Cloud, Hitachi Cloud, Microsoft Azure, S3-compatible, Verizon Cloud and NFS storage. To enable HCP to use a specific type of extended storage, you need to create and configure one or more storage components of the appropriate type.

For each storage component you create, you need to specify the name of the component, the type of extended storage that’s represented by the component, and the information that HCP needs to use to access that storage.

Amazon S3 storage components

Each Amazon S3 component represents a single endpoint that’s used to access cloud storage using one or more Amazon S3 Web Services user accounts.

To enable HCP to access the storage that’s represented by an Amazon S3 storage component, when you create that component, you specify the following information:

• The component name.

• Optionally, a description of the component.

• Optionally, the network you want HCP to use for communication with the storage component. This field is only visible if Virtual network management is enabled. For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

• Whether you want HCP to use the default endpoint, s3.amazonaws.com, to connect to Amazon S3 Web Services, and if not, the fully qualified domain name (FQDN) of the endpoint that you want HCP to use instead of the default.

• Optionally, any of these advanced configuration settings:

– Whether you want HCP to use HTTPS to access the endpoint, and if so, the HTTPS port you want to use to connect to the endpoint (default is 443)

– The HTTP port you want to use to connect to the endpoint (default is 80)

– Whether you want to use a proxy server to connect to the endpoint, and if so, the following information about the proxy server:

• The hostname or IP address of the proxy server

• The port number you want to use to connect to the proxy server (default is 0)

• The username, password, and AD domain of the user account that HCP needs to use to access the proxy server

– Whether you want HCP to use path-style URLs to access the storage that’s represented by the storage component, and if so, the region that includes the Amazon S3 Web Services datacenter that hosts the storage that’s represented by this component

Note: If you select this option, you need to specify a region-specific endpoint instead of using the default endpoint.

– The region that includes the Amazon S3 Web Services datacenter that hosts the storage that’s represented by this component (default is us-east-1)

Note: For faster access to storage located in a particular region, you should specify a region-specific endpoint instead of using the default endpoint.

• Whether the storage that’s represented by this component is considered to be compliant.

• The account label that you want to associate with the initial Amazon S3 Web Services user account that you want HCP to use to access the storage that’s represented by the component. In the System Management Console, HCP uses the account label to represent the user account with the specified credentials.

• The access key and secret key for the Amazon S3 Web Services user account that you want HCP to use to access the storage that’s represented by the component.

Note: Once you create an Amazon S3 storage component, you can modify it to specify credentials for one or more additional user accounts. For details on this, see “Configuring a new user account for access to an extended storage endpoint” on page 153.

• Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to Amazon S3 Web Services to request read or write access to the storage associated with the specified user account.

• Whether you want to access existing buckets associated with the specified user account, and if so, the name of each existing bucket you want to access.

Notes:

• At any given time, a bucket can be associated with only one storage component.

• You can add an existing bucket to an Amazon S3 storage component only if that bucket is empty or has only HCP data in it.

• Whether you want to create any new buckets for the specified user account, and if so, the name of each new bucket you want to create.

Note: By default, the Add Component wizard displays a list of the existing buckets that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to create a new bucket. To create a new bucket, you need to click on Bucket Actions, then select the Create new option from the dropdown list, then specify the name of the bucket you want to create.

Google Cloud storage components

Each Google Cloud component represents a single endpoint that’s used to access cloud storage using one or more Google Cloud Platform user accounts.

To enable HCP to access the storage that’s represented by a Google Cloud storage component, when you create that component, you specify the following information:

• The component name.

• Optionally, a description of the component.

• Optionally, the network you want HCP to use for communication with the storage component. This field is only visible if Virtual network management is enabled. For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

• Whether you want HCP to use the default endpoint, storage.googleapis.com, to connect to Google Cloud Platform, and if not, the fully qualified domain name (FQDN) of the endpoint that you want HCP to use instead of the default.

• Optionally, any of these advanced configuration settings:

– Whether you want HCP to use HTTPS to access the endpoint, and if so, the HTTPS port you want to use to connect to the endpoint (default is 443)

– The HTTP port you want to use to connect to the endpoint (default is 80)

– Whether you want to use a proxy server to connect to the endpoint, and if so, the following information about the proxy server:

• The hostname or IP address of the proxy server

• The port number you want to use to connect to the proxy server (default is 0)

• The username, password, and AD domain of the user account that HCP needs to use to access the proxy server

– Whether you want HCP to use path-style URLs to access the storage that’s represented by the storage component

• Whether the storage that’s represented by this component is considered to be compliant.

• The account label that you want to associate with the initial Google Cloud Platform user account that you want HCP to use to access the storage that’s represented by the component. In the System Management Console, HCP uses the account label to represent the user account with the specified credentials.

• The access key and secret key for the Google Cloud Platform user account that you want HCP to use to access the storage that’s represented by the component.

Note: Once you create a Google Cloud storage component, you can modify it to specify credentials for one or more additional user accounts. For details on this, see “Configuring a new user account for access to an extended storage endpoint” on page 153.

• Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to Google Cloud Platform to request read or write access to the storage associated with the specified user account.

• Whether you want to access existing buckets associated with the specified user account, and if so, the name of each existing bucket you want to access.

Notes:

• At any given time, a bucket can be associated with only one storage component.

• You can add an existing bucket to a Google Cloud storage component only if that bucket is empty or has only HCP data in it.

• Whether you want to create any new buckets for the specified user account, and if so, the name of each new bucket you want to create.

Note: By default, the Add Component wizard displays a list of the existing buckets that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to create a new bucket. To create a new bucket, you need to click on Bucket Actions, then select the Create new option from the dropdown list, then specify the name of the bucket you want to create.

Hitachi Cloud Service storage components

Each Hitachi Cloud Service component represents a single endpoint that’s used to access cloud storage using one or more Hitachi Cloud Service user accounts.

To enable HCP to access the storage that’s represented by a Hitachi Cloud Service storage component, when you create that component, you specify the following information:

• The component name.

• Optionally, a description of the component.

• Optionally, the network you want HCP to use for communication with the storage component. This field is only visible if Virtual network management is enabled. For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

• The fully qualified domain name (FQDN) of the endpoint that you want HCP to use to connect to Hitachi Cloud Service.

• Optionally, any of these advanced configuration settings:

– Whether you want HCP to use HTTPS to access the endpoint, and if so, the HTTPS port you want to use to connect to the endpoint (default is 443)

– The HTTP port you want to use to connect to the endpoint (default is 80)

– Whether you want to use a proxy server to connect to the endpoint, and if so, the following information about the proxy server:

• The hostname or IP address of the proxy server

• The port number you want to use to connect to the proxy server (default is 0)

• The username, password, and AD domain of the user account that HCP needs to use to access the proxy server

– Whether you want HCP to use path-style URLs to access the storage that’s represented by the storage component

• Whether the storage that’s represented by this component is considered to be compliant.

• The account label that you want to associate with the initial Hitachi Cloud Service user account that you want HCP to use to access the storage that’s represented by the component. In the System Management Console, HCP uses the account label to represent the user account with the specified credentials.

• The access key and secret key for the Hitachi Cloud Service user account that you want HCP to use to access the storage that’s represented by the component.

Note: Once you create a Hitachi Cloud Service storage component, you can modify it to specify credentials for one or more additional user accounts. For details on this, see “Configuring a new user account for access to an extended storage endpoint” on page 153.

• Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to Hitachi Cloud Service to request read or write access to the storage associated with the specified user account.

• Whether you want to access existing namespaces associated with the specified user account, and if so, the name of each existing namespace you want to access.

Notes:

• At any given time, a namespace can be associated with only one storage component.

• You can add an existing namespace to a Hitachi Cloud Service storage component only if that namespace is empty or has only HCP data in it.

• Whether you want to create any new namespaces for the specified user account, and if so, the name of each new namespace you want to create.

Note: By default, the Add Component wizard displays a list of the existing namespaces that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to create a new namespace. To create a new namespace, you need to click on Namespace Actions, then select the Create new option from the dropdown list, then specify the name of the namespace you want to create.

Microsoft Azure storage components

Each Microsoft Azure component represents a single endpoint that’s used to access cloud storage using one or more Microsoft Azure user accounts.

To enable HCP to access the storage that’s represented by a Microsoft Azure storage component, when you create that component, you specify the following information:

• The component name.

• Optionally, a description of the component.

• Optionally, the network you want HCP to use for communication with the storage component. This field is only visible if Virtual network management is enabled. For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

• Whether you want HCP to use the default endpoint, blob.core.windows.net, to connect to Windows Azure, and if not, the fully qualified domain name (FQDN) of the endpoint that you want HCP to use instead of the default.

• Optionally, any of these advanced configuration settings:

– You can display an advanced option that lets you specify whether to connect to Microsoft Azure using HTTPS. This option is enabled by default.

– Whether you want to use a proxy server to connect to the endpoint, and if so, the following information about the proxy server:

• The hostname or IP address of the proxy server

• The port number you want to use to connect to the proxy server (default is 0)

• Whether the storage that’s represented by this component is considered to be compliant.

• The account label that you want to associate with the initial Microsoft Azure user account that you want HCP to use to access the storage that’s represented by the component. In the System Management Console, HCP uses the account label to represent the user account with the specified credentials.

• The access key and secret key for the Microsoft Azure user account that you want HCP to use to access the storage that’s represented by the component.

Note: Once you create a Microsoft Azure storage component, you can modify it to specify credentials for one or more additional user accounts. For details on this, see “Configuring a new user account for access to an extended storage endpoint” on page 153.

• Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to Microsoft Azure to request read or write access to the storage associated with the specified user account.

• Whether you want to access existing containers associated with the specified user account, and if so, the name of each existing container you want to access.

Notes:

• At any given time, a container can be associated with only one storage component.

• You can add an existing container to a Microsoft Azure storage component only if that container is empty or has only HCP data in it.

• Whether you want to create any new containers for the specified user account, and if so, the name of each new container you want to create.

Note: By default, the Add Component wizard displays a list of the existing containers that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to create a new container. To create a new container, you need to click on Container Actions, then select the Create new option from the dropdown list, then specify the name of the container you want to create.

S3-compatible storage components

Each S3-compatible component represents a single physical storage device or cloud storage service that’s used to access storage using a protocol that’s compatible with the Amazon S3 access protocol.

To enable HCP to access the storage that’s represented by an S3-compatible storage component, when you create that component, you specify the following information:

• Optionally, the network you want HCP to use for communication with the storage component. This field is only visible if Virtual network management is enabled. For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

• The endpoint that HCP needs to use to access the physical device or cloud storage service that manages the storage that’s represented by this component.

• Optionally, any of these advanced configuration settings:

– Whether you want HCP to use HTTPS to access the endpoint, and if so, the HTTPS port you want to use to connect to the endpoint (default is 443)

– The HTTP port you want to use to connect to the endpoint (default is 80)

– Whether you want to use a proxy server to connect to the endpoint, and if so, the following information about the proxy server:

• The hostname or IP address of the proxy server

• The port number you want to use to connect to the proxy server (default is 0)

• The username, password, and AD domain of the user account that HCP needs to use to access the proxy server

– Whether you want HCP to use path-style URLs to access the storage that’s represented by the storage component

• Whether the storage that’s represented by this component is considered to be compliant.

• The account label that you want to associate with the initial user account that you want HCP to use to access the storage that’s represented by the component. In the System Management Console, HCP uses the account label to represent the user account with the specified credentials.

• The access key and secret key for the user account that you want HCP to use to access the storage that’s represented by the component.

Note: Once you create an S3-compatible storage component, you can modify it to specify credentials for one or more additional user accounts. For details on this, see “Configuring a new user account for access to an extended storage endpoint” on page 153.

• Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to the target storage device or cloud service to request read or write access to the storage associated with the specified user account.

• Whether you want to access existing buckets associated with the specified user account, and if so, the name of each existing bucket you want to access.

Notes:

• At any given time, a bucket can be associated with only one storage component.

• You can add an existing bucket to an S3-compatible storage component only if that bucket is empty or has only HCP data in it.

• Whether you want to create any new buckets for the specified user account, and if so, the name of each new bucket you want to create.

Note: By default, the Add Component wizard displays a list of the existing buckets that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to create a new bucket. To create a new bucket, you need to click on Bucket Actions, then select the Create new option from the dropdown list, then specify the name of the bucket you want to create.

Verizon Cloud storage components

Each Verizon Cloud component represents a single endpoint that’s used to access cloud storage using one or more Verizon Cloud user accounts.

To enable HCP to access the storage that’s represented by a Verizon Cloud storage component, when you create that component, you specify the following information:

• The component name.

• Optionally, a description of the component.

• Optionally, the network you want HCP to use for communication with Verizon. This field is only visible if Virtual network management is enabled. For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

• The fully qualified domain name (FQDN) of the endpoint that you want HCP to use.

• Optionally, any of these advanced configuration settings:

– Whether you want HCP to use HTTPS to access the endpoint, and if so, the HTTPS port you want to use to connect to the endpoint (default is 443)

– The HTTP port you want to use to connect to the endpoint (default is 80)

– Whether you want to use a proxy server to connect to the endpoint, and if so, the following information about the proxy server:

• The hostname or IP address of the proxy server

• The port number you want to use to connect to the proxy server (default is 0)

• The username, password, and AD domain of the user account that HCP needs to use to access the proxy server

– Whether you want HCP to use path-style URLs to access the storage that’s represented by the storage component.

• Whether the storage that’s represented by this component is considered to be compliant.

• The account label that you want to associate with the initial Verizon Cloud user account that you want HCP to use to access the storage that’s represented by the component. In the System Management Console, HCP uses the account label to represent the user account with the specified credentials.

• The access key and secret key for the Verizon Cloud user account that you want HCP to use to access the storage that’s represented by the component.

Note: Once you create a Verizon Cloud storage component, you can modify it to specify credentials for one or more additional user accounts. For details on this, see “Configuring a new user account for access to an extended storage endpoint” on page 153.

• Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to Verizon Cloud to request read or write access to the storage associated with the specified user account.

• Whether you want to access existing buckets associated with the specified user account, and if so, the name of each existing bucket you want to access.

Notes:

• At any given time, a bucket can be associated with only one storage component.

• You can add an existing bucket to a Verizon Cloud storage component only if that bucket is empty or has only HCP data in it.

• Whether you want to create any new buckets for the specified user account, and if so, the name of each new bucket you want to create.

Note: By default, the Add Component wizard displays a list of the existing buckets that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to create a new bucket. To create a new bucket, you need to click on Bucket Actions, then select the Create new option from the dropdown list, then specify the name of the bucket you want to create.

NFS storage components

Each NFS storage component represents a single physical storage device on which one or more volumes are accessed using NFS mount points.

Notes:

• When you create an NFS storage component, you provide HCP with the information that it needs to create an NFS mount point for each volume that you want to access on the device that’s represented by the NFS storage component. However, HCP creates an NFS mount point that’s associated with a given storage component only when that mount point is added to an NFS storage pool. For information on adding an NFS mount point to a storage pool, see “Adding access points to an extended storage pool” on page 162.

• When an HCP system is upgraded from release 6.x to release 7.0 or later, HCP automatically creates an NFS storage component and an NFS storage pool (see “NFS storage pools” on page 136) for each external volume that was configured on the HCP system before it was upgraded, and defines each NFS storage pool as a storage tier. For each namespace that was configured to use NFS storage before the upgrade, HCP automatically configures the service plan for that namespace to define the appropriate NFS storage pool as a storage tier.

• On the Hardware page of the System Management Console, HCP uses an external volume (also called an NFS volume) to represent the storage that’s accessed using a single NFS mount point that’s contained in an NFS storage pool (see “NFS storage pools” on page 136 for details). You can use the Storage page to view information about all NFS volumes stored on a single physical storage device that’s represented by an NFS storage component.

Before you can create an NFS storage component, you need to create and configure the NFS shares for the volumes you want to access on the physical storage device that’s represented by the component.

The main steps for creating NFS shares on a physical storage device for which you want to create an NFS storage component are:

1. On the physical storage device, create the directories you want to share (see “Directories for export” below).

2. Export each directory as an NFS share (see “Exported shares” below).

Directories for export

For each storage volume you want to access on the physical storage device that’s represented by an NFS storage component, you need to create a directory on that physical storage device. For each directory, you need to set the permissions to allow read, write, and execute access to all users.

For example, on Linux systems, each directory you want to share must have its permissions set to 777.

Exported shares

Each directory that you want to mount as an NFS volume on an HCP node must be exported as an NFS share on the physical storage device that’s represented by the NFS storage component you want to create. To ensure that other systems and applications cannot mount the same storage, you should export each share exclusively to the HCP system. You can identify the HCP system in one of three ways:

• Using the fully-qualified domain name (FQDN) of the domain that’s associated with the [hcp_system] network, preceded by admin (for example, admin.hcp.example.com). This option is available only if the HCP system is using DNS.

• By the CIDR notation for any IPv4 or IPv6 gateway that’s defined for the [hcp_system] network.

• By the node IP addresses that the extended storage device needs to use to communicate with the [hcp_system] network. In this case, you need to export the share to the appropriate IPv4 or IPv6 addresses for all the HCP nodes.

You need to export each share to all nodes because you cannot predict with which node HCP will associate the NFS storage volume you create for a share. If you omit a node and HCP associates a volume with that node, HCP has no access to the share for that volume.

Note: If you use node IP addresses to identify the HCP system and you subsequently change any of those IP addresses in the [hcp_system] network, you need to update the export specification for the share with the new addresses. Then you need to export the share again.

The method you use to export the shares and the export options you specify depend on the type of storage device for which you want to create an NFS storage component. Minimally, the exported share must allow read and write access by the HCP system.

Note: The following information on exporting shares on Linux systems is included for explanatory purposes only. The extended storage devices that are represented by NFS storage components should be enterprise-class, purpose-built appliances. The storage volumes that are accessed using NFS mount points should be on storage that’s RAID-protected, secure, and monitored closely for its health.

On Linux systems, you specify the shares to be exported in the /etc/exports file. To ensure that HCP correctly uses the NFS volumes that you make available to it, the specification of each exported share must minimally include these options:

rw,sync,no_wdelay

For example, to export the share named /hcp_shares/share1 to the HCP system with the domain name hcp.example.com, you would add this line to the /etc/exports file:

/hcp_shares/share1 admin.hcp.example.com(rw,sync,no_wdelay)

The export options in each line in the /etc/exports file must directly follow the system identifier with no space between them.

Once you’ve specified the shares to be exported, you use this command to export them:

exportfs -a

For information on how to export shares on non-Linux storage devices, see the device-specific documentation.
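The export rules above (the three required options, no space between the system identifier and its options, export only to the HCP system, and export to every node when node IP addresses are used) can be checked before running exportfs. The following Python audit is an added example, not part of the HCP product or its documentation; the function names, the sample file contents and the 192.0.2.x node addresses are constructed for illustration.

```python
import re

# Minimum export options the manual requires for every share HCP mounts.
REQUIRED_OPTIONS = {"rw", "sync", "no_wdelay"}

# One whitespace-delimited token of an export line: identifier, then optional "(options)".
SPEC_RE = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (line_no, path, [(client, options), ...]) for each export line.

    options is a set of option names, or None when the token carries no
    "(...)" group or cannot be parsed.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        specs = []
        for token in tokens:
            match = SPEC_RE.match(token)
            if match is None:
                specs.append((token, None))
            elif match["opts"] is None:
                specs.append((match["client"], None))
            else:
                opts = set(filter(None, match["opts"].split(",")))
                specs.append((match["client"], opts))
        yield line_no, path, specs


def audit_exports(text, expected):
    """Return (line_no, path, message) findings for the shares in `expected`.

    `expected` maps each share path to the identifiers it must be exported to:
    the admin FQDN, a gateway CIDR, or every HCP node address. Findings about
    an identifier that is absent from the file use line number 0.
    """
    findings = []
    exported_to = {path: set() for path in expected}
    for line_no, path, specs in parse_exports(text):
        if path not in expected:
            continue
        for client, opts in specs:
            if client == "":
                # A space before "(" detaches the options from the identifier;
                # on Linux NFS servers the bare group then matches every host.
                findings.append((line_no, path,
                                 "option group has no system identifier, "
                                 "so it applies to every host"))
                continue
            if client in expected[path]:
                exported_to[path].add(client)
            else:
                findings.append((line_no, path,
                                 f"exported to {client}, which is not an HCP identifier"))
            missing = REQUIRED_OPTIONS - (opts or set())
            if missing:
                findings.append((line_no, path,
                                 f"{client} lacks {','.join(sorted(missing))}"))
    for path, clients in expected.items():
        for client in sorted(clients - exported_to[path]):
            findings.append((0, path, f"not exported to {client}"))
    return findings


# Constructed sample input, not taken from a real storage device.
SAMPLE_EXPORTS = """\
# shares reserved for HCP
/hcp_shares/share1 admin.hcp.example.com(rw,sync,no_wdelay)
/hcp_shares/share2 admin.hcp.example.com (rw,sync,no_wdelay)
/hcp_shares/share3 192.0.2.11(rw,sync,no_wdelay) 192.0.2.12(rw,sync)
"""

# share1 and share2 identify HCP by FQDN; share3 by the addresses of three nodes.
EXPECTED = {
    "/hcp_shares/share1": {"admin.hcp.example.com"},
    "/hcp_shares/share2": {"admin.hcp.example.com"},
    "/hcp_shares/share3": {"192.0.2.11", "192.0.2.12", "192.0.2.13"},
}

if __name__ == "__main__":
    for line_no, path, message in audit_exports(SAMPLE_EXPORTS, EXPECTED):
        print(f"line {line_no}: {path}: {message}")
```

The share2 line shows why the no-space rule matters: the identifier is left without the required options and the detached option group is no longer restricted to the HCP system.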

Required NFS storage component configuration settings

To enable HCP to access the storage that’s represented by an NFS storage component, when you create that component, you specify the following information:

• The IP address or hostname that HCP needs to use to connect to the physical storage device on which you want to access storage volumes using NFS mount points

• The mount command options that you want HCP to use when it creates NFS mount points to access NFS shares on the device that’s represented by the component

To ensure that NFS volumes are mounted correctly, HCP always uses these options to the mount command:

rw,sync,soft,nodev,nfsvers=3

HCP uses the options that you specify in addition to the above options.

The additional options that you can specify are:

lookupcache=none, noatime, nodiratime, nosuid, port=n, retrans=n, rsize=n, tcp, proto=tcp6, timeo=n, wsize=n

Other mount command options are not supported.

Note: If the [hcp_system] network is currently configured to use both IPv4 and IPv6 addresses, you need to specify the tcp or proto=tcp6 option to indicate which type of IP address you want HCP to use to connect to the NFS storage component.

• The full pathname of each directory that you want to access using an NFS mount point

Notes:

• At any given time, a mount point can be associated with only one NFS storage component.

• By default, the Add Component wizard displays a list of the existing mount points that HCP is able to access using the specified user account credentials, but the wizard does not display the controls required to specify the pathname for an existing NFS share. To specify a directory that does not appear in the list, you need to click on Mount Point Actions, then specify the full pathname of the directory for which you want to create an NFS mount point.
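A list of additional mount options can be checked against the supported set above before it is entered for a component. The following Python check is an added example, not HCP code; the function name is hypothetical, and two rules are assumptions rather than statements from the manual: n is treated as a decimal integer, and setting both tcp and proto=tcp6 is treated as a conflict.

```python
# Options HCP always passes to mount for an NFS mount point (from the manual).
ALWAYS_USED = ("rw", "sync", "soft", "nodev", "nfsvers=3")

# Additional options the manual lists as supported.
FLAGS = {"noatime", "nodiratime", "nosuid", "tcp"}
FIXED = {"lookupcache": "none", "proto": "tcp6"}
NUMERIC = {"port", "retrans", "rsize", "timeo", "wsize"}


def check_additional_options(additional, dual_stack=False):
    """Validate a comma-separated string of additional mount options.

    Returns (effective, problems): the option string that results from adding
    the accepted options to the ones HCP always uses, and a list of messages
    for options that were rejected. Set dual_stack when the [hcp_system]
    network uses both IPv4 and IPv6 addresses.
    """
    problems = []
    accepted = []
    seen = set()
    for opt in filter(None, (o.strip() for o in additional.split(","))):
        name, sep, value = opt.partition("=")
        if not sep:
            supported = name in FLAGS
        elif name in FIXED:
            supported = FIXED[name] == value
        else:
            # Assumption: the "n" in port=n, rsize=n, ... is a decimal integer.
            supported = name in NUMERIC and value.isascii() and value.isdigit()
        if not supported:
            problems.append(f"{opt}: not a supported additional option")
        elif name in seen:
            problems.append(f"{opt}: {name} specified more than once")
        else:
            seen.add(name)
            accepted.append(opt)

    transports = [o for o in accepted if o in ("tcp", "proto=tcp6")]
    if len(transports) > 1:
        # Assumption: the two options select different address families.
        problems.append("tcp and proto=tcp6 are both set; choose one")
    if dual_stack and not transports:
        problems.append("dual-stack [hcp_system] network: specify tcp or proto=tcp6")

    effective = ",".join(ALWAYS_USED + tuple(accepted))
    return effective, problems


if __name__ == "__main__":
    # Constructed inputs: one acceptable list and one with unsupported options.
    for text, dual in (("nosuid,noatime,rsize=32768,tcp", True),
                       ("nolock,hard,rsize=big,proto=udp", False)):
        effective, problems = check_additional_options(text, dual_stack=dual)
        print(text, "->", effective)
        for problem in problems:
            print("  ", problem)
```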

About storage pools

HCP uses storage pools to represent logical groups of storage components that can be used as storage tiers. Each storage pool consists of one or more storage components that are used to access the same type of storage.

Each storage tier typically consists of only one storage pool, but a tier can be configured to use multiple storage pools. To store objects on a given tier, HCP uses all of the storage that’s accessed using the storage components that are contained in the storage pools that are configured for the storage tier. Therefore, the capacity of a given storage pool is the total amount of space that’s associated with all the physical storage devices or all of the cloud storage service endpoints represented by the storage components in the pool. You can add storage components to a pool at any time, thereby increasing the capacity of the pool.

You should size extended storage pools to accommodate the amount of data you expect to be written to them. In making this calculation, you need to account for multiple namespaces using the same service plan as well as for multiple service plans specifying the same target storage pool.

Primary storage pools

Every HCP system has a pre-configured storage pool for each type of primary storage that the system is configured to use. The primary running storage pool contains the pre-configured primary running storage component, which represents all continuously spinning disks that are currently managed by the HCP nodes. For SAIN systems with spindown storage, the primary spindown storage pool contains the pre-configured primary spindown storage component, which represents all spindown-capable disks that are currently managed by the HCP nodes.

In the System Management Console, you can use the Storage page to view information about the current hardware configuration, health status, availability, capacity, and usage of the storage that’s represented by each primary storage pool.

You can also use the Storage page to view current and historical storage usage statistics for each individual primary storage pool, and you can view a comparison of the current and historical storage capacity usage statistics for all storage pools that are defined on the HCP system, including the two primary storage pools.

You can use the information that you can view on the Storage page to monitor the health and usage of each type of primary storage and determine when you need to add primary storage to an HCP system or replace storage devices that are used for primary running storage or primary spindown storage.

Note: You cannot modify a primary storage pool in order to add, retire, or upgrade primary running storage or primary spindown storage.

To add primary storage to an HCP system either to increase primary storage capacity or to replace one or more retired storage devices, contact your authorized HCP service provider for help.

On a RAIN or SAIN system, you can use either the Storage page or the Migration page in the System Management Console to retire one or more primary storage devices. When you retire primary storage, HCP automatically updates each primary storage pool as necessary to reflect the changes in the total storage capacity and in the total number of disks represented by each primary storage pool.

For more information on retiring primary storage using the Storage page, see “Retiring primary storage devices” on page 165.

For more information on retiring primary storage using the Migration page, see “Migration service” on page 339.

Economy storage pools

HCP S Series Nodes use storage pools to group buckets together. A storage pool can contain multiple buckets from different HCP S Series Nodes, but a bucket cannot belong to multiple storage pools.

If you add an HCP S Series Node to the HCP system, a storage pool needs to already exist or be created. To create a storage pool you must specify the following information:

• The storage pool name

• Whether the storage pool is compliant

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• For each bucket you want to include in the storage pool:

– The account to which the bucket is assigned

– The name of the bucket

Note:

• At any given time, a bucket can be included in only one storage pool.

• Each bucket you add to a new storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the buckets in the pool are associated with compliant storage components.

Extended storage pools

HCP supports the use of seven different types of extended storage. To enable HCP to use a specific type of extended storage, you need to create and configure one or more storage pools of the appropriate type.

For each storage pool you create, you need to specify the name of the pool, the type of extended storage that’s represented by the pool, and the storage components that are contained in the pool.

The next seven sections describe each type of extended storage pool and the information you need to specify to enable HCP to access the storage that’s represented by each type of storage pool.

Amazon S3 storage pools

Each Amazon S3 storage pool contains one or more buckets that are associated with specific Amazon S3 storage components. Each Amazon S3 storage pool includes all of the storage that’s allocated to all of the buckets in the pool.

To enable HCP to access the storage that’s represented by an Amazon S3 storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• For each bucket you want to include in the storage pool:

– The name of the Amazon S3 storage component that represents the Amazon S3 Web Services endpoint that’s used to access the bucket

– The account label used to identify the Amazon S3 Web Services user account that’s used to access the storage associated with the bucket

– The name of the bucket

Notes:

• At any given time, a bucket can be included in only one storage pool.

• Each bucket you add to a new Amazon S3 storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the buckets in the pool are associated with compliant Amazon S3 storage components.

Google Cloud storage pools

Each Google Cloud storage pool contains one or more buckets that are associated with specific Google Cloud storage components. Each Google Cloud storage pool includes all of the storage that’s allocated to all of the buckets in the pool.

To enable HCP to access the storage that’s represented by a Google Cloud storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• For each bucket you want to include in the storage pool:

– The name of the Google Cloud storage component that represents the Google Cloud Platform endpoint that’s used to access the bucket

– The account label used to identify the Google Cloud Platform user account that’s used to access the storage associated with the bucket

– The name of the bucket

Notes:

• At any given time, a bucket can be included in only one storage pool.

• Each bucket you add to a new Google Cloud storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the buckets in the pool are associated with compliant Google Cloud storage components.

Hitachi Cloud Service storage pools

Each Hitachi Cloud Service storage pool contains one or more namespaces that are associated with specific Hitachi Cloud Service storage components. Each Hitachi Cloud Service storage pool includes all of the storage that’s allocated to all of the namespaces in the pool.

To enable HCP to access the storage that’s represented by a Hitachi Cloud Service storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the namespaces in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the namespaces in the storage pool

• For each namespace you want to include in the storage pool:

– The name of the Hitachi Cloud Service storage component that represents the Hitachi Cloud Service endpoint that’s used to access the namespace

– The account label used to identify the Hitachi Cloud Service user account that’s used to access the storage associated with the namespace

– The name of the namespace

Notes:

• At any given time, a namespace can be included in only one storage pool.

• Each namespace you add to a new Hitachi Cloud Service storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the namespaces in the pool are associated with compliant Hitachi Cloud Service storage components.

Microsoft Azure storage pools

Each Microsoft Azure storage pool contains one or more containers that are associated with specific Microsoft Azure storage components. Each Microsoft Azure storage pool includes all of the storage that’s allocated to all of the containers in the pool.

To enable HCP to access the storage that’s represented by a Microsoft Azure storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the containers in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the containers in the storage pool

• For each container you want to include in the storage pool:

– The name of the Microsoft Azure storage component that represents the Microsoft Azure endpoint that’s used to access the container

– The account label used to identify the Microsoft Azure user account that’s used to access the storage associated with the container

– The name of the container

Notes:

• At any given time, a container can be included in only one storage pool.

• Each container you add to a new Microsoft Azure storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the containers in the pool are associated with compliant Microsoft Azure storage components.

S3-compatible storage pools

Each S3-compatible storage pool contains one or more buckets that are associated with specific S3-compatible storage components. Each S3-compatible storage pool includes all of the storage that’s allocated to all of the buckets in the pool.

To enable HCP to access the storage that’s represented by an S3-compatible storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• For each bucket you want to include in the storage pool:

– The name of the S3-compatible storage component that represents the endpoint that’s used to access the bucket

– The account label used to identify the user account that’s used to access the storage associated with the bucket

– The name of the bucket

Notes:

• At any given time, a bucket can be included in only one storage pool.

• Each bucket you add to a new S3-compatible storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the buckets in the pool are associated with compliant S3-compatible storage components.

Verizon Cloud storage pools

Each Verizon Cloud storage pool contains one or more buckets that are associated with specific Verizon Cloud storage components. Each Verizon Cloud storage pool includes all of the storage that’s allocated to all of the buckets in the pool.

To enable HCP to access the storage that’s represented by a Verizon Cloud storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s allocated to the buckets in the storage pool

• For each bucket you want to include in the storage pool:

– The name of the Verizon Cloud storage component that represents the Verizon Cloud Platform endpoint that’s used to access the bucket

– The account label used to identify the Verizon Cloud Platform user account that’s used to access the storage associated with the bucket

– The name of the bucket

Notes:

• At any given time, a bucket can be included in only one storage pool.

• Each bucket you add to a new Verizon Cloud storage pool must be empty or have only HCP data in it.

• A storage pool is compliant only if all of the buckets in the pool are associated with compliant Verizon Cloud storage components.

NFS storage pools

Each NFS storage pool contains one or more mount points that are associated with specific NFS storage components. Each NFS storage pool includes all of the storage that’s accessed using the NFS mount points included in the pool.

To enable HCP to access the storage that’s represented by an NFS storage pool, when you create that component, you specify the following information:

• The storage pool name

• Optionally, a description of the pool

• Whether you want HCP to compress object data that’s stored on the storage that’s accessed using the NFS mount points in the storage pool

• Whether you want HCP to encrypt object data that’s stored on the storage that’s accessed using the NFS mount points in the storage pool

• For each NFS mount point you want to include in the storage pool:

– The name of the NFS storage component that represents the physical storage device that’s accessed using the NFS mount point

– The full pathname of the directory that you want to access using the NFS mount point

Notes:

• At any given time, an NFS mount point can be included in only one storage pool.

• An NFS storage pool is compliant only if all of the NFS mount points in the pool are associated with compliant NFS storage components.

When you add an NFS mount point to a new or existing NFS storage pool, HCP creates that mount point and mounts the appropriate storage volume (called an NFS volume or an external storage volume) on a node in the HCP system. HCP then adds that NFS volume to the NFS storage pool.

HCP uses a round-robin algorithm to determine which node to associate with each new NFS volume that’s added to an NFS storage pool. This method of assigning NFS volumes to the nodes in the HCP system ensures that the volumes are distributed evenly among the nodes.

If the node with which an NFS storage volume is associated becomes unavailable, that volume also becomes unavailable. HCP does not reassign the volume to a different node. When the node returns to service, the volume becomes available again.

In the HCP System Management Console, you can use the Hardware and Storage Node pages to view information about the NFS storage volumes (called external storage volumes) that are associated with each node in the HCP system. For information on these pages, see “Hardware administration” on page 89.

Considerations for using NFS volumes

These considerations apply to using NFS volumes with HCP:

• HCP can use multiple NFS shares from a single device that’s represented by an NFS storage component. Keep in mind, however, that the larger the number of shares HCP uses, the greater the I/O load on the device.

• Typically, you specify export options for a share according to the standards for your site. However, if HCP is unable to mount the extended storage volume that you created as an NFS share, you may need to change the export options. After changing the export options, you need to export the NFS share again.

• For each NFS mount point that’s associated with an NFS storage component, you can specify more mount options than the required ones. You might do this, for example, to set the network block size for read or write requests to the optimal size for the storage device that’s represented by the NFS storage component. However, if HCP is unable to mount the extended storage volume that you created as an NFS share, you may need to change the additional mount options that you specified.

• If the share for an NFS volume becomes unavailable (for example, because the extended storage device that’s hosting the share is inaccessible), HCP tries periodically to remount the volume. If, after the share is available again, the remount fails, you can try to manually remount the NFS volume:

1. On the left side of the Storage page, click on Components.

2. In the components list, click on the name of the NFS storage component that’s associated with the NFS volume that you want to remount.

3. At the top of the panel that opens, click on the Mount Points tab.

4. On the Mount Points panel, in the table row that contains the NFS mount point that corresponds to the NFS volume you want to remount, click on the remount control.

HCP attempts to remount the NFS volume. If the remount fails, contact your authorized HCP service provider for help.

To see which node the NFS volume is associated with, mouse over the status icon for the mount point on the Mount Points panel.

• You cannot move an NFS volume from one NFS storage pool to another.

• You cannot control which NFS volume HCP writes data to within an NFS storage pool.

• When HCP creates a mount point for a specific NFS volume, HCP stores a file named .__hcp_uuid__ in the shared directory on the device that’s represented by the NFS storage component associated with that mount point. This file uniquely associates the NFS shared directory with the NFS volume. As a result:

– HCP creates only one NFS storage volume for any given exported share.

– If you delete an NFS mount point from an NFS storage component, the associated exported share cannot be reused as is. This means that any data remaining in the NFS volume associated with the mount point becomes permanently inaccessible to HCP.

For more information on deleting NFS mount points, see “Deleting an unused access point from an extended storage component” on page 154.

– To reuse an exported share after the associated NFS mount point is deleted from HCP, you first need to delete any remaining files from the shared directory, including the .__hcp_uuid__ file.

– If you inadvertently delete the .__hcp_uuid__ file from an NFS shared directory that contains other HCP data, HCP can no longer use the exported share. Contact your authorized HCP service provider for help in recreating the file.

– When you back up an NFS shared directory that’s associated with an NFS volume, you need to ensure that the .__hcp_uuid__ file is included in the backup operation. This ensures that the file still exists in the directory after a restore operation.

• A situation can occur in which HCP can access an exported share but cannot mount the associated NFS volume. In this case, if the .__hcp_uuid__ file is the only file in the shared directory on the extended storage device on which the data in the NFS volume is stored, you can reuse the exported share. To do this:

1. Delete the mount point that’s associated with the NFS volume from the NFS storage component that represents the device on which the NFS volume is stored.

2. Delete the .__hcp_uuid__ file from the shared directory.

3. Create a new NFS mount point for the share on the same NFS storage component from which you deleted the mount point in step 1.

• If an NFS volume becomes inaccessible due to a disk failure on the extended storage device on which the data in the NFS volume is stored, you need to replace the disk, restore the data from backup, and then export the NFS share again.

In this case, the NFS volume needs to be remounted. If HCP doesn’t remount the volume automatically, you can try to manually remount the NFS volume:

1. On the left side of the Storage page, click on Components.

2. In the components list, click on the name of the NFS storage component that’s associated with the NFS volume that you want to remount.

3. At the top of the panel that opens, click on the Mount Points tab.

4. On the Mount Points panel, in the table row that contains the NFS mount point that corresponds to the NFS volume you want to remount, click on the remount control.

If the manual remount fails, try restarting the node with which the NFS volume is associated. To see which node the NFS volume is associated with, mouse over the status icon for the mount point on the Mount Points panel.

• You can restore an NFS shared directory to a different location from where it was originally. If you do this, you need to modify the configuration of the associated NFS mount point to point to the new location. For information on modifying an NFS mount point, see “Modifying an extended storage component” on page 149.

• If HCP cannot create, mount, or use an NFS volume and you’ve already determined that the permissions for the shared directory, the export options for the share, the mount point configuration on the associated NFS storage component in HCP, and the mount options for the mount point are all correct, the problem may exist on the extended storage device that’s represented by the NFS storage component on which you configured the mount point. To resolve such problems:

– Ensure that the NFS share has been exported on the device.

– Ensure that the NFS server is running on the device.

– Ensure that any NFS security software on the device is not blocking access by any of the HCP nodes.

– Check the system log file on the device for messages indicating device errors. Then correct those errors.

If HCP still cannot create, mount, or use the volume, contact your authorized HCP service provider for help.

Storing objects on extended storage tiers

Each extended storage pool consists of one or more extended storage component access points (mount points, buckets, containers, or namespaces) that are used to access the same type of extended storage.

To store objects in a given extended storage pool, HCP uses all of the storage that’s accessed using all of the extended storage component access points that are contained in that pool. You can add access points to an extended storage pool at any time, thereby increasing the capacity of the pool.

The service plan for a namespace defines one or more storage tiers for that namespace, and specifies the rules that determine which tier is used to store each object in that namespace at any given point in the object lifecycle. Each extended storage tier that’s defined for a namespace typically consists of only one extended storage pool, but a tier can be configured to use multiple storage pools. To store objects on a given extended storage tier, HCP uses all of the storage that’s accessed using the extended storage component access points contained in the storage pools that are configured for that tier.

Considerations for moving objects from primary storage to extended storage

When moving an object to a storage tier that includes only extended storage pools, the storage tiering service moves only the object data onto the extended storage that’s used for the new tier. HCP keeps all metadata, including custom metadata, for the object on primary running storage.

The system metadata for an object points to each specific NFS volume and each specific extended storage bucket, container, and namespace that’s used to store the data for that object.

When objects are added to a namespace, HCP always writes the object data to primary running storage. HCP never writes object data directly to extended storage. However, HCP can read object data directly from extended storage.

The service plan for a given namespace defines one or more storage tiers for that namespace and specifies a separate DPL setting for each tier, including the ingest tier (primary running storage). When an object is moved from one storage tier to another, all copies of the object data are removed from the previous tier, and the object data is then stored only on the new tier. The DPL setting for the new tier is the total number of copies of the object data that must be stored on that tier, and it’s also the total number of copies of the object data that must be stored in the HCP repository. (For a metadata-only tier, the DPL is zero.)

When the storage tiering service moves an object in a given namespace from a storage tier that includes only primary storage pools to a tier that includes only extended storage pools, the storage tiering service removes all existing copies of the data for that object from primary storage and stores the specified number of copies of the object data only on the extended storage that’s represented by the pools that are configured for the new storage tier.

The storage tiering service moves all copies of the data for an object to extended storage only if all of these are true:

• The cryptographic hash algorithm for the object has been stored in both the primary and secondary metadata for the object.

• The object is not still open for write. For more information on open objects, see Using a Namespace or Using the Default Namespace.

• If the namespace is being replicated, the object has already been replicated.

• The namespace that contains the object has a service plan that defines a storage tier that includes only extended storage pools, and the object meets the criteria for being moved to that tier.

While the data for an object is stored only on extended storage:

• If the object is deleted, the data that’s on the extended storage is deleted

• If the object is an old version that’s pruned, the version data that’s stored on the extended storage is deleted

• If the object is shredded, the data that’s stored on the extended storage is not shredded

• New data cannot be appended to the object (assuming the namespace has appendable objects enabled)

For more information on the movement of objects between primary storage and extended storage, see “Storage tiering service” on page 331 and “Working with service plans” on page 188.

For more information about extended storage, see “Storage for HCP systems” on page 110.


Encryption and compression of objects in storage pools

The configuration of an economy or extended storage pool specifies whether the data for an object should be encrypted and/or compressed when it’s stored on the economy or external storage that’s used for that pool. If the encryption option is selected for an economy or extended storage pool, the storage tiering service encrypts object data before writing it to the economy or extended storage that’s used for that pool.

When reading encrypted data from an economy or extended storage pool, HCP automatically decrypts the data.

Note: If an extended storage tier contains multiple external storage pools, HCP evenly distributes object data that’s stored on that tier across all of those pools. For this reason, each storage pool that’s configured for a given extended storage tier should be configured to use the same encryption setting (enabled or disabled).

To encrypt object data for economy or extended storage, the storage tiering service uses the currently active NDMP encryption key. To manage NDMP encryption keys, you use the Tenant Management Console for the default tenant. For information on managing these keys, see Managing the Default Tenant and Namespace.

If compression is selected for an economy or extended storage pool, the storage tiering service compresses the object data before writing it to the economy or extended storage that’s used for that pool. When reading compressed data from an economy or extended storage pool, HCP automatically decompresses the data.

This compression activity is separate from the activity of the compression service. If an object in HCP has been compressed by the compression service, HCP must decompress it before the storage tiering service can compress the object data and write it to economy or extended storage.

Note: If an extended storage tier contains multiple storage pools, HCP evenly distributes object data that’s stored on that tier across all of those pools. For this reason, each extended storage pool that’s configured for a given storage tier should be configured to use the same compression setting (enabled or disabled).

If you change the encryption or compression setting for a given economy or extended storage pool, the change affects only the data that’s stored after you make the change. HCP does not change the data that’s already stored on economy or extended storage that’s used for the pool. As a result, an economy or extended storage pool may contain both encrypted and unencrypted data and both compressed and uncompressed data at the same time.
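The two rules above (every pool in a tier should share one encryption setting and one compression setting, and a setting change applies only to data stored afterwards) can be checked mechanically. The following is an added example, not part of the HCP documentation: the inventory structure, the tier and pool names, and the `changed_with_data` field are assumptions, to be filled in by hand from what the Storage page shows.

```python
from dataclasses import dataclass

# Settings that should match across all pools configured for one tier.
SETTINGS = ("encrypt", "compress")


@dataclass(frozen=True)
class Pool:
    """One economy or extended storage pool (field names are assumptions)."""
    name: str
    encrypt: bool
    compress: bool
    # Settings that were changed after the pool already held object data.
    changed_with_data: tuple = ()


def audit_tier(tier, pools):
    """Return findings for one storage tier as (tier, code, detail) tuples."""
    findings = []
    for setting in SETTINGS:
        on = sorted(p.name for p in pools if getattr(p, setting))
        off = sorted(p.name for p in pools if not getattr(p, setting))
        # Object data is distributed evenly across the tier's pools, so a
        # share of it lands on every pool that has the setting disabled.
        if on and off:
            findings.append((tier, f"MIXED_{setting.upper()}",
                             f"enabled on {on}, disabled on {off}"))
    for pool in pools:
        for setting in pool.changed_with_data:
            # A change affects only data stored afterwards; data already in
            # the pool keeps its previous form, so both kinds coexist.
            findings.append((tier, f"LEGACY_{setting.upper()}",
                             f"{pool.name} may hold data written before the change"))
    return findings


def audit(inventory):
    """Audit every tier in the inventory, in tier-name order."""
    findings = []
    for tier in sorted(inventory):
        findings.extend(audit_tier(tier, inventory[tier]))
    return findings


# Constructed inventory for illustration; not exported by HCP in this form.
SAMPLE_INVENTORY = {
    "tier-archive": [
        Pool("pool-a", encrypt=True, compress=True),
        Pool("pool-b", encrypt=False, compress=True),
    ],
    "tier-cold": [
        Pool("pool-c", encrypt=True, compress=False,
             changed_with_data=("encrypt",)),
    ],
    "tier-ok": [
        Pool("pool-d", encrypt=True, compress=True),
        Pool("pool-e", encrypt=True, compress=True),
    ],
}

if __name__ == "__main__":
    for tier, code, detail in audit(SAMPLE_INVENTORY):
        print(f"{tier}: {code}: {detail}")
```
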

Working with HCP S Series Node storage components

An HCP S Series Node storage component becomes visible on the Storage page once a node has been added to the HCP system. From this page you can monitor and manage existing components.

HCP uses economy storage components to:

• Monitor the general health, read permissions, and write permissions of the storage

• Manage node settings

• Add buckets and accounts

• Suspend or abandon the HCP S Series Node

• Configure advanced settings

What you need to know

When you add an HCP S Series Node to your HCP system, HCP automatically creates a storage component, a storage pool (if one doesn’t already exist), and a bucket. At the same time, a user account is created on the S Series Node, which is granted permission to manage buckets and storage pools on the node.

Bucket created on HCP system

The bucket HCP automatically creates when you add an S Series Node can only be used by that HCP system. The name of this bucket is: hcpsrvhcp-system-name

If a bucket with that name already exists (which can happen if the S Series Node is added to the HCP system a second time), HCP creates a new bucket named: hcpsrvhcp-system-name 0

Subsequently, each time HCP automatically creates a new bucket on the S Series Node, HCP either increments the numeric suffix on the bucket name by one or reuses an earlier name from a deleted HCP-created bucket.


User account created on the HCP S Series Node

The user account HCP creates when you add an S Series Node is: hcpsrvhcp-system-name

If a user account with that username already exists (which can happen if the S Series Node is added to the HCP system a second time), HCP creates a new user account with the username: hcpsrvhcp-system-name 0

Subsequently, each time HCP needs to create a new user account on the S Series Node, HCP either increments the numeric suffix on the username by one or reuses an earlier username from a deleted HCP-created account.

Creating an HCP S Series Node component

To create an economy storage component, you need to add an S Series Node to the HCP system. To add an S Series Node to your HCP system:

1. On the Hardware ► Nodes page, click on the Add Node button.

The Add Node wizard appears.

2. In the Username field, type a username for an S Series node user account with the security role.

3. In the Password field, type a password for an S Series node user account with the security role.

4. In the Domain Name or Virtual IP field, type the fully qualified domain or virtual IP address of the S Series Node.

5. Optionally, if Virtual network management is enabled and the Storage Network field is visible, select the network you want HCP to use to communicate with the S Series Node.

If Virtual network management is not enabled, this field does not exist. For more information on storage networks, see “Isolating networks for storage tiering” on page 238.

6. Optionally, select Use HTTPS for Management to use HTTP with SSL security for S Series Node management requests.

7. Optionally, click on Advanced to display the following additional configuration options. Then:

– To use HTTP with SSL security for data access requests, select Use HTTPS.

– In the HTTPS Port field, type the port you want to use to connect to the endpoint. The default is 443.

– In the HTTP Port field, type the port you want to use to connect to the S Series Node. The default is 80.

– Optionally, select Use proxy to connect to the endpoint.

– In the Proxy Host field, type the hostname or IP address of the proxy server.

– In the Proxy Port number field, type the port number of the proxy server. The default is 0.

– In the Proxy Username field, type the username of the proxy server.

– In the Proxy Password field, type the password of the proxy server.

– In the Proxy Domain field, type the AD domain of the proxy server.

8. Click on the Next button.

9. In the Name field, type a name for the S Series Node.

10. In the Description (optional) field, type a description for the S Series Node.

11. Click on the Next button.

12. Select the Compliant checkbox if the storage that’s represented by the storage component is compliant with the terms and conditions of your service plan.

13. Take either of the following actions:

– To create a new storage pool and attach the S Series Node to it, type a name for the new storage pool in the Add to new storage pool field.

– To add the S Series Node to an existing storage pool, select Add to existing storage pool and select the existing storage pool from the Name field.

14. Select Compress data if you want to compress object data that’s stored on the storage that’s allocated to the namespaces in the storage pool.

15. Select Encrypt data if you want to encrypt object data that’s stored on the storage that’s allocated to the namespaces in the storage pool.

16. Click on the Next button.

17. On the Review page, make sure that the S Series Node is configured to your specifications.

18. If your setup is correct, click on the Finish button.

Roles: In order to create an HCP S Series Node storage component, you need the administrator role.

Modifying an HCP S Series Node storage component

Once an HCP S Series Node is added to your HCP system, its storage component appears on the Storage ► Components page. Once it’s displayed on the System Management Console, you can manage and modify the S Series Node basic and advanced settings.

Modifying basic component settings

The Settings tab of an S Series Node Storage ► Components page shows the Name, Type, Description, Storage network (if enabled) and Endpoint of the HCP S Series Node. All of the information on this page can be modified except the node Type. You can also select or deselect the Compliant option depending on whether the node meets the compliancy expectations of your service plan.

To modify basic S Series Node settings:

1. Go to the Storage ► Components page.

2. Click on an S Series Node.

3. On the Storage ► Node page, click on the Settings tab.

4. In the Name field, type the new name you want to give the S Series Node.

5. In the Description field, type the new description you want to give the S Series Node.

6. Optionally, if the Storage Network field is visible, select a network for tiering.

For more information on selecting a network, see “Isolating networks for storage tiering” on page 238.

7. In the Domain Name or Virtual IP field, type the new domain or virtual IP address of the S Series Node.

8. Select the Compliant checkbox if the S Series Node meets the compliancy expectations of your service plan.

9. Click on the Update Settings button.

Modifying advanced component settings

To modify the advanced settings of an HCP S Series Node storage component:

1. Go to the Storage ► Components page.

2. Click on an S Series Node.

3. On the Storage ► Node page that opens, click on the Advanced tab.

4. Configure the following options:

Use HTTPS — To use HTTP with SSL security for data access requests, select Use HTTPS.

HTTPS Port — In the HTTPS Port field, type the port you want to use to connect to the S Series Node with SSL requests. The default is 443.

HTTP Port — In the HTTP Port field, type the port you want to use to connect to the S Series Node. The default is 80.

Use proxy — Optionally, select Use proxy to connect to the S Series Node. If you select Use proxy:

Proxy Host - In the Proxy Host field, type the hostname or IP address of the proxy server.

Proxy Port — In the Proxy Port number field, type the port number of the proxy server. The default is 0.

Proxy Username — In the Proxy Username field, type the username of the proxy server.

Proxy Password — In the Proxy Password field, type the password of the proxy server.

Proxy Domain — In the Proxy Domain field, type the AD domain of the proxy server.

Connection Timeout (ms) — In the Connection Timeout (ms) field, type the wait time you want to permit a connection to respond before the connection times out.

Socket Timeout (ms) — In the Socket Timeout (ms) field, type the amount of time you want to wait for data to be transferred over an open connection before the connection closes.

Max Connections — In the Max Connections field, type the max connection pool size.

Max Error Retries — In the Max Error Retries field, type the maximum allowable error retries.

User Agent — In the User Agent field, type the user agent.

TCP Send Buffer Size Hint — In the TCP Send Buffer Size Hint field, type the optional size hint (in bytes) for the low-level TCP send buffers.

TCP Receive Buffer Size Hint — In the TCP Receive Buffer Size Hint field, type the optional size hint (in bytes) for the low-level TCP receive buffers.

Enable additional data integrity validation — Select this option if you want the S Series Node to check the MD5 hash of every object it receives against the hash generated by HCP when writing the object. If the hashes do not match, the object fails to tier.

Maximum object size (GB) — In the Maximum object size (GB) field, type the maximum allowable object size.

Enable multipart object uploads — Allows HCP to write objects to the S Series Node using multipart object upload. If you select Enable multipart object uploads:

Multipart object upload size threshold (MB) — In the Multipart object upload size threshold (MB) field, type the object size threshold you want HCP to use to determine when to employ a multipart upload.

Multipart object upload part size (MB) — In the Multipart object upload part size (MB) field, type the part size of a single part of a multipart object upload.

5. Once you are finished, perform one of the following actions:

– If you want to save your configuration, click on the Update Settings button.

– If you want to restore the page to its default settings, click on the Reset Advanced Settings button.

Working with buckets and accounts on an HCP S Series Node storage component

The Buckets tab of an HCP S Series Node on the Storage ► Components page shows the buckets in the S Series Node and the S Series user account to which they are assigned. Each bucket shows how many bytes of data it’s currently storing, whether it’s in use, and alerts. Once you add an S Series Node to the HCP system, a bucket and user account are automatically generated. More buckets can be manually created through the storage component.

Creating a bucket

To create a bucket on an S Series Node:

1. Go to the Storage ► Components page.

2. Click on an S Series Node.

3. On the Storage ► Node page, click on the Buckets tab.

4. Click on the Add Buckets button.

5. In the Select Account section that opens, select the account you want to own the bucket.

6. Click on the Go button.


7. Click on the Bucket Actions button.

8. Select Create new in the Action field.

9. Type the name of the new bucket in the Bucket Name text box.

A bucket name must be at least three and no more than 63 characters long. Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period (.). Bucket names can contain lowercase letters, numbers, and dashes. Each label must start and end with a lowercase letter or a number. Bucket names must not be formatted as an IP address.

10. Click on the Go button.

11. Click on the Finish button.
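The bucket naming rules in step 9 can be checked before a name is typed into the Bucket Name text box. The following validator is an added example, not part of the HCP documentation or product. It treats any name made of four dot-separated groups of one to three digits as "formatted as an IP address", which is an assumption about how that rule is meant, and the sample names are constructed.

```python
import re

# Four dot-separated groups of 1-3 digits. Out-of-range values such as
# 999.1.1.1 are also rejected, because they are still formatted like an
# IP address (conservative reading of the rule; an assumption).
IP_LIKE = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}")

# Anything other than lowercase letters, numbers, and dashes.
DISALLOWED = re.compile(r"[^a-z0-9-]")


def bucket_name_errors(name):
    """Return a list of rule violations; an empty list means the name is valid."""
    errors = []

    # At least three and no more than 63 characters.
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3 to 63 characters")

    # A series of labels, adjacent labels separated by a single period.
    labels = name.split(".")
    if "" in labels:
        errors.append("labels must be separated by a single period, "
                      "with no leading or trailing period")

    for label in filter(None, labels):
        if DISALLOWED.search(label):
            errors.append(f"label {label!r}: only lowercase letters, "
                          "numbers, and dashes are allowed")
        # Dashes are the only allowed characters that may not begin or
        # end a label.
        if label.startswith("-") or label.endswith("-"):
            errors.append(f"label {label!r}: must start and end with a "
                          "lowercase letter or a number")

    if IP_LIKE.fullmatch(name):
        errors.append("must not be formatted as an IP address")

    return errors


if __name__ == "__main__":
    # Constructed sample names.
    for candidate in ("hcp-tier.archive01", "ab", "My_Bucket",
                      "logs..2015", "-logs", "192.168.10.5"):
        problems = bucket_name_errors(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```
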

Adding an existing bucket to an HCP S Series Node storage component

Buckets can be created and not added to their respective account. When this occurs, the buckets are not displayed on the Buckets tab and cannot have objects tiered to them from the HCP system.

To add an existing bucket to its account:

1. On the Buckets tab, click the Add Buckets button.

A Select Account drop down menu appears.

2. Select the account to which the bucket is assigned and click on the Go button.

All buckets assigned to the account appear in the Available Buckets field. Buckets that are already added to the account are selected.

3. Select the buckets you want to add from the Available Buckets field.

4. Click on the Finish button.

Adding an existing HCP S Series Node user account

Aside from the HCP S Series Node user account that’s automatically generated when an S Series Node is added to your HCP system, S Series Node user accounts are created on the HCP S Series Management Console. The accounts are independent of the HCP system and can exist without appearing on the System Management Console. If you want user accounts to appear on the HCP system, they need to be manually added.

In order to add an S Series Node account to HCP, you need an access key and secret key. For more information on these keys, see the HCP S Series Node Help.

To add an existing S Series Node user account to the HCP system:

1. On the Buckets tab of an HCP S Series Node, click on the Accounts button.

2. Click on the Add Accounts button.

An Add Account wizard opens.

3. In the Account Label field, type the name you want to give the S Series Node user account on HCP.

4. In the Access Key field, type your account access key.

5. In the Secret Key field, type your account secret key.

6. Optionally, if you want Custom Request Headers:

– Click on the Custom Request Headers button.

– Type the header name in the blank text field.

– Click on the Add button.

– In the Value field, type the header value.

7. Click on the Finish button.

Modifying an HCP S Series Node user account

To modify an existing HCP S Series Node user account:

1. On the Buckets tab of an HCP S Series Node, click on the Accounts button.

2. Click on the account you want to modify.

3. In the Edit Account wizard, make all modifications to the user account.


4. Click on the Finish button.

Deleting an HCP S Series Node user account

Except for the HCP S Series Node user account that is automatically generated when you add the S Series Node to the HCP system, all other accounts can be deleted. Deleting an S Series Node account does not delete it permanently, but rather removes the account from the HCP system. The account still exists and can be re-added. An account can only be removed once all buckets on the account have been deleted.

To delete an S Series Node account from HCP:

1. On the Buckets tab of an HCP S Series Node, click on the Accounts button.

2. Click on the garbage can icon beside the account you want to delete.

3. In the warning message that appears, type yes.

4. Click on the Delete button.

Pausing and resuming an HCP S Series Node storage component

An HCP S Series Node storage component can be paused. Pausing the component makes it inaccessible for storage tiering, although it still exists as a storage component. Once you resume the component, it becomes available for tiering again.

To pause a storage component:

1. Go to the Storage ► Components page.

2. Click on an S Series Node.

3. On the Storage ► Node page that opens, click on the Manage tab.

4. Click on the Pause Component button.

Once a storage component is paused, the Pause Component button becomes a Resume Component button. Click on the Resume Component button to resume communication between HCP and the storage component.


Deleting or abandoning an HCP S Series Node storage component

If the storage represented by an S Series Node storage component is not being used to store objects in any namespaces defined on the HCP system, you can safely delete that storage component.

To delete an S Series Node storage component:

1. Retire the storage component. For more information on retiring a storage component, see “Retiring storage” on page 185.

2. On the Storage ► Retirement page, click on the retired S Series Node.

3. Click on the Delete Volume button. If the node is not successfully retired, this button is inaccessible.

Abandoning an HCP S Series Node storage component removes it from the HCP system. This can be done regardless of whether data is tiered to the S Series Node. If you abandon an S Series Node without retiring its data, that data becomes inaccessible even if you re-add the S Series Node.

It’s always recommended to retire and delete a component instead of abandoning it.

To abandon an HCP S Series storage component from the HCP system:

1. Go to the Storage ► Components page.

2. Click on an S Series Node.

3. On the Storage ► Node page that opens, click on the Manage tab.

4. Click on the Abandon Component button.

5. In the Confirm: Abandon Component window, type Yes in the text field.

6. Click on the Abandon button.


Working with extended storage components

HCP uses extended storage components to provide you with an interface to:

• Configure HCP to provide the information that HCP needs to use to access specific extended storage devices and cloud storage service endpoints.

• Configure HCP to monitor, manage, and use all of the extended storage that’s accessed using one or more extended storage components of the same type as a single storage pool.

• Monitor the health, availability, capacity, and usage of the extended storage that’s represented by each component, and appropriately provision storage.

• Pause (suspend), retire, or abandon extended storage that’s represented by a single storage component or retire all of the extended storage that’s represented by the components in a single storage pool.

You can use the Storage page in the System Management Console to perform all of the above tasks.

To display the Storage page, in the System Management Console menu, click on Storage.

Roles: To view the Storage page, you need the monitor or administrator role. To create, modify, or delete extended storage components and extended storage pools, you need the administrator role.

Creating an extended storage component

You use the Add Component wizard on the Storage page to create and configure an extended storage component. Each time you use the Storage page to access the Add Component wizard, you are prompted to select the type of extended storage component that you want to create. The System Management Console then dynamically builds the pages in the Add Component wizard to present only the fields you need to use to configure HCP to access and use the specified type of extended storage component.

To create an extended storage component:

1. On the left side of the Storage page, click on the Components tab.


2. On the Components panel, click on the Add Component button.

The Get Started wizard opens.

3. In the Get Started wizard, click on the arrow to display a list of supported extended storage component types, and select the type of component that you want to create.

The Get Started wizard exits and the System Management Console opens the appropriate Add Component wizard for the type of extended storage component that you selected.

4. Use the fields on each page of the Add Component wizard to specify the information that HCP needs to use to access and use the extended storage that’s represented by the component you’re creating:

– To create an Amazon S3 storage component, use the fields to specify the configuration information that’s described in “Amazon S3 storage components” on page 115.

– To create a Google Cloud storage component, use the fields to specify the configuration information that’s described in “Google Cloud storage components” on page 117.

– To create a Hitachi Cloud Service storage component, use the fields to specify the configuration information that’s described in “Hitachi Cloud Service storage components” on page 119.

– To create a Microsoft Azure storage component, use the fields to specify the configuration information that’s described in “Microsoft Azure storage components” on page 121.

– To create an S3-compatible storage component, use the fields to specify the configuration information that’s described in “S3-compatible storage components” on page 123.

– To create a Verizon Cloud storage component, use the fields to specify the configuration information that’s described in “Verizon Cloud storage components” on page 130.

– To create an NFS storage component, use the fields to specify the configuration information that’s described in “Required NFS storage component configuration settings” on page 127.

You use the Next button at the bottom of each page to save the information you entered on that page and display the next page in the Add Component wizard.

The last page in each wizard is the Review page, which displays all of the extended storage component configuration information that you’ve entered in the wizard.

5. On the Review page in the Add Component wizard, take one of these actions:

– If the extended storage component configuration information that you entered is correct, click on the Finish button at the bottom of the page.

– If the extended storage component configuration information is not correct, use the Previous and Next buttons at the bottom of each page to navigate through the pages in the wizard and change any settings that are not correct.

When you’re finished making changes to the storage component configuration settings, navigate to the Review page and click on the Finish button.

When you click on the Finish button at the bottom of the Review page, the wizard exits. The System Management Console displays the Components panel on the Storage page. This panel displays a list of all of the primary storage components and extended storage components that exist on the HCP system and provides information about the current status of each existing component, including the new one you just created.

Each extended storage component provides HCP with the information it needs to access and use the storage that’s represented by that component. However, HCP can actually use the storage that’s represented by a given component only if at least one of its access points (a mount point, bucket, container, or namespace) is contained in a storage pool that’s included in at least one storage tier that’s defined for a namespace by its service plan.

Modifying an extended storage component

You can use the Components panel on the Storage page to view and modify the configuration of any extended storage component. To display this panel, click on the Components tab on the left side of the Storage page.

You can use the Components panel to modify the configuration of any extended storage component in any of the following ways:

• Change one or more of the configuration settings that are specified when the component is first created:

– For information on the configuration settings specified when an Amazon S3 storage component is created, see “Amazon S3 storage components” on page 115.

– For information on the configuration settings specified when a Google Cloud storage component is created, see “Google Cloud storage components” on page 117.

– For information on the configuration settings specified when a Hitachi Cloud Service storage component is created, see “Hitachi Cloud Service storage components” on page 119.

– For information on the configuration settings specified when a Microsoft Azure storage component is created, see “Microsoft Azure storage components” on page 121.

– For information on the configuration settings specified when an S3-compatible storage component is created, see “S3-compatible storage components” on page 123.

– To create a Verizon Cloud storage component, use the fields to specify the configuration information that’s described in “Verizon Cloud storage components” on page 130.

– For information on the configuration settings specified when an NFS storage component is created, see “Required NFS storage component configuration settings” on page 127.

For instructions on modifying these configuration settings, see “Modifying the configuration settings used for an extended storage component” on page 151.

• Modify one or more of the default values for the advanced settings used for the extended storage component. Each type of extended storage component has slightly different advanced settings.

Typically, you do not need to change any of the default values that are used for the advanced settings for an extended storage component.

However, you should familiarize yourself with the advanced settings that are used for each extended storage component that you create and configure in HCP, so that you can identify any advanced settings that you might need to change.

For instructions on accessing the advanced settings for an extended storage component, see “Modifying the configuration settings used for an extended storage component” on page 151.


• Add a new access point (a mount point, bucket, container, or namespace) to an existing storage component.

• Delete any access point that’s not currently in use.

• For all types of extended storage components except NFS:

– Configure a new user account to be used to access the cloud storage service endpoint or S3-compatible storage device endpoint that’s represented by the component.

– Delete any user account that’s not currently in use.

Modifying the configuration settings used for an extended storage component

To modify the configuration settings that are specified for an extended storage component when it’s first created:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component that you want to modify.

3. At the top of the panel that opens, click on the Settings tab.

4. On the panel that opens, use the fields to change any of the settings that are currently used for the component.

5. Click on the Update Settings button.

To modify the advanced configuration settings that are used for an extended storage component:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component that you want to modify.

3. At the top of the panel that opens, click on the Advanced tab.

4. On the panel that opens, use the fields to change any of the settings that are currently used for the component or click on the Reset Advanced Settings button to change all advanced settings to use the default values.

5. Click on the Update Settings button.

Adding access points to an extended storage component

To add one or more access points (mount points, buckets, containers, or namespaces) to an extended storage component:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component for which you want to configure one or more new access points.

3. At the top of the panel that opens, click on the tab that corresponds to the type of access point that’s used for the component (Mount Points, Buckets, Containers, or Namespaces).

4. At the bottom of the panel that opens, click on the Add AccessPointType button.

5. For every type of extended storage except NFS, in the window that opens, use the dropdown list to select the account label that’s associated with the user account that’s used to access the bucket, container, or namespace you want to add, and click on the Go button.

The window does not appear if you’re adding a mount point to an NFS storage component.

The Add AccessPointType wizard opens, displaying a table that contains a list of existing access points (mount points, buckets, containers, or namespaces) that are available for use, along with a check box that corresponds to each access point in the list.

6. Click on AccessPointType Actions.

7. Take either or both of these actions:

– To add existing access points to the storage component:

1. In the AccessPointType Actions section, in the Action field, select Add existing.

Note: When you first expand the AccessPointType Actions section, the Add existing option is selected by default.

2. Use the check boxes in the left column in the table to select each existing access point that you want to add to the storage component configuration.


3. Click on the Go button.

– To create one or more new buckets, containers, or namespaces for use by the specified user account or to create one or more mount points:

1. In the AccessPointType Actions section, in the Action field, select Create new.

2. In the AccessPointType Name field, for each new access point you want to create, type a name for the new access point, and click on the Go button.

Each new access point you create is added to the list of existing access points, and its checkbox is automatically selected.

Note: You can delete any new access point from the list before you actually create the new access point on the extended storage device. To do this, click on the delete control ( ) in the row that corresponds to the access point name.

3. When you’re finished creating new access points, in the Action field, select Add existing, and then click on the Go button.

8. When you’re finished adding both new and existing access points to the extended storage component, click on the Finish button at the bottom of the panel.

When you click on the Finish button, the Add AccessPointType wizard exits, and the AccessPointType panel (Mount Points, Buckets, Containers, or Namespaces) for the storage component you’ve modified is displayed, showing the list of access points that are currently configured for the component and the current status of each access point. All of the new and existing access points you’ve just added are included in the list.

Configuring a new user account for access to an extended storage endpoint

To configure a new user account to be used to access any cloud storage service endpoint or S3-compatible storage device endpoint that’s represented by an extended storage component:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component for which you want to configure a new user account.


3. At the top of the panel that opens, click on the tab that corresponds to the type of access point that’s used for the component (Buckets, Containers, or Namespaces).

4. At the top of the Buckets, Containers, or Namespaces panel, click on the Accounts tab.

5. At the bottom of the Accounts panel, click on the Add Account button.

The Add Account wizard opens.

6. In the Add Account wizard, specify the following information to configure the new user account:

– The account label that you want HCP to use to identify the user account in the System Management Console

– The access key and secret key that HCP needs to use to access the new user account

– Optionally, any custom request headers that you want HCP to include in the access request URLs that are sent to the cloud storage service or storage device that’s represented by the storage component in order to request read or write access to the storage associated with the new user account

7. Click on the Finish button.

When you click on the Finish button, the Add Account wizard exits, and the AccessPointType panel (Buckets, Containers, or Namespaces) for the storage component you’ve modified is displayed, showing the list of user accounts that are currently configured for the component and the current status of each account. The new user account you’ve just added is included in the list.

Deleting an unused access point from an extended storage component

To delete an unused access point from an extended storage component:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component from which you want to delete an unused access point.


3. At the top of the panel that opens, click on the tab that corresponds to the type of access point that’s used for the component (Mount Points, Buckets, Containers, or Namespaces).

The AccessPointType panel opens, showing a list of access points that are currently configured for the component. A delete control ( ) appears in the row for each unused access point.

4. Click on the delete control for any access point to delete it from the component.

Deleting an unused user account from an extended storage component

To delete an unused user account from an extended storage component:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component from which you want to delete an unused user account.

3. At the top of the panel that opens, click on the tab that corresponds to the type of access point that’s used for the component (Buckets, Containers, or Namespaces).

4. At the top of the Buckets, Containers, or Namespaces panel, click on the Accounts tab.

The Accounts panel opens, showing a list of user accounts that are currently configured for the component. A delete control ( ) appears in the row for each unused user account.

5. Click on the delete control for any user account to delete it from the component.

Pausing and resuming an extended storage component

At any time when an extended storage component is in use, you can pause, or suspend all read and write operations on, the extended storage that’s represented by any extended storage component.

In certain situations, the storage that’s represented by an extended storage component may become temporarily inaccessible, due to scheduled maintenance or due to an unforeseen problem with an extended storage device or cloud storage service endpoint. If this happens, you might need to temporarily pause, or suspend all read and write operations on, a given storage component.


While a storage component is paused, HCP considers the extended storage that’s represented by the component to be unavailable for storage tiering, and does not attempt to communicate with that device or service.

Therefore, any alerts that would normally be generated by attempts to communicate with the inaccessible extended storage device or cloud storage service endpoint do not appear when the component is paused.

When an extended storage component is resumed, the storage that’s represented by the component becomes available for storage tiering, HCP resumes attempting to communicate with the extended storage device or cloud storage endpoint, and if such attempts fail, HCP displays the appropriate alerts on the Components panel on the Storage page.

To pause or resume a specific extended storage component:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component that you want to pause or resume.

3. At the top of the panel that opens, click on the Manage tab.

4. On the Manage panel, take one of these actions:

– To pause a component, click on the Pause Component button. HCP pauses the component, and the panel displays the Resume Component button.

– To resume a component that’s currently paused, click on the Resume Component button. HCP resumes communications with the component, and the panel displays the Pause Component button.

Deleting or abandoning an extended storage component

If the storage that’s represented by an extended storage component is not currently being used to store objects in any namespaces defined on the HCP system, you can safely delete that storage component.

If, however, the storage that’s represented by an extended storage component is currently being used to store object data, you cannot delete that component. Instead you need to either retire that component or abandon it.

When you retire an extended storage component, HCP migrates the data off of that component and then deletes that component from the system.

For information on retiring an extended storage component, see “Retiring storage” on page 185.


When you abandon an extended storage component, HCP deletes that component from the system without attempting to migrate any of the stored data off of the extended storage component. This operation is not recommended because it may result in data loss. If the only existing copies of the data for a given object are stored on a single extended storage component, when you abandon that component, the object data becomes permanently inaccessible to HCP.

Retiring and deleting a component is a much safer alternative to abandoning that component, as retiring a component ensures that the data stored on that component remains protected at the appropriate levels. You should consider abandoning an extended storage component only as a last resort and only after you’ve taken the necessary steps to ensure that the data stored on the component exists elsewhere in the HCP system.

Deleting an unused extended storage component

To delete an extended storage component that’s not currently in use:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component that you want to delete.

3. At the top of the panel that opens, click on the Manage tab.

4. On the Manage panel, click on the Delete Component button.

Abandoning an extended storage component

To abandon an extended storage component that’s currently in use:

1. On the left side of the Storage page, click on the Components tab.

2. On the Components panel, click on the table row that contains the name of the component that you want to abandon.

3. At the top of the panel that opens, click on the Manage tab.

4. On the Manage panel, click on the Abandon Component button.


Working with economy storage pools

HCP uses economy storage pools to represent logical groups of storage components that can be used as storage tiers. Each storage pool consists of one or more storage components that are used to access the same type of storage.

When storing objects on HCP S Series Nodes, HCP uses all the storage in all of the S Series Nodes that are contained in the storage pools. The total capacity of a given storage pool is the total amount of space remaining in all HCP S Series Nodes connected to the HCP system.

You use the Storage section of the System Management Console to create, modify, manage, delete, and retire economy storage pools and to monitor the health, availability, capacity, and usage of all the HCP S Series Nodes that contain the storage pool.

When setting up an HCP S Series Node, you automatically assign it to a storage pool. If no S Series Node storage pool exists, the setup wizard asks you to create a new storage component for the node. For more information on creating a storage component, see “Creating an HCP S Series Node component” on page 154.

Roles: To manage economy storage pools, you need the administrator role. To view the economy storage pools, you need the monitor role.

Creating an economy storage pool

You use the Create Pool wizard on the Storage page to create and configure a storage pool.

To create a storage pool:

1. From the top-level menu of the System Management Console, click on the Storage button and navigate to the Storage ► Pools page.

2. Click on the Create Pool button.

3. In the Get Started wizard that opens, select HCP S Series.

4. Click on the Go button.

The Create Pool wizard opens.


5. In the Name field, type a name for the storage pool.

6. Optionally, in the Description field, type a description to use for the storage pool.

7. Click on the Next button.

8. Select all of the storage components you want to allocate to the pool.

9. Select Compress data if you want to compress object data that’s stored on the storage that’s allocated to the namespaces in the storage pool.

10. Select Encrypt data if you want to encrypt object data that’s stored on the storage that’s allocated to the namespaces in the storage pool.

11. Click on the Next button.

12. Take one of these actions:

– If the economy storage pool configuration entered is correct, click on the Finish button.

– If the economy storage pool configuration information is not correct, use the Previous and Next buttons to navigate through the pages in the wizard and change any settings that are not correct.

When you’re finished making changes to the storage pool configuration settings, navigate to the Review page and click on the Finish button.

Modifying an economy storage pool

You can use the Storage ► Pools page to view and modify the configuration of any economy storage pool in the following ways:

• Change one or more of the configuration settings that are specified when the pool was first created. For more information on the configuration settings specified when an HCP S Series Node is created, see “Modifying the configuration settings used for an economy storage pool” on page 177.

• Add one or more storage component buckets to an economy storage pool. For instructions, see “Adding an existing bucket to an HCP S Series Node storage component” on page 160.


• Delete one or more buckets from an economy storage pool. For instructions, see “Deleting buckets from an economy storage pool” on page 177.

Modifying the configuration settings used for an economy storage pool

To modify the configuration settings of an economy storage pool:

1. On the Storage ► Pools page, click on the table row that contains the name of the pool you want to modify.

2. On the individual pool of the Storage ► Pools page, click on the Settings tab.

3. In the Settings tab, use the fields to change the settings of the pool.

4. Click on the Update Settings button.

Adding buckets to an economy storage pool

To add one or more buckets to an existing economy storage pool:

1. On the Storage ► Pools page, click on the table row that contains the name of the pool you want to add one or more buckets to.

2. On the individual pool of the Storage ► Pools page, click on the Buckets tab.

3. Select the buckets to add to the storage pool. You cannot select buckets that are used by other storage pools.

4. Click on the Update Settings button.

Deleting buckets from an economy storage pool

Deleting buckets from an economy storage pool does not remove them from the HCP system. S Series Node buckets that are not associated with a pool can be re-added to a pool.

To delete one or more unused buckets from an existing economy storage pool:

1. On the Storage ► Pools page, click on the table row that contains the name of the pool you want to delete buckets from.


2. On the individual pool of the Storage ► Pools page, click on the Buckets tab.

3. Deselect buckets that you want to delete from the storage pool.

4. Click on the Update Settings button.

Deleting an economy storage pool

If the storage that’s represented by an economy storage pool is not currently being used to store objects in any namespaces defined on the HCP system, you can safely delete that storage pool.

If, however, the storage that’s represented by an economy storage pool is being used to store object data, you need to first retire the storage pool by migrating all of the data off of it.

When you retire an extended storage pool, HCP migrates the data off that pool and then deletes the pool. For information on retiring an economy storage pool, see “Retiring storage” on page 185.

To delete an economy storage pool that’s not currently in use:

1. On the Storage ► Pools page, click on the delete control ( ) beside the unused storage pool you want to delete.

A Confirm: Delete window appears.

2. Click on Delete in the window to delete the storage pool from HCP.

Working with extended storage pools

HCP uses extended storage pools to represent logical groups of storage components that can be used as storage tiers. Each storage pool consists of one or more storage components that are used to access the same type of storage.

Each extended storage pool contains one or more extended storage component access points (mount points, buckets, containers, or namespaces) that are all used to access the same type of extended storage. A given NFS storage pool includes all of the storage that’s allocated to all of the NFS volumes that are accessed using the mount points in the pool. A given Amazon S3, Google Cloud, S3-compatible, Microsoft Azure, Hitachi Cloud Service, or Verizon Cloud storage pool includes all of the storage that’s allocated to the buckets, containers, or namespaces in the pool.


Each storage tier that’s defined for a namespace by its service plan typically consists of only one storage pool, but a tier can be configured to use multiple storage pools. To store objects on a given extended storage tier, HCP uses all of the storage that’s allocated to all of the extended storage component access points (mount points, buckets, containers, or namespaces) that are contained in the storage pools that are configured for the storage tier. Therefore, the capacity of a given extended storage pool is the total amount of space that can be accessed using the extended storage component access points included in the pool. You can add access points to an extended storage pool at any time, thereby increasing the capacity of the pool.

Each extended storage component provides HCP with the information it needs to use one or more mount points, buckets, containers, or namespaces to access and use the storage that’s represented by that extended storage component. However, HCP can actually use the storage that’s represented by a given extended storage component only if at least one of its access points is contained in a storage pool that’s included in at least one storage tier that’s defined for a namespace by its service plan.

You use the Storage page in the System Management Console to create, modify, manage, delete, and retire extended storage pools and to monitor the health, availability, capacity, and usage of all of the storage that’s used for each storage pool that’s defined on the HCP system.

Creating an extended storage pool

You use the Create Pool wizard on the Storage page to create and configure an extended storage pool. Each time you use the Storage page to access the Create Pool wizard, you are prompted to select the type of extended storage pool that you want to create. The System Management Console then dynamically builds the pages in the Create Pool wizard to present only the fields you need to use to configure HCP to access and use the specified type of extended storage pool.

To create an extended storage pool:

1. On the left side of the Storage page, click on the Pools tab.

2. On the Pools panel, click on the Create Pool button.

The Get Started wizard opens.

3. In the Get Started wizard, click on the arrow to display a list of supported extended storage pools, and select the type of pool that you want to create.


The Get Started wizard exits and the System Management Console opens the appropriate Create Pool wizard for the type of extended storage pool that you selected.

4. Use the fields on each page of the Create Pool wizard to specify the extended storage component access points that you want to include in the pool and to specify the extended storage pool configuration settings that you want to use for the new pool you’re creating:

– To create an Amazon S3 storage pool, use the fields to specify the configuration information that’s described in “Amazon S3 storage pools” on page 131.

– To create a Google Cloud storage pool, use the fields to specify the configuration information that’s described in “Google Cloud storage pools” on page 132.

– To create a Hitachi Cloud Service storage pool, use the fields to specify the configuration information that’s described in “Hitachi Cloud Service storage pools” on page 133.

– To create a Microsoft Azure storage pool, use the fields to specify the configuration information that’s described in “Microsoft Azure storage pools” on page 134.

– To create an S3-compatible storage pool, use the fields to specify the configuration information that’s described in “S3-compatible storage pools” on page 135.

– To create a Verizon Cloud storage component, use the fields to specify the configuration information that’s described in “Verizon Cloud storage components” on page 130.

– To create an NFS storage pool, use the fields to specify the configuration information that’s described in “NFS storage pools” on page 136.

You use the Next button at the bottom of each page to save the information you entered on that page and display the next page in the Create Pool wizard.

The last page in each wizard is the Review page, which displays all of the extended storage pool configuration information that you’ve entered in the wizard.


5. On the Review page in the Create Pool wizard, take one of these actions:

– If the extended storage pool configuration information that you entered is correct, click on the Finish button at the bottom of the page.

– If the extended storage pool configuration information is not correct, use the Previous and Next buttons at the bottom of each page to navigate through the pages in the wizard and change any settings that are not correct.

When you’re finished making changes to the storage pool configuration settings, navigate to the Review page and click on the Finish button.

When you click on the Finish button at the bottom of the Review page, the wizard exits. The System Management Console displays the Pools panel on the Storage page. This panel displays a list of all of the primary storage pools and extended storage pools that exist on the HCP system and provides information about the current status of each existing pool, including the new one you just created.

Each extended storage pool provides HCP with the information it needs to access and use the storage that’s represented by that pool.

However, HCP can actually use the storage that’s represented by a given pool only if it’s included in at least one storage tier that’s defined for a namespace by its service plan.

Modifying an extended storage pool

You can use the Pools panel on the Storage page to view and modify the configuration of any extended storage pool. To display this panel, click on the Pools tab on the left side of the Storage page.

You can use the Pools panel to modify the configuration of any extended storage pool in any of the following ways:

• Change one or more of the configuration settings that are specified when the pool is first created:

– For information on the configuration settings specified when an Amazon S3 storage pool is created, see “Amazon S3 storage pools” on page 131.


– For information on the configuration settings specified when a Google Cloud storage pool is created, see “Google Cloud storage pools” on page 132.

– For information on the configuration settings specified when a Hitachi Cloud Service storage pool is created, see “Hitachi Cloud Service storage pools” on page 133.

– For information on the configuration settings specified when a Microsoft Azure storage pool is created, see “Microsoft Azure storage pools” on page 134.

– For information on the configuration settings specified when an S3-compatible storage pool is created, see “S3-compatible storage pools” on page 135.

– To create a Verizon Cloud storage component, use the fields to specify the configuration information that’s described in “Verizon Cloud storage components” on page 130.

– For information on the configuration settings specified when an NFS storage pool is created, see “NFS storage pools” on page 136.

For instructions on modifying these configuration settings, see “Modifying the configuration settings used for an extended storage pool” on page 162.

• Add one or more storage component access points (mount points, buckets, containers, or namespaces) to an extended storage pool. For instructions, see “Adding access points to an extended storage pool” on page 162.

• Delete one or more storage component access points from an extended storage pool. For instructions, see “Deleting access points from an extended storage pool” on page 163.

Modifying the configuration settings used for an extended storage pool

To modify the configuration settings that are specified for an extended storage pool when it’s first created:

1. On the left side of the Storage page, click on the Pools tab.

2. On the Pools panel, click on the table row that contains the name of the pool that you want to modify.

3. At the top of the panel that opens, click on the Settings tab.


4. On the panel that opens, use the fields to change any of the settings that are currently used for the pool.

5. Click on the Update Settings button.

Adding access points to an extended storage pool

To add one or more access points (mount points, buckets, containers, or namespaces) to an existing extended storage pool:

1. On the left side of the Storage page, click on the Pools tab.

2. On the Pools panel, click on the table row that contains the name of the pool to which you want to add one or more access points.

3. At the top of the panel that opens, click on the tab that corresponds to the type of access point that’s contained in the pool (Mount Points, Buckets, Containers, or Namespaces).

The AccessPointType panel opens, displaying a table that contains a list of existing access points (mount points, buckets, containers, or namespaces) that can be included in the type of storage pool that you’re currently configuring, along with a check box that corresponds to each access point in the list. The appropriate checkboxes are selected to indicate the access points that are currently included in the pool.

4. Use the check boxes in the left column in the table to select each existing access point that you want to add to the storage pool.

5. Click on the Update Settings button.

Deleting access points from an extended storage pool

To delete one or more unused access points (mount points, buckets, containers, or namespaces) from an existing extended storage pool:

1. On the left side of the Storage page, click on the Pools tab.

2. On the Pools panel, click on the table row that contains the name of the pool from which you want to delete one or more access points.

3. At the top of the panel that opens, click on the tab that corresponds to the type of access point that’s contained in the pool (Mount Points, Buckets, Containers, or Namespaces).


The AccessPointType panel opens, displaying a table that contains a list of existing access points (mount points, buckets, containers, or namespaces) that can be included in the type of storage pool that you’re currently configuring, along with a check box that corresponds to each access point in the list. The appropriate checkboxes are selected to indicate the access points that are currently included in the pool.

4. Use the check boxes in the left column in the table to deselect each existing access point that you want to delete from the storage pool.

Note: Once you store data on an NFS volume, you cannot delete it from its NFS storage pool. Also, you cannot delete all of the access points in a storage pool if that pool is currently used for a storage tier that’s defined for a namespace by its service plan.

5. Click on the Update Settings button.

Remounting an NFS volume

If an NFS volume is experiencing problems, you can manually try to remount that NFS volume. Before doing that, however, you should ensure that the device hosting the NFS volume and the network connection to that device are functioning properly. You should also ensure that the exported share that corresponds to the NFS volume is configured correctly on the host device.

HCP can take up to a minute to respond to a remount request.

To manually try to remount an NFS volume:

1. On the left side of the Storage page, click on Components.

2. In the components list, click on the name of the NFS storage component that’s associated with the NFS volume that you want to remount.

3. At the top of the panel that opens, click on the Mount Points tab.

4. On the Mount Points panel, in the table row that contains the NFS mount point that corresponds to the NFS volume you want to remount, click on the remount control ( ).

If the manual remount fails, try restarting the node with which the NFS volume is associated. To see which node the NFS volume is associated with, mouse over the status icon for the mount point on the Mount Points panel.


Deleting an extended storage pool

If the storage that’s represented by an extended storage pool is not currently being used to store objects in any namespaces defined on the HCP system, you can safely delete that storage pool.

If, however, the storage that’s represented by an extended storage pool is currently being used to store object data, you cannot delete that pool.

Before you can delete a storage pool, you need to first remove the extended storage pool from all storage tiers that currently include that pool and then retire the storage pool by migrating all of the data off of it.

When you retire an extended storage pool, HCP migrates the data off of that pool and then deletes that pool from the system. For information on retiring an extended storage pool, see “Retiring economy and extended storage pools, components, and volumes” on page 191.

To delete an extended storage pool that’s not currently in use:

1. On the left side of the Storage page, click on the Pools tab.

2. The Pools pane opens, showing a list of storage pools that are currently defined on the HCP system. A delete control ( ) appears in the row for each unused storage pool.

3. Click on the delete control for any unused extended storage pool to delete it from the HCP system.

Retiring storage

You can use the Storage page in the System Management Console to retire primary storage devices, economy storage pools, economy storage components, economy storage volumes (buckets), extended storage pools, extended storage components, and extended storage volumes that are associated with specific access points (mount points, buckets, containers, and namespaces).


Retiring primary storage devices

You can use either the Migration page or the Storage page in the System Management Console to migrate data off of selected storage nodes in an HCP RAIN system or off of selected storage arrays in an HCP SAIN system in preparation for retiring those devices.

Note: The migration service is not available for HCP VM systems.

During a data migration, the migration service copies objects and, if applicable, the metadata query engine index from the selected devices to free storage on the remaining devices. Before you start a data migration, you need to ensure that those devices have enough unused capacity to hold the data to be migrated.

After copying an object, the migration service deletes the object from the source device. Once the migration is complete, you can submit a request to your authorized HCP service provider to finalize the migration and remove the retired devices from the system.

Important: After the migration of data off of a storage node in an HCP RAIN system is finalized, the system can never again include a node with the same fourth octet in its back-end IP address as that node had.

Retiring a node is not part of the normal procedure for replacing a node that has failed or for upgrading to newer hardware. In these cases, the new node can use the same back-end IP address as the one being replaced.

The migration service runs only when you explicitly start a data migration. When the migration is complete, the service stops automatically.

When you start a data migration, the selected nodes or storage arrays automatically become read-only (except for allowing the migration service to delete objects). After the migration is complete, they remain read-only.


When you start a migration of data off of selected nodes in a RAIN system, HCP automatically removes any NFS volumes from those nodes and associates those volumes with other nodes in the system.

Important: To prevent data loss in namespaces that are not being replicated and that have service plans that set the ingest tier DPL to 1, always migrate data off of a device before submitting a request to your authorized HCP service provider to remove the device from the HCP system.

Before starting a primary storage retirement

Typically, for a RAIN system, before starting a data migration, you submit a request to your authorized HCP service provider to add new nodes to the HCP system in order to maintain (or increase) the system storage capacity. However, if the nodes not selected for migration have sufficient free space to accommodate all the data to be migrated, adding new nodes before the data migration is not required.

For a SAIN system, before starting a data migration, your SAN storage administrator, working in conjunction with your authorized HCP service provider, needs to add logical volumes (LUNs) from new or existing storage arrays to any nodes on which all the existing LUNs on all the existing arrays are being retired. Migrated data, however, can be written to any node, and does not necessarily have to be written to the same node from which the data is being migrated.

The HCP system cannot be upgraded while a data migration is in progress. Before the system can be upgraded, you need to either allow the migration to finish or cancel the migration. If you cancel the migration, you can configure a new migration of data off the same devices after the system is upgraded.

For detailed instructions on preparing for a data migration, and for more information on how the migration service works, see “Migration service” on page 339.
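The checks described above can be scripted against an inventory export before anyone opens the retirement wizard. The following is an added example, not HCP code or an HCP API: the `Device` and `Namespace` records, the function names, and the sample values are all hypothetical, and used capacity stands in for the amount of data to be migrated.

```python
"""Pre-flight checks before retiring primary storage (illustrative model, not HCP code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Set


@dataclass
class Device:
    name: str            # a RAIN node or a SAIN storage array (hypothetical record)
    capacity_gb: float
    used_gb: float


@dataclass
class Namespace:
    name: str
    replicated: bool
    ingest_tier_dpl: int


def capacity_shortfall_gb(devices: Iterable[Device], retiring: Set[str]) -> float:
    """GB the remaining devices lack to hold the migrated data (0.0 if enough)."""
    devices = list(devices)
    to_move = sum(d.used_gb for d in devices if d.name in retiring)
    free = sum(d.capacity_gb - d.used_gb for d in devices if d.name not in retiring)
    return max(0.0, to_move - free)


def at_risk_namespaces(namespaces: Iterable[Namespace]) -> List[str]:
    """Namespaces that are not replicated and keep a single ingest-tier copy.

    For these, removing a device before its data is migrated loses data.
    """
    return [n.name for n in namespaces if not n.replicated and n.ingest_tier_dpl == 1]


def fourth_octet(ip: str) -> int:
    """Last octet of an IPv4 address; raises ValueError on malformed input."""
    return IPv4Address(ip).packed[3]


def node_ip_allowed(candidate_ip: str, finalized_retired_ips: Iterable[str]) -> bool:
    """False if the candidate back-end IP reuses the fourth octet of a RAIN node
    whose retirement was finalized (replacing a failed node is a different case)."""
    burned = {fourth_octet(ip) for ip in finalized_retired_ips}
    return fourth_octet(candidate_ip) not in burned


def preflight(devices, retiring, namespaces) -> List[str]:
    """Collect blocking findings for a planned migration; empty list means go."""
    findings = []
    short = capacity_shortfall_gb(devices, retiring)
    if short > 0:
        findings.append(f"CAPACITY: remaining devices are {short:.0f} GB short")
    for name in at_risk_namespaces(namespaces):
        findings.append(
            f"DATA-LOSS-RISK: {name} is unreplicated with ingest tier DPL 1; "
            "finish the migration before requesting device removal"
        )
    return findings


# Constructed sample inventory (not taken from a real system).
SAMPLE_DEVICES = [
    Device("node-101", 1000.0, 600.0),
    Device("node-102", 1000.0, 700.0),
    Device("node-103", 1000.0, 800.0),
    Device("node-104", 1000.0, 500.0),
]
SAMPLE_NAMESPACES = [
    Namespace("finance", replicated=False, ingest_tier_dpl=1),
    Namespace("hr", replicated=True, ingest_tier_dpl=1),
    Namespace("eng", replicated=False, ingest_tier_dpl=2),
]

if __name__ == "__main__":
    for line in preflight(SAMPLE_DEVICES, {"node-101", "node-102"}, SAMPLE_NAMESPACES):
        print(line)
    print("10.1.1.101 reusable:", node_ip_allowed("10.1.1.101", ["10.1.1.101"]))
```
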


Using the Retire Primary Storage wizard to perform a data migration

Important: This section describes how to use the Retire Primary Storage wizard to migrate data off of one or more primary storage devices, but it does not provide a detailed description of the entire data migration process. For a full description of the data migration process and for an explanation of how the migration service works, see “Migration service” on page 339.

To retire one or more primary storage devices, you can use the Retire Primary Storage wizard on the Retirement panel to specify the devices you want to retire and then configure and run a data migration to move all the data off of the storage devices you want to retire and onto one or more other primary storage devices.

When configuring a data migration on a RAIN system, you select nodes to be retired. When configuring a data migration on a SAIN system, you select storage arrays.

To use the Storage page to perform a data migration in preparation for retiring primary storage:

1. On the left side of the Storage page, click on Retirement.

2. On the Retirement panel, click on the Retire Storage button.

The Get Started wizard opens. You use this wizard to select the type of storage you want to retire. Once you select a type of storage, the System Management Console dynamically builds either the Retire Primary Storage wizard or the Retire Extended Storage wizard, depending on the type of storage you selected.

3. In the Get Started wizard, click on the arrow and select Primary Storage from the dropdown list.

4. Click on the Go button.

The Get Started wizard exits, and the Retire Primary Storage wizard opens.

5. On the Select page of the Retire Primary Storage wizard, in the Select Hardware for Retirement section, use the checkboxes to select the RAIN system storage nodes or SAIN system storage arrays that you want to retire.

To clear your selections and start over, click on the Cancel button.


6. Click on the Next button.

The Review page of the Retire Primary Storage wizard opens, displaying step two of the migration configuration process (Review configuration summary and confirm). The Configuration Summary section on this page in the wizard indicates whether the migration configuration is acceptable.

Notes:

• When you click on the Next button, HCP checks that the system is in a valid state to perform the migration. This includes checking for degraded RAID groups. This check can take up to 90 seconds.

• Certain hardware errors, such as a degraded RAID group on a source or target node, prevent you from configuring a data migration. In such cases, you need to fix the problem before you can continue.

If the configuration is not acceptable, you can click on the view details link in the Configuration Summary section to display the specific reasons why. You can also click on the Configuration Report link to download the configuration summary and details to a file. The default name for this file is Configuration-Report.txt.

The Configuration Details section on the Review page in the Retire Primary Storage wizard lists the RAIN system nodes or the SAIN system storage arrays that are selected for migration.

7. Take one of these actions:

– To change the list of selected nodes or storage arrays, click on the Previous button to return to the Select page in the wizard. Use this page to change your selections. Then click on the Next button to return to the Review page in the wizard.

– To cancel the migration and exit the wizard, click on the Cancel button.

– If the list of selected storage devices is correct, and you want to perform the data migration, continue on to step 8.


8. Optionally, add a description of the data migration and/or change the performance level for the migration service:

– To add a description:

a. Click on the Add description link.

b. In the text box that opens, type a description of the migration. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

– To change the performance level, in the Performance Level field, select Low, Medium, or High. The higher the performance level, the greater the load on the HCP system.

9. Click on the Start Migration button.

The migration service begins the data migration process, and the wizard exits. The migration service reports its progress on the Retirement panel on the Storage page. You can refresh this page at any time to view the current status of the data migration.

If any nodes become unavailable while the migration service is running, the service stops migrating data. When those nodes become available, the service automatically starts migrating data again.

You can use the Retirement panel on the Storage page to manage the migration service throughout the entire data migration process. At any time during the migration, you can click on the Retirement Settings button to display the controls that you can use to change the performance level of the migration, pause and resume the migration as needed, or cancel the migration. You can also use the appropriate field in the Retirement Settings section to modify the migration description at any time (for example, to record when and how long the migration was paused).

10. When the data migration is complete (that is, the migration status is Migrated):

– If a migration report is available, review it. This report identifies tenants that own namespaces containing unacknowledged irreparable objects. For the default tenant and for HCP tenants that are configured to allow system-level users to manage them, the report also lists the unacknowledged irreparable objects in those namespaces.

Note: If the migration service encounters one or more objects that it cannot migrate, it marks those objects as irreparable (if they weren’t already marked that way).

– If the data migration statistics show that not all objects were migrated, contact your authorized service provider for help.

11. Submit a request to your authorized service provider to finalize the migration and remove the retired hardware.

Retiring economy and extended storage pools, components, and volumes

You can use the Storage ► Retirement page in the System Management Console to retire both economy and extended storage pools, storage components, and storage volumes that are associated with storage component access points (buckets, containers, namespaces, or NFS volumes).

When you retire economy or extended storage that’s associated with a specific storage pool, component, or volume, HCP migrates all the data off of that storage and moves it to the replacement storage that you specify.

To use the Storage ► Retirement page to retire an economy or extended storage pool, component, or volume:

1. On the Storage ► Retirement page, click on the Retire Storage button.

The Get Started wizard opens. You use this wizard to select the type of storage you want to retire. Once you select a type of storage, the System Management Console dynamically builds either the Retire Economy Storage wizard or the Retire Extended Storage wizard, depending on the type of storage you selected.

2. In the Get Started wizard, click on the arrow and select either Economy Storage or Extended Storage from the dropdown list.

3. Click on the Go button.


4. On the Select page of the Retire Economy Storage or Retire Extended Storage wizard, use the fields to specify the economy or extended storage pool, component, or volume that you want to retire:

– In the What do you want to retire? field, select the appropriate option to indicate whether you want to retire a storage pool, component, or volume.

Depending on your selection, the wizard displays up to three different fields: Pool, Component, and Volume.

– Use the Pool, Component, or Volume field to select the specific storage pool, component, or volume you want to retire.

If multiple fields appear, you can use the Pool field to filter the lists of components and volumes, and you can use the Component field to filter the list of volumes.

– If you’re retiring a storage pool on which data is currently stored, use the Replacement Pool field to specify the storage pool on which you want HCP to store the object data that it migrates off of the storage pool that you’re retiring.

5. Click on the Finish button to exit the wizard and start the retirement process.

The migration service checks to see whether the selected pool, component, or volume is eligible for retirement.

If the storage is not eligible for retirement, the migration service reports the problem on the Retirement tab. If this happens, you need to fix the problem and then restart the storage retirement process.

If the storage is eligible for retirement, the migration service starts the retirement process:

– If the storage does not have any data on it, the migration service simply deletes the selected pool, component, or volume.

– If a selected storage pool has data on it, the service migrates all object data off of that pool and onto the replacement pool you selected. The service then deletes the storage pool you selected for retirement.


– If a selected storage component has data on it, the service migrates all of the data off of that component. The service moves this data onto one or more of the other components that are contained in the same storage pool as the component you’re retiring. The service then deletes the storage you selected for retirement.

– If a selected storage volume has data on it, the service moves all of the data off of that volume. The service moves that data onto one or more of the other volumes that are stored on the same storage component as the one you’re retiring. The service then deletes the volume you selected for retirement.

The migration service reports the progress of the economy or extended storage retirement on the Storage ► Retirement page. You can refresh this page at any time to view the current status of the economy or extended storage pool, component, or volume retirement.

If you’re retiring economy or extended storage that has data on it, you can use the Storage ► Retirement page to manage the migration service throughout the entire data migration process. At any time during the migration, you can click on the Retirement Settings button to display the controls that you can use to change the performance level of the migration, pause and resume the migration as needed, or cancel the migration (and the retirement). You can also use the appropriate field in the Retirement Settings section to modify the retirement description at any time (for example, to record when and how long the data migration was paused).

Monitoring storage pools and components

You can use the Storage section in the System Management Console to monitor the current health, availability, capacity, and usage of the storage that’s associated with any given storage pool, component, volume, or service plan. You can also use the Storage section to view current and historical usage statistics for the storage associated with any storage pool, component, volume, or service plan.

You can use the Storage page in the System Management Console to monitor the health, availability, and usage of the storage that’s associated with any given storage component, storage pool, or service plan in any of the following ways:

• Use the Storage ► Overview page to view current storage capacity and storage usage statistics for each component, pool, and service plan that’s defined on the HCP system.

• Use the Storage ► Components, Storage ► Pools, and Storage ► Service Plans pages to display information about the current health status, availability, compliance status, and storage capacity usage of each storage component, storage pool, and service plan that’s defined on the HCP system.

• Use the Storage ► Components page to view current and historical storage usage statistics for a specific storage component. To do this:

1. On the Storage ► Components page, click on the table row that corresponds to the storage component for which you want to view storage usage statistics.

2. If necessary, at the top of the panel that opens, click on the appropriate tab to display the Overview page.

The Overview page displays one or more graphs that show current and historical usage statistics for the selected component.

• Use the Storage ► Components page to view current storage usage for each access point (mount point, bucket, container, or namespace) that’s associated with a specific storage component. To do this:

1. On the Storage ► Components page, click on the table row that corresponds to the storage component associated with the access points for which you want to view the current storage usage.

2. At the top of the page that opens, click on the tab that corresponds to the type of access point that’s used for the component you’re viewing (Mount Points, Buckets, Containers, or Namespaces).

The panel that opens displays a list of all of the access points associated with the selected component and specifies the amount of used storage capacity that’s associated with each access point.

• Use the Storage ► Reports page to generate reports that show current and historical storage usage information for any specific storage pool, component, or service plan, or to generate reports that show statistics for all storage components, storage pools and service plans defined on the HCP system.

On the Storage ► Reports page, to generate a report:

1. Use the fields in the Report For section to specify the storage for which you want to generate a storage usage report. You can specify any of these:

– An individual storage component, storage pool, or service plan

– All storage components

– All storage pools

– All service plans

– All storage components, all storage pools, and all service plans

2. Use the Reporting Interval field to select the reporting interval to use for the report, and use the Start Date and End Date fields to select the time period that’s covered by the report. For detailed information and instructions on using these fields, see “Generating chargeback reports” on page 432.

3. Click on the Download Report button.

4. When prompted, save the report in the location of your choice.

Monitoring economy and extended storage component and pool usage

The Storage ► Overview page displays information about economy and extended storage and pool usage. From this page you can find the number of objects tiered, the bytes tiered, the usage of individual components, and the usage of individual storage pools.

The Extended and Economy Storage Statistics panel shows how many objects and bytes are currently tiered to all of your storage components.

The Metadata-only Statistics panel shows how many Metadata-only objects exist on your primary storage as a result of being tiered off, and it shows how many bytes of primary storage you save as a result of tiering. Bytes saved is an estimate that does not take into account duplicate elimination or compression.

Note: If you have an active/active replication link, the Metadata-only statistics fluctuate during object replication.

The Component Usage By Capacity section shows the usage, in gigabytes, of individual storage components. The graph incorporates primary, economy, and extended storage, depending on which exist in your HCP system. This information is also presented in a pie chart. Clicking on the primary, economy, or extended storage part of the bar graph or pie chart takes you to that component’s individual overview page.

The Pool Usage By Capacity section shows the usage, in gigabytes, of all storage pools. The graph incorporates primary, economy, and extended storage pools depending on which exist on your HCP system. This information is also presented in a pie chart. Clicking on a primary, economy, or extended storage pool in the bar graph or pie chart takes you to that pool’s individual overview page.

Monitoring the HCP S Series Node operations

The Overview tab of an individual HCP S Series Node Storage ► Components page displays four graphs that show the number of objects that have been written and read by the HCP system. The graphs partition the information in the following way:

Writes (bytes)

This graph shows how many bytes of data were being written onto the HCP S Series Node at any given time since the node was added to the HCP system.

Writes (operations)

This graph shows how many write operations were performed by the HCP S Series Node at any given time since the node was added to the HCP system.

Reads (bytes)

This graph shows how many bytes of data were being read from the HCP S Series Node at any given time since the node was added to the HCP system.

Reads (operations)

This graph shows how many read operations were performed by the HCP S Series Node at any given time since the node was added to the HCP system.

About service plans

Each namespace has a service plan that defines both a storage tiering strategy and a data protection strategy for the objects in that namespace. At any given point in the lifecycle of an object, its storage tiering strategy specifies the types of storage on which copies of that object must be stored, and its data protection strategy specifies the number of object copies that must be stored on each type of storage.

The service plan for a given namespace defines one or more tiers of storage that can be used to store objects in that namespace. For each object in the namespace, at any given point in the object lifecycle, the service plan specifies the criteria that determine which storage tiers must be used to store copies of that object and the number of copies of that object that must be stored on each tier.

Because HCP initially stores every object on primary running storage, every service plan automatically defines primary running storage as the initial storage tier, called the ingest tier. By default, each namespace service plan defines only the ingest tier, so that HCP stores all objects in the namespace on primary running storage throughout the object lifecycle.

Primary running storage is designed to provide both high data availability and high performance for object data storage and retrieval operations. To optimize data storage price/performance for the objects in a namespace, you can configure the service plan for that namespace to define a storage tiering strategy that specifies multiple storage tiers.

Ingest tier data protection level

The service plan for a given namespace defines one or more storage tiers for that namespace and specifies the data protection level (DPL) and the primary running storage metadata protection level (MPL) for each storage tier. The DPL for a given storage tier is the number of copies of the object data that HCP must maintain for each object that’s stored on that tier. The primary running storage MPL for a given storage tier is the number of copies of the object metadata that HCP must maintain on primary running storage for each object that’s stored on the tier.

Note: For any given storage tier, the primary running storage MPL must be equal to or greater than the DPL.

Every service plan defines primary running storage as the initial storage tier, called the ingest tier, and specifies a DPL setting and an MPL setting for that tier.

For each object in a given namespace, the ingest tier DPL is the number of copies of the object data that HCP must maintain on primary running storage, from the time when the object is first stored in the repository until the time when the object data is moved onto one or more other storage tiers (if multiple storage tiers are defined for the namespace). The ingest tier MPL is the number of copies of the object metadata that HCP must maintain on primary running storage for as long as the object exists in the repository.

In the default namespace, each directory also has an ingest tier DPL setting. This setting is the same as the ingest tier DPL setting that’s specified in the service plan that’s assigned to the default namespace.

For both objects and directories, the ingest tier DPL setting is stored as metadata. Users and applications can see, but not modify, this metadata.

For information on viewing ingest tier DPL settings, see Using a Namespace or Using the Default Namespace.

Note: When the ingest tier DPL of a namespace changes, for each object in that namespace that’s stored on primary running storage, HCP creates or deletes copies of the object data, as needed to satisfy the new ingest tier DPL. This can take some time, during which some objects have the old required number of copies and some have the new. When viewing object metadata, however, users and applications always see the intended number of copies (that is, the ingest tier DPL specified in the service plan for the namespace).

Default ingest tier DPL setting

Each HCP system has a default service plan that’s automatically created and configured during the HCP software installation. The default service plan is applied to each tenant and namespace for which another service plan is not explicitly selected.

For any given HCP system, the ingest tier DPL setting that’s initially configured for the default service plan is used as the default ingest tier DPL setting for each new service plan that’s created on the HCP system. When you create a new service plan, you can choose to use the default ingest tier DPL setting or select a different setting. You can also modify any service plan, including the default service plan, to change the ingest tier DPL setting. However, changing the ingest tier DPL setting used for the default service plan does not change the default ingest tier DPL setting that’s used for new service plans.

Typically, the default ingest tier DPL setting used for service plans created on an HCP system is the optimal setting for the type of physical storage that the HCP system uses. For RAIN and VM systems, the default ingest tier DPL is two. For SAIN systems, the SAN arrays provide a high level of data protection, so the default ingest tier DPL setting is one.


The default ingest tier DPL setting used for all service plans that are created on an HCP system is the optimal setting for the type of storage used by that system. However, the optimal ingest tier DPL setting that’s configured for the service plan that’s assigned to a specific tenant or namespace is subject to considerations such as whether the tenant or namespace is being replicated and whether the HCP system owner or the tenant administrator has any particular data protection needs.

On HCP RAIN systems, by default, service plans can be configured to set the ingest tier DPL to two, three, or four. To enable HCP RAIN system administrators to configure service plans to set the ingest tier DPL to one, contact your authorized HCP service provider.

Storage tier properties specified in service plans

For each storage tier, including the ingest tier, that’s defined for a given namespace, the service plan specifies:

• The storage pools that are used to store copies of each object on the tier. Each storage pool consists of one or more storage components. Each storage component represents a type of primary storage (running or spindown), an economy storage device, an extended storage device, or a cloud storage service endpoint.

• For each object that’s stored on the tier, the number of copies of the object data (called the data protection level, or DPL) that HCP must maintain on each storage pool and the number of copies of object metadata (called the metadata protection level or MPL) that HCP must maintain on the ingest tier.

• The transition criteria for each tier except for the ingest tier. The transition criteria for a storage tier are the rules that determine when one or more copies of each object in the namespace must be stored on the tier:

– The object age (number of days since ingest) at which one or more copies of the object data must be moved from the previous tier onto this tier

– For service plans that define exactly two tiers, including the ingest tier, whether a threshold will be applied to the second tier, and if so, the percentage of primary running storage capacity that must be used (the threshold) before object data can be moved to the second storage tier


• For a namespace that’s currently being replicated to another system, whether the copies of the object that are stored on the tier are to be made metadata-only.

Regardless of the transition criteria that are specified for a metadata-only tier, objects are moved to such a tier only after they are replicated. When a replicated object is moved to a metadata-only tier, all existing copies of the object data are deleted from the previous tier and from primary running storage, and HCP stores the specified number of copies of the object metadata on primary running storage.

• Whether the data for each object stored on the tier is rehydrated (that is, restored on primary running storage) upon being read from the tier, and if so, the number of days HCP is required to keep a rehydrated copy of object data on primary running storage

Clicking on this button also submits any changes you’ve made to the external storage volumes in the storage pool.
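The constraints this section and the preceding ones place on a service plan (MPL at least equal to DPL on every tier, the RAIN ingest tier DPL range, a threshold only on two-tier plans, metadata-only tiers only for replicated namespaces) can be checked on a plan draft before it is entered in the console. This is an added example, not HCP code: the `Tier` and `ServicePlan` records, the rule codes, and the sample plans are hypothetical, and modelling a metadata-only tier as DPL 0 is an assumption of this sketch.

```python
"""Service plan sanity checks derived from the rules stated in this chapter.

Illustrative model only; none of these names come from HCP.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Tier:
    name: str
    dpl: int                              # copies of object data kept for this tier
    mpl: int                              # metadata copies kept on primary running storage
    min_age_days: Optional[int] = None    # transition criterion: days since ingest
    threshold_pct: Optional[int] = None   # % of primary running capacity that must be used
    metadata_only: bool = False


@dataclass
class ServicePlan:
    name: str
    tiers: List[Tier]                     # tiers[0] is the ingest tier


def validate(plan: ServicePlan, system_type: str, namespace_replicated: bool,
             rain_dpl1_enabled: bool = False) -> List[Tuple[str, str]]:
    """Return (rule_code, tier_name) findings; an empty list means the plan passes."""
    findings = []
    ingest = plan.tiers[0]

    # Transition criteria exist for every tier except the ingest tier.
    if ingest.min_age_days is not None or ingest.threshold_pct is not None:
        findings.append(("INGEST_HAS_TRANSITION_CRITERIA", ingest.name))

    # On RAIN, ingest tier DPL is 2, 3 or 4 unless the service provider enabled 1.
    if system_type == "RAIN":
        allowed = {1, 2, 3, 4} if rain_dpl1_enabled else {2, 3, 4}
        if ingest.dpl not in allowed:
            findings.append(("RAIN_INGEST_DPL", ingest.name))

    for index, tier in enumerate(plan.tiers):
        # For any tier, the primary running storage MPL must be >= the DPL.
        if tier.mpl < tier.dpl:
            findings.append(("MPL_LT_DPL", tier.name))

        # A threshold applies only to the second tier of a plan with exactly two tiers.
        if index > 0 and tier.threshold_pct is not None:
            if len(plan.tiers) != 2:
                findings.append(("THRESHOLD_NEEDS_TWO_TIERS", tier.name))
            elif not 0 <= tier.threshold_pct <= 100:
                findings.append(("THRESHOLD_RANGE", tier.name))

        # Metadata-only tiers are for namespaces being replicated to another system.
        if tier.metadata_only and not namespace_replicated:
            findings.append(("METADATA_ONLY_UNREPLICATED", tier.name))

    return findings


# Constructed sample plans (tier names and values are made up for illustration).
GOOD_PLAN = ServicePlan("two-tier", [
    Tier("primary-running", dpl=2, mpl=2),
    Tier("economy", dpl=1, mpl=2, min_age_days=30, threshold_pct=70),
])
BAD_PLAN = ServicePlan("three-tier-draft", [
    Tier("primary-running", dpl=1, mpl=1),
    Tier("extended", dpl=2, mpl=1, min_age_days=30, threshold_pct=80),
    Tier("remote-md", dpl=0, mpl=2, min_age_days=365, metadata_only=True),
])

if __name__ == "__main__":
    for code, tier in validate(BAD_PLAN, "RAIN", namespace_replicated=False):
        print(f"{BAD_PLAN.name}: {code} on tier {tier}")
```
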

How HCP uses the information found in service plans

If the service plan for a given namespace defines only the ingest tier (primary running storage), for each object in that namespace, the protection service works to ensure that:

• The correct number of copies of the object data are always stored on primary running storage.

• The correct number of copies of the object metadata are always stored on primary running storage.

For details on how the protection service works, see “Protection service” on page 300.

If the service plan for a given namespace defines multiple storage tiers, the storage tiering service works to ensure that each object in that namespace is stored on the correct tier and the correct number of copies of the object is stored on each tier.

For each object in that namespace, the storage tiering service:

• Moves copies of the object data among the storage tiers that are defined for the namespace to satisfy the transition criteria that are defined for each storage tier


• Upon moving all existing copies of the data for an object from one tier to another:

– If the new tier has a different DPL than the previous tier, creates or deletes the number of copies of object data that’s required to satisfy the DPL setting for the new tier

– If the new tier has a different primary running storage metadata protection level (MPL) than the previous tier, creates or deletes the number of copies of object metadata that’s required to satisfy the MPL setting for the new tier

• Upon moving a replicated object to a metadata-only tier, deletes all copies of the object data from the previous tier, and if the previous tier is not the ingest tier, deletes any copies of the object data that exist on primary running storage

• Checks to see if the object data has been read from a data storage tier for which rehydration is enabled, and if so, creates an extra copy of the object data on primary running storage

• After moving a replicated object to a metadata-only tier for which rehydration is enabled and making that object metadata-only, checks to see whether that object has been read from a remote system, and if so, restores the data to each copy of the object that’s stored on primary running storage

For information about how the storage tiering service works, see “Storage tiering service” on page 331.

Metadata-only storage tiers

When the storage tiering service moves an object off of primary running storage and onto another storage tier, the service removes all copies of the object data from primary running storage and stores the specified number of copies of the object data on the new storage tier. However, at least one copy of the object metadata must always remain on primary running storage. For each storage tier that’s defined for a given namespace, the service plan specifies the number of copies of object data that must be stored on the tier and the number of copies of object metadata that must be stored on primary running storage.

If a given namespace is being replicated to another system, you can configure the service plan for that namespace to define a metadata-only storage tier. For each object that’s stored on a metadata-only tier, the service plan specifies the number of copies of the object metadata that must be stored on primary running storage, but the service plan also specifies that no copies of the data for that object can be stored on any storage tier, including the ingest tier. Read-from-remote functionality enables clients to read the data for replicated metadata-only objects.

Note: Each service plan can be configured to define only one metadata-only storage tier. In addition, if the service plan for a namespace defines a metadata-only tier, that tier must be the last storage tier that’s defined by the service plan. Once objects in a namespace are moved to the metadata-only tier that’s defined for that namespace, the data for those objects is removed from all storage tiers defined for the namespace.

The storage tiering service makes an object metadata-only only when all of these conditions are true:

• The service plan for the namespace that contains the object defines a metadata-only storage tier.

• The object is on the storage tier that immediately precedes the metadata-only tier defined in the namespace service plan, and the object meets the transition criteria specified for the metadata-only storage tier.

• A copy of the data for the object exists on at least one other HCP system in the replication topology in which the current system participates. (This is possible because service plans with the same name can have different definitions on different systems.)

When all of these conditions are true, the storage tiering service deletes all copies of the data for the object from the preceding storage tier. If the preceding storage tier is not primary running storage, the storage tiering service also deletes any copies of the object data that exist on primary running storage. After deleting all copies of the data for the object, the storage tiering service creates or deletes copies of the object metadata on primary running storage, as necessary, to satisfy the primary running storage MPL that’s specified for the metadata-only storage tier.

If rehydration is enabled for a metadata-only storage tier, when rehydrating a replicated object that’s been read from primary running storage on a remote system, the storage tiering service rehydrates all copies of that object on primary running storage on the local system.


When replicating an object in a namespace to a system on which objects in that namespace can be made metadata-only, HCP replicates only the object metadata if the object is larger than one MB. If the object is smaller than one MB, HCP replicates both the data and metadata.

Here’s a scenario that shows how allowing metadata-only objects can be used to advantage:

You have a many-to-one replication topology in which the HCP systems at the outlying sites are much smaller than the central HCP system to which they all replicate. To optimize the use of storage on the outlying systems, you allow the namespaces on those systems to have metadata-only objects while requiring the central system to have the object data. The outlying systems respond to client requests for object data by reading the data from the central system.

In this scenario, the replication topology should include a disaster recovery system (that is, a replica of the central system) to protect against data loss in case of a catastrophic failure of the central system.

Important: HCP does not prevent you from removing a namespace from a replication topology even if the namespace contains metadata-only objects on one or more systems in that topology. This can result in data for objects in that namespace being permanently inaccessible from those systems.

In most cases, HCP warns you if the modification you’re making to a replication link would cause this condition to occur.

Note: For the HDDS search facility to index the data for metadata-only objects, the objects must be rehydrated.

For more information on replication, see Replicating Tenants and Namespaces.
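The three conditions for making an object metadata-only, and the Important note about removing a namespace from a replication topology, modeled as an added example (this is not HCP code and not part of the original manual). The class, field and function names are hypothetical, and the age-based transition criterion is an assumption made for illustration.

```python
"""Illustrative model of the metadata-only rules described above.
Not HCP code: every class, field and function name here is hypothetical."""
from dataclasses import dataclass, field

INGEST = "primary running storage"


@dataclass
class Tier:
    name: str
    min_age_days: int = 0        # assumed form of the tier's transition criteria
    metadata_only: bool = False
    mpl: int = 1                 # metadata copies kept on primary running storage


@dataclass
class StoredObject:
    name: str
    tier: int                    # index of the object's current tier in the plan
    age_days: int
    data_copies: dict = field(default_factory=dict)    # local storage -> copies
    metadata_copies: int = 1
    remote_holders: set = field(default_factory=set)   # other systems with the data


def plan_problems(tiers):
    """Structural rules: at most one metadata-only tier, and it must be last."""
    flagged = [i for i, t in enumerate(tiers) if t.metadata_only]
    problems = []
    if len(flagged) > 1:
        problems.append("more than one metadata-only tier")
    if flagged and flagged[-1] != len(tiers) - 1:
        problems.append("metadata-only tier is not the last tier")
    return problems


def blockers(obj, tiers):
    """Return the unmet conditions; an empty list means all three hold."""
    problems = plan_problems(tiers)
    if problems:
        return problems
    if not tiers[-1].metadata_only:
        return ["plan defines no metadata-only tier"]
    unmet = []
    if obj.tier != len(tiers) - 2:
        unmet.append("object is not on the immediately preceding tier")
    if obj.age_days < tiers[-1].min_age_days:
        unmet.append("transition criteria not met")
    if not obj.remote_holders:
        unmet.append("no other system in the topology holds the data")
    return unmet


def make_metadata_only(obj, tiers):
    """Apply the transition; refuse if any condition is unmet."""
    unmet = blockers(obj, tiers)
    if unmet:
        raise ValueError("; ".join(unmet))
    previous = tiers[obj.tier].name
    obj.data_copies.pop(previous, None)     # all copies on the preceding tier
    if previous != INGEST:
        obj.data_copies.pop(INGEST, None)   # any copy left on primary running storage
    obj.metadata_copies = tiers[-1].mpl     # created or deleted to match the MPL
    obj.tier = len(tiers) - 1


def stranded_by_unlink(objects, tiers, leaving):
    """Names of metadata-only objects whose data becomes unreachable from this
    system if the systems in `leaving` stop being replication partners."""
    last = len(tiers) - 1
    return [o.name for o in objects
            if tiers[last].metadata_only and o.tier == last
            and not o.data_copies and not (o.remote_holders - set(leaving))]


# Constructed sample: a three-tier plan on an outlying system.
PLAN = [Tier(INGEST, mpl=2),
        Tier("extended", min_age_days=30),
        Tier("metadata-only", min_age_days=90, metadata_only=True, mpl=1)]


def demo():
    a = StoredObject("a", tier=1, age_days=120,
                     data_copies={"extended": 1, INGEST: 1},
                     metadata_copies=2, remote_holders={"central"})
    b = StoredObject("b", tier=1, age_days=120,
                     data_copies={"extended": 1}, metadata_copies=2)
    make_metadata_only(a, PLAN)             # replicated, so the data is deleted locally
    return a, blockers(b, PLAN), stranded_by_unlink([a, b], PLAN, {"central"})


if __name__ == "__main__":
    a, why_b_stays, at_risk = demo()
    print(a.data_copies, a.metadata_copies, why_b_stays, at_risk)
```

Running the stranded-object check before changing a replication link shows which objects depend on that link as their only remaining source of data.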

Rehydration

HCP reads objects most efficiently from primary running storage on the system that’s the target of the read request. If you anticipate frequent reads of the same objects in a namespace with objects that are stored on a specific extended storage tier that’s defined for a given namespace by its service plan, consider reconfiguring that service plan to enable rehydration on the appropriate storage tier. Similarly, if you anticipate frequent reads of the same objects in a namespace that contains metadata-only objects, consider configuring the service plan for that namespace to enable rehydration on the metadata-only storage tier.

Default service plan configuration settings

Each HCP system has a default service plan that’s automatically created and configured during the HCP software installation. The default service plan is applied to each tenant and namespace for which another service plan is not explicitly selected.

When the HCP system is first installed, the Default service plan defines primary running storage (the ingest tier) as the only storage tier. On RAIN and VM systems, by default, the ingest tier DPL and MPL are both set to two. On SAIN systems, by default, the ingest tier DPL and MPL are both set to one.

You can modify the Default service plan at any time to define one or more additional storage tiers or to change the ingest tier DPL and MPL settings.

General considerations for namespace service plans

Initially, when you add an object to a namespace, HCP creates and stores the data and metadata for the object on primary running storage. For each object that’s stored in a namespace:

1. HCP creates primary metadata for it. This metadata consists of information HCP already knows, such as the creation date, and, for objects only, the data size, hash algorithm, and cryptographic hash value generated by that algorithm. It also includes metadata that was either inherited or specified in the write request, such as retention setting, UID, and GID.

2. HCP creates the number of additional copies of the primary metadata required to satisfy the ingest tier metadata protection level (MPL) that’s set for the namespace by its service plan. HCP then distributes all copies of the primary metadata among the HCP storage nodes.

3. HCP creates the number of copies of the object data required to satisfy the ingest tier data protection level (DPL) that’s set for the namespace by its service plan. HCP then distributes all copies of the object data among the HCP storage nodes.

Each copy of the primary metadata for the object points to all copies of the object data. However, the object data is not necessarily stored on the same node as the primary metadata for the object.


4. HCP stores a copy of the metadata with each copy of the object data. Each copy, called the secondary metadata, lets HCP reconstruct the primary metadata should that become necessary.

Object content stored on different types of storage

When the storage tiering service moves an object off of primary running storage and onto another storage tier, the service removes all copies of the object data from primary running storage and stores the specified number of copies of the object data on the new storage tier. However, at least one copy of the object metadata must always remain on primary running storage. For each storage tier that’s defined for a given namespace, the service plan specifies the number of copies of object data that must be stored on the tier and the number of copies of object metadata that must be stored on primary running storage.

For each object in a given namespace, the storage tiering service always moves copies of the data for that object among the storage tiers that are defined for the namespace by its service plan. However, the storage tiering service does not move all of the other content for an object to each storage tier that’s defined for a namespace.

For each copy of an object that’s stored on primary spindown storage, only the data, custom metadata, ACL, and secondary metadata for that object are actually stored on primary spindown storage. All copies of the primary metadata for an object must always remain on primary running storage.

Note: Objects moved from primary running storage to primary spindown storage are always kept on the same storage node.

For each copy of an object that’s moved to economy or extended storage, only the data for that object is actually stored on primary running storage. All copies of the object metadata must always remain on primary running storage.

Storage allocation for objects on an economy or extended storage tier

Each economy or extended storage tier can be configured to use one or more storage pools. Each storage pool can be configured to include one or more access points (mount points, buckets, containers, or namespaces) that can be associated with one or more storage components.


If a service plan defines an economy or extended storage tier that contains more than one storage pool, and the DPL for that storage tier is greater than one, HCP uses different storage pools to store duplicate copies of the data for each object on that tier. Similarly, if a storage pool that’s used for a given storage tier contains more than one economy or extended storage component access point, HCP uses the storage that’s associated with different access points to store any duplicate copies of object data that are stored on the tier that contains the storage pool.

When HCP stores a single copy for each object on a given economy or extended storage tier, HCP still distributes the object data storage evenly across all of the storage component access points contained in all storage pools configured for a given economy or extended storage tier.

This ensures that data that’s stored on a given tier is protected as much as possible and the storage that’s used for a given tier is allocated as efficiently as possible.

Service plans and read requests

When creating service plans, you should keep in mind how HCP handles read requests.

In response to a read request, HCP tries to retrieve the data for an object from these sources, in the order specified below:

1. Primary running storage

2. Primary spindown storage

3. NFS storage volumes

4. Cloud storage

5. Primary storage on a remote system to which the object has been replicated

In response to a read request, HCP tries to retrieve the metadata for an object from these sources, in the order specified below:

1. Primary running storage

2. Primary spindown storage

3. Primary running storage on a remote system to which the object has been replicated


Service plans for tenants and namespaces

When you create an HCP tenant, you have the option of associating a service plan with it. This plan then applies to each namespace that’s owned by the tenant. Alternatively, you can allow HCP tenant administrators to associate service plans with their individual namespaces. In this case, the tenant administrator can choose from any of the service plans that are defined at the system level (including Default).

When you create the default tenant and namespace, you associate a service plan with the default namespace. The default tenant administrator can choose a different service plan for the default namespace at any time.

You can change the service plan that’s associated with an HCP tenant at any time. However, if you switch to allowing the tenant to associate service plans with individual namespaces, you can no longer associate a service plan with the tenant.

When allowed to choose service plans for individual namespaces, tenant administrators see only the service plan names and descriptions, and not service plan rules. The names and descriptions can indicate the namespace usage patterns and properties with which the service plans are intended to work. Thus, tenant administrators do not need to be aware of the HCP system storage in order to associate service plans with namespaces.

Service plans and replication

HCP replicates the associations between service plan names and tenants or namespaces but does not replicate the service plans themselves. This means that service plans with the same name can have different definitions on different systems in a replication topology. Because of this, you can optimize storage usage differently on those different systems.

If a service plan associated with a tenant or namespace is not defined on a system to which the tenant or namespace is replicated, that system uses its Default service plan for the tenant or namespace. However, the original service plan name remains associated with the tenant or namespace even though the plan is undefined.

Considerations for service plans on an upgraded system

Starting in HCP 7.0, the behavior that’s governed by namespace service plans has been expanded to include the specification of the DPL setting and the primary running storage tier MPL setting for each storage tier that’s defined for a namespace by its service plan. As a result, starting in HCP 7.0, the system-level DPL setting has been deprecated and replaced with the ingest tier DPL setting for the default service plan, and the namespace DPL and MPL settings have also been deprecated.

During an upgrade from HCP 6.x to HCP 7.0 or later, to maintain the behavior of the system-level DPL setting and the namespace DPL and MPL settings that are in effect for each namespace that’s defined on an HCP system, the HCP Setup program will update existing service plans and create new service plans for each namespace, as needed.

After an upgrade completes, all existing service plans will be upgraded to use the HCP 7.x format. In addition, HCP will ensure that each namespace has a new or existing service plan that sets the correct DPL and primary running storage MPL for each storage tier that’s defined for the namespace.

During an upgrade from HCP 6.x to HCP 7.0 or later, if the system-level DPL setting was in use before the upgrade, HCP Setup modifies the default service plan to use the system-level DPL setting as the ingest tier DPL. If any namespace has a DPL setting of Dynamic and the default service plan is not assigned to that namespace, then HCP Setup either modifies the existing service plan for that namespace or creates a new service plan for that namespace to ensure that the current system-level DPL setting is used for each storage tier that’s defined for the namespace.

After modifying the ingest tier DPL setting for the default service plan (if necessary), for each existing service plan:

• If the existing service plan is assigned to one or more namespaces, and all of those namespaces have the same DPL setting (for example, Dynamic or 1), HCP Setup reconfigures the existing service plan to specify the existing namespace DPL setting as the ingest tier DPL.

• If the existing service plan is assigned to multiple namespaces that have different DPL settings, then for those namespaces, HCP Setup performs the following procedure:

1. HCP Setup creates a new, retired service plan for each unique combination of an existing namespace DPL setting and the existing service plan storage tier specification.

2. HCP configures each namespace to replace the existing service plan with the appropriate retired service plan that’s required to maintain the behavior of the original namespace DPL setting on each storage tier that was defined by the original service plan.


After an upgrade from HCP 6.x to HCP 7.0 or later, the new retired service plans created by HCP Setup are not configurable, and each assignment of a retired service plan to a given namespace overrides the previous service plan assignment that was configured for that namespace before the upgrade.

As a result, for each namespace to which HCP Setup has assigned an automatically generated, retired service plan:

• If the namespace is owned by a tenant that’s not configured to allow the tenant administrator to assign a new service plan to the namespace:

– Because a retired service plan is currently in use by the namespace, HCP generates a system-level alert to inform you that you need to assign a new service plan to the namespace.

– To respond to the alert, you need to take one of these actions:

• Change the status of the retired service plan from retired to active, and continue to use the new service plan that HCP Setup has generated for the namespace.

• Assign a new service plan to the tenant that owns the namespace (and hence, assign that new service plan to all namespaces owned by that tenant).

• Configure the tenant that owns the namespace to allow tenant administrators to assign a specific service plan to each namespace that’s owned by the tenant. In this case, the retired service plan will continue to be assigned to the namespace until a tenant administrator configures the namespace to assign a new service plan to it.

• If the namespace is owned by a tenant that is configured to allow the tenant administrator to assign a new service plan to the namespace:

– Because a retired service plan is currently in use by the namespace, HCP generates a tenant-level alert to inform tenant administrators that a new service plan needs to be assigned to the namespace.

– In response to this alert, a tenant administrator needs to assign a new service plan to the namespace.
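The per-plan conversion rules and alert routing described in this section, as an added example (not HCP Setup code and not part of the original manual). It covers non-default plans only; the names, the retired-plan naming scheme, and the reading that a Dynamic setting resolves to the system-level DPL are assumptions, and the sample namespaces are constructed.

```python
"""Illustrative model of the 6.x to 7.x service plan conversion described above.
Not HCP Setup code: names and the retired-plan naming scheme are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Namespace:
    name: str
    tenant: str
    plan: str                    # service plan in effect before the upgrade
    dpl: str                     # pre-upgrade namespace DPL setting: "Dynamic", "1", "2", ...
    tenant_assigns_plans: bool   # tenant administrators may pick plans per namespace


def resolve(dpl, system_dpl):
    """Assumption: a Dynamic setting follows the system-level DPL."""
    return system_dpl if dpl == "Dynamic" else int(dpl)


def convert(namespaces, system_dpl):
    """Return (ingest tier DPL by plan, plan by namespace, alerts)."""
    by_plan = defaultdict(list)
    for ns in namespaces:
        by_plan[ns.plan].append(ns)

    ingest_dpl, assignment, alerts = {}, {}, []
    for plan, members in sorted(by_plan.items()):
        settings = {ns.dpl for ns in members}
        if len(settings) == 1:
            # Uniform DPL setting: the existing plan is reconfigured in place.
            ingest_dpl[plan] = resolve(settings.pop(), system_dpl)
            assignment.update({ns.name: plan for ns in members})
            continue
        # Mixed DPL settings: one retired plan per (plan, DPL setting) combination.
        for ns in members:
            retired = f"{plan}-retired-dpl-{ns.dpl}"   # hypothetical naming scheme
            ingest_dpl[retired] = resolve(ns.dpl, system_dpl)
            assignment[ns.name] = retired
            level = "tenant" if ns.tenant_assigns_plans else "system"
            alerts.append((level, ns.tenant, ns.name))
    return ingest_dpl, assignment, alerts


def dpl_regressions(namespaces, system_dpl, observed_dpl):
    """Namespaces whose observed post-upgrade ingest tier DPL (a mapping of
    namespace name to DPL) is lower than the pre-upgrade setting required."""
    return sorted(ns.name for ns in namespaces
                  if observed_dpl.get(ns.name, 0) < resolve(ns.dpl, system_dpl))


# Constructed sample: five namespaces on two plans, system-level DPL of 2.
SAMPLE = [
    Namespace("finance", "acme", "Gold", "2", False),
    Namespace("hr", "acme", "Gold", "2", False),
    Namespace("logs", "beta", "Bulk", "1", True),
    Namespace("scans", "beta", "Bulk", "Dynamic", True),
    Namespace("mail", "gamma", "Bulk", "1", False),
]

if __name__ == "__main__":
    dpl, assigned, alerts = convert(SAMPLE, system_dpl=2)
    for name, plan in sorted(assigned.items()):
        print(f"{name}: {plan} (ingest tier DPL {dpl[plan]})")
    for alert in alerts:
        print("alert:", alert)
```

Comparing the DPL values observed after the upgrade against the pre-upgrade settings is a quick way to confirm that no namespace ended up with fewer copies than it had before.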


Working with service plans

Each namespace has a service plan that defines both a storage tiering strategy and a data protection strategy for the objects in that namespace.

At any given point in the lifecycle of an object, its storage tiering strategy specifies the types of storage on which copies of that object must be stored, and its data protection strategy specifies the number of object copies that must be stored on each type of storage.

A service plan is a named specification of HCP service behavior that determines how HCP manages the storage of the data and metadata for objects in a given namespace. For example, the service plan for a namespace could specify that the storage tiering service should move objects from primary running storage to primary spindown storage 30 days after they’re stored and specify that the protection service should ensure that HCP maintains two copies of the data for each object that exists on primary spindown storage. Service plans enable you to tailor a storage tiering strategy and a data protection strategy for each tenant and its namespaces based on specific storage usage patterns or business needs.

You can create any number of service plans on an HCP system and configure each plan to use up to four different storage tiers, including the ingest tier (primary running storage). You can then offer a wide variety of service plans to tenant administrators in order to meet the business needs of each tenant.

You can use the Storage page in the System Management Console to create, modify, retire, and delete service plans. You can also use the Storage page to monitor the usage of all primary spindown storage and extended storage tiers that are defined by any given service plan.

To display the Storage page, in the top-level menu in the System Management Console, click on Storage.

Roles: To view existing service plans and monitor storage usage for storage tiers defined for one or more service plans, you need the monitor or administrator role. To create, modify, retire, and delete service plans, you need the administrator role.

Creating a service plan

To create a service plan:

1. On the left side of the Storage page, click on the Service Plans tab.


2. At the top of the Service Plans panel, click on the Create Service Plan button.

The Create Service Plan wizard opens.

3. On the Name page in the wizard, use the appropriate fields to specify a name for the new service plan and, optionally, a description for the service plan.

A service plan name must be from one through 64 characters long and can contain only alphanumeric characters, hyphens (-), and underscores (_). Service plan names are not case sensitive.

A service plan description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

4. Click on the Next button.

5. On the Import page in the wizard, you are given the option to import the configuration for an existing service plan into the service plan you’re creating. When you import the configuration for an existing service plan, the storage tiers that are configured for that plan are automatically defined in the new plan. You can then use the imported service plan configuration as a starting point to configure each of the tiers you want to define in the service plan.

If you want to import the configuration for an existing service plan into the new service plan you’re creating, check the box next to the existing service plan you want to import.

6. Click on the Next button.

7. On the Review page in the wizard, review the information you entered in the wizard.

8. Take one of the following options:

– If the information you entered is correct, click on the Finish button.

– If the information is incorrect, use the Previous and Next buttons to navigate through the pages of the wizard and make the changes you want. When you’re satisfied with the configuration settings you’ve entered, click on the Finish button.

When you click on the Finish button, the wizard exits, and the Storage page displays the Tiers panel on the service plan configuration page for the service plan that you’ve just created.


You can use the Tiers panel to add one or more new tiers to the service plan configuration. If you chose to import the configuration from another service plan into the new plan you created, you can also delete or modify any of the existing tiers that were imported from that plan. For more information on this, see “Modifying a service plan” below.

If you’re satisfied with the storage tiers that are configured for the new service plan, you can click on the Tenants tab at the top of the page and use the Tenants panel to assign the service plan to one or more tenants. For more information on this, see “Assigning a service plan to one or more tenants” on page 194.

Modifying a service plan

You can use the Service Plans panel on the Storage page to view and modify the configuration of any existing service plan. At any time, you can modify any service plan to:

• Change the service plan name or description. Note that when you change the name, the original name remains associated with any applicable tenants and namespaces. The result is that these tenants and namespaces are associated with an undefined service plan, and HCP uses the Default service plan for them. If you subsequently create a new service plan with the original name, that plan then applies to those tenants and namespaces.

• Add one or more new storage tiers to the storage tiering strategy that’s defined in the service plan.

• Delete one or more existing storage tiers from the plan.

• Change any configuration settings used for any given storage tier that’s defined in the service plan.

When you change the storage tiering strategy or the data protection strategy that’s defined in a service plan, objects that complied with the original service plan requirements may not be in compliance with the new ones. The next time the storage tiering service processes such an object, the service moves, copies, deletes, or changes the object as needed to comply with the new storage tiering strategy and/or to comply with the new data protection plan.


• Assign the service plan to one or more tenants.

Note: When you assign a service plan to an existing tenant, that service plan replaces the one that was previously in effect for the tenant. Similar to a change in the configuration for an existing service plan for a namespace, when you change the service plan that’s assigned to a tenant, the new storage tiering strategy and data protection strategy do not take effect until the next time the storage tiering service runs.

Modifying basic configuration settings for a service plan

You can modify the basic configuration settings for any service plan to change either the name or the description that’s used for the service plan.

To modify the basic configuration settings for a specific service plan:

1. On the left side of the Storage page, click on the Service Plans tab.

2. On the Service Plans panel, click on the table row that corresponds to the service plan for which you want to configure a new storage tier.

3. At the top of the panel that opens, click on the Settings tab.

4. On the Settings panel, use the appropriate fields to change the service plan name or to specify a new description for the service plan.

5. At the bottom of the page, click on the Update Settings button.

Adding a storage tier to a service plan

You can configure any service plan to define up to four different storage tiers, including the ingest tier. To modify an existing service plan to add a new storage tier:

1. On the left side of the Storage page, click on the Service Plans tab.

2. On the Service Plans panel, click on the table row that corresponds to the service plan for which you want to configure a new storage tier.

3. At the top of the panel that opens, click on the Tiers tab.

4. On the Tiers panel, click on the Add Tier button.

The Add Tier wizard opens.


5. On the Transition page in the wizard, use the appropriate fields to set the transition criteria for the new storage tier.

6. Click on the Next button.

7. On the Options page in the wizard, use the appropriate fields to specify:

– Whether to enable rehydration for the new storage tier, and if so, the number of days an object must remain on primary running storage after it’s rehydrated

– Whether to make this storage tier metadata-only

8. Click on the Next button.

9. Take one of these actions:

– If in step 7 above, you did not select the appropriate option to make this tier metadata-only, then on the Storage Pools page:

• The wizard displays a table containing a list of all of the storage pools that you can include in the storage tier, along with a check box that corresponds to each storage pool in the list. Use the checkboxes in the left column in the table to select one or more storage pools to be included in the tier.

• A dropdown list box appears next to the name of each storage pool you select. Use these fields to specify the number of copies of object data that HCP must maintain on each storage pool for each object that’s moved to the storage tier you’re configuring. The total number of copies of object data that must be stored on each pool is the DPL for the storage tier.

• In the Metadata Copies on Primary Storage field, specify the primary running storage MPL for the new tier. This is the number of copies of the object metadata that HCP must maintain on primary running storage for each object that’s moved to the new storage tier.

• At the bottom of the page, select I Understand to indicate that you understand the consequences of moving all copies of the object data to the new tier.

– If in step 7 above, you selected the appropriate option to make this tier metadata-only, on the Storage Pools page:


• In the Metadata Copies on Primary Running Storage field, specify the primary running storage MPL for the new tier. This is the number of copies of the object metadata that HCP must maintain on primary running storage for each object that’s moved to the new storage tier.

• Select I Understand to indicate that you understand the consequences of moving all copies of the object data to the new tier. In this case, this statement means that you understand that the DPL of the new tier is zero, so all copies of the object data will be deleted for each object that’s moved to the new tier.

10. Click on the Next button.

11. On the Review page in the wizard, review the storage tier configuration settings that you specified in the wizard.

12. Take one of the following options:

– If the information you entered is correct, click on the Finish button.

– If the information is incorrect, use the Previous and Next buttons to navigate through the pages of the wizard and make the changes you want. When you’re satisfied with the configuration settings you’ve entered, click on the Finish button.

When you click on the Finish button, the wizard exits, and the Storage page displays the Tiers panel on the service plan configuration page for the service plan for which you’ve just created a new storage tier.

Removing one or more storage tiers from a service plan

To modify an existing service plan to delete one or more storage tiers:

1. On the left side of the Storage page, click on the Service Plans tab.

2. On the Service Plans panel, click on the table row that corresponds to the service plan for which you want to configure a new storage tier.

3. At the top of the panel that opens, click on the Tiers tab.

4. The Tiers panel opens, showing a list of storage tiers that are currently configured for the service plan. A delete control ( ) appears in the row for each storage tier except for the ingest tier.

5. Click on the delete control for any storage tier to delete it from the service plan.


Assigning a service plan to one or more tenants

You can configure the service plan for a namespace to assign that service plan to any existing tenant. When you assign a particular service plan to a tenant, that service plan replaces the one that was previously assigned to the tenant.

Note: Similar to a change in the configuration for an existing service plan for a namespace, when you change the service plan that’s assigned to a tenant, the new storage tiering strategy and data protection strategy do not take effect until the next time the storage tiering service runs.

To assign a service plan to one or more existing tenants:

1. On the left side of the Storage page, click on the Service Plans tab.

2. On the Service Plans panel, click on the table row that corresponds to the service plan for which you want to configure a new storage tier.

3. At the top of the panel that opens, click on the Tenants tab.

4. On the Tenants panel, in the Tenants assigned other service plans section, use the checkboxes in the left column in the table to select the tenants to which you want to assign the service plan.

Note: You can also use the checkboxes in the Tenants assigned service plan name field to deselect one or more tenants in order to delete those service plan assignments. However, if you do this, the deselected tenants will have no service plan assigned to them, so you’ll have to assign new service plans to them. If you want to change the service plan that’s assigned to a specific tenant, you should modify the configuration for that tenant or modify the configuration of the new service plan to assign it to the tenant.

5. At the bottom of the page, click on the Update Settings button.

Retiring a service plan

You can retire a service plan at any time. When you retire a service plan, the plan remains in effect for all namespaces and tenants to which it is currently assigned. However, a retired service plan is no longer available to be assigned to any new or existing tenants or namespaces.


You can also reactivate a retired service plan at any time to make that service plan available to be assigned to tenants and namespaces once again.

To retire or reactivate a service plan:

1. On the left side of the Storage page, click on the Service Plans tab.

2. On the Service Plans panel, click on the table row that corresponds to the service plan for which you want to configure a new storage tier.

3. At the top of the panel that opens, click on the Settings tab.

4. On the Settings tab, in the Retire service plan section, take one of these actions:

– If you want to retire the service plan, select the Retire option.

– If you want to reactivate the service plan, deselect the Retire option.

5. At the bottom of the page, click on the Update Settings button.

Deleting a service plan

You can delete any service plan except the Default service plan at any time. However, in order to delete a service plan that’s assigned to one or more tenants or namespaces, you need to specify a replacement service plan for those tenants and namespaces.

When you delete a service plan, objects to which that plan applied must now comply with the replacement service plan that you specified when you deleted the plan. The next time the storage tiering service processes such an object, the service moves or changes the object as needed to comply with the specified replacement service plan.

To delete a service plan:

1. On the left side of the Storage page, click on the Service Plans tab.


2. The Service Plans panel displays a list of service plans that are currently configured on the HCP system. A delete control ( ) appears next to each service plan that’s not currently assigned to any tenants or namespaces.

Take one of these actions:

– If the service plan you want to delete is not currently assigned to any namespaces or service plans, on the Service Plans panel:

1. Click on the delete control ( ) in the table row that corresponds to the service plan you want to delete.

2. In response to the confirming message, click on the Delete button.

– If the service plan is associated with one or more tenants or namespaces, on the Service Plans panel:

1. Click on the table row that corresponds to the service plan that you want to delete.

2. At the top of the panel that opens, click on the Manage tab.

3. On the Manage panel, in the Delete service plan section in the Replacement Service Plan field, select the service plan that you want to assign to all namespaces and tenants that are currently assigned to the service plan you want to delete.

4. Click on the Delete Service Plan button.

HCP deletes the service plan from the system and assigns the specified replacement service plan to each tenant and namespace to which the deleted service plan was assigned.

Storage license

A storage license permits you to use a designated amount of your HCP system disk storage capacity. Storage licenses are available for all system configurations: RAIN, SAIN, and VM.

All HCP systems are required to have a storage license. Newly installed systems come with a storage license that has two terabytes of active storage and two terabytes of extended storage.


HCP systems upgrading to version 7.1 of HCP or newer receive an unlimited storage license for both active and extended storage that lasts for one year.

If an active, extended, or active and extended storage license is exceeded or expires, a warning appears on the System Management Console Overview page under System Status.

Monitoring mechanisms such as syslog, system log messages, and SNMP send reminders every twenty-four hours asking the system administrator to upload a new storage license.

If the HCP system serial number changes, a new license with an updated serial number must be uploaded.

Storage licenses are available for active, economy, and extended storage. To view details about your current license or upload a new license, go to the Storage ► Licenses page of the System Management Console. From there, you can monitor your current license and the license history. The page contains the following information about your current license:

Type — The type of storage that the license covers. The possible types are:

Active — This license type covers used storage capacity. For more information about used storage capacity, see “Capacity and usage” on page 86.

Economy — This license type covers objects tiered to HCP S Series Nodes. Although the license can be monitored through the HCP system, license management is done through the HCP S Series Management Console. For more information about the economy license, see HCP S Series Help.

Extended — This license type covers tiering to additional storage managed by devices outside of the HCP system. This license is not required if tiering through NFS.

HCP system serial number — Is the serial number for the HCP system.

Quote number — Is the storage license number.

Capacity — Is the amount of storage capacity that the license provides.


Expiration date — Is the date that the license expires. There may not be an expiration date.

Status — Describes the current state of the storage license. The possible values are:

OK — The storage license has not been exceeded or expired.

Storage license has expired — The storage license is out of date. Even if the storage license capacity hasn’t been exceeded, a new license needs to be uploaded if the current one expires.

Storage license is not a valid license for this system — The storage license serial number does not match the HCP system serial number. This only occurs if the HCP system serial number changes during an upgrade, but, if it happens, a new license with an updated system serial number must be uploaded.

Usage has exceeded license capacity for (active | extended | active and extended) storage — The storage capacity of the active, extended, or active and extended component of the license has been exceeded. Regardless of which license component has been exceeded, a new license with a larger amount of storage capacity must be uploaded to replace the current one.

The License History panel keeps a record of all licenses uploaded to the system. If a license is uploaded, expires, is in danger of being exceeded, or is exceeded, the event is visible in the License History panel. Click on any event in the panel to see more information about it.

Roles: You need the administrator or monitor role to access the Storage ► Licenses page.

Upload a new storage license

To upload a new storage license:

1. On the Storage ► Licenses page, click on the Upload License button.

2. In the Upload License wizard window, click on the Browse button and navigate to the location of your license key.

3. Click on the Next button.


4. Review your license information.

5. Click on the Finish button.

Roles: In order to upload a storage license, you need the administrator role.


7

Network administration

An HCP system can be configured to support virtual networking. Virtual networking enables the segregation of network traffic between clients and different HCP tenants, between management and data access functions, and between system-level and tenant-level traffic. This segregation enhances the privacy and security of communications over the HCP front-end network.

To implement virtual networking (if the system is configured to support it), you define one or more networks. You then configure the system to use specific networks for specific functions.

This chapter contains:

• An overview of virtual networking with HCP

• An explanation of the Networks page in the HCP System Management Console

• Instructions for creating, modifying, and deleting networks and network aliases

• Instructions for enabling and disabling a network

• Instructions for restarting a network

• Instructions for displaying the DNS zone definitions for one or more network domains

Important: This chapter assumes you already have a solid understanding of network virtualization and experience with configuring physical and logical network components.


About virtual networking with HCP

Virtual networking is a technology that enables the overlay of multiple logical network configurations onto a single physical network. For virtual networking to work, the physical network must include VLAN-capable devices.

HCP supports virtual networking only for the front-end network through which clients communicate with the system and through which different HCP systems communicate with each other. HCP does not support virtual networking for the back-end network through which the HCP nodes communicate with each other.

In HCP, logical network configurations are referred to simply as networks. Each network has a name, an IP mode (IPv4, IPv6, or Dual), one or more subnets defined for the network, IP addresses defined on each subnet for none, some, or all of the nodes in the HCP system, and some other settings.

HCP has two networks that are created during system installation: [hcp_system] and [hcp_backend]. The [hcp_system] network is used for front-end communication with the system. The [hcp_backend] network is the only network used for communication between the nodes in the HCP system. Modifying the [hcp_system] and [hcp_backend] networks requires the service role and should be done only by authorized HCP service providers.

In addition to the [hcp_system] and [hcp_backend] networks, you can create and configure user-defined networks for communication with HCP over the front-end network. In order to create networks, virtual network management must be enabled. You can then configure the system to use the specific networks for specific functions.

You can also create network aliases for user-defined networks. Aliases are pointers to actual networks. For information on network aliases, see “Network aliases” on page 236.

At any given time, the total number of user-defined networks and network aliases together cannot exceed 200.


IP modes

The IP mode for a front-end network determines whether that network can be configured to use IPv4 addresses, IPv6 addresses, or both. HCP has a system-level IP mode setting that determines which types of front-end network IP addresses are supported.

If the system supports both IPv4 and IPv6 addresses (that is, the IP mode is set to Dual), the [hcp_system] network can be configured to use either or both types of IP addresses. However, you can configure a user-defined network to use a specific type of IP address only if the [hcp_system] network is also configured to use that type of IP address.

The IP mode of a front-end network determines the types of IP addresses that can be used for communication between HCP and other devices over that network. For example, if the [hcp_system] network is configured to use only IPv6 addresses, all devices that need to use that network to communicate with HCP must be configured to use IPv6 addresses (or both IPv4 and IPv6 addresses).

If HCP is not currently configured to support a specific type of IP address that is required for communication between HCP and other devices, contact your authorized HCP service provider to request a change to the system configuration.

Front-end network usage

The [hcp_system] network is always used for:

• Access to the HCP System Management Console

• Access to the Tenant Management Console for the default tenant

• Access to the HCP management API using a system-level URL

• Syslog functions at the system and tenant levels

• SNMP functions at the system and tenant levels

• Access to the default namespace using the namespace access protocols

• Access to the HCP metadata query API using a system-level URL

• Access to the HCP Search Console using a system-level URL


• Access to the default namespace using HCP Data Migrator

• Communication between HCP and Active Directory for configuration and for user authentication at the system and tenant levels

• Communication between HCP and RADIUS servers for user authentication at the system and tenant levels

• For SAIN systems, communication between HCP and the storage arrays

• Communication between HCP and any external storage components configured for the system

• Communication between HCP and Hitachi Tiered Storage Manager

• Communication between HCP and Hitachi Device Manager (HDvM)

• Communication between HCP and Hi-Track®

• Access to the HCP system through interfaces reserved for authorized service providers

You can choose to use [hcp_system] or any user-defined network for the following purposes:

• Management of a given HCP tenant, including:

– Access to the Tenant Management Console for the tenant

– Access to the HCP management API using a URL for the tenant

You select the network for this purpose when you create or modify the tenant.

• Access to the namespaces owned by a given HCP tenant, including access through:

– The namespace access protocols

– The Namespace Browser

– The HCP metadata query API using a URL for the tenant

– The HCP Search Console using a URL for the tenant

– HCP Data Migrator


You select the network for this purpose when you create or modify the tenant.

• Communication with other HCP systems in a replication topology. For information on selecting the network for this purpose, see Replicating Tenants and Namespaces.

You can use the same network for multiple purposes. If you don’t choose a network for a purpose, HCP uses [hcp_system] by default.

When you select a network for a given purpose, you need to ensure that your networking infrastructure is configured to allow client requests for that purpose to be routed to that network. HCP responds to each client request on the same network as the one on which the request arrived. Therefore, clients do not need to be on the same subnet as the network they are using to access the system, but they do need to be configured to use at least one IPv4 or IPv6 address that is routable from that network.

Network properties

A user-defined network has these properties:

• A name.

• Optionally, a description.

• Optionally, a VLAN ID (see “Tagged and untagged networks” on page 230).

• A domain (see “Network domains” on page 232).

• A maximum transmission unit (MTU). The MTU is the largest packet size supported for data sent on the network.

The MTU for a network can be 1,500 or, if supported by the networking infrastructure, 9,000. The larger MTU reduces overhead and increases network throughput.

• Whether the network is enabled or disabled. If a network is disabled, HCP does not accept communications routed on that network.

When first created, networks are enabled by default.


• A total number of tenant references. This is the number of tenants that are configured to use the network for management, data access, or both purposes. HCP derives this number from the tenant configurations defined on the system.

For information on this property and on the next property in this list, see “Understanding the tenant list” on page 278.

• If the network is assigned to one or more tenants, a list of tenant references. This list contains the names of the tenants that are configured to use the network and the purpose for which each tenant uses the network (management, data access, or both purposes). HCP obtains this information from the tenant configurations defined on the system.

• A total number of alias references. This is the number of network aliases that are defined for the network. HCP derives this number from the network alias configurations defined on the system.

For more information on this property and on the next property in this list, see “Network aliases” on page 236.

• If one or more aliases are defined for the network, a list of alias references. This list contains the names of the network aliases that are defined for the network. HCP obtains this information from the network alias configurations defined on the system.

• Whether HCP should hide the IP addresses of its master name servers from clients using the network and allow client access to HCP over the network only through specified downstream DNS servers.

For more information on this property and on the next two properties, see “Downstream DNS configuration settings for networks” on page 233.

• Whether HCP should notify specified downstream DNS servers about changes to the zone definition for the network.

• The rate at which the downstream DNS servers should query HCP for updates to the zone definition for the network domain.


• Whether the network supports IPv4 addresses, IPv6 addresses, or both:

– If the network supports IPv4 addresses, the network has these properties:

• An IPv4 gateway. This is the IPv4 address from which system-initiated communications are sent over the network.

• An IPv4 subnet mask.

• An IPv4 subnet. HCP derives the IPv4 subnet for the network from the IPv4 gateway and subnet mask that you specify.

• Optionally, assignments of IPv4 addresses to storage nodes.

The IPv4 addresses for a given network must all be on the IPv4 subnet defined for that network.

Note: If a node has any IP addresses assigned to it for a given network, that node must have an IP address assigned to it on each IPv4 and IPv6 subnet defined for the network.

– If the network supports IPv6 addresses, it has primary IPv6 address settings and, optionally, secondary IPv6 address settings. For each type of IPv6 address settings, the network has these properties:

• An IPv6 gateway. This is the IPv6 address from which system-initiated communications are sent over the network.

Note: Each IPv6 gateway defined for the network can be a global address, a unique local address (ULA), or a link local address (LLA). However, if two IPv6 gateways are defined for the network, you cannot use ULAs for both gateways, and the two gateways must be on separate, non-overlapping IPv6 subnets.

• An IPv6 address prefix length.

• An IPv6 subnet. HCP derives the IPv6 subnet for the network from the IPv6 gateway and IPv6 address prefix length that you specify.


• Optionally, assignments of IPv6 addresses to storage nodes.

The IPv6 addresses for the network must all be on the IPv6 subnet defined for that network.

Note: If a node has any IP addresses assigned to it for a given network, that node must have an IP address assigned to it on each IPv4 and IPv6 subnet defined for the network.

Each network, including the [hcp_system] and [hcp_backend] networks, must use separate, non-overlapping subnets for IPv4 addresses, primary IPv6 addresses, and secondary IPv6 addresses.

• A zone definition. This is the DNS zone definition that is currently used for the network domain. HCP automatically creates and maintains a DNS zone definition for each network defined on the system.

For more information on zone definitions used for HCP, see Appendix E, “Configuring DNS for HCP,” on page 585.

For information on viewing zone definitions used for HCP, see “Viewing the DNS zone definition for a network domain” on page 265.

Tagged and untagged networks

A tagged network is one that has a specified VLAN ID. The VLAN ID is an identifier that’s attached to each packet routed to HCP over that network. This function is performed by the switches in the physical network.

The routing tables in the switches that route requests to the HCP front end must include each VLAN ID you assign to a network. The routing tables associate the VLAN IDs with the network subnets.

A network carries only the packets that have its VLAN ID and ignores all other packets, thereby segregating the traffic on each tagged network from the traffic on other networks.

An untagged network is one for which you don’t specify a VLAN ID. An untagged network ignores all packets that have VLAN IDs.

HCP can have at most one untagged front-end network, including the [hcp_system] network. All other networks must have a VLAN ID.


An untagged network uses the bond0 front-end network interface. When you assign a VLAN ID to a network, HCP creates a logical network interface for the network. This interface is named bond0.xxxx, where xxxx is the VLAN ID, with leading zeroes added if needed to create a four-digit number.

The figure on the next page shows a configuration in which:

• HCP uses the [hcp_system] network with VLAN ID 999 for system-level management purposes

• The tenant named Tenant-1 uses a network named t1 with VLAN ID 7 for tenant management purposes and a network named t1-data with VLAN ID 8 for data access purposes

• HCP uses a network named replication with VLAN ID 200 for replication traffic


[Figure: Requests to the system-level administration network, the Tenant-1 management network (t1), the Tenant-1 data network (t1-data), and the replication network pass through a VLAN-capable switch that associates VLAN ID 999 with the [hcp_system] subnet, VLAN ID 7 with the t1 subnet, VLAN ID 8 with the t1-data subnet, and VLAN ID 200 with the replication subnet. Each node (Node 1, Node 2, and so on) has an IP address in each of the four networks.]
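The rules stated above for networks (subnet derived from gateway and mask, node addresses on that subnet, non-overlapping subnets, at most one untagged network, an MTU of 1,500 or 9,000, and bond0.xxxx interface naming) can be checked against a planned configuration before it is entered in the console. The following is an added example, not HCP code: the PlannedNetwork record, its field names, and the sample addresses are assumptions, and only IPv4 settings are covered.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional


@dataclass
class PlannedNetwork:
    """Hypothetical planning record; field names are assumptions, not HCP API names."""
    name: str
    gateway: str                    # IPv4 gateway
    netmask: str                    # IPv4 subnet mask
    vlan_id: Optional[int] = None   # None means the network is untagged
    mtu: int = 1500
    node_ips: Dict[str, str] = field(default_factory=dict)  # node name -> IPv4 address

    @property
    def subnet(self) -> ipaddress.IPv4Network:
        # The subnet is derived from the gateway and the subnet mask.
        return ipaddress.IPv4Network(f"{self.gateway}/{self.netmask}", strict=False)

    @property
    def interface(self) -> str:
        # Untagged networks use bond0; tagged ones use bond0.xxxx (zero-padded VLAN ID).
        return "bond0" if self.vlan_id is None else f"bond0.{self.vlan_id:04d}"


def validate_plan(networks: List[PlannedNetwork]) -> List[str]:
    """Return one message per violated rule; an empty list means no rule is violated."""
    problems = []
    untagged = [n.name for n in networks if n.vlan_id is None]
    if len(untagged) > 1:
        problems.append(f"more than one untagged network: {', '.join(untagged)}")
    for net in networks:
        if net.mtu not in (1500, 9000):
            problems.append(f"{net.name}: MTU {net.mtu} is not 1500 or 9000")
        for node, addr in sorted(net.node_ips.items()):
            if ipaddress.IPv4Address(addr) not in net.subnet:
                problems.append(f"{net.name}: {node} address {addr} is outside {net.subnet}")
    for a, b in combinations(networks, 2):
        if a.subnet.overlaps(b.subnet):
            problems.append(f"{a.name} ({a.subnet}) overlaps {b.name} ({b.subnet})")
    return problems


# Constructed sample plans. Network names and VLAN IDs follow the configuration
# described above; all addresses are made up for illustration.
GOOD_PLAN = [
    PlannedNetwork("[hcp_system]", "10.0.0.1", "255.255.255.0", 999,
                   node_ips={"node1": "10.0.0.11", "node2": "10.0.0.12"}),
    PlannedNetwork("t1", "10.0.7.1", "255.255.255.0", 7,
                   node_ips={"node1": "10.0.7.11", "node2": "10.0.7.12"}),
    PlannedNetwork("t1-data", "10.0.8.1", "255.255.255.0", 8, mtu=9000,
                   node_ips={"node1": "10.0.8.11", "node2": "10.0.8.12"}),
    PlannedNetwork("replication", "10.0.200.1", "255.255.255.0", 200,
                   node_ips={"node1": "10.0.200.11", "node2": "10.0.200.12"}),
]

BAD_PLAN = [
    PlannedNetwork("[hcp_system]", "10.0.0.1", "255.255.255.0"),            # untagged
    PlannedNetwork("t1", "10.0.7.1", "255.255.255.0", 7,
                   node_ips={"node1": "10.0.7.11", "node2": "10.0.8.12"}),  # node2 off-subnet
    PlannedNetwork("t1-data", "10.0.7.129", "255.255.255.128", 8, mtu=4000),  # inside t1's /24
    PlannedNetwork("replication", "10.0.200.1", "255.255.255.0"),           # second untagged
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, [n.interface for n in plan])
        for problem in validate_plan(plan) or ["no problems found"]:
            print("  ", problem)
```

The overlap check is the one most easily missed by eye: a /25 carved out of another network's /24 looks like a distinct gateway and mask but breaks the traffic segregation the VLANs are meant to provide.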

Network domains

Each network you create must be associated with a domain. The domain can be unique to the network or can be shared among networks. For example, you may want to configure different tenants to use networks associated with different domains, but you may want to configure a single tenant to use management and data networks associated with the same domain.


Clients use network domain names in the URLs that provide access to the HCP system. By associating different domains with different networks, you can brand the system for different customers. For example, the networks you associate with the tenants you create for Customer-1 could all have the domain named object-store.cust1.com.

Assigning different domains to different networks enhances network security because each domain uses a separate certificate to authenticate access requests. If two different networks have two different domains assigned to them, a client cannot use the same credentials to access HCP over both networks. In addition, when a client request uses a domain name for access to HCP, the client making that request has visibility only into the networks that use the specified domain. Thus, a client can retrieve IP addresses only for the networks that it’s authorized to use to access the HCP system.

For more information on domains, see “About domains” on page 401.

Downstream DNS configuration settings for networks

At any time after you create a network, you can change its downstream DNS configuration settings to:

• Enable hidden master for one or more downstream DNS servers

• Enable notify for one or more downstream DNS servers

• Change the DNS refresh rate for all the downstream DNS servers

A downstream DNS server is a DNS server through which client requests are routed to HCP. An upstream DNS server is a DNS server to which HCP routes the outbound communications it initiates (for example, for sending log messages to syslog servers or for communicating with Active Directory). The downstream and upstream DNS servers can be the same servers.

Hidden master

Hidden master is an HCP DNS configuration that’s used to hide the IP addresses of the HCP nodes configured as master name servers from users accessing HCP over a specific network. In a hidden master configuration, the specified downstream DNS servers become the authoritative masters for the zone defined for the network domain. Additionally, in the zone definition that HCP sends, the name server records contain the IP addresses of the downstream DNS servers, and not the IP addresses of the HCP nodes configured as master name servers.


Notify

Notify is a network configuration option that, when enabled for a network, tells HCP to notify only the specified downstream DNS servers whenever any of the network properties changes (including the description). In response to this notification, each specified DNS server sends a request to HCP to get the updated zone definition for the network domain.

Zone definitions with hidden master or notify enabled

When hidden master or notify is enabled for a network, the domain associated with that network must be defined as a secondary zone (also called a slave zone), and not as a stub zone, on the specified downstream DNS servers. If a network domain is defined as a stub zone and:

• You enable hidden master for the network, client requests routed to any of the specified DNS servers fail

• You enable notify for the network, the specified DNS servers do not receive the notify messages

If a stub zone is already defined for a domain associated with a network, and you plan to enable hidden master or notify for that network, change the DNS zone definition type for the domain to secondary before you modify the network.

When hidden master or notify is enabled for a network that’s configured to use a secondary IPv6 subnet, each IPv6 address that’s specified in the downstream DNS server list must either be on the secondary IPv6 subnet or be routable from the primary IPv6 gateway that’s defined for the network.

For more information on zone definitions for HCP, see Appendix E, “Configuring DNS for HCP,” on page 585.

Refresh rate

The refresh rate for a network is the frequency with which the downstream DNS servers poll HCP to check whether the zone definition for the network domain has changed. If the definition has changed, the servers then ask HCP for the updated definition.

The refresh rate always applies to all the downstream DNS servers that have a zone definition for the network domain and is used regardless of whether that zone definition has a type of secondary or stub.

By default, the refresh rate is three hours. If you enable notify and specify all the applicable DNS servers, consider increasing the refresh rate to a much higher value.


Notify does not work with stub zones. Therefore, if the domain is defined as a stub zone, consider decreasing the refresh rate. If DNS failover occurs, the shorter refresh rate may allow clients targeting a failed system over the network to be more quickly redirected to another system in the replication topology. For information on DNS failover, see Replicating Tenants and Namespaces.

You specify the refresh rate for a network as any combination of weeks (W), days (D), hours (H), minutes (M), and seconds (S), using this syntax:

#W#D#H#M#S

These considerations apply:

• In each case, # must be an integer greater than or equal to one.

• If an integer is specified without a time unit, the time unit is assumed to be seconds.

• Time units can be specified in any order.

• Any given time unit can be specified only once.

• Time units are not case sensitive.

• The total time specified must be in the range one through 2,147,483,647 seconds.
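The considerations above amount to a small grammar, so a refresh rate value can be checked before it is submitted. The parser below is an added example, not HCP code; the function names are assumptions, and so is the treatment of a trailing integer with no unit (as in 1H30) as seconds.

```python
import re

# Seconds per unit letter in the #W#D#H#M#S syntax.
UNIT_SECONDS = {"W": 7 * 86400, "D": 86400, "H": 3600, "M": 60, "S": 1}
MAX_TOTAL_SECONDS = 2_147_483_647

# One component: an integer followed by an optional unit letter.
_COMPONENT = re.compile(r"([0-9]+)([A-Za-z]?)")


def parse_refresh_rate(text: str) -> int:
    """Return the refresh rate in seconds; raise ValueError if a rule is broken."""
    value = text.strip()
    if not value:
        raise ValueError("refresh rate is empty")
    total = 0
    seen = set()
    pos = 0
    while pos < len(value):
        match = _COMPONENT.match(value, pos)
        if match is None:
            raise ValueError(f"expected an integer at offset {pos} in {value!r}")
        count = int(match.group(1))
        # An integer with no unit letter is taken as seconds. Assumption: this
        # also applies to a trailing bare integer such as the 30 in "1H30".
        unit = match.group(2).upper() or "S"   # units are not case sensitive
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit {match.group(2)!r}")
        if count < 1:
            raise ValueError(f"{unit} value must be an integer >= 1")
        if unit in seen:
            raise ValueError(f"time unit {unit} is specified more than once")
        seen.add(unit)
        total += count * UNIT_SECONDS[unit]
        pos = match.end()
    # The lower bound of one second is already guaranteed by count >= 1.
    if total > MAX_TOTAL_SECONDS:
        raise ValueError(f"total of {total} seconds exceeds {MAX_TOTAL_SECONDS}")
    return total


def check_refresh_rate(text: str) -> str:
    """Return 'ok: <seconds>' or 'rejected: <reason>' for one candidate value."""
    try:
        return f"ok: {parse_refresh_rate(text)}"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    # Constructed sample inputs covering each rule in the list above.
    for sample in ["3H", "1w2d", "30M1H", "3600", "1H30", "1H1H", "0H", "5X", "3551W"]:
        print(f"{sample:>6} -> {check_refresh_rate(sample)}")
```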

Advanced downstream DNS configuration

A system administrator can activate advanced downstream DNS configuration mode through the management API. The advanced downstream DNS configuration mode offers more control over the HCP system downstream DNS configuration than the basic panel provides. For more information on enabling advanced downstream DNS configuration mode, see the HCP Management API Reference manual.

Once enabled, advanced downstream DNS configuration mode replaces the Downstream DNS Configuration panel of an individual network on the Network ► Network View page with Zone Entry and Forward Zone File fields that let you work directly with the HCP DNS management files. In order to use these fields, you need to have the service role. Using advanced downstream DNS configuration mode is not recommended unless you have an extensive background in networking. User accounts with the monitor role enabled can see the created networks.


Downstream DNS configuration supports 32 downstream DNS servers.

For more information on zone definitions for HCP, see Appendix E, “Configuring DNS for HCP,” on page 585.

For more information on using the advanced downstream DNS configuration mode, see “Changing the advanced downstream DNS configuration settings for a network” on page 257.

Network aliases

A network alias is a named pointer to another network. You can select a network alias for any purpose for which you can select a network. When a network alias is selected for a particular purpose, HCP uses the network the alias points to for that purpose.

For example, suppose you have a network alias named t1-mng that points to a network named tenant-1. If you select t1-mng as the management network for a given tenant, HCP uses the tenant-1 network as the management network for that tenant.

Network aliases are useful in the context of replication, particularly in situations where the network topologies differ between the two systems involved in a given replication link. The two systems, for example:

• May not have the same number of nodes

• May not both have a VLAN-capable networking environment

Because network topologies can differ, HCP doesn’t replicate the definitions of networks and network aliases from one system to another. However, when replicating a tenant, HCP does replicate the names of the networks or aliases associated with that tenant. For the tenant and its namespaces to be accessible on the target system, networks or aliases with those names must be defined on that system.

Here are two replication scenarios that illustrate the use of network aliases:

• One of the HCP systems involved in a given replication link makes extensive use of virtual networking, with each tenant having its own networks for management and data access purposes. None of these networks is [hcp_system]. The other system involved in the link is in a networking environment that is not VLAN capable. As a result, the only front-end network defined on that system is [hcp_system].


To support replication of the tenants on the first system to the second system, for each network used by a tenant on the first system, you create a network alias with the same name on the second system. You define each of these aliases to point to the [hcp_system] network.

• One of the HCP systems involved in a given replication link has networks named t1-mng, t1-data, t2-mng, t2-data, and so forth selected as the management and data access networks for Tenant-1, Tenant-2, and so forth. The other system involved in the link is used exclusively for data access. Therefore, on that system, the segregation of tenant management networks is not important.

On the second system, you want to have a single network for the management of all tenants and a separate network for data access for each tenant. To do this and still support replication of all the tenants from the first system to the second system, on the second system:

– For tenant management, you create a single network named tenant-mng. You also create network aliases named t1-mng, t2-mng, and so forth that all point to the tenant-mng network.

– For data access, you create networks named t1-data, t2-data, and so forth.

HCP does not require that the networks and network aliases defined on one system in a replication pair directly correspond to networks and network aliases on the other system. That is, the name of a network on one system can be the name of an alias on the other system.

For more information on replication, see Replicating Tenants and Namespaces.

These considerations apply to network aliases:

• The target network for a network alias can be a user-defined network or the [hcp_system] network. A network alias cannot point to another network alias.

• A network alias can point to only one network. However, multiple aliases can point to the same network.

Network states

To be used most effectively, a network should have IP addresses defined for each node in the HCP system. This enables HCP to spread the processing load across all nodes for clients using that network.


If a node doesn’t have IP addresses for a given network, that node does not receive communications that come into the system on that network.

However, a network is usable as long as at least one available node is assigned IP addresses for the IPv4 and IPv6 subnets defined for that network.

Depending on the number of nodes that have IP addresses for a network, the network can be in any of these states:

Fully defined — A network is fully defined if all nodes in the system have IP addresses defined for the network.

Partial — A network is partial if at least two nodes have IP addresses defined for the network and at least one node does not have any IP addresses defined for the network.

Degraded — A network is degraded if exactly one node has IP addresses defined for that network.

A degraded network presents a single point of failure for clients using that network for system access.

Empty — A network is empty if no nodes have IP addresses defined for the network. An empty network is not usable.

You cannot select an empty network for tenant management or data access purposes. You cannot select an empty, degraded, or partial network for use with replication.
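The alias rules and network states described above determine whether a replicated tenant is reachable on the target system. The following check is an added example, not HCP code: the inventory dictionaries, node counts and function names are constructed for illustration, and treating a single-node system whose one node has addresses as fully defined rather than degraded is an assumption.

```python
from enum import Enum


class NetworkState(Enum):
    FULLY_DEFINED = "fully defined"
    PARTIAL = "partial"
    DEGRADED = "degraded"
    EMPTY = "empty"


def network_state(nodes_with_ips, total_nodes):
    """Classify a network from how many nodes have IP addresses on it."""
    if nodes_with_ips == 0:
        return NetworkState.EMPTY
    if nodes_with_ips == total_nodes:
        # Assumption: on a one-node system this takes precedence over degraded.
        return NetworkState.FULLY_DEFINED
    if nodes_with_ips == 1:
        return NetworkState.DEGRADED
    return NetworkState.PARTIAL


def usable_for_replication(state):
    """Empty, degraded and partial networks cannot be used with replication."""
    return state is NetworkState.FULLY_DEFINED


def resolve_name(name, networks, aliases):
    """Map a replicated name to a network; return (network, problem)."""
    key = name.lower()  # network names are not case sensitive
    if key in aliases:
        target = aliases[key].lower()
        if target in aliases:
            return None, f"alias {name} points to another alias ({target})"
        if target not in networks:
            return None, f"alias {name} points to undefined network {target}"
        return target, None
    if key in networks:
        return key, None
    return None, f"no network or alias named {name} on the target system"


def check_replicated_tenant(tenant_networks, networks, aliases, total_nodes):
    """Return (name, severity, message) findings for one replicated tenant."""
    nets = {n.lower(): nodes for n, nodes in networks.items()}
    als = {a.lower(): t for a, t in aliases.items()}
    findings = []
    for name in tenant_networks:
        target, problem = resolve_name(name, nets, als)
        if problem:
            findings.append((name, "error", problem))
            continue
        state = network_state(len(nets[target]), total_nodes)
        if state is NetworkState.EMPTY:
            findings.append((name, "error",
                             f"{target} is empty and cannot be selected for "
                             "tenant management or data access"))
        elif state is NetworkState.DEGRADED:
            findings.append((name, "warning",
                             f"{target} is degraded: single point of failure"))
    return findings


# Constructed target-system inventory (4 nodes), modelled on the second
# replication scenario: one shared management network reached through aliases.
TOTAL_NODES = 4
TARGET_NETWORKS = {
    "[hcp_system]": {1, 2, 3, 4},
    "tenant-mng": {1, 2, 3, 4},
    "t1-data": {1, 2, 3},   # partial
    "t2-data": {2},         # degraded
    "t3-data": set(),       # empty
}
TARGET_ALIASES = {
    "t1-mng": "tenant-mng",
    "t2-mng": "tenant-mng",
    "t3-mng": "t2-mng",     # invalid on purpose: alias pointing to an alias
}

if __name__ == "__main__":
    for names in (["t1-mng", "t1-data"], ["t2-mng", "t2-data"],
                  ["t3-mng", "t3-data", "t4-data"]):
        result = check_replicated_tenant(names, TARGET_NETWORKS,
                                         TARGET_ALIASES, TOTAL_NODES)
        print(names, "->", result or "ok")
```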

Isolating networks for storage tiering

A network can be reserved for exclusive communication between an HCP system and an HCP S Series Node or an HCP supported external storage device. This increases tiering security by segregating data tiering to individual networks instead of having all data tiered over one network.

The total number of virtual networks that can tier to individual storage components is 200. In order to designate an individual network to a storage component, you need the administrator role. Users with the monitor role can see which storage components are tiering through which networks.


If a network is assigned to a storage tier, it can still be used for Tenant data management, Tenant network management, and replication. For more information about Tenant management, see “HCP tenant properties” on page 285. For more information about replication, see the Replicating Tenants and Namespaces manual.

In order to give storage components individual networks, Virtual network management must be enabled. For information on enabling Virtual network management, see “About the Advanced Settings panel” on page 247.

A network is only accepted for an individual storage component if each node that belongs to the network has its IP address defined on HCP.

For more information on how to select a network for individual storage components, see:

“Creating an HCP S Series Node component” on page 154

“Creating an extended storage component” on page 164

For more information on selecting a network for existing storage components, see:

“Modifying basic component settings” on page 156

“Modifying an extended storage component” on page 166

Considerations for virtual networking

The following considerations apply to virtual networking with HCP:

• The IP mode of a front-end network determines the type of IP addresses that can be used to communicate with HCP over that network. Before selecting a specific network for a specific purpose, you need to ensure that all devices that need to communicate with HCP for that purpose are configured to use at least one type of IP address supported by that network.

• HCP accepts communications from Active Directory only on the [hcp_system] network. Therefore, if a tenant is configured to use AD for user authentication, that tenant must also be configured to use either the [hcp_system] network or an alias for that network for both management and data access purposes. In addition, each Active Directory domain controller used for HCP user authentication must have at least one IPv4 or IPv6 address that is routable from the [hcp_system] network.


• When using HCP Data Migrator to copy objects between namespaces owned by different tenants, a client must have visibility into the data access networks for both tenants.

• HCP Data Migrator does not support the use of IPv6 networks for communication with HCP. Therefore, to use HCP Data Migrator to access namespaces owned by a given tenant, that tenant must have IPv4 addresses defined for its data access network.

In addition, if the data access network for a tenant has both IPv4 and IPv6 addresses, HCP Data Migrator cannot use a domain name to connect to any namespace owned by that tenant. Instead, HCP Data Migrator must be configured to connect to each namespace using the IPv4 addresses assigned to the nodes for the data access network.

• After HCP is upgraded from release 6.x to release 7.0 or later, by default, the HCP system is configured to support only IPv4 addresses for front-end networks. If you need to use IPv6 addresses for communication between HCP and other devices over the [hcp_system] network or any user-defined network, you need to ensure that when the upgrade is complete, your authorized HCP service provider configures HCP to enable support for IPv6 addresses and then configures the [hcp_system] network to use IPv6 addresses.

• When a new node is added to the HCP system, it automatically has IP addresses on each subnet defined for the [hcp_system] network.

However, it does not have any IP addresses for any user-defined front-end networks. Those networks, therefore, become partial networks. You can assign IP addresses to the new node for each of those networks at any time.

For considerations related to replicating an HCP system that uses virtual networking, see “Network aliases” on page 236 and Replicating Tenants and Namespaces.

About the Networks page

To work with networks and network aliases, you use the Networks page in the HCP System Management Console.

The Networks page has four sections:

• Network View — Lets you view, create, modify, and delete networks and network aliases, and monitor the health of individual networks.


• Node View — Lets you view, add, modify, and delete the IP addresses assigned to each node for each network.

Note: Both the Network View panel and the Node View panel let you view and modify node IP addresses. However, the Network View panel shows the node IP addresses defined for each network, while the Node View panel shows the IP addresses assigned to each node for all networks in which it participates. The Node View panel is particularly useful for assigning IP addresses to nodes that are added to the HCP system after you’ve defined multiple networks.

• All Zone Definitions — Lets you view the DNS zone definitions that HCP uses for all network domains that are currently defined on the HCP system.

Note: You cannot filter the list of DNS zone definitions that are displayed on the All Zone Definitions panel. However, you can use the Network View panel to display all properties of any specific network, including the zone definition information for that network.

For information on displaying zone definition information for a specific network or for all networks defined on the system, see “Viewing the DNS zone definition for a network domain” on page 265.

• Advanced Settings — Lets you enable IP address configurations for the nodes in your networks and enable virtual network management.

To display the Networks page:

1. In the top-level menu, mouse over Configuration to display a secondary menu.

2. In the secondary menu, click on Networks.

The System Management Console opens the Networks ► Network View page.

Roles: To view the Networks page, you need the monitor, administrator or service role. To create, modify, and delete user-defined networks and network aliases, you need the administrator role. To modify the [hcp_system] or [hcp_backend] network, you need the service role.

When you use the Configuration menu to access the Networks page, the Networks ► Network View is displayed by default. You can then use the tabs on the left side of the page to navigate between sections.


About the Network View page

The Networks ► Network View page lets you view, create, modify, and delete networks and network aliases, and monitor the health of individual networks. This panel displays a list of existing networks and network aliases defined for the HCP system and shows basic configuration information and alerts for each network and network alias.

Understanding the network list

The Networks ► Network View contains a list of existing networks and network aliases. For each network, this list shows:

• The network name.

• The IP mode currently used for the network. The IP mode for a network indicates the types of IP addresses that the network is configured to use for each node that participates in the network.

If the IP mode for a network is:

– IPv4, the network is configured to use only IPv4 addresses

– IPv6, the network is configured to use only IPv6 addresses

– IPv4/IPv6, the network is configured to use both IPv4 and IPv6 addresses

• All IPv4 and IPv6 subnets that are defined for the network, shown in CIDR format.

• The name of the network domain.

• None, one, or more alert icons representing problems with the network.

To see the text that accompanies an icon, mouse over the icon.

For information on the alerts that can appear on the Networks ► Network View page, see “Networks page alerts” on page 522.

For each network alias, the list shows:

• The alias name

• The IP mode, IPv4 and IPv6 subnets, and domain name used for the target network


• The alerts that apply to the target network

Additionally, the network list displays this icon in the table row that corresponds to the network or alias that’s currently selected as the replication network:

To view more information about a specific network or network alias, or to modify the configuration settings used for that network or network alias, click on its name in the network list.

Managing the network list

By default, the network list on the Networks ► Network View page includes all existing networks and network aliases. The networks and aliases are listed 20 at a time in ascending order by network or alias name.

You can page through, sort, and filter the list of networks and aliases. The Networks ► Network View page indicates which networks and aliases are shown out of the total number of networks and aliases in the current list.

Paging

You can change the number of networks and aliases that appear on each page of the network list on the Networks ► Network View page. To do this, in the Items per page field, select the number of networks and aliases you want to display on each page in the network list. The options are 10, 20, and 50.

To page forward or backward through the network list, click on the next or back control, respectively.

To jump to a specific page in the network list:

1. In the Page field, type the page number that corresponds to the network list page you want to view.

2. Press Enter.

Sorting

You can sort the networks and aliases in the network list in ascending or descending order by network name or by domain name. To sort the list, click on the column heading for the property by which you want to sort.

Each time you click on the column heading, the sort order switches between ascending and descending.


Filtering

You can use the fields and controls that appear above the network list to filter the items in the list by network name or by network IP mode.

When filtered by network name, the list includes only those networks and aliases that have a name that begins with or is the same as a specified text string.

To filter the list by network name:

1. Select Name from the drop-down list above the network list.

2. In the text field, type the text string that you want to use as a filter.

This string can be up to 64 characters long, can contain any valid UTF-8 characters except commas (,), and is not case sensitive. White space is allowed.

3. Click on the find control.

When filtered by network IP mode, the list includes only those networks and network aliases that have the specified IP mode (IPv4, IPv6, or IPv4/IPv6).

To filter the list by IP mode:

1. Select IP Mode from the drop-down list above the network list.

2. In the text field, type the text string that corresponds to the IP mode that you want to use as a filter:

– Type IPv4 to filter the list to show the networks and network aliases that are configured to use only IPv4 addresses.

– Type IPv6 to filter the list to show the networks and network aliases that are configured to use only IPv6 addresses.

– Type IPv4/IPv6 to filter the list to show the networks and network aliases that are configured to use both IPv4 and IPv6 addresses.

3. Click on the find control.

About the Node View page

The Networks ► Node View page lets you view and modify the IP address assignments for the nodes in the HCP system.

Roles: To view the Node View panel on the Networks page, you need the monitor, administrator or service role. To change IP address assignments for user-defined networks, you need the administrator role. You cannot modify IP addresses for the [hcp_system] or [hcp_backend] networks on the Node View panel.

Understanding the node list

The Networks ► Node View page contains a list of all nodes in the HCP system. For each node, the list shows:

• The node number (node ID).

• The back-end IP address for the node.

• The node status, either OK or Unavailable. You can change the IP addresses for a node regardless of its status.

To view the network IP address assignments for an individual node, click on the node number. In the list of networks that appears, the networks for which the node has IP addresses are listed first, in ascending order by network name. These are followed by the networks for which the node doesn’t have IP addresses, also listed in ascending order by network name.

Managing the node list

By default, the nodes in the node list are listed 20 at a time in ascending order by node number. You can page through and sort the node list. The Networks ► Node View page indicates which nodes are shown out of the total number of nodes in the current list.

Paging

You can change the number of nodes displayed on each page of the node list shown on the Networks ► Node View page. To do this, in the Items per page field, select the number of nodes that you want to display on each page of the node list. The options are 10, 20, and 50.


To page forward or backward through the node list, click on the next or back control, respectively.

To jump to a specific page in the node list:

1. In the Page field, type the page number that corresponds to the node list page that you want to view.

2. Press Enter.

Sorting

You can sort the node list in ascending or descending order by node number. To change the sort order, click on the Node ID column heading.

Each time you click on the column heading, the sort order switches between ascending and descending.

Filtering

You can use the fields and controls that appear above the node list to filter the items in the list by node number or by node status.

When filtered by node number, the list displays only the node with the specified node number.

To filter the list by node number:

1. Select Node ID from the drop-down list above the node list.

2. In the text field, type the node number for the node you want to display in the node list.

3. Click on the find control.

When filtered by node status, the list includes only those nodes that have the specified node status (ok or unavailable).

To filter the list by node status:

1. Select Status from the drop-down list above the node list.

2. In the text field, type the text string that corresponds to the node status that you want to use as a filter:

– Type ok to filter the list to show the nodes that have a status of ok.

– Type unavailable to filter the list to show the nodes that have a status of unavailable.

3. Click on the find control.

About the All Zone Definitions page

The Networks ► All Zone Definitions page lists the zone definitions of all network domains used for each network defined on the system. If you have a network alias, the zone definition displayed is the DNS zone definition that HCP uses for the network that the alias points to.

For more information on zone definitions, see Appendix E, “Configuring DNS for HCP,” on page 585.

About the Advanced Settings panel

The Networks ► Advanced Settings page is used to enable network creation and configure network versions for your nodes. IPv4 addresses are automatically permitted on all nodes in your networks. Selecting Enable IPv6 permits the nodes in your networks to be configured with IPv6 addresses.

By selecting Enable virtual network management, you permit users with the system administrator role to create networks with the Create Network wizard. The wizard can be accessed from the Networks ► Network View page. Virtual network management also permits a system administrator to use the network per storage component tiering. For more information on the network per storage component tiering, see “Isolating networks for storage tiering” on page 238.

Creating a network

You use the Create Network wizard on the Networks ► Network View page to create a new network on the HCP system. In order to use the wizard, a system administrator needs to have enabled Virtual network management.

For more information on Virtual network management, see “About the Advanced Settings panel” on page 247.

When you create a new network with the wizard:

• The network is enabled by default, but it is initially empty. To make the new network usable, you need to modify the initial network configuration to assign IP addresses to one or more nodes.

For instructions on configuring node IP addresses for a new network, see “Assigning IP addresses to nodes for a network” on page 252.


• The network is configured to use the default downstream DNS configuration settings: hidden master is disabled, notify is disabled, and the refresh rate is set to three hours.

For more information about the effects of each setting and for a list of considerations for modifying each setting, see “Downstream DNS configuration settings for networks” on page 233.

For instructions on modifying the default downstream DNS configuration settings after creating a new network, see “Changing the default downstream DNS configuration settings for a network” on page 256.

To create a new network, on the Networks ► Network View page:

1. Click on the Create Network button above the network list to open the Create Network wizard.

2. On the Settings page in the wizard:

– In the Network Name field, type a unique name for the network.

User-defined network names:

• Must be from one through 63 characters long.

• Can contain only characters that are valid in DNS hostnames. In English, valid hostnames can contain only alphanumeric characters and hyphens (-).

• Cannot start or end with a hyphen.

• Cannot contain white space.

• Are not case sensitive.

Additionally, the following words are reserved and cannot be used as network names: none, [hcp_system], and [hcp_backend].

– Optionally, in the Description field, type a description of the network.

This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

– Take one of these actions:

• To create an untagged network, select the Make untagged network option. This option is hidden if an untagged network already exists.


• To create a tagged network, in the VLAN ID field, type a VLAN ID for the network. Valid values are integers in the range one through 4,094.

The VLAN ID field is greyed while the Make untagged network option is selected.

– In the MTU field, select 1500 or 9000.

If an untagged network exists, the MTU that you select cannot be larger than the MTU for the untagged network. If you’re creating an untagged network and an existing network has an MTU of 9,000, the network you’re creating must have an MTU of 9,000. For information on untagged networks, see “Tagged and untagged networks” on page 230.

– In the Domain field, select a domain for the network. The dropdown list does not include domains that have only a CSR and no SSL server certificates.

3. Click on the Next button.

4. On the IP Configuration page in the Create Network wizard, take one of these actions:

– If HCP is configured to support only one type of IP address, the wizard automatically selects the supported IP mode for the new network and displays the fields that you need to use to specify IPv4 or IPv6 configuration settings for the network.

If the wizard displays the IPv4 Configuration section or the IPv6 Configuration section, go to step 5.

– If HCP is configured to support both IPv4 and IPv6 addresses, and the [hcp_system] network is configured to use both IPv4 and IPv6 addresses, you can configure the network to use either or both types of IP addresses.

If the wizard displays the IP Mode section, and does not display any warning messages, select one or both options to set the IP mode for the network:

• To configure the network to use only IPv4 addresses, select only the IPv4 option. When you select this option, the wizard displays the IPv4 Configuration section.


• To configure the network to use only IPv6 addresses, select only the IPv6 option. When you select this option, the wizard displays the IPv6 Configuration section.

• To configure the network to use both IPv4 and IPv6 addresses, select both options.

– If HCP is configured to support both IPv4 and IPv6 addresses, but the [hcp_system] network is configured to use only one type of IP address, you need to configure the new network to use only the type of IP address that the [hcp_system] network uses.

If the wizard displays the IP Mode section, but it also displays a warning message to inform you that the [hcp_system] network is configured to use only one type of IP address, select only the option that corresponds to that type of IP address.

Note: If the wizard displays this warning message, only the supported IP Mode option is selectable. However, you still need to select this option before you can continue specifying configuration settings for the new network.

5. Take either or both of these actions:

– If the HCP system supports only IPv4 addresses, or if you selected the IPv4 option in step 5 above, then in the IPv4 Configuration section:

• In the Gateway field, type the IP address of the gateway that you want to use for the IPv4 subnet.

• In the Subnet Mask field, type the subnet mask that you want to use for the IPv4 subnet.

– If the HCP system supports only IPv6 addresses, or if you selected the IPv6 option in step 5 above, then in the IPv6 Configuration section:

• Under IPv6 Address Settings:

– In the Gateway field, type the IP address of the gateway that you want to use for the primary IPv6 subnet.

– In the Prefix Length field, type the IPv6 address prefix length that you want to use for the primary IPv6 subnet.


• Optionally, to configure a secondary IPv6 subnet for the network, under Secondary IPv6 Address Settings:

– In the Gateway field, type the IP address of the gateway that you want to use for the secondary IPv6 subnet.

– In the Prefix Length field, type the IPv6 address prefix length that you want to use for the secondary IPv6 subnet.

6. Click on the Next button.

7. On the Review page in the Create Network wizard, review the network configuration settings that you entered.

8. Take one of these actions:

– If the configuration settings that you entered are incorrect:

a. Use the Previous and Next buttons to navigate through the wizard and modify your entries on each page, as necessary.

b. When you have corrected all the configuration errors, use the Next buttons to navigate to the Review page.

c. Click on the Finish button to exit the wizard and create an empty network with the specified configuration.

– If the configuration settings that you entered are correct, click on the Finish button to exit the wizard and create an empty network with the specified configuration settings.

When you exit the wizard, the Network View panel displays the IP Configuration panel for the new network, showing the IPv4 and IPv6 subnet configuration information that you entered in the Create Network wizard.

You can use the IP Configuration panel to assign IP addresses to one or more nodes for the new network.

For instructions on using the IP Configuration panel to configure node IP addresses for a new network, see “Using the Network View page to configure node IP addresses for a network” on page 252.

Optionally, from the IP Configuration panel, you can click on the appropriate tab to open the Settings panel, and then use the Settings panel to change the default downstream DNS settings for the network.


For instructions on using the Settings panel to view and change the downstream DNS settings for a network, see “Changing the default downstream DNS configuration settings for a network” on page 256.
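The Settings page rules in the procedure above (network name, VLAN ID, MTU and description) can be checked against an inventory of existing networks before the wizard is run. The following validator is an added example, not HCP code: the inventory format and function name are hypothetical, and network names are restricted to ASCII letters, digits and hyphens on the assumption that the English hostname rule applies.

```python
import re

RESERVED_NAMES = {"none", "[hcp_system]", "[hcp_backend]"}
ALLOWED_MTUS = (1500, 9000)
MAX_DESCRIPTION_CHARS = 1024

# 1 through 63 characters, alphanumerics and hyphens, no leading or
# trailing hyphen, no white space (assumption: ASCII only).
_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_new_network(name, existing, vlan_id=None, untagged=False,
                         mtu=1500, description=""):
    """Return (field, message) violations; an empty list means no violation.

    existing is a hypothetical inventory: a list of dicts with the keys
    "name" (str), "untagged" (bool) and "mtu" (int).
    """
    errors = []

    # Network name rules.
    if name.lower() in RESERVED_NAMES:
        errors.append(("name", f"{name} is a reserved word"))
    elif not _NAME.fullmatch(name):
        errors.append(("name", "must be 1 through 63 alphanumeric or hyphen "
                               "characters and cannot start or end with a hyphen"))
    if name.lower() in {net["name"].lower() for net in existing}:
        errors.append(("name", "name is already in use (not case sensitive)"))

    if len(description) > MAX_DESCRIPTION_CHARS:
        errors.append(("description", "longer than 1,024 characters"))

    # Tagged versus untagged.
    untagged_net = next((net for net in existing if net["untagged"]), None)
    if untagged:
        if untagged_net is not None:
            errors.append(("tagging", "an untagged network already exists: "
                                      f"{untagged_net['name']}"))
        elif vlan_id is not None:
            errors.append(("tagging", "an untagged network has no VLAN ID"))
    elif not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
        errors.append(("tagging", "VLAN ID must be an integer from 1 through 4,094"))

    # MTU rules, including the coupling with the untagged network.
    if mtu not in ALLOWED_MTUS:
        errors.append(("mtu", "MTU must be 1500 or 9000"))
    elif untagged:
        if mtu != 9000 and any(net["mtu"] == 9000 for net in existing):
            errors.append(("mtu", "an existing network has an MTU of 9000, "
                                  "so the untagged network must also use 9000"))
    elif untagged_net is not None and mtu > untagged_net["mtu"]:
        errors.append(("mtu", "MTU cannot be larger than the MTU of the "
                              f"untagged network ({untagged_net['mtu']})"))
    return errors


# Constructed inventories for the two MTU cases described in the procedure.
ONLY_TAGGED_9000 = [{"name": "t1-data", "untagged": False, "mtu": 9000}]
UNTAGGED_1500 = [{"name": "flat", "untagged": True, "mtu": 1500}]

if __name__ == "__main__":
    print(validate_new_network("flat", ONLY_TAGGED_9000, untagged=True, mtu=1500))
    print(validate_new_network("t3-data", UNTAGGED_1500, vlan_id=130, mtu=9000))
    print(validate_new_network("t2-data", ONLY_TAGGED_9000, vlan_id=120, mtu=9000))
```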

Assigning IP addresses to nodes for a network

You can use either the Networks ► Network View page or the Networks ► Node View page to assign IP addresses to one or more nodes for each network defined on the HCP system:

• Use the Networks ► Network View page to configure node IP addresses for a specific network.

• Use the Networks ► Node View page to assign IP addresses to each node for one or more networks.

The next two sections provide instructions for assigning IP addresses to nodes for a network using the Networks ► Network View page and using the Networks ► Node View page, respectively.

Using the Network View page to configure node IP addresses for a network

To use the Networks ► Network View page to configure node IP addresses for a network:

1. On the Networks ► Network View page, in the network list, click on the name of the network that you want to configure.

2. In the panel that opens, click on the IP Configuration tab.

3. On the IP Configuration panel, in the node IP addresses table at the bottom of the page, specify the IPv4 and IPv6 addresses that you want to assign to each node included in the network:

– To assign an IPv4 address to a node, in the row for that node, in the text field in the IPv4 Address column, type the IP address that you want to assign to the node on the IPv4 subnet.


– To assign a primary IPv6 address to a node, in the row for that node, in the text field in the IPv6 Address column, type the IP address that you want to assign to the node on the primary IPv6 subnet.

– To automatically generate a primary IPv6 address for each node in the HCP system, click on the Calculate Primary button.

Notes:

• If any node already has a primary IPv6 address for the network, the generated primary IPv6 address overwrites the existing address.

• You can use the Calculate Primary button to generate primary IPv6 addresses only if the primary IPv6 address prefix length is 64 or greater.

– To assign a secondary IPv6 address to a node, in the row for that node, in the text field in the IPv6 Address column, type the IP address that you want to assign to the node on the secondary IPv6 subnet.

– To automatically generate a secondary IPv6 address for each node in the HCP system, click on the Calculate Secondary button.

Notes:

• If any node already has a secondary IPv6 address for the network, the generated secondary IPv6 address overwrites the existing address.

• You can use the Calculate Secondary button to generate secondary IPv6 addresses only if the secondary IPv6 address prefix length is 64 or greater.

Note: Fields and buttons used to assign IPv4 and IPv6 addresses to nodes appear only when the appropriate IP Mode options are selected on the IP Configuration panel. The IPv4 Address column in the node list table appears only when the IPv4 option is selected. The IPv6 Address and Secondary IP Address columns in the node list table and the Calculate Primary and Calculate Secondary buttons under the node list table appear only when the IPv6 option is selected.


4. Click on the Update Settings button.

A warning message appears asking you to confirm the changes you’ve made to the IP configuration settings for the network.

5. In the field in the message window, type YES. This is case sensitive.

6. Click on the Update Settings button.

Using the Node View page to assign network IP addresses to a node

To use the Networks  Node View page to assign IP addresses to a node for one or more networks:

1. On the Networks  Node View page, in the node list, click on the number of the node to which you want to assign network IP addresses.

2. On the panel that opens, in the Network Settings table, specify the IP addresses that you want to assign to the node for each network in which you want to include that node:

– To assign an IPv4 address to a node for a network, in the row for that network, in the IP field, type the IP address that you want to assign to the node on the IPv4 subnet defined for the network.

– To assign a primary IPv6 address to a node for a network, in the row for that network, in the Primary IP field, type the IP address that you want to assign to the node on the primary IPv6 subnet defined for the network.

– To automatically generate a primary IPv6 address for the node for each network that is configured to use a primary IPv6 subnet:

a. At the top of the panel, click on Calculate IPv6 Addresses.

b. In the Calculate IPv6 Addresses section, click on the Calculate Primary button.

Notes:

• If any node already has a primary IPv6 address for the network, the generated primary IPv6 address overwrites the existing address.

• You can use the Calculate Primary button to generate primary IPv6 addresses only if the primary IPv6 address prefix length is 64 or greater.

– To assign a secondary IPv6 address to a node for a network, in the row for that network, in the Secondary IP field, type the IP address that you want to assign to the node on the secondary IPv6 subnet defined for the network.

– To automatically generate a secondary IPv6 address for the node for each network that is configured to use a secondary IPv6 subnet:

a. At the top of the panel, click on Calculate IPv6 Addresses.

b. In the Calculate IPv6 Addresses section, click on the Calculate Secondary button.

Notes:

• If any node already has a secondary IPv6 address for the network, the generated secondary IPv6 address overwrites the existing address.

• You can use the Calculate Secondary button to generate secondary IPv6 addresses only if the secondary IPv6 address prefix length is 64 or greater.

3. At the bottom of the page, click on the Update Settings button.

A warning message appears asking you to confirm the changes you’ve made to the networks for which you’ve assigned IP addresses to the node.

4. In the field in the message window, type YES. This is case sensitive.

5. Click on the Update Settings button.


Changing the default downstream DNS configuration settings for a network

When you create a new network with the Create Network wizard, the network is configured to use these default downstream DNS configuration options:

• Hidden master is disabled

• Notify is disabled

• The refresh rate is three hours

Once you have created a new network, at any time, you can use the Networks  Network View page to change these default settings.

For more information about the effects of each setting and for a list of considerations for modifying each setting, see “Downstream DNS configuration settings for networks” on page 233.

To change the default downstream DNS configuration settings for a network:

1. On the Networks  Network View page, click on the name of the network for which you want to change the default downstream DNS configuration settings.

2. Take one of these actions:

– If the Settings panel opens, go to step 4.

– If the IP Configuration panel opens, click on the Settings tab at the top of the panel to display the Settings panel.

3. On the Settings panel, click on the Downstream DNS Configuration link to view the downstream DNS configuration settings.

4. In the Downstream DNS Configuration section:

– To enable hidden master, select the Enable hidden master option.

– To enable notify, select the Enable notify option.


– If you are enabling hidden master or notify, in the Downstream DNS Servers field, type a comma-separated list of between one and ten downstream DNS server IP addresses. Spaces are not allowed.

Note: If a secondary IPv6 subnet is defined for the network, then each IPv6 address that you specify in the downstream DNS server list must either be on the secondary IPv6 subnet or be routable from the primary IPv6 gateway that’s defined for the network.

– To change the refresh rate, in the Refresh Rate field, type the new refresh rate. For valid values for the refresh rate, see “Refresh rate” on page 234.

Changing the advanced downstream DNS configuration settings for a network

If advanced downstream DNS configuration mode is enabled and you have the service role, you can use the Networks  Network View page to directly access the UNIX IP address management for any forward facing network you created, including [hcp_system].

Changes made in advanced downstream DNS configuration mode need to be manually applied to all nodes added to the system. HCP generates a system log message that alerts you if you need to add new nodes to the zone file. If your changes are compatible with new system versions, all modifications carry over through future system upgrades.

To change the advanced downstream DNS configuration settings for a network:

1. On the Networks  Network View page, click on the network for which you want to change the advanced downstream DNS configuration settings.

2. In the Zone Entry field, make all of your necessary changes. For more information on the Zone Entry field, see Appendix E, “Configuring DNS for HCP,” on page 585.

3. In the Forward Zone field, make all of your necessary changes. For more information on the Forward Zone field, see Appendix E, “Configuring DNS for HCP,” on page 585.

4. Perform one of the following actions:


– If you want to discard your changes, click on the Reset Zone Entry and File button. This resets the network to its default downstream DNS configuration settings. For more information on the downstream DNS configuration default settings, see “Changing the default downstream DNS configuration settings for a network” on page 256.

– If you want to keep your changes, click on the Update Settings button.

Once you click on the Update button, HCP performs a syntax validation check and applies your changes to the HCP system. Before the changes can take effect, however, a system reboot is required.

During the reboot, if the HCP system finds any issues with your DNS configuration, it reverts all forward facing networks to their default downstream DNS configuration value. If this occurs, advanced downstream DNS configuration mode remains enabled but your changes are not saved.

Once your HCP system reboots, it’s recommended that you test your DNS access to HCP. If you do not want to keep your changes, click on the Reset Zone Entry and File button in the Advanced DNS Downstream Configuration panel.

Creating a network alias

To create a network alias, on the Networks  Network View page:

1. Click on the Create Network Alias button above the network list to open the Create Network Alias wizard.

2. On the Settings page in the wizard:

– In the Network Name field, type a unique name for the network alias. Alias names follow the same rules as network names. For these rules, see “Creating a network” on page 247.

– In the Aliased Network field, select the network for which you’re creating the alias.

3. Click on the Next button.

4. On the Review page in the Create Network Alias wizard, review the network alias configuration settings that you entered.


5. Take one of these actions:

– If the configuration settings that you entered are incorrect:

a. Click on the Previous button to return to the Settings page of the wizard and modify your entries as necessary.

b. When you have corrected all the configuration errors, click on the Next button to return to the Review page.

c. Click on the Finish button to exit the wizard and create the specified alias for the specified network.

– If the configuration settings that you entered are correct, click on the Finish button to exit the wizard and create the specified alias for the specified network.

Viewing and modifying properties of a network or network alias

You can use the Networks  Network View page to view all properties of a network or network alias. You can also use this panel to modify any configurable properties of a network or network alias.

You can use the Networks  Node View page to view the network name, IPv4 and IPv6 subnets, and node IP address assignments that are defined for each existing network on the HCP system. You can also use this panel to modify the network IP address assignments that are defined for each node for each existing network on the HCP system.

You can use either the Networks  All Zone Definitions page or the Networks  Network View page to view the DNS zone definition that HCP uses for a network:

• Use the Networks  Network View page to view the DNS zone definition that HCP uses for a specific network.

• Use the Networks  All Zone Definitions page to view the DNS zone definitions that HCP uses for all existing networks.


Viewing properties of a network or network alias on the Network View page

To use the Networks  Network View page to view the properties of a network or network alias, click on its name in the network list. The properties of the network or network alias are displayed on three separate panels: Settings, IP Configuration, and Zone Definitions.

If there are no alerts associated with a network or network alias, when you click on its name to view its properties, the Settings panel opens. If an alert is associated with a network or network alias, when you click on its name to view its properties, the panel that opens is the one used to display the configuration settings that you need to change to fix the problem indicated by the alert.

You can use the tabs at the top of each panel to navigate between the three panels. To display a specific panel, click on the corresponding tab.

The next three sections list the network and network alias properties that are displayed on the Settings, IP Configuration, and Zone Definitions panels, respectively.

Network and network alias properties displayed on the Settings panel

The Settings panel displays different properties for networks and network aliases.

For a network, the Settings panel displays these properties:

• The name of the network.

• Whether the network is enabled or disabled.

• The network description (if configured).

• The maximum transmission unit (MTU) used for the network.

• The domain associated with the network. (For more information, see “Network domains” on page 232.)

• The total number of tenant references defined for the network or network alias. This is the number of tenants that are configured to use the network for data access, management, or both purposes.


• The tenant reference list for the network or network alias. This list contains the names of the tenants that are configured to use the network and the purpose for which each tenant uses the network (data access, management, or both purposes).

• The total number of alias references defined for the network. This is the total number of aliases that point to the network.

• The alias reference list for the network. This list contains the names of the network aliases that have been defined for the network.

• The downstream DNS configuration settings for the network. (For more information on these settings, see “Downstream DNS configuration settings for networks” on page 233.)

• The advanced Downstream DNS Configuration settings for the network, if the mode is enabled. For more information on these settings, see “Advanced downstream DNS configuration” on page 235.

For a network alias, the Settings panel displays these properties:

• The name of the network alias.

• The name of the targeted network. This is the network that the alias points to.

• The total number of tenant references defined for the network alias. This is the number of tenants for which the alias is selected as the data access network, the management network, or both networks.

• The tenant reference list for the network alias. This list contains the names of the tenants for which the alias is selected as the data access network, the management network, or both networks.

• The following properties of the targeted network:

– The network description (if configured).

– The maximum transmission unit (MTU) used for the network.

– The domain associated with the network. (For more information, see “Network domains” on page 232.)

– The total number of alias references defined for the network. This is the total number of aliases that point to the network.

– The alias reference list for the network. This list contains the names of the network aliases that have been defined for the network.


– The downstream DNS configuration settings for the network. (For more information on these settings, see “Downstream DNS configuration settings for networks” on page 233.)

Network and network alias properties displayed on the IP Configuration panel

When you click on the name of a network in the network list, the IP Configuration panel displays the IP configuration properties defined for that network.

When you click on the name of a network alias in the network list, the IP Configuration panel displays the IP configuration properties defined for the targeted network (that is, the IP configuration properties defined for the network that the alias points to).

The IP Configuration panel displays these properties for a network or for the targeted network of an alias:

• The IP Mode settings that are used for the network. These settings determine whether the network supports IPv4 addresses, IPv6 addresses, or both.

• In the IP Mode section on the panel, if the IPv4 option is selected, then the network supports IPv4 addresses, and the IP Configuration panel displays these properties:

– The IPv4 gateway and subnet mask that are defined for the network.

– The IPv4 subnet that is defined for the network. HCP derives the IPv4 subnet from the IPv4 gateway and subnet mask that are configured for the network.

– The IPv4 addresses that are assigned to the nodes that are included in the network (if any). These addresses must be on the IPv4 subnet defined for the network.

• If the IPv6 option is selected, indicating that the network supports IPv6 addresses, the IP Configuration panel displays these properties:

– The primary IPv6 gateway and the primary IPv6 address prefix length that are defined for the network.


– The primary IPv6 subnet that is defined for the network. HCP derives the primary IPv6 subnet for the network from the IPv6 gateway and IPv6 address prefix length that are configured for the network.

– The primary IPv6 addresses that are assigned to the nodes that are included in the network (if any). These addresses must be on the primary IPv6 subnet defined for the network.

– Whether or not a secondary IPv6 subnet is defined for the network.

– If a secondary IPv6 subnet is defined for the network, the IP Configuration panel displays these additional properties:

• The secondary IPv6 gateway and the secondary IPv6 address prefix length that are defined for the network.

• The secondary IPv6 subnet that is defined for the network. HCP derives the secondary IPv6 subnet for the network from the IPv6 gateway and IPv6 address prefix length that are configured for the network.

• The secondary IPv6 addresses that are assigned to the nodes that are included in the network. These addresses must be on the secondary IPv6 subnet defined for the network.

• A list of nodes that do not have any IPv4 or IPv6 addresses assigned to them for the network. These nodes are not included in the network.

Network and network alias properties displayed on the Zone Definitions panel

HCP automatically creates and maintains a DNS zone definition for the network domain used for each network defined on the system.

When you click on the name of a network in the network list, the Zone Definitions panel displays the DNS zone definition that HCP uses for that network.

When you click on the name of a network alias in the network list, the Zone Definitions panel displays the DNS zone definition that HCP uses for the targeted network (that is, the DNS zone definition that HCP uses for the network that the alias points to).

For more information on viewing the DNS zone definitions that HCP uses for a specific network or for all existing networks, see “Viewing the DNS zone definition for a network domain” on page 265.


Viewing properties of a network on the Node View page

You can use the Networks  Node View page to view the network name and the IPv4 and IPv6 subnets that are defined for each existing network on the HCP system. You can also use this page to view the network IP address assignments that are defined for each node for each existing network on the HCP system.

To use the Networks  Node View page to view the name and subnets that are defined for each existing network on the HCP system, and to view all network IP address assignments that are defined for a specific node, click on its node number (that is, its node ID) in the node list. The page that opens displays the Network Settings table for the node.

The Network Settings table shows the following properties for each network that is defined on the HCP system:

• The name of the network.

• Whether the node is included in the network. To be included in the network, the node must have a separate IP address on each IPv4 and IPv6 subnet that is defined for the node.

• If the network is configured to support IPv4 addresses:

– The IPv4 subnet that is defined for the network, shown in CIDR format.

– If the node is included in the network, the IPv4 address assigned to the node for the network. This address must be on the IPv4 subnet that is defined for the network.

• If the network supports IPv6 addresses:

– The primary IPv6 subnet that is defined for the network (shown in CIDR format).

– If the node is included in the network, the primary IPv6 address assigned to the node for the network. This address must be on the primary IPv6 subnet that is defined for the network.

– Whether the network is configured to use a secondary IPv6 subnet.

– If used, the secondary IPv6 subnet that is defined for the network (shown in CIDR format).


– If the network is configured to use a secondary IPv6 subnet and if the node is included in the network, the secondary IPv6 address that is assigned to the node for the network. This address must be on the secondary IPv6 subnet that is defined for the network.

Viewing the DNS zone definition for a network domain

If you’re using DNS for domain name resolution, you need to add each domain you associate with a network to your DNS. If the domain for the network you’re using for replication is shared with other networks, you need to add this additional domain to the DNS: replication.admin.replication-network-domain-name

You can use either the Networks  All Zone Definitions page or the Networks  Network View page to view the DNS zone definition that HCP uses for a network:

• Use the Networks  Network View page to view the DNS zone definition that HCP uses for a specific network.

• Use the Networks  All Zone Definitions page to view the DNS zone definitions that HCP uses for all existing networks.

The DNS zone definition for each network domain is displayed in the format used for DNS zone definitions on Unix DNS servers. To add a network domain to your DNS, you can copy its DNS zone definition directly from the HCP System Management Console into your DNS.

If hidden master or notify is enabled for a network, the domain associated with that network is defined as a slave zone. Otherwise, the network domain is defined as a stub zone.

For more information on configuring DNS domains for HCP, see Appendix E, “Configuring DNS for HCP,” on page 585.

Viewing the DNS zone definition for a specific network

To display the DNS zone definition for the domain associated with a specific network:

1. On the Networks  Network View page, in the network list, click on the name of the network for which you want to display the DNS zone definition, or click on the name of an alias that points to that network.

2. At the top of the panel that opens, click on the Zone Definitions tab.


The Zone Definitions panel opens. This panel shows the slave or stub zone definition that HCP uses for the network domain, formatted as shown in this example:

    # net5 Network for Customer-1
    zone "object-store.cust1.com" IN {
        type slave;
        file "/var/named/slave/object-store.cust1.com";
        masters {
            192.168.10.101;
            2001:0db8::101;
            192.168.10.102;
            2001:0db8::102;
            192.168.10.103;
            2001:0db8::103;
            192.168.10.104;
            2001:0db8::104;
        };
    };

Tip: You can use the Zone Definition link on the Replication page to show the zone definition for a user-defined network that’s selected for replication. For more information on this, see Replicating Tenants and Namespaces.
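The zone definition shown above can be checked mechanically before or after you copy it into your DNS. The following added example (not HCP code and not part of the original manual) parses a stanza in that format and compares its masters list with the node addresses you expect; the function names, the EXPECTED_NODES list, and the node address ending in .105 are assumptions constructed for illustration.

```python
import ipaddress
import re

# The zone definition from the example on this page, used as sample input.
PAGE_ZONE = """# net5 Network for Customer-1
zone "object-store.cust1.com" IN {
    type slave;
    file "/var/named/slave/object-store.cust1.com";
    masters {
        192.168.10.101;
        2001:0db8::101;
        192.168.10.102;
        2001:0db8::102;
        192.168.10.103;
        2001:0db8::103;
        192.168.10.104;
        2001:0db8::104;
    };
};
"""

# Constructed inventory: the eight addresses above plus one node added later.
EXPECTED_NODES = [
    "192.168.10.101", "2001:db8::101", "192.168.10.102", "2001:db8::102",
    "192.168.10.103", "2001:db8::103", "192.168.10.104", "2001:db8::104",
    "192.168.10.105",
]


def parse_zone(text):
    """Parse one zone stanza in the format shown on the Zone Definitions panel."""
    # Drop '#' comment lines such as the network label above the stanza.
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    stanza = re.search(r'zone\s+"([^"]+)"\s+IN\s*\{(.*)\}\s*;', "\n".join(lines), re.S)
    if stanza is None:
        raise ValueError("no zone stanza found")
    name, inner = stanza.groups()
    ztype = re.search(r"\btype\s+(\w+)\s*;", inner)
    masters = re.search(r"\bmasters\s*\{([^}]*)\}", inner)
    if ztype is None or masters is None:
        raise ValueError("zone stanza lacks a type or masters clause")
    addrs = [ipaddress.ip_address(a.strip())
             for a in masters.group(1).split(";") if a.strip()]
    return {"name": name, "type": ztype.group(1), "masters": addrs}


def audit_masters(zone, node_addresses):
    """Return (missing, unexpected) for a parsed zone.

    missing:    expected node addresses that the masters list does not contain
    unexpected: masters that are not in the expected node address list
    """
    expected = {ipaddress.ip_address(a) for a in node_addresses}
    listed = set(zone["masters"])
    # Sort by string form: IPv4 and IPv6 address objects cannot be ordered together.
    return sorted(expected - listed, key=str), sorted(listed - expected, key=str)


if __name__ == "__main__":
    zone = parse_zone(PAGE_ZONE)
    missing, unexpected = audit_masters(zone, EXPECTED_NODES)
    print(zone["name"], zone["type"], len(zone["masters"]), "masters")
    print("missing from masters:", [str(a) for a in missing])
    print("unexpected masters:", [str(a) for a in unexpected])
```

An unexpected entry is a server that your DNS would accept zone data from, so it deserves review before the definition is loaded; a missing entry usually means a node was added after the definition was copied.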

Viewing the DNS zone definitions for all existing networks

To display the DNS zone definitions for all network domains defined on the HCP system, go to the Networks  All Zone Definitions page.

The Networks  All Zone Definitions page shows the DNS zone definitions that HCP uses for all existing network domains.


Considerations for modifying properties of networks and network aliases

The following considerations apply to modifying properties of networks and network aliases:

• You can modify only the configurable properties of a network or network alias. You cannot modify any property that has a value that’s generated or derived by HCP.

• You cannot change the name of a network while that network is associated with a tenant or referenced by an alias. You cannot change the name of an alias while that alias is associated with a tenant.

• You cannot change a network to an alias or an alias to a network.

• When you take any of these actions for a network, communication on that network is temporarily disrupted:

– Modify the VLAN ID or MTU. However, in the case of MTU, applications may not notice the disruption.

– Modify the IPv4 gateway or netmask (if defined)

– Modify the primary or secondary IPv6 gateway or IPv6 address prefix length (if defined)

– Add or remove all settings for the secondary IPv6 configuration, including the gateway, prefix length, and node IP addresses

– Disable support for IPv4 addresses, which automatically removes all IPv4 configuration settings, including the gateway, subnet mask, and node IP addresses. (Removing all these settings automatically disables support for IPv4 addresses.)

– Disable support for IPv6 addresses, which automatically removes all IPv6 configuration settings, including the gateway, prefix length, and node IP addresses for the primary IPv6 subnet and, if defined, for the secondary IPv6 subnet. (Removing all these settings automatically disables support for IPv6 addresses.)

– Add or remove the IP address assignments for one or more nodes.


• The following considerations apply to modifying the IP Configuration settings for a network:

– The [hcp_system] network IP mode determines the IP modes that are supported for user-defined networks:

• You can configure a network to use a specific type of IP address (IPv4 or IPv6) only if the [hcp_system] network is also configured to use that type of IP address. However, if the [hcp_system] network is configured to use both IPv4 and IPv6 addresses, you can configure a network to use only IPv4 addresses, only IPv6 addresses, or both types of IP addresses.

• If the [hcp_system] network is configured to use IPv6 addresses, you can configure a network to use a primary IPv6 subnet and, optionally, a secondary IPv6 subnet. The number of IPv6 subnets that are defined for the [hcp_system] network does not affect the number of IPv6 gateways that can be defined for a user-defined network.

– To configure a network to use an IPv4 subnet, you need to define both the gateway and the subnet mask for that IPv4 subnet.

– You can assign IPv4 addresses to nodes for a network only if an IPv4 subnet is defined for that network. All IPv4 addresses defined for a network must be on the IPv4 subnet defined for that network.

– To configure a network to use an IPv6 subnet (whether it’s a primary or secondary IPv6 subnet), you need to define both the gateway and the prefix length for that subnet.

– A secondary IPv6 subnet can be defined for a network only if a primary IPv6 subnet is also defined for that network.

– When hidden master or notify is enabled for a network, if you configure that network to use a secondary IPv6 subnet, you also need to review and, if necessary, modify the list of downstream DNS server IP addresses configured for that network to ensure that each IPv6 address either is on the secondary IPv6 subnet or is routable from the primary IPv6 gateway that’s defined for the network.

– You can assign primary IPv6 addresses to nodes for a network only if a primary IPv6 subnet is defined for that network. All primary IPv6 addresses defined for a network must be on the primary IPv6 subnet defined for that network.


– You can assign secondary IPv6 addresses to nodes for a network only if a secondary IPv6 subnet is defined for that network. All secondary IPv6 addresses defined for a network must be on the secondary IPv6 subnet defined for that network.

– To include a node in a network, you need to assign a separate IP address to that node on each IPv4 and IPv6 subnet that is defined for the network.

Note: To configure a partial network, you need to ensure that each node in the HCP system either has no IP addresses for the network or has an IP address on every IPv4 and IPv6 subnet that is defined for the network.

• Selecting a different domain for a network has no effect on requests currently being serviced over that network. However, in subsequent requests, clients using that network need to specify the new domain name in the request URL.

• If the HCP system is configured for DNS and you select a different domain for a network, make sure you change the domain name in the DNS to specify the name of the new domain for the network.

• After you select a different domain for a network that’s being used for tenant management, any clients connected to the Tenant Management Console for the applicable tenants at the time of the change need to close all browser windows to clear cookies so they can access the Console using the new domain name.

• If you select a different domain for the network that’s used for replication and the other system in the replication pair identifies the current system by its domain name, you need to modify the domain name in the definition of the replication link. Similarly, if you change the node IP addresses for the network that’s used for replication and the other system in the replication pair identifies the current system by its IP addresses, you need to modify the IP addresses in the definition of the replication link.

• For the network that’s currently selected for replication, all nodes must have IP addresses. You can change but cannot remove IP addresses for that network.

• You can disable or reenable a network at any time. If you disable the network that’s currently selected for replication, the status of all replication links in which the HCP system participates changes to broken, and replication or recovery, as applicable, stops on those links. If you then reenable the network, replication or recovery resumes automatically on those links.
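Because updating IP assignments temporarily disrupts communication on the network, it helps to check a planned layout against the IP Configuration considerations above, and against the Downstream DNS Servers field rules given earlier, before typing it into the Console. The following added example is not HCP code and not part of the original manual; the plan dictionary layout, the function names, and every gateway, mask, and DNS server value are assumptions constructed for illustration.

```python
import ipaddress

MAX_DNS_SERVERS = 10  # the page allows between one and ten downstream DNS servers


def derive_subnet(gateway, size):
    """Subnet from a gateway plus a subnet mask (IPv4) or prefix length (IPv6)."""
    return ipaddress.ip_network(f"{gateway}/{size}", strict=False)


def check_dns_list(field, subnets):
    """Check a Downstream DNS Servers field value; None means the field is unused."""
    if field is None:
        return []
    problems = []
    if " " in field:
        problems.append("downstream DNS list contains spaces")
    entries = field.split(",")
    if not 1 <= len(entries) <= MAX_DNS_SERVERS:
        problems.append(f"downstream DNS list has {len(entries)} entries, "
                        f"expected 1-{MAX_DNS_SERVERS}")
    secondary = subnets.get("ipv6_secondary")
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            problems.append(f"downstream DNS entry {entry!r} is not an IP address")
            continue
        # Routability cannot be decided offline, so off-subnet IPv6 servers are flagged.
        if secondary is not None and addr.version == 6 and addr not in secondary:
            problems.append(f"downstream DNS {addr} is off the secondary IPv6 subnet; "
                            "confirm it is routable from the primary IPv6 gateway")
    return problems


def check_network(plan):
    """Return a list of problems in a planned network definition (empty if none).

    plan["subnets"]: defined subnets only, each as (gateway, mask or prefix length),
                     keyed "ipv4", "ipv6_primary", "ipv6_secondary"
    plan["nodes"]:   {node_id: {subnet_key: address}}
    plan["dns_servers"]: text for the Downstream DNS Servers field, or None
    """
    problems = []
    defined = plan["subnets"]
    if "ipv6_secondary" in defined and "ipv6_primary" not in defined:
        problems.append("secondary IPv6 subnet defined without a primary IPv6 subnet")
    subnets = {key: derive_subnet(gw, size) for key, (gw, size) in defined.items()}
    for node_id, addrs in sorted(plan["nodes"].items()):
        assigned = {key: value for key, value in addrs.items() if value}
        for key, text in assigned.items():
            if key not in subnets:
                problems.append(f"node {node_id}: {key} address given but no such "
                                "subnet is defined")
                continue
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                problems.append(f"node {node_id}: {text!r} is not an IP address")
                continue
            if addr not in subnets[key]:
                problems.append(f"node {node_id}: {text} is not on {key} "
                                f"subnet {subnets[key]}")
        # A node needs an address on every defined subnet, or none at all.
        missing = sorted(set(subnets) - set(assigned))
        if assigned and missing:
            problems.append(f"node {node_id}: has addresses but none on "
                            + ", ".join(missing))
    problems.extend(check_dns_list(plan.get("dns_servers"), subnets))
    return problems


# Constructed sample plans. Node addresses reuse the page's zone example;
# gateways, masks, and DNS servers are invented for this example.
GOOD_PLAN = {
    "subnets": {"ipv4": ("192.168.10.1", "255.255.255.0"),
                "ipv6_primary": ("2001:db8::1", 64)},
    "nodes": {n: {"ipv4": f"192.168.10.{n}", "ipv6_primary": f"2001:db8::{n}"}
              for n in (101, 102, 103, 104)},
    "dns_servers": "192.168.20.5,192.168.20.6",
}
BAD_PLAN = {
    "subnets": {"ipv4": ("192.168.10.1", "255.255.255.0"),
                "ipv6_primary": ("2001:db8::1", 64),
                "ipv6_secondary": ("2001:db8:1::1", 64)},
    "nodes": {
        101: {"ipv4": "192.168.10.101", "ipv6_primary": "2001:db8::101",
              "ipv6_secondary": "2001:db8:1::101"},
        102: {"ipv4": "192.168.11.102", "ipv6_primary": "2001:db8::102",
              "ipv6_secondary": "2001:db8:1::102"},   # IPv4 address off the subnet
        103: {"ipv4": "192.168.10.103"},              # partially configured node
        104: {},                                      # deliberately left out
    },
    "dns_servers": "192.168.20.5, 2001:db8:2::53",    # contains a space
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_network(plan) or "no problems found")
```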


Modifying a network

You can use the Networks ► Network View page to view and modify any configurable properties of a network or network alias.

You can use the Networks ► Node View page to modify the network IP address assignments that are defined for each node for each existing network on the HCP system.

The next two sections provide instructions for modifying a network using the Networks ► Network View page and using the Networks ► Node View page, respectively.

Modifying a network on the Network View panel

To use the Networks ► Network View page to modify a network:

1. On the Networks ► Network View page, in the network list, click on the name of the network that you want to modify.

The properties of the network are displayed on three separate panels: Settings, IP Configuration, and DNS Zone Definitions.

If there are no alerts associated with a network, when you click on its name in the network list, the Settings panel opens.

If an alert is associated with a network, when you click on its name in the network list, the panel that opens is the one used to display the network configuration settings that you need to change to fix the problem indicated by the alert.

2. On the panel that opens, either change the settings displayed on the panel or click on the appropriate navigation tab to open the panel that displays the settings you want to change:

– On the Settings panel, you can:

• Enable or disable the network. To do this, select the appropriate option in the Network Status field in the top right corner of the panel.

• Use the fields that are displayed by default to change any of these general network configuration settings: network name, description, domain, and MTU. For instructions, see step 2 of the procedure documented in “Creating a network” on page 247.

• If Downstream DNS Configuration basic mode is enabled, display the appropriate fields and change the Downstream DNS Configuration settings for the network. For instructions, see “Changing the default downstream DNS configuration settings for a network” on page 256.

• If the advanced downstream DNS configuration mode is enabled, display the appropriate fields and change the downstream DNS configuration settings for the network. For instructions, see “Advanced downstream DNS configuration” on page 235.

– On the IP Configuration panel, you can:

• Use the Make untagged network and VLAN ID fields to specify whether the network is tagged or untagged and to specify the VLAN ID for a tagged network, respectively. For instructions on using these two fields, see step 2 in the procedure documented in “Creating a network” on page 247.

• If HCP is configured to support both IPv4 and IPv6 addresses for user-defined networks, use the fields in the IP Mode section to change the IP mode for the network. For instructions, see step 4 of the procedure documented in “Creating a network” on page 247.

Note: If you select an IP Mode option that was not previously selected, the IP Configuration panel displays the fields that you need to use to configure the network to use the specified type of IP addresses. If you deselect an option that was previously selected, the panel hides all IP configuration settings associated with that option.

• Depending on the IP mode selected for the network, use the fields in the IPv4 Configuration section, the IPv6 Configuration section, or both sections to specify the IPv4 gateway and subnet mask for the IPv4 subnet and to specify the IPv6 gateway and prefix length for each IPv6 subnet, respectively.

For instructions on using the appropriate fields to specify IPv4 and IPv6 subnet configuration information, see step 5 in the procedure documented in “Creating a network” on page 247.

• At the bottom of the IP Configuration panel, use the fields in the node IP addresses table, and optionally, use the Calculate Primary and Calculate Secondary buttons below the table to assign IP addresses to each node included in the network. For instructions, see “Using the Network View page to configure node IP addresses for a network” on page 252.

– You cannot use the Zone Definitions panel to change any network configuration settings.

3. When you finish modifying settings on the selected panel, click on the Update Settings button at the bottom of the page.

A warning message appears asking you to confirm the changes you’ve made.

4. In the field in the message window, type YES. This is case sensitive.

5. Click on the Update Settings button.

6. Optionally, to change additional network configuration settings on another panel, click on the appropriate navigation tab to display that panel. Then, repeat steps 3-6 above to make the additional changes to the network configuration.

7. When you’re finished making changes to the network configuration, go to the Networks ► Network View page to return to the network list.

Modifying network IP address assignments for a node on the Node View page

You can use the Networks ► Node View page to modify the network IP address assignments that are defined for each node for each existing network on the HCP system.

To use the Networks ► Node View page to modify network IP address assignments for a node:

1. On the Networks ► Network View page, in the node list, click on the number of one of the nodes for which you want to modify network IP address assignments.

2. On the panel that opens, use the fields in the Network Settings table, and optionally, use the buttons in the Calculate IPv6 Addresses section above the table to assign IP addresses to the node for each network in which you want to include that node. For instructions, see “Using the Network View page to configure node IP addresses for a network” on page 252.

3. When you finish modifying the network IP address assignments for the node, click on the Update Settings button at the bottom of the page.

A warning message appears asking you to confirm the changes you’ve made.

4. In the field in the message window, type YES. This is case sensitive.

5. Click on the Update Settings button.

Modifying a network alias

You can use the Networks ► Network View page to change the name of the alias or to select a different targeted network for the alias (that is, configure the alias to point to a different network).

Note: When you click on the name of a network alias in the network list, you can view the configuration settings used for the targeted network, but you cannot change them.

To change the name or to change the targeted network of a network alias:

1. On the Networks ► Network View page, in the network list, click on the name of the network alias that you want to modify.

2. Take one of these actions:

– If the Settings panel opens, go to step 4.

– If the IP Configuration panel opens, click on the Settings tab at the top of the panel to display the Settings panel.

3. On the Settings panel, take one or both of these actions:

– To change the name of the alias, edit the text in the Network Alias Name field.

– To change the targeted network for the alias:

a. Select the Switch targeted network option.

The panel displays the Aliased Network field, showing the name of the network that the alias currently points to.

b. In the Aliased Network field, select the new targeted network for the alias.

4. Click on the Update Settings button.

A warning message appears asking you to confirm the changes you’ve made.

5. In the field in the message window, type YES. This is case sensitive.

6. Click on the Update Settings button.

Restarting a network

If a tagged network is enabled but traffic on it is not reaching the HCP system, the cause may be that the network interface cannot be found. In this case, both the Overview and Networks pages in the HCP System Management Console display an alert about the condition.

To resolve this issue, you can restart the network. Restarting a network causes HCP to recreate the network interface that corresponds to the network VLAN ID.

You should not restart a network for which the network interface is functioning properly. Restarting a working network temporarily stops communications on that network from reaching HCP.

Note: Before restarting a network, ensure that the physical network is functioning properly.

To restart a network:

1. On the Networks ► Network View page, in the network list, click on the name of the network that you want to restart.

2. At the bottom of the panel that opens, click on the Restart Network button.

A warning message appears asking you to confirm the action.

3. In the field in the message window, type YES. This is case sensitive.

4. Click on the Update Settings button.

Deleting a network or network alias

You can delete a user-defined network or network alias only if it’s not currently selected for use for any purpose. Additionally, you cannot delete a network that is currently the target of a network alias.

You cannot delete the [hcp_system] or [hcp_backend] network.

To delete a network or network alias:

1. On the Networks ► Network View page, in the network list, click on the delete control ( ) for the network or network alias that you want to delete.

2. In response to the confirming message, take one of these actions:

– If you’re sure you want to delete the network or network alias, click on the Delete button.

– If you decide not to delete the network or network alias, click on the Cancel button.

8 Tenant administration

Tenants are the administrative entities that own and manage namespaces. When an HCP system is first installed, no tenants exist. You use the HCP System Management Console to create them as needed.

Tenant-level administrators create HCP namespaces in the Tenant Management Console. When you create the default tenant, HCP automatically creates the default namespace.

After creating a tenant, you can modify only some of its properties. You can delete a tenant only if it has no namespaces.

This chapter contains information on:

• The information displayed for tenants

• Creating, modifying, and deleting tenants

• Accessing the Tenant Management Console for a tenant

• Resetting tenant security (HCP tenants only)

• Changing the product branding that’s exposed to tenants

• Selecting the appropriate protocol optimization option for your tenant

For an introduction to tenants, see “Tenants” on page 5.

About the Tenants page

To view, create, and manage tenants, you use the Tenants page in the HCP System Management Console. To display this page, in the top-level menu, click on Tenants.

The Create Tenant bar on the Tenants page shows:

• The total amount of storage currently used by all namespaces in the HCP system

• The total amount of storage still available out of the total storage capacity for the HCP system

The Tenants page also lists the existing tenants. For information on this list, see “Understanding the tenant list” and “Managing the tenant list” below.

Roles: To view the Tenants page, you need the monitor or administrator role.

Understanding the tenant list

The Tenants page contains a list of existing tenants. For each tenant, the list shows:

• The tenant name.

• In an HCP system that uses virtual networking, the network assigned to the tenant for management purposes.

• In an HCP system that uses virtual networking, the network assigned to the tenant for data access purposes.

For information on networks, see Chapter 7, “Network administration,” on page 223.

• Icons for any current alerts that apply to the tenant. Alerts indicate conditions that may need your attention. To see the text that accompanies an alert icon, mouse over the icon.

For information about the alerts that can appear on the Tenants page, see “Tenants page alerts” on page 526.

• The total amount of storage currently used by all namespaces owned by the tenant.

• For HCP tenants only, a graphical representation of the amount of storage used out of the hard quota for the tenant.

• For HCP tenants only, the hard quota for the tenant.

• For the default tenant and for each HCP tenant that has been configured to allow system-level users to manage it and search its namespaces, an icon ( ) that you can click on to open the Tenant Management Console for the tenant.

To view additional information about an individual tenant, click on the tenant name.

Managing the tenant list

By default, the tenant list on the Tenants page includes all existing tenants. The tenants are listed 20 at a time in ascending order by tenant name.

You can page through, sort, and filter the list of tenants. The Tenants page indicates which tenants are shown out of the total number of tenants in the current list.

Paging

You can change the number of tenants shown at a time on the Tenants page. To do this, in the Items per page field, select the number of tenants you want. The options are 10, 20, and 50.

To page forward or backward through the tenant list, click on the next ( ) or back ( ) control, respectively.

To jump to a specific page in the tenant list:

1. In the Page field, type the page number you want.

2. Press Enter.

Sorting

You can sort the tenant list in ascending or descending order by tenant name, management network, data access network, or hard quota. To sort the list, click on the column heading for the property you want to sort by. Each time you click on the column heading, the sort order switches between ascending and descending.

Filtering

You can filter the tenant list by tenant name, management network, data access network, or tag. The filtered list includes only those tenants with a name, management network, data access network, or tag, as applicable, that begins with or is the same as a specified text string.

You can filter the tenant list by using the fields above the list. You can also filter the list by tag by using the tag control.

To filter the tenant list by using the filter fields:

1. In the field above the Name column, select the property you want to filter by.

2. In the next field, type the text string you want to use as a filter. This string can be up to 64 characters long, can contain any valid UTF-8 characters except commas (,), and is not case sensitive. White space is allowed.

3. Click on the find control ( ).

To redisplay the entire list of tenants after filtering it, click on the clear filter control ( ).

To filter the tenant list by tag using the tag control:

1. Click on the tag control ( ) on the right above the tenant list.

The Tags window opens. This window lists all the tags currently associated with the existing tenants. For each tag, the window shows the number of associated tenants.

2. Click on the tenant-count icon ( ) for the tag you want.

The tenant list shows only the tenants that have the selected tag, and the fields above the Name column show the filter criteria.

About the tenant Overview panel

The tenant Overview panel shows the current status of any given tenant.

To display this panel for a tenant:

1. In the top-level menu in the System Management Console, click on Tenants.

2. In the list of tenants, click on the name of the tenant that you want to examine.

To return to the tenant Overview panel from the tenant Settings panel, click on Overview in the row of tabs below the tenant name.

Roles: To view the tenant Overview panel, you need the monitor or administrator role.

Tenant URL

The top of the tenant Overview panel shows the URL for access to the Tenant Management Console for the tenant. The URL has this format:

https://tenant-url-name.hcp-domain-name:8000

In this format, hcp-domain-name is the name of the domain associated with the management network for the tenant. For information on networks, see “About virtual networking with HCP” on page 224.

For example, the URL for access to the Tenant Management Console for the tenant named Finance in the HCP system named hcp-ma.example.com is:

https://finance.hcp-ma.example.com:8000

Clicking on a tenant URL opens either the Overview page or the login page for the Tenant Management Console for that tenant:

• If a tenant is configured to allow system-level users to manage it, clicking on the URL for that tenant opens its Tenant Management Console Overview page. For an HCP tenant, the Overview page opens only if at least one of your client IP addresses is allowed access to the Tenant Management Console for the tenant.

• If the tenant is not configured to allow system-level users to manage it, clicking on the URL for that tenant opens its Tenant Management Console login page.

You can also use the access control ( ) for a tenant to click through to the Tenant Management Console. For more information on this access control, see “Accessing the Tenant Management Console for a tenant” on page 302.

For information on using a system-level user account to directly access, manage, monitor, and search tenants, see “Tenant-level administration” on page 55.

Tenant description

The tenant Overview panel shows the tenant description, if any, below the tenant URL. This is optional text that you can specify when creating or modifying the tenant.

Features Enabled section

The Features Enabled section of the tenant Overview panel lists the features that are enabled for the tenant. Possibilities are:

Replication — The tenant is eligible for replication. For information on replication, see Replicating Tenants and Namespaces.

• Retention Mode Selection:

– An HCP tenant administrator can create namespaces in either enterprise or compliance mode. Additionally, a tenant administrator can change the retention mode of a namespace from enterprise to compliance.

Without this feature, tenant administrators can create namespaces only in enterprise mode and cannot subsequently change the retention mode.

– The default tenant administrator can change the retention mode of the default namespace from enterprise mode to compliance mode (if the namespace was originally in enterprise mode).

For information on the enterprise and compliance retention modes, see page 26.

Search — Tenant administrators can enable and disable search in the namespaces that the tenant owns.

For an introduction to search, see “HCP Search Console” on page 9. For more information on the supported search facilities, see “Configuring search” on page 312.

Service Plan Selection — Tenant administrators can associate service plans with the namespaces that the tenant owns.

If the tenant does not have this feature, the HCP system administrator chooses the service plan for the tenant, and that service plan applies to all namespaces owned by that tenant.

For information on service plans, see “Working with service plans” on page 210.

Versioning — Tenant administrators can enable and disable versioning in the namespaces that the tenant owns. This feature is available only for HCP tenants.

For information on versioning, see Managing a Tenant and Its Namespaces and Using a Namespace.

Namespaces section

For HCP tenants only, the Namespaces section of the tenant Overview panel shows:

Quota — The number of namespaces that HCP reserves for the tenant out of the total number of namespaces that the system can have. This is also the maximum number of namespaces that the tenant can own at any given time. If the tenant doesn’t have a namespace quota, this field displays No Quota.

Used — The number of namespaces the tenant currently owns.

Available — If the tenant has a quota, this is the number of additional namespaces that the tenant can own. If the tenant has no quota, this is the number of unallocated namespaces out of the total number of namespaces the system can have, minus the number of existing namespaces owned by tenants that don’t have quotas.

When calculating the number of available namespaces for a tenant with no quota, HCP considers only locally created namespaces and not namespaces that were replicated to the system from another system.
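
The following Python sketch, an added example and not HCP code, works through the Available calculation described above together with the namespace quota rules given under “HCP tenant properties” later in this chapter (a system total of 10,000 namespaces, 9,999 allocatable when the default namespace exists, no overallocation, and no quota below what the tenant already owns). The Tenant record, function names and sample tenants are constructed for illustration, and counting replicated namespaces in a tenant's own Used figure is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

SYSTEM_NAMESPACES = 10_000  # total namespaces an HCP system can have (per the manual)


@dataclass
class Tenant:
    """Hypothetical record of one HCP tenant's namespace accounting."""
    name: str
    quota: Optional[int]   # None means the console shows "No Quota"
    local: int             # namespaces created on this system
    replicated: int = 0    # namespaces replicated in from another system

    @property
    def used(self):
        # Assumption: Used counts every namespace the tenant owns.
        return self.local + self.replicated


def allocatable(has_default_namespace):
    """Namespaces that can be handed out as quotas: 10,000, or 9,999 with the default namespace."""
    return SYSTEM_NAMESPACES - (1 if has_default_namespace else 0)


def unallocated(tenants, has_default_namespace):
    """Namespaces not reserved by any tenant quota."""
    reserved = sum(t.quota for t in tenants if t.quota is not None)
    return allocatable(has_default_namespace) - reserved


def available(tenant, tenants, has_default_namespace):
    """The Available figure for one tenant."""
    if tenant.quota is not None:
        return max(tenant.quota - tenant.used, 0)
    # No quota: the unallocated pool minus the namespaces already owned by
    # tenants without quotas, counting only locally created namespaces.
    shared_in_use = sum(t.local for t in tenants if t.quota is None)
    return max(unallocated(tenants, has_default_namespace) - shared_in_use, 0)


def quota_change_errors(tenant, new_quota, tenants, has_default_namespace):
    """Reasons a proposed namespace quota breaks the rules stated in this chapter."""
    errors = []
    if new_quota < tenant.used:
        errors.append("below-current-usage")
    others = sum(t.quota for t in tenants if t.quota is not None and t is not tenant)
    if others + new_quota > allocatable(has_default_namespace):
        errors.append("overallocated")
    return errors


# Constructed sample system: two tenants with quotas, two without.
CUST1 = Tenant("cust1-finance", quota=6000, local=10)
CUST2 = Tenant("cust2-finance", quota=3990, local=5)
LAB = Tenant("lab", quota=None, local=4, replicated=2)
DEV = Tenant("dev", quota=None, local=3)
TENANTS = [CUST1, CUST2, LAB, DEV]

if __name__ == "__main__":
    for t in TENANTS:
        print(t.name, "available:", available(t, TENANTS, has_default_namespace=True))
    print("raise cust2-finance to 4000:",
          quota_change_errors(CUST2, 4000, TENANTS, has_default_namespace=True))
```

With the sample values, the two tenants without quotas share the same small pool, so a namespace created by one reduces the Available figure of the other.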

Objects section

The Objects section of the tenant Overview panel shows:

Ingested — The total number of objects currently stored in all namespaces owned by the tenant. When an object has multiple versions, each version is counted as a separate object.

Indexed — The total number of indexed objects currently stored in all namespaces owned by the tenant. This item appears only if the tenant has the search feature and a search facility is currently selected for use with the Search Console. If the HDDS search facility is in use, that facility must also be configured to show statistics.

Storage section

For HCP tenants only, the Overview panel includes a Storage section. This section shows:

Quota — The total amount of storage available to the tenant for allocation to its namespaces

Used — The total amount of storage currently used by all namespaces owned by the tenant

Available — The amount of unused storage still available to the tenant

Creating a tenant

The information you provide when creating the default tenant differs from the information you provide for HCP tenants. This is because:

• When you create the default tenant, HCP automatically creates the default namespace as well

• HCP administers storage usage differently for the default tenant

The following sections present separate procedures for creating the two types of tenants.

Roles: To create an HCP tenant or the default tenant and namespace, you need the administrator role.

Note: You can create the default tenant and namespace only if allowed to do so by the system configuration.

Creating an HCP tenant

You create HCP tenants in the System Management Console. Once an HCP tenant exists, tenant administrators can use the Tenant Management Console to create namespaces for the tenant.

HCP tenant properties

When creating an HCP tenant, you specify:

• A name for the tenant. This name determines the URL for the tenant.

When naming tenants, keep in mind that each tenant name must be unique within an HCP system. For example, you cannot create a tenant named finance for each of two different customers. You could, however, create a tenant named cust1-finance for Customer 1 and another tenant named cust2-finance for Customer 2.

Also, keep in mind that you cannot replicate a tenant to another HCP system that already has a different tenant with the same name.

You can change the tenant name at any time after you create the tenant, except while the CIFS or NFS protocol is enabled for any namespaces owned by the tenant. However, keep in mind that when you change the tenant name, you are also changing the URLs for the tenant and its namespaces.

Tip: Be sure to notify the tenant contact when you change the name of a tenant.

• Optionally, a description of the tenant. For example, you can use a description to specify the name of the organization for which you’re creating the tenant.

You can change this description at any time after you create the tenant.

• In an HCP system that uses virtual networking, a management network for the tenant. Clients use this network to access the Tenant Management Console and HCP management API for the tenant. Clients use the domain name associated with this network when sending access requests to the management interfaces (Tenant Management Console and HCP management API) for the tenant.

You need to ensure that requests for access to the Tenant Management Console and HCP management API for the tenant are routable from the clients to the HCP system over the management network that you specify.

If the tenant is configured to allow system-level users to manage it, those users can access its Tenant Management Console directly from the System Management Console even if the tenant management network is not [hcp_system].

You can select a different management network for a tenant at any time. However, when you change the management network, you also change:

– The IP addresses used to route access requests from clients to the management interfaces (Tenant Management Console and HCP management interface) for the tenant

– The management network domain name included in the tenant URL

Tip: Be sure to notify the tenant contact when you select a different management network for a tenant.

For information on networks and routability, see “About virtual networking with HCP” on page 224.

• In an HCP system that uses virtual networking, a data access network for the tenant. Clients use this network to access the contents of namespaces that the tenant owns. Clients use the domain name associated with this network when sending namespace data access requests to the tenant.

You need to ensure that requests for access to the contents of the namespaces that the tenant owns are routable from the clients to the HCP system over the data access network that you specify.

HCP Data Migrator (HCP-DM) and the Hitachi Data Discovery Suite (HDDS) search facility do not support the use of IPv6 networks for communication with HCP. To enable clients to use HCP-DM to access the contents of namespaces that the tenant owns or to use the HDDS search facility to search and index those namespaces, you need to specify a data access network that has IPv4 addresses assigned to it.

You can select a different data access network for a tenant at any time. However, when you change the data access network, you also change:

– The IP addresses used to route namespace data access requests from clients to the tenant

– The domain name included in the URLs for the namespaces that the tenant owns

Changing the IP addresses and domain name used to access the namespaces that a tenant owns causes all CIFS and NFS mounts of those namespaces to be disconnected from HCP.

Tip: Be sure to notify the tenant contact when you select a different data access network for a tenant.

• A hard quota for the tenant. This is the total amount of storage available to the tenant. The tenant allocates this storage to the namespaces it owns by setting a hard quota for each namespace.

You can allocate more total space to your tenants than is actually available for storing objects. HCP warns you when the space used by all tenants is approaching the system storage capacity.

You can change this quota at any time after you create the tenant. However, you cannot specify a quota that is less than the total amount of storage that the tenant has already allocated to its namespaces.

Note: HCP checks the amount of data stored in a namespace against the namespace hard quota hourly. If large amounts of data are added rapidly to a namespace, the namespace can store substantially more data than its hard quota allows.

Each namespace managed by a tenant can exceed its hard quota in this way. As a result, the total amount of storage used by all namespaces owned by a tenant can exceed the hard quota for that tenant.

• A soft quota for the tenant. This is the percentage point at which HCP should notify tenant administrators that the storage available to the tenant is running low on free space.

You can change this quota any time after you create the tenant.

• A namespace quota for the tenant. This is the number of namespaces that HCP reserves for the tenant out of the total number of namespaces that the system can have (10,000).

You cannot overallocate namespaces. That is, the maximum number of namespaces that you can allocate to tenants is 10,000, or 9,999 if the system includes the default namespace.

You can create tenants that do not have quotas. The total number of namespaces that these tenants can own is equal to the number of unallocated namespaces in the HCP system. If you allocate a total of 10,000 namespaces to other tenants, the tenants that do not have quotas cannot create any namespaces.

You can change the namespace quota for a tenant at any time after you create the tenant, as long as the new quota is not less than the number of namespaces that the tenant currently owns.

Note: While an active/passive replication link that includes a given HCP tenant is failed over to the replica, you cannot change the namespace quota for that tenant on the replica. For information on replication links, see Replicating Tenants and Namespaces.

• The authentication methods allowed for the tenant. At least one of these authentication methods must be enabled:

Local — The tenant supports internal authentication by HCP. To be authenticated, a user must have a locally authenticated HCP user account.

RADIUS — The tenant supports remote authentication by RADIUS. To be authenticated, a user must have a RADIUS-authenticated HCP user account.

A tenant that supports RADIUS authentication must also support local authentication, Active Directory authentication, or both.

Active Directory — The tenant supports remote authentication by AD. To be authenticated, a user must have an AD user account.

Tip: To help ensure that AD authentication is available for those tenants that need to support it, enable AD only for those tenants.

Note: For RADIUS or Active Directory authentication to work for the tenant for:

• Access to the Tenant Management Console and HCP management API, the tenant management network must be [hcp_system]

• Access to the content of namespaces owned by the tenant, the tenant data access network must be [hcp_system]

For information on networks, see “About virtual networking with HCP” on page 224.

You can change the allowed authentication methods at any time after you create the tenant. However, you cannot disable local authentication if the only tenant-level account with the security role is a locally authenticated HCP user account. Similarly, you cannot disable AD authentication if the only tenant-level account with the security role is a group account.

If you disable AD authentication for a tenant after the tenant has created group accounts, those accounts continue to exist but are not visible to the tenant. If you subsequently reenable AD authentication for the tenant, the group accounts become visible again.

For information on these authentication methods, see “User authentication” on page 64.

• An initial security account for the tenant. This can be a locally authenticated HCP user account or an HCP group account, depending on which authentication methods are allowed for the tenant:

– For a locally authenticated user account, you specify the account username and password. When HCP creates the tenant, it also creates a tenant-level user account with the specified username and password. This account has only the security role and no data access permissions.

– For an HCP group account, you select an AD group. When HCP creates the tenant, it also creates a tenant-level group account that corresponds to that AD group. This group account has only the security role and no data access permissions.

For the initial security account to be a group account, Active Directory must be selected as an authentication method for the tenant, HCP must be configured to support AD, and HCP must be able to communicate with AD. For information on this, see “Configuring Active Directory or Windows workgroup support” on page 418.

After creating the tenant, you cannot modify the initial security account configuration from the System Management Console. However, tenant administrators can modify the initial security account configuration in the Tenant Management Console.

For information on user and group accounts, see “About user and group accounts” on page 52.


• Optionally, contact information for the tenant. For example, you can specify contact information for the primary person responsible for administering the tenant.

You can change this information at any time after you create the tenant. Tenant-level administrators can also change this information from the Tenant Management Console.

• Optionally, tags for the tenant. A tag is an arbitrary text string associated with an HCP tenant. You can associate up to ten tags with any given tenant, and you can use the same tags for multiple tenants.

You can use tags to group tenants and filter tenant lists. For example, if you’ve created multiple tenants for a company named ABC Corporation, you could associate the tag ABC with each of those tenants. Then you could filter a list of tenants to display only the tenants with that tag.

Tags exist only as long as they are associated with at least one tenant.

If you remove a tag from the last tenant with which it’s associated, the tag no longer exists.

You can change the tags associated with the tenant at any time after you create the tenant.

• Whether the tenant can be replicated. This option is available only if the HCP system supports replication.

After creating the tenant, you can change this setting from not allowing replication to allowing replication. However, you cannot do the reverse.

For information on replication, see Replicating Tenants and Namespaces.

• Whether tenant administrators are allowed to select the retention mode for the namespaces that the tenant owns. If this is not allowed, tenant administrators can create namespaces only in enterprise mode.

After creating the tenant, you can change this setting from not allowing tenant administrators to select the retention mode to allowing it. However, you cannot do the reverse.

For retention mode descriptions, see page 26.


• Whether tenant administrators are allowed to enable search for the namespaces that the tenant owns.

After creating the tenant, you can change this setting from not allowing tenant administrators to enable search for the namespaces that the tenant owns to allowing it. However, you cannot do the reverse.

For information on search, see Chapter 9, “Search administration,” on page 311.

• Whether tenant administrators are allowed to associate service plans with the namespaces that the tenant owns. If tenant administrators are not allowed to associate service plans with the namespaces that the tenant owns, you need to specify a service plan for the tenant. This specification is not visible in the Tenant Management Console.

After creating the tenant, you can change this setting from not allowing tenant administrators to associate service plans with the namespaces that the tenant owns to allowing it. However, you cannot do the reverse.

For information on service plans, see “Working with service plans” on page 210.

• Whether tenant administrators are allowed to enable versioning for the namespaces that the tenant owns.

After creating the tenant, you can change this setting from not allowing tenant administrators to enable versioning for the namespaces that the tenant owns to allowing it. However, you cannot do the reverse.

For information on versioning, see Managing a Tenant and Its Namespaces and Using a Namespace.

What you do

To create an HCP tenant:

1. In the top-level menu in the System Management Console, click on Tenants.

2. On the Tenants page, click on Create Tenant.


3. In the Create Tenant panel:

– If the Make default tenant/namespace option is present, leave it unselected. This option does not appear if the default tenant already exists or if the system does not support creation of the default tenant.

– In the Tenant Name field, type a unique name for the tenant. HCP derives the hostname for the tenant from this name. The hostname is used in URLs for access to the tenant and its namespaces.

In English, the name you specify for a tenant must be from one through 63 characters long, can contain only alphanumeric characters and hyphens (-), and cannot start or end with a hyphen.

In other languages, because the derived English hostname cannot be more than 63 characters long, the name that you specify can be limited to fewer than 63 characters.

Tenant names cannot contain special characters other than hyphens and are not case sensitive. White space is not allowed.

Tenant names cannot start with xn-- (that is, the characters x and n followed by two hyphens).

You can reuse tenant names that are not currently in use. So, for example, if you delete a tenant, you can create a new tenant with the same name that you originally assigned to the deleted tenant.

The following words are reserved and cannot be used as tenant names: admin, cifs, default, fcfs, nfs, scavenging, search, search-api, smb, smtp, snmp, and www.

– Optionally, in the Description field, type a description of the tenant.

This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

– In the Management Network field, select the management network for the tenant. The dropdown list of networks does not include empty networks.

The Management Network field is present only if the HCP system is configured to support virtual networking.


– In the Data Network field, select the data access network for the tenant. The dropdown list of networks does not include empty networks.

The Data Network field is present only if the HCP system is configured to support virtual networking.

– In the Hard Quota field, type the number of gigabytes (GB) or terabytes (TB) of storage to make available to the tenant and select either GB or TB to indicate the measurement unit. Valid values are decimal numbers with up to two places after the period. The minimum is 1 (one) for GB and .01 for TB.

– In the Soft Quota field, type the percentage point at which you want HCP to notify tenant administrators that free storage space is running low. Valid values are integers in the range zero through 100.

– Take one of these actions:

• To specify a namespace quota for the tenant, in the Namespace Quota field, type an integer in the range one through the current number of namespaces available for allocation.

The number of available namespaces is displayed below the Namespace Quota field. It is equal to 10,000 minus the number of namespaces currently allocated to HCP tenants, minus the number of namespaces currently owned by HCP tenants that do not have quotas, minus one for the default namespace, if it exists. If any tenants are above their quotas, the number of excess namespaces is also subtracted from the number of available namespaces.

• To create the tenant without giving it a namespace quota, select No quota.

– In the Authentication Methods section, select one or more of these authentication methods for the tenant: Local, RADIUS, and Active Directory. If you select RADIUS, you also need to select one or both of these RADIUS authentication methods: Local and Active Directory.


– In the Initial Security Account section, select Local or Active Directory to specify the type of initial security account that you want to create for the tenant. Then:

• If you selected Local, specify the username and password for the initial HCP user account that you want to create for the tenant:

– In the Username field, type a name for the initial HCP user account for the tenant. Usernames must be from one through 64 characters long, can contain any valid UTF-8 characters, and cannot start with an opening square bracket ([). White space is allowed. Usernames are not case sensitive.

– In the Password field, type a password for the initial HCP user account. Passwords can be up to 64 characters long, are case sensitive, and can contain any valid UTF-8 characters, including white space. The minimum length for the password for the initial user account is six characters.

To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other.

– In the Confirm Password field, type the password again.

• If you selected Active Directory, in the Group field, specify the name of the AD group account whose credentials you want to use for the initial HCP group account that you want to create for the tenant.

– Optionally, specify contact information for the tenant:

1. Click on Contact Information.

2. In the Contact Information panel, fill in the contact information.

The table below describes the values that you can specify. Except as indicated, all fields are optional.

| Field | Description |
|---|---|
| First Name | First name of the tenant contact. First names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| Last Name | The last name of the tenant contact. Last names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| Email | A valid email address for the tenant contact. Email addresses cannot be more than 254 characters long. |
| Confirm Email | A repeat of the email address for the tenant contact. This field is required if you specify an email address in the Email field. |
| Phone | A telephone number for the tenant contact. Do not include a telephone number extension. Instead, put the extension, if any, in the Extension field. Telephone numbers can contain only numbers, parentheses, hyphens (-), periods (.), plus signs (+), and spaces and can be up to 24 characters long (for example, (800) 123-4567). |
| Extension | A telephone number extension for the tenant contact. Telephone number extensions can contain only numbers and can be up to five characters long. |
| Address Line 1 | The first line of an address for the tenant contact. Address lines can be up to 100 characters long and can contain any valid UTF-8 characters, including white space. |
| Address Line 2 | The second line of an address for the tenant contact. |
| City | The city for the tenant contact. City names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| State/Province | The state or province for the tenant contact. State and province names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| Postal Code | The postal code for the tenant contact. Postal codes can be up to 64 characters long and can contain only alphanumeric characters and hyphens (-). |
| Country | The country for the tenant contact. Country names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |

– Optionally, associate tags with the tenant:

a. Click on Tags.

b. For each tag you want to associate with the tenant:

1. In the field in the Tags section, type a text string to be used as a tag. Tags must be from one through 64 characters long, can contain any valid UTF-8 characters except commas (,), and are not case sensitive. White space is allowed.

2. Click on Add Tag.

To remove a new tag, click on the delete control for the tag.

– Optionally, select the Replication option to allow the tenant to be replicated. This option is present only if the HCP system supports replication.

– Optionally, select the Retention Mode Selection option to allow tenant administrators to select the retention mode for the namespaces that the tenant owns.

– Optionally, select the Search option to allow tenant administrators to enable search for the namespaces that the tenant owns.

– Take one of these actions:

• To allow tenant administrators to associate service plans with the namespaces that the tenant owns, select the Service Plan Selection option.

• To associate a service plan with the tenant, leave the Service Plan Selection option unselected. Then either type the name of an existing service plan in the accompanying field or click on the arrow control for the field. If you click on the arrow control:

1. In the Service Plans window, select the service plan that you want to assign to the tenant.

2. Click on the Apply Service Plan button.

– Optionally, select the Versioning option to allow tenant administrators to enable versioning for the namespaces that the tenant owns.

4. Click on the Create Tenant button.
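The tenant name, hard quota, soft quota and namespace quota rules in step 3 can be checked before the values are typed into the Create Tenant panel. The following Python is an added example, not HCP code: the function names and the request dictionary's field names are hypothetical, "alphanumeric" is read as ASCII letters and digits, and only English tenant names are covered.

```python
import re
from decimal import Decimal

# Reserved words listed in the Tenant Name rules above.
RESERVED_TENANT_NAMES = frozenset({
    "admin", "cifs", "default", "fcfs", "nfs", "scavenging", "search",
    "search-api", "smb", "smtp", "snmp", "www",
})
MAX_NAMESPACES = 10_000          # starting figure in the availability formula
MIN_HARD_QUOTA = {"GB": Decimal("1"), "TB": Decimal("0.01")}


def tenant_name_errors(name):
    """Check an English tenant name; returns a list of violations (empty = OK)."""
    errors = []
    if not 1 <= len(name) <= 63:
        errors.append("length must be 1 through 63 characters")
    # Assumption: "alphanumeric" means ASCII letters and digits, because the
    # name becomes a hostname. Non-English names are out of scope here.
    if not re.fullmatch(r"[A-Za-z0-9-]*", name):
        errors.append("only alphanumeric characters and hyphens are allowed")
    if name.startswith("-") or name.endswith("-"):
        errors.append("cannot start or end with a hyphen")
    lowered = name.lower()       # tenant names are not case sensitive
    if lowered.startswith("xn--"):
        errors.append("cannot start with xn--")
    if lowered in RESERVED_TENANT_NAMES:
        errors.append("reserved word")
    return errors


def hard_quota_errors(value, unit):
    """value is the text typed in the Hard Quota field; unit is 'GB' or 'TB'."""
    if unit not in MIN_HARD_QUOTA:
        return ["unit must be GB or TB"]
    # Decimal number with at most two digits after the period (".01" allowed).
    if not re.fullmatch(r"[0-9]+(\.[0-9]{1,2})?|\.[0-9]{1,2}", value):
        return ["must be a decimal number with up to two decimal places"]
    if Decimal(value) < MIN_HARD_QUOTA[unit]:
        return [f"minimum is {MIN_HARD_QUOTA[unit]} {unit}"]
    return []


def soft_quota_errors(value):
    """Soft Quota is an integer percentage in the range 0 through 100."""
    if not re.fullmatch(r"[0-9]{1,3}", value) or int(value) > 100:
        return ["must be an integer in the range 0 through 100"]
    return []


def available_namespaces(allocated_by_quota, owned_without_quota,
                         default_namespace_exists, excess_over_quota=0):
    """Number shown below the Namespace Quota field, per the formula above."""
    return (MAX_NAMESPACES - allocated_by_quota - owned_without_quota
            - (1 if default_namespace_exists else 0) - excess_over_quota)


def namespace_quota_errors(quota, available):
    """quota is None for 'No quota', otherwise an integer from 1 to available."""
    if quota is None:
        return []
    if not isinstance(quota, int) or not 1 <= quota <= available:
        return [f"must be an integer in the range 1 through {available}"]
    return []


def validate_tenant_request(req, available):
    """Run every check on one request dict; returns {field: [violations]}."""
    report = {
        "name": tenant_name_errors(req["name"]),
        "hard_quota": hard_quota_errors(req["hard_quota"], req["hard_quota_unit"]),
        "soft_quota": soft_quota_errors(req["soft_quota"]),
        "namespace_quota": namespace_quota_errors(req.get("namespace_quota"), available),
    }
    return {field: errs for field, errs in report.items() if errs}


# Constructed sample request (field names are hypothetical, not an HCP schema).
SAMPLE_REQUEST = {
    "name": "Search-API", "hard_quota": ".5", "hard_quota_unit": "GB",
    "soft_quota": "85", "namespace_quota": 25,
}

if __name__ == "__main__":
    free = available_namespaces(120, 15, default_namespace_exists=True)
    for field, errs in validate_tenant_request(SAMPLE_REQUEST, free).items():
        print(f"{field}: {'; '.join(errs)}")
```
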


Creating the default tenant and namespace

You create the default tenant and namespace in a single operation in the HCP System Management Console. The name of the default tenant is always Default. Similarly, the name of the default namespace is always Default.

You can create the default tenant and namespace only if allowed to do so by the HCP system configuration.

Default tenant and namespace properties

When creating the default tenant and namespace, you specify:

• Optionally, a description of the tenant. For example, you can use a description to specify the purpose of the tenant.

You can change this description at any time after you create the tenant and namespace.

• Optionally, contact information for the tenant. For example, you can specify contact information for the primary person responsible for administering the default tenant and namespace.

You can change this information at any time after you create the tenant and namespace. You can change it either from the System Management Console or from the Tenant Management Console for the default tenant.

• The cryptographic hash algorithm used to calculate the hash value for each object in the namespace. After creating the tenant and namespace, you cannot change the hash algorithm.

For information on hash algorithms and values, see “Content verification service” on page 344.

• The retention mode for the namespace — either enterprise or compliance. Tenant administrators can use the Tenant Management Console to change this setting from enterprise to compliance. However, they cannot do the reverse.

For retention mode descriptions, see page 26.

• Whether the namespace is search-enabled. Tenant administrators can use the Tenant Management Console to change this setting at any time.


For information on enabling one or more search facilities on an HCP system, see “Configuring search” on page 312.

• The service plan for the namespace. Tenant administrators can use the Tenant Management Console to change this setting at any time.

For information on service plans, see “Working with service plans” on page 210.

What you do

To create the default tenant and namespace:

1. In the top-level menu in the System Management Console, click on Tenants.

2. On the Tenants page, click on Create Tenant.

The Create Tenant panel opens.

3. In the Create Tenant panel, select the Make default tenant/namespace option.

The Create Tenant panel changes to show the applicable options for the default tenant.

4. In the Create Tenant panel:

– Optionally, in the Description field, type a description of the tenant.

The description can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

– Optionally, specify contact information for the tenant:

1. Click on Contact Information.

2. In the Contact Information panel, fill in the contact information.

The table below describes the values that you can specify. Except as indicated, all fields are optional.

| Field | Description |
|---|---|
| First Name | First name of the tenant contact. First names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| Last Name | The last name of the tenant contact. Last names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| Email | An email address for the tenant contact. Email addresses cannot be more than 254 characters long. |
| Confirm Email | A repeat of the email address for the tenant contact. This field is required if you specify an email address in the Email field. |
| Phone | A telephone number for the tenant contact. Do not include a telephone number extension. Instead, put the extension, if any, in the Extension field. Telephone numbers can contain only numbers, parentheses, hyphens (-), periods (.), plus signs (+), and spaces and can be up to 24 characters long (for example, (800) 123-4567). |
| Extension | A telephone number extension for the tenant contact. Telephone number extensions can contain only numbers and can be up to five characters long. |
| Address Line 1 | The first line of an address for the tenant contact. Address lines can be up to 100 characters long and can contain any valid UTF-8 characters, including white space. |
| Address Line 2 | The second line of an address for the tenant contact. |
| City | The city for the tenant contact. City names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| State/Province | The state or province for the tenant contact. State and province names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |
| Postal Code | The postal code for the tenant contact. Postal codes can be up to 64 characters long and can contain only alphanumeric characters and hyphens (-). |
| Country | The country for the tenant contact. Country names can be up to 64 characters long and can contain any valid UTF-8 characters, including white space. |

– In the Hash Algorithm field, select the cryptographic hash algorithm for the default namespace.

– For the Retention Mode option, select either Enterprise or Compliance to set the retention mode of the default namespace.


– Optionally, select the Enable Search option to enable search for the default namespace.

– In the Service Plan field, specify the service plan for the default namespace. To do this, either type the name of an existing service plan in the accompanying field or click on the arrow control for the field. If you click on the arrow control:

1. In the Service Plans window, select the service plan that you want to assign to the default namespace.

2. Click on the Apply Service Plan button.

5. Click on the Create Tenant button.

Modifying a tenant

After creating a tenant, you can modify some of its properties. You do this in the Settings panel for the tenant.

Roles: To view the Settings panel, you need the monitor or administrator role. To modify a tenant, you need the administrator role.

These considerations apply to modifying HCP tenants:

• You can enable AD authentication for a tenant only while HCP can communicate with AD.

• When you rename a tenant for which AD authentication is enabled, AD authentication is automatically disabled for that tenant. After the operation is complete, you need to manually reenable AD authentication for the tenant.

• You cannot rename a tenant while the only account with the security role defined for the tenant is a group account.

• You cannot rename a tenant while the CIFS or NFS protocol is enabled for any namespaces owned by that tenant.

• When you select a different management network for an HCP tenant while any given user is logged into the Tenant Management Console for that tenant, HCP denies any subsequent requests made within the same Console session. To continue using the Console, the user needs to start a new session so that the client can use the new management network to access the Console for the tenant.


• When you select a different data access network for an HCP tenant, HCP denies any client requests for access to namespaces owned by that tenant that arrive over the previously selected network.

• When a tenant is replicated from one system to a second system, if the management or data access network selected for the tenant on the first system does not exist on the second system, the applicable field in the tenant Settings panel on the second system shows the network name enclosed in angle brackets (for example, <ten1_data>). This network is not included in the dropdown list for the field, so if you select a different network in that field, you cannot then select the undefined network.

• You can change the service plan that’s assigned to a specific tenant by modifying the tenant to select the new service plan or by modifying the new service plan to assign it to the tenant. You can also modify a service plan to assign it to multiple tenants at the same time.

To modify the configuration settings for an individual tenant, including selecting a new service plan for that tenant, follow the procedure outlined below.

For more information on modifying a service plan to assign one or more tenants to it, see “Working with service plans” on page 210.

To modify an existing tenant:

1. In the top-level menu in the System Management Console, click on Tenants.

2. In the list of tenants, click on the name of the tenant that you want to modify.

3. In the row of tabs below the tenant name, click on Settings.

4. In the Settings panel, make the changes you want.

To remove a tag from an HCP tenant, in the Tags section in the Settings panel, click on the delete control for the tag. The row with the tag turns red. To revert the removal before submitting your changes, click again on the delete control.

For information on the fields and options in this panel, see “Creating an HCP tenant” on page 284 or “Creating the default tenant and namespace” on page 297, as applicable.


5. Click on the Update Settings button.

If all of these are true, a confirming message appears:

– You changed the name of the tenant.

– The tenant supports AD authentication.

– HCP cannot communicate with AD.

In response to the confirming message, click on the Update Settings button.

Accessing the Tenant Management Console for a tenant

If a tenant is configured to allow system-level users to manage it, you can open the Tenant Management Console for that tenant directly from the HCP System Management Console. You can use this method to access the Tenant Management Console for an HCP tenant only if at least one of your client IP addresses is allowed access to the Tenant Management Console for that tenant.

When you access the Tenant Management Console in this way, HCP communicates with the client over the [hcp_system] network and does not use the management network selected for the tenant.

Roles: To access the Tenant Management Console directly from the System Management Console, you need the monitor or administrator role.

To open the Tenant Management Console for a tenant:

1. In the top-level menu in the System Management Console, click on Tenants.

2. Take one of these actions:

– In the list of tenants, click on the access control for the tenant that you want to access.

– In the list of tenants, click on the name of the tenant that you want to access. Then click on the tenant URL in the tenant Overview panel.

The browser window switches to the tenant Overview page in the Tenant Management Console.


To return to the System Management Console from the Tenant Management Console, click on the return control in the top right corner of the Tenant Management Console window.

Note: After opening a Tenant Management Console from the System Management Console, do not use the browser back button to return to the System Management Console. Doing so can have unpredictable results.

For more information on administrative access to tenants, see “Tenant-level administration” on page 55. For information on using the Tenant Management Console, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Resetting HCP tenant security

HCP ensures that each HCP tenant always has at least one:

• Locally authenticated HCP user account with the security role

• Group account with the security role

For a given tenant, it is highly improbable that all locally authenticated users with the security role will forget their passwords at the same time. However, should this happen, if the tenant does not have a group account with the security role, the tenant would have no administrators who could manage user and group accounts.

To resolve this issue, you can use the System Management Console to restore access to the tenant for locally authenticated users with the security role. You can do this in one of two ways:

• Reset the passwords for all locally authenticated user accounts with the security role. When you do this, you specify a single password for all affected accounts.

• Grant the security role to a new or existing group account. A new group account will have only the security role and no data access permissions. An existing group account will have the security role plus whatever roles and data access permissions it currently has.


You can grant the security role to a group account only if the tenant is configured to support AD authentication, HCP is configured to support AD, and HCP is able to communicate with AD. For more information, see “Configuring Active Directory or Windows workgroup support” on page 418.

Roles: To reset security for an HCP tenant, you need the administrator role.

To reset security for an HCP tenant:

1. In the top-level menu in the System Management Console, click on Tenants.

2. In the list of tenants, click on the name of the tenant for which you want to reset security.

3. In the row of tabs below the tenant name, click on Settings.

4. In the Settings panel, click on the Reset Security button.

5. In the Reset Security window, select Local to reset the passwords of all locally authenticated HCP user accounts with the security role, or select Active Directory to grant the security role to a new or existing group account. Then:

– If you selected Local:

• In the Password field, type a new password for the locally authenticated user accounts with the security role. Passwords can be up to 64 characters long, are case sensitive, and can contain any valid UTF-8 characters, including white space. The minimum length for a password is the tenant-specific minimum password length.

To be valid, a password must include at least one character from two of these three groups: alphabetic, numeric, and other.

• In the Confirm Password field, type the password again.

– If you selected Active Directory, in the Group field, enter the name of the AD group account that corresponds to the new HCP group account that you want to create or the existing HCP group to which you want to grant the security role.

6. Click on the Reset Security button.
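The authentication-method and credential rules appear twice on this page: in the Authentication Methods and Initial Security Account steps of Create Tenant, and in the Reset Security procedure above. The following Python is an added example, not HCP code, that checks both; the method identifiers and function names are hypothetical, and the Unicode-category reading of "alphabetic, numeric, and other" and the counting of length in characters are assumptions.

```python
import unicodedata

AUTH_METHODS = frozenset({"local", "radius", "ad"})   # hypothetical identifiers
MAX_PASSWORD_LENGTH = 64
INITIAL_ACCOUNT_MIN_LENGTH = 6    # minimum stated for the initial user account


def auth_method_errors(methods, initial_account_type):
    """methods: set drawn from AUTH_METHODS; initial_account_type: 'local' or 'ad'."""
    methods = set(methods)
    errors = []
    if not methods or methods - AUTH_METHODS:
        errors.append("select one or more of: local, radius, ad")
    # A tenant that supports RADIUS must also support local, AD, or both.
    if "radius" in methods and not methods & {"local", "ad"}:
        errors.append("RADIUS requires local authentication, AD authentication, or both")
    if initial_account_type not in ("local", "ad"):
        errors.append("initial security account must be local or ad")
    elif initial_account_type not in methods:
        errors.append(f"initial security account type {initial_account_type!r} "
                      "is not an allowed authentication method")
    return errors


def username_errors(username):
    """Usernames: 1-64 characters, any UTF-8, must not start with '['."""
    errors = []
    if not 1 <= len(username) <= 64:
        errors.append("length must be 1 through 64 characters")
    if username.startswith("["):
        errors.append("cannot start with an opening square bracket")
    return errors


def character_groups(password):
    """Return which of the three groups (alphabetic, numeric, other) appear.

    Assumption: Unicode general categories L* count as alphabetic and N* as
    numeric; the page does not say how HCP classifies non-ASCII characters.
    """
    groups = set()
    for ch in password:
        category = unicodedata.category(ch)
        if category.startswith("L"):
            groups.add("alphabetic")
        elif category.startswith("N"):
            groups.add("numeric")
        else:
            groups.add("other")           # white space and punctuation land here
    return groups


def password_errors(password, min_length=INITIAL_ACCOUNT_MIN_LENGTH):
    """min_length is 6 for the initial account; for Reset Security pass the
    tenant-specific minimum password length."""
    errors = []
    # Assumption: length is counted in characters (code points), not bytes.
    if len(password) < min_length:
        errors.append(f"shorter than the minimum of {min_length} characters")
    if len(password) > MAX_PASSWORD_LENGTH:
        errors.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if len(character_groups(password)) < 2:
        errors.append("needs characters from two of: alphabetic, numeric, other")
    return errors


def credential_errors(username, password, confirmation,
                      min_length=INITIAL_ACCOUNT_MIN_LENGTH):
    """Combine the Username, Password and Confirm Password checks."""
    errors = username_errors(username) + password_errors(password, min_length)
    if password != confirmation:          # passwords are case sensitive
        errors.append("password and confirmation do not match")
    return errors
```
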


Deleting a tenant

You can delete an HCP tenant only if it doesn’t currently own any namespaces. You cannot delete the default tenant.

Roles: To delete a tenant, you need the administrator role.

To delete a tenant:

1. In the top-level menu in the System Management Console, click on Tenants.

2. In the list of tenants, click on the delete control for the tenant that you want to delete.

3. In response to the confirming message, click on the Delete button.

Changing the product branding

By default, the graphical user interfaces that HCP provides for tenant and namespace access are branded for the company Hitachi and the product Hitachi Content Platform. The elements that show this are:

• In the Tenant Management Console and Namespace Browser:

– The company logo that appears in the top right corner of each page except the login page

– The product name that appears:

• In the title bar of the browser window for all pages

• In the top portion of the login page

• Above the top-level menu on every page except the login page

– The product name abbreviation that appears before the product name in the title bar of the browser window for the login page

The figure below highlights the branding elements that appear on each page of the Tenant Management Console except the login page.


• In the HCP Search Console:

– The company logo that appears in the top right corner of every page except the login page

– The product name that appears:

• In the title bar of the browser window for the login page

• In the top portion of the login page

You can change these elements to show your own company logo and product name. You can also reset them to show the Hitachi and HCP branding.

For the company logo, HCP supports BMP, GIF, JPEG, JPG, and PNG images that are no larger than two MB. For best results, the logo should be 77 pixels wide by 19 pixels high and should have a transparent background.

Logos with other dimensions are resized to fit in the available space.

The logo for the Tenant Management Console and Namespace Browser appears on a white background, so text on a transparent background should use a dark color. The logo for the Search Console appears on a medium grey background, so text on a transparent background should use either a very light color or a very dark color.

To view and change the branding settings for an HCP system, you use the Branding Settings page in the HCP System Management Console. To display this page:

1. In the top-level menu, mouse over Configuration to display a secondary menu.

2. In the secondary menu, click on Branding.

Roles: To view branding settings, you need the monitor or administrator role. To change branding settings, you need the administrator role.


Changing the product name and abbreviation

To change the product name and product name abbreviation, on the Branding Settings page:

1. In the Product Settings section:

– Optionally, in the Product Name field, type a new product name.

Product names must be at least one character long and can contain any valid UTF-8 characters. White space is allowed.

Product name length is limited by the width of the area in which the name is displayed on the login pages. This width is 440 pixels.

– Optionally, in the Product Abbreviation field, type a new product name abbreviation. Product name abbreviations must be from one to ten characters long and can contain any valid UTF-8 characters. White space is allowed.

2. Click on the Update Settings button.

Changing the company logo

To change the company logo for the Tenant Management Console and Namespace Browser or for the HCP Search Console, on the Branding Settings page:

1. In the Company Logo section, click on the appropriate Browse button.

Use the button on the left side to select a new logo for the Tenant Management Console and Namespace Browser. Use the button on the right side to select a new logo for the HCP Search Console. Then select the image file that contains the logo that you want to use.

The logo appears in the sample display.

2. Click on the Apply Logo button.

Resetting the branding

To restore the Hitachi and Hitachi Content Platform branding, on the Branding Settings page:

1. Click on the Reset Brand Settings button.

A confirming message appears.

2. In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then, click on the Reset Brand Settings button.


Protocol and cloud optimization

Protocol optimization improves the ingest performance of namespaces using HCP-supported access protocols. You can either optimize namespaces for balanced performance across both cloud protocols and non-cloud protocols or optimize namespaces to use only cloud protocols, which are further optimized for improved ingest performance.

In order to benefit most from optimizing, it is recommended to increase system memory. Results are most apparent on a system with high object and directory counts. If you want to upgrade system memory, please contact your HCP sales representative.

Cloud only optimization improves the ingest rate of namespaces using cloud-based access protocols. This setting can be enabled by a system administrator for all existing and newly created namespaces on your system or by a tenant administrator for individual namespaces. While a namespace is optimized for cloud it can only use these protocols:

• REST API

• HS3

• HSwift

On a system level, the default configuration setting is optimize for all access protocols. In this mode, the namespaces can use all available access protocols. This setting is required if you intend to use any of the following non-cloud protocols:

• CIFS

• NFS

• WebDAV

• SMTP

Namespaces that contain objects ingested through non-cloud access protocols are not eligible for cloud protocol optimization.

Note: Protocol optimization changes cannot be made during an HCP system upgrade.


Setting the default protocol optimization option for new namespaces

Through the System Management Console, the system administrator can set the default protocol optimization setting for newly created namespaces to optimized for cloud protocols only. Once enabled, all newly created namespaces, across the system, are created with cloud optimization already enabled.

To enable the Default new namespaces to optimize for cloud protocols only setting:

1. In the System Management Console, mouse over the top-level Configuration section and, in the drop-down menu, click on the Protocol Optimization button.

2. On the Protocol Optimization page, select Default new namespaces to optimize for cloud protocols only.

3. Click on the Update Settings button.

Tenants can disable the cloud protocol setting for individual namespaces as long as the namespace is empty. For more information on overriding the cloud protocol optimization setting on individual namespaces, see Managing a Tenant and Its Namespaces.

Configuring protocol optimization settings for new namespaces

All existing namespaces that only use cloud access protocols (REST API, HS3, and HSwift) and namespaces that have not ingested objects can be optimized for cloud access protocols.

The system administrator can optimize all eligible namespaces for cloud protocols through the System Management Console. To optimize existing eligible namespaces:

1. In the System Management Console, mouse over the top-level Configuration section and, in the drop-down menu, click on Protocol Optimization.

2. On the Protocol Optimization page, click on the Optimize for Cloud Only button.

3. In the Confirm: Optimize Existing Namespaces for Cloud Protocols Only window that appears, type YES in the text box.


4. Click on the Optimize Namespaces button.

Note: Once you enable optimize existing namespaces for cloud, the operation cannot be undone on namespaces that have ingested objects.

All eligible namespaces become optimized for cloud and they can no longer ingest objects through CIFS, NFS, WebDAV, and SMTP.


9

Search administration

HCP supports two search facilities: the metadata query engine and the HDDS search facility. The metadata query engine is always available in the HCP system. The HDDS search facility requires an installation of Hitachi Data Discovery Suite and must be configured in HCP.

Each search facility has its own configuration settings. You can select either of the two supported facilities for use with the HCP Search Console.

This chapter describes the two search facilities and explains how to configure them. It also contains instructions for selecting a search facility for use with the Search Console.

For an introduction to searching in HCP, see “HCP Search Console” on page 9.


Configuring search

The Search page in the HCP System Management Console lets you configure the supported search facilities and select a search facility for use with the HCP Search Console. It also shows the current status of each facility.

To display the Search page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Search.

Roles: To view the Search page, you need the monitor or administrator role. To configure search, you need the administrator role.

Metadata query engine

The metadata query engine is one of the search facilities supported by HCP. In addition to supporting the HCP Search Console, the metadata query engine supports the metadata query API. For information on the metadata query API, see “HCP metadata query API” on page 8.

About the metadata query engine

The metadata query engine uses an index to find results for object-based queries issued through the metadata query API and for searches performed in the HCP Search Console. You can configure metadata query engine indexing and control the use of the metadata query API.

Metadata query engine index

The metadata query engine index resides on the HCP storage nodes. The engine builds and maintains this index by reading objects in the search-enabled namespaces that also have indexing enabled. The engine indexes system metadata, custom metadata (optional), and ACLs. In HCP namespaces that support versioning, it indexes only the most recent version of each object.

The System Management Console shows how up to date the metadata query engine index is by displaying the date and time before which eligible objects are guaranteed to be indexed.


Index protection level

HCP can store one or two copies of the metadata query engine index. The number of copies stored is called the index protection level.

Storing one copy of the index uses less storage than storing two copies. However, storing two copies helps ensure the availability of the index in the case of node unavailability. In particular, with an index protection level of one, if one or more nodes in a RAIN or VM system are unavailable, the index is unavailable.

In SAIN systems with an index protection level of one, because of zero-copy failover, single-node unavailability does not cause the index to be unavailable. However, if multiple nodes are unavailable, the index may be unavailable. This depends on which nodes are involved. For information on zero-copy failover, see Appendix C, “Zero-copy failover behavior,” on page 575.

While the metadata query engine index is unavailable:

• The metadata query engine does not update the index

• The metadata query API does not support object-based queries

• If the metadata query engine is selected for the Search Console, searches in the Console return an error

Enabling and disabling indexing

You can enable and disable metadata query engine indexing. While indexing is enabled, the engine continuously processes objects in order based on the time of their last metadata changes. For new objects, this is the time they were added to the repository.

If indexing is disabled after being enabled, the metadata query engine stops all indexing activity. However, it does not delete the existing index, and that index remains available. When indexing is reenabled after being disabled, the engine updates the index with all the object additions and metadata changes that occurred while indexing was disabled.

Note: When the HCP system is installed or is upgraded from an earlier release, metadata query engine indexing is disabled by default.


Custom metadata indexing

You can choose whether to allow the metadata query engine to index custom metadata. If you allow this, tenant administrators can choose whether to index custom metadata in each of their namespaces. If you disallow custom metadata indexing, custom metadata cannot be indexed in any namespaces.

By default, when custom metadata indexing is enabled for a namespace, the metadata query engine indexes the content properties for that namespace and not the full text of custom metadata. If the namespace doesn’t have any associated content properties, no custom metadata is indexed.

Tenant administrators can choose to have the metadata query engine index the full text of custom metadata. If they enable this option, the metadata query engine indexes both content properties, if any exist, and the full text of custom metadata.

Custom metadata can take up a significant amount of the space in the metadata query engine index. Disallowing custom metadata indexing can save space but also means that searches based on custom metadata do not find any objects.

If you disable custom metadata indexing after it has been enabled, the custom metadata that has already been indexed is not removed from the index.

For information on content properties, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Index size

HCP stores the metadata query engine index on predetermined logical volumes on storage nodes. Depending on the type of system (RAIN, SAIN, or VM) and on the volume configuration, the index shares or does not share the space on these volumes with object data:

• In a RAIN or VM system, one logical volume on each node is index enabled and can store both the index and object data (that is, it’s a shared volume).

• In a SAIN system, logical volumes with numbers in the range 64 through 95 store only the index. In addition, one other volume on each node is a shared volume.


In the System Management Console, you specify the maximum amount of space the index can occupy on shared volumes as a percent of the total space on those volumes. You can increase or decrease this percent at any time. However, you cannot decrease it to lower than the percent of space already used for the index on those volumes.

HCP does not reserve the amount of space you specify as the maximum for the index on shared volumes. As a result, as additional data is stored, the space available for the index on those volumes may actually be less than the maximum amount of space allowed.

HCP notifies you when the size of the index reaches 50 percent of the combination of the space on the index-only volumes with either the maximum amount of space allowed for the index on the shared volumes or the actual space available on the shared volumes, whichever is less. At this point, HCP can no longer optimize the space used by the index. As a result, the index grows faster, and responses to metadata query engine API requests become slower, as do responses to searches in the Search Console when that Console is using the metadata query engine.

When the size of the index reaches 100 percent of the same combination, indexing is disabled. To start indexing again, you need to increase the maximum index size and then reenable indexing. If sufficient space is not available to increase the maximum size, you need to add index-enabled storage to the HCP system so that the index can continue to grow.

The System Management Console can show this information about storage usage on the index-enabled logical volumes:

• The total amount of storage space allowed for the index across all shared volumes in the system. This includes both used and unused space.

• The total amount of storage space on all index-only volumes in the system. This includes both used and unused space.

• The amount of space currently occupied by the index on all index-enabled volumes (that is, both index-only volumes and shared volumes).

• The total amount of space currently occupied by other data on all shared volumes.

• The total amount of space currently available for storing more of the index across all index-only and shared volumes in the system.
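The threshold arithmetic described in this section, worked through as an added example (this is not HCP code). The field names, the GB figures, and the reading of "actual space available on the shared volumes" as total shared space minus the space occupied by other data are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class IndexVolumes:
    """Constructed storage figures, in GB, named after what the Console reports."""
    index_only_total: int    # total space on index-only volumes (0 on RAIN/VM)
    shared_total: int        # total space on shared volumes
    shared_other_data: int   # space occupied by other data on shared volumes
    index_size: int          # index size across all index-enabled volumes
    index_on_shared: int     # portion of index_size stored on shared volumes
    max_shared_percent: int  # Maximum Allowed Size on Shared Volumes (1-100)


def index_capacity(v):
    """Index-only space plus the lesser of the configured maximum on shared
    volumes and the space actually left for the index on those volumes."""
    allowed = v.shared_total * v.max_shared_percent / 100
    # Assumption: HCP reserves nothing, so whatever other data does not
    # occupy is the space the index could actually use on shared volumes.
    actually_available = v.shared_total - v.shared_other_data
    return v.index_only_total + min(allowed, actually_available)


def index_state(v):
    """Classify the index against the 50 and 100 percent thresholds."""
    capacity = index_capacity(v)
    if v.index_size >= capacity:
        return "indexing disabled"   # 100 percent: indexing stops
    if 2 * v.index_size >= capacity:
        return "notification"        # 50 percent: index can no longer be optimized
    return "ok"


def other_data_headroom(v):
    """GB of additional object data the shared volumes can take before the
    50 percent notification fires, assuming the index itself does not grow.
    Returns None when the index-only volumes alone keep the index under 50 percent."""
    needed_on_shared = 2 * v.index_size - v.index_only_total
    if needed_on_shared <= 0:
        return None
    if index_state(v) != "ok":
        return 0
    return (v.shared_total - needed_on_shared) - v.shared_other_data


def check_new_maximum(v, new_percent):
    """Return the reasons a proposed maximum would be rejected (empty if none)."""
    if isinstance(new_percent, bool) or not isinstance(new_percent, int):
        return ["value must be an integer"]
    if not 1 <= new_percent <= 100:
        return ["value must be in the range 1 through 100"]
    # Integer comparison avoids rounding: new_percent/100 >= index_on_shared/shared_total
    if new_percent * v.shared_total < 100 * v.index_on_shared:
        return ["below the percent of shared space already used for the index"]
    return []


if __name__ == "__main__":
    # Constructed RAIN-style system: shared volumes only, maximum set to 20 percent.
    rain = IndexVolumes(0, 10000, 5000, 900, 900, 20)
    print(index_capacity(rain), index_state(rain), other_data_headroom(rain))
    # Same index, same setting, more object data: the effective capacity shrinks.
    fuller = IndexVolumes(0, 10000, 8200, 900, 900, 20)
    print(index_capacity(fuller), index_state(fuller))
    print(check_new_maximum(rain, 8))
```

The second case shows why the configured maximum alone is not a safe planning figure: with the setting unchanged at 20 percent, growth in object data moves the same index from "ok" to "notification".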


Objects that cannot be indexed

HCP reports objects that the metadata query engine cannot index in the applicable tenant-level log. The short description of the logged event is “Object indexing failed.” For more information on the tenant-level log, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Metadata query engine management

From the HCP System Management Console, you can:

• Enable or disable the ability to use the metadata query API. Disabling the use of the metadata query API has no effect on the use of the metadata query engine with the Search Console.

• Enable or disable the indexing of new objects and metadata changes across all namespaces.

• Enable or disable indexing of custom metadata.

• Change the maximum size of the metadata query engine index.

• Change the index protection level. To change the index protection level, you first need to disable indexing.

• Display information about storage usage on index-enabled logical volumes.

• Delete the metadata query engine index. You might delete the index, for example, to save space in a system in which no namespaces have clients using the metadata query API or Search Console.

To delete the index, you first need to disable indexing and then wait for indexing to completely stop.

For information on performing these tasks, see “Configuring the metadata query engine” below and “Deleting the metadata query engine index” on page 318.


Configuring the metadata query engine

To configure the metadata query engine:

1. On the left side of the Search Facility Settings section on the Search page, click on MQE.

2. In the MQE panel:

– To enable or disable use of the metadata query API, select or deselect, respectively, the Enable metadata query API option.

– To enable or disable metadata query engine indexing, select or deselect, respectively, the Enable indexing option.

– To enable or disable indexing of custom metadata, select or deselect, respectively, the Enable indexing of custom metadata option. You can enable this option only while metadata query engine indexing is enabled.

– To change the maximum amount of space allowed for the metadata query engine index on shared volumes, in the Maximum Allowed Size on Shared Volumes field, type the maximum percent of shared storage that can be used for the index. Valid values are integers in the range one through 100.

Tip: Before changing the maximum index size, click on the Index storage details link to view information about storage usage on the index-enabled logical volumes.

– To change the number of copies of the metadata query engine index, in the Index Protection Level field, select 1 or 2. You can change the index protection level only while indexing is disabled.

3. Click on the Update MQE Settings button.

If you changed the index protection level, a confirming message appears. In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then click on the Update Settings button.


Deleting the metadata query engine index

You can delete the metadata query engine index at any time while indexing is disabled and completely stopped. To rebuild the index after deleting it, you need to reenable indexing.

Tip: To check the status of indexing, refresh the Search page.

To delete the metadata query engine index:

1. On the left side of the Search Facility Settings section on the Search page, click on MQE.

2. In the MQE panel, click on the Delete Index button.

A confirming message appears.

3. In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then click on the Delete Index button.

HDDS search facility

The HDDS search facility is one of the search facilities supported by HCP. This facility works with Hitachi Data Discovery Suite to provide the search functionality available in the HCP Search Console.

HDDS is a separate product from HCP. It runs on its own servers and has its own installation and configuration procedures.

Note: Currently, HDDS does not support the use of IPv6 networks for communication with HCP.

About the HDDS search facility

The HDDS search facility uses an index to find results for searches performed in the HCP Search Console. This index is based on object data and system metadata. For the Search Console to work with the HDDS search facility, however, you first need to perform some configuration in both HDDS and HCP.


HDDS search facility index

The HDDS search facility index resides in HDDS. HDDS builds and maintains this index by reading the objects in the namespaces you make known to it.

For HDDS to index objects in a namespace, all of these must be true:

• The HTTP or HTTPS protocol must be enabled for the namespace.

• The effective permission mask for the namespace must include the read and search permissions.

• The HCP management API must be enabled both at the system level and for the tenant that owns the namespace.

• HCP must be defined as a subdomain in your DNS.

HDDS search facility configuration information

You use the HDDS administrative interface to specify the information HDDS needs in order to index and search HCP namespaces. You use the HCP System Management Console to specify the information HCP needs in order to use the HDDS search facility with the HCP Search Console.

For information on using the HDDS administrative interface, see the applicable HDDS documentation.

Note: Depending on security requirements, the person specifying the HCP information in the HDDS administrative interface may be someone other than you. For example, your site may have an HDDS system administrator who is responsible for this, or you may choose to make the HDDS administrative interface available to HCP tenant-level administrators.

Namespace mappings

To make a namespace known to HDDS, you use the HDDS administrative interface to map the namespace to an HDDS server. To do this, you need to know:

• The name of the domain associated with the data access network for the tenant that owns the namespace. To enable HDDS to communicate with HCP over this network, it must have IPv4 addresses assigned to it.

For more information on networks, see “About virtual networking with HCP” on page 224.


• The namespace name.

• The name of the tenant that owns the namespace.

• For an HCP namespace, either of these:

– The name and password of a tenant-level HCP user account with the monitor or administrator role

– The name and password of a recognized Active Directory user for which an applicable system-level HCP group account has the monitor or administrator role

• For the default namespace, either of these:

– The name and password of a system-level HCP user account with the monitor or administrator role

– The name and password of a recognized AD user account for which an applicable system-level HCP group account has the monitor or administrator role

• For an HCP namespace, either of these:

– The name and password of a tenant-level HCP user account whose data access permissions for the namespace include read and search

– The name and password of a recognized AD user account for which an applicable tenant-level HCP group account has the read and search data access permissions for the target namespaces

• The protocol that HDDS needs to use to access the namespace (HTTP or HTTPS).

Note: If the password for either account changes, you need to update the namespace mapping in HDDS.

User account mappings

To use the Search Console:

• To search HCP namespaces, a user needs either of these:

– A tenant-level HCP user account whose data access permissions for the target namespaces include read and search


– A recognized AD user account for which an applicable tenant-level HCP group account has the read and search data access permissions for the target namespaces

• To search the default namespace or to use a system-level user account to access and search HCP namespaces, a user needs either of these:

– A system-level HCP user account with the search role

– A recognized AD user account for which an applicable system-level HCP group account has the search role

In all of these cases, the HCP or AD user account must be mapped to an HDDS user account.

You use the HDDS administrative interface to map HCP and AD user accounts to HDDS user accounts. To do this, you need to know the username and password of each HCP and AD account you want to map.

You can map one or more HCP and AD accounts to any given HDDS account. For the simplest configuration, map all the HCP and AD accounts to a single HDDS account. For the greatest security, map each HCP and AD account to a different HDDS account.

Notes:

• If the password for an HCP or AD user account changes, you need to update the account mapping in HDDS.

• When creating an account mapping, you need to specify the URL for the applicable tenant. For the default tenant, the tenant name in the URL must begin with an uppercase D.

HDDS server

To make the HDDS search facility available to HCP, you need to tell HCP about the applicable HDDS server. You do this in the HCP System Management Console.

Statistics account

HCP can report counts of indexed objects in the System and Tenant Management Consoles. To enable HCP to report HDDS search indexing statistics, you need to specify an HDDS user account name and password in the HDDS search facility configuration in HCP. The account that you identify must be in the Administrator group in HDDS.


Configuring the HDDS search facility

To configure the HDDS search facility:

1. On the left side of the Search Facility Settings section on the Search page, click on HDDS.

2. In the HDDS panel:

– In the HDDS Server IP Address field, type the hostname or IP address of the HDDS server.

– In the Port field, type 8443.

– To enable the display of indexing statistics:

a. Select the Show statistics option.

The Username and Password fields appear.

b. In the Username field, type the username for an HDDS user account in the Administrator group.

c. In the Password field, type the password for the HDDS user account.

If you’re modifying the HDDS search facility settings and you leave the Password field empty, the previously set password remains in effect.

d. Optionally, click on the Test button to verify that you have correctly specified the HDDS server specification, port number, and user account information.

Tip: You can return to the Search page to test the HDDS configuration at any time. If the Show statistics option is not selected, you need to temporarily select it and provide a valid username and password for the test to work.

To disable the display of indexing statistics, deselect the Show statistics option.

3. Click on the Update HDDS Settings button.


Search facility status

The Search page in the HCP System Management Console displays the current availability of each search facility and displays the current indexing status of the metadata query engine. To refresh this information without reloading the page, click on the Refresh Now link below the Indexing Status column in the data table.

Search facility availability

The table below describes the possible values for search facility availability.

| Search facility | Value | Description |
|---|---|---|
| Metadata query engine | Available | The metadata query engine is running on all HCP storage nodes. |
| Metadata query engine | Partial | The metadata query engine is running on at least one but not all HCP storage nodes. This is most likely because one or more storage nodes are unavailable. If this value persists while all storage nodes are available, contact your authorized HCP service provider for help. |
| Metadata query engine | Unavailable | The metadata query engine is not running on any storage nodes. If this value persists while at least one storage node is available, contact your authorized HCP service provider for help. |
| HDDS search facility | Available | The server specified in the HDDS search facility is an HDDS server and is available. |
| HDDS search facility | Unavailable | The server specified in the HDDS search facility configuration is unavailable or is not an HDDS server. |
| HDDS search facility | Not configured | The HDDS search facility configuration does not specify a server. |
| HDDS search facility | Authentication failure | The HDDS search configuration specifies a username and password for statistics, but the combination of username and password is not valid for any HDDS user account. |


Metadata query engine indexing status

The table below describes the possible values for the indexing status of the metadata query engine.

| Value | Description |
|---|---|
| Enabled, starting | Indexing is enabled and in the process of starting. |
| Enabled, running | Indexing is enabled and running. |
| Enabled, optimizing | Indexing is enabled but is temporarily not running because the metadata query engine is in the process of optimizing the index. When the optimization is complete, indexing automatically resumes. |
| Enabled, balancing | Indexing is enabled but is temporarily not running while HCP redistributes the index across the available storage. When the redistribution is complete, indexing automatically resumes. |
| Enabled, upgrading | Indexing is enabled but is temporarily not running while the HCP system is being upgraded. When the upgrade is complete, indexing automatically resumes. |
| Enabled, paused | Indexing is enabled but is currently paused. This status can appear, for example, when the metadata query engine experiences a temporary error. When the situation is resolved, indexing automatically resumes. |
| Enabled, stopped | Indexing is enabled but not running. This status can appear, for example, when the index has reached its maximum allowed size. When the situation is resolved, indexing automatically resumes. |
| Enabled, out of space | Indexing is enabled but not running because insufficient space is available on the index-enabled logical volumes. When more space becomes available, indexing automatically resumes. |
| Enabled, out of memory | Indexing is enabled but not running because insufficient memory is available for the metadata query engine to continue the indexing process. When more memory is added to the system (typically, by adding storage nodes), indexing automatically resumes. |
| Enabled, missing index segments | Indexing is enabled but not running because at least one part of the index is unavailable. This status can appear, for example, while an index-enabled logical volume is unavailable. When the situation is resolved, indexing automatically resumes. |
| Disabled, stopping | Indexing is disabled and in the process of stopping. |
| Disabled, stopped | Indexing is disabled and has completely stopped. |

If indexing has stopped unexpectedly and does not automatically restart, contact your authorized HCP service provider for help.


Enabling or disabling the Search Console

To enable the HCP Search Console, you select a search facility to be used with it. If you do not select a search facility, users cannot access the Search Console at all.

Tenant administrators need to know which search facility, if any, is enabled at any given time. This is because the choice of search facility:

• Determines which index, if any, is used as the source of indexing statistics in the System and Tenant Management Consoles

• Affects namespace indexing options in the Tenant Management Console

• Determines whether Search Console users need an HDDS user account in order to perform searches

Tip: If the Search Console is currently enabled, before disabling it, you should notify your tenant contacts. You should notify them again when access to the Console is restored.

To enable or disable the Search Console, in the Search Console section on the Search page in the HCP System Management Console:

1. Take one of these actions:

– To enable the Search Console, select either Metadata Query Engine or Hitachi Data Discovery Suite (for the HDDS search facility).

– To disable the Search Console, select Disable Search Console.

2. Click on the Update Console Settings button.


10

HCP policies

An HCP policy is one or more settings that influence how transactions and services work on objects in namespaces. Policies ensure that objects behave in expected ways.

HCP supports these policies:

• Retention

• Shredding

• Indexing

• Versioning

• Custom metadata XML checking

This chapter describes each policy.


Retention policy

The retention policy determines how long an object must remain in the repository. Each object has its own retention policy settings. These settings are part of the object metadata.

The retention policy consists of two settings:

• A retention setting, which is one of these:

– A specific date and time before which the object cannot be deleted.

– Deletion Allowed, which means that the object can be deleted at any time.

– Deletion Prohibited, which means that the object can never be deleted.

– Initial Unspecified, which means that the object has not yet been assigned one of the other possible retention settings. Objects with a setting of Initial Unspecified cannot be deleted.

– A retention class, which prevents an object from being deleted before a certain amount of time past its creation date. The specific amount of time is part of the retention class definition.

• A hold setting. An object is either on hold or not. An object that is on hold cannot be deleted through any mechanism under any circumstances. Objects can be placed on hold or released from hold at any time.

Users and applications can see and modify retention policy settings. For information on these activities, see Using a Namespace or Using the Default Namespace.

Note: If the namespace is in enterprise mode, the privileged delete function can be used to delete objects regardless of their retention setting, except when the objects are on hold.
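The precedence among the hold setting, privileged delete, and the retention setting can be modeled as a single decision function. This is an added example, not HCP code: the names `StoredObject`, `RetentionClass`, and `may_delete` are hypothetical, and the behavior of a privileged request outside enterprise mode is an assumption, since the text describes privileged delete only for enterprise mode.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Tuple, Union


class Retention(Enum):
    """The three named retention settings listed above."""
    DELETION_ALLOWED = "Deletion Allowed"
    DELETION_PROHIBITED = "Deletion Prohibited"
    INITIAL_UNSPECIFIED = "Initial Unspecified"


@dataclass(frozen=True)
class RetentionClass:
    """Hypothetical stand-in for a retention class definition."""
    name: str
    period: timedelta  # amount of time past the object's creation date


@dataclass
class StoredObject:
    """Hypothetical record holding only the metadata this check needs."""
    created: datetime
    retention: Union[Retention, datetime, RetentionClass]
    on_hold: bool = False


def may_delete(obj: StoredObject, now: datetime, privileged: bool = False,
               enterprise_mode: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for a delete request made at `now`."""
    # A hold wins over everything, including privileged delete.
    if obj.on_hold:
        return False, "object is on hold"
    # Assumption: a privileged request outside enterprise mode is treated
    # like an ordinary delete and falls through to the retention rules.
    if privileged and enterprise_mode:
        return True, "privileged delete in enterprise mode"
    r = obj.retention
    if r is Retention.DELETION_ALLOWED:
        return True, "Deletion Allowed"
    if r is Retention.DELETION_PROHIBITED:
        return False, "Deletion Prohibited"
    if r is Retention.INITIAL_UNSPECIFIED:
        return False, "Initial Unspecified"
    if isinstance(r, RetentionClass):
        # A retention class counts from the creation date.
        expires = obj.created + r.period
        label = f"retention class {r.name}"
    else:
        # A specific date and time before which deletion is refused.
        expires = r
        label = "retention date"
    if now >= expires:
        return True, f"{label} has passed"
    return False, f"{label} not yet reached"


if __name__ == "__main__":
    # Constructed sample objects, not taken from a real namespace.
    created = datetime(2015, 1, 1, tzinfo=timezone.utc)
    now = datetime(2015, 6, 1, tzinfo=timezone.utc)
    cls = RetentionClass("Example7y", timedelta(days=7 * 365))
    samples = [
        ("class, ordinary delete", StoredObject(created, cls), False),
        ("class, privileged delete", StoredObject(created, cls), True),
        ("class, privileged, on hold", StoredObject(created, cls, on_hold=True), True),
        ("unspecified, ordinary delete",
         StoredObject(created, Retention.INITIAL_UNSPECIFIED), False),
    ]
    for title, obj, priv in samples:
        print(title, "->", may_delete(obj, now, privileged=priv, enterprise_mode=True))
```
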

Shredding policy

The shredding policy determines whether objects are shredded by the shredding service when they’re deleted. Each object has its own shredding policy setting that indicates whether or not the object should be shredded. This setting is part of the object metadata.

Users and applications can see and modify shredding policy settings. For information on these activities, see Using a Namespace or Using the Default Namespace.

For information on the shredding service, see “Shredding service” on page 350.

Indexing policy

The indexing policy determines how the metadata query engine indexes objects. Each object has its own indexing policy setting that indicates whether the metadata query engine should index custom metadata for that object. This setting is part of the object metadata.

Note: For any given object, if custom metadata indexing is disabled for the HCP system or for the namespace that contains the object, the metadata query engine does not index custom metadata for that object, regardless of its indexing policy setting. For more information on custom metadata indexing for the metadata query engine, see “Custom metadata indexing” on page 314.

Every object has an individual indexing policy setting defined as part of its system metadata. HCP ignores this setting for an object when custom metadata indexing is disabled for its namespace. However, metadata query API requests can always use the individual indexing policy setting as a namespace search criterion. Additionally, third-party applications can use this setting for their own purposes.

Users and applications can see and modify indexing policy settings. For information on these activities, see Using a Namespace or Using the Default Namespace.

For information on metadata query engine indexing, see “Metadata query engine index” on page 312.

Versioning policy

The versioning policy determines whether HCP can create multiple versions of objects. The policy is set at the namespace level and applies only to HCP namespaces.

The versioning policy consists of two settings:

• A versioning setting, which is either on or off. When versioning is on, an attempt to store an object that already exists in the target namespace results in the creation of a new version of the object. When versioning is off, an attempt to store such an object results in an error.

• A pruning setting. This setting is the amount of time HCP should wait after a version is created before automatically deleting it. HCP automatically deletes only old versions of objects. It never automatically deletes the most recent version.

If the effective permission mask for the namespace prohibits deletions, HCP does not automatically prune object versions. For an explanation of effective permission mask, see “Setting the systemwide permission mask” on page 431.

Custom metadata XML checking policy

The custom metadata XML checking policy determines whether HCP allows custom metadata to be added to a namespace if it is not well-formed XML. This policy is set at the namespace level.

The XML checking policy can have a setting of enabled or disabled:

Enabled — When custom metadata is added to or replaced in a namespace, HCP checks whether it’s well-formed XML. If the XML is not well-formed, HCP rejects it.

Disabled — HCP accepts any data submitted as custom metadata.

XML checking applies only when custom metadata is added to or replaced in a namespace. It does not apply to custom metadata already in the namespace.

Chapter 11: HCP services

HCP services are responsible for optimizing the use of system resources and maintaining the integrity and availability of the stored data. Each of the twelve services — protection, content verification, scavenging, shredding, compression, duplicate elimination, disposition, garbage collection, capacity balancing, storage tiering, migration, and replication — performs a specific function that contributes to the overall health and viability of the system.

Services generally run without user intervention either according to a schedule or in response to certain events.

In the HCP System Management Console, you can set the service schedule and control certain aspects of some services. You can also monitor the progress of the shredding, duplicate elimination, and replication services and review the use of primary spindown storage and extended storage. Additionally, you use the Console to configure and manage data migrations and replication.

This chapter:

• Presents general information about services

• Describes how HCP stores metadata, which plays a role in some service processing

• Explains each of the HCP services (except replication, which is addressed in Replicating Tenants and Namespaces)

• Explains how to monitor and control services, where applicable

• Contains instructions for creating, modifying, activating and deleting service schedules

About services

A service is a background process that performs a specific function that contributes to the continuous tuning of the HCP system. HCP implements twelve services.

Services work on the repository as a whole; that is, they work across all namespaces.

In general, services run only while they are enabled. The exception is the protection service, which runs in response to certain triggers even while it’s disabled. Typically, services are disabled only by authorized HCP service providers during problem resolution.

The System Management Console shows the status of most services on the Overview page. HCP records information about service runs and irreparable violations in the system log.

For information on the Overview page, see “About the Overview page” on page 80. For information on the system log, see “Understanding the HCP system log” on page 436.

Service types

HCP implements these services:

The protection service ensures that damaged or lost objects can be recovered. For more information on this service, see “Protection service” on page 336.

The content verification service ensures that object data is not corrupted. For more information on this service, see “Content verification service” on page 344.

The scavenging service ensures that the metadata for each object exists and is not corrupted. For more information on this service, see “Scavenging service” on page 349.

The shredding service shreds deleted objects that are marked for shredding. For more information on this service, see “Shredding service” on page 350.

The compression service compresses object data to make more efficient use of HCP storage. For more information on this service, see “Compression service” on page 354.

The duplicate elimination service merges duplicate data to free space in the HCP storage. You can monitor the activity of this service. For more information on this service, see “Duplicate elimination service” on page 358.

The disposition service automatically deletes expired objects. For more information on this service, see “Disposition service” on page 362.

The garbage collection service deletes data and metadata left in the repository by incomplete operations, thereby freeing space for the storage of additional objects. For more information on this service, see “Garbage collection service” on page 363.

The capacity balancing service ensures that the percentage of space used remains roughly equivalent across the storage nodes in the HCP system. For more information on this service, see “Capacity balancing service” on page 367.

The storage tiering service moves objects among storage tiers, creates and deletes copies of objects on various storage tiers to ensure that each tier contains the correct number of copies of each object, and changes objects to metadata-only according to rules in service plans. For more information on this service, see “Storage tiering service” on page 368. For information on service plans, see “Working with service plans” on page 210.

The network per storage component service increases tiering performance from the HCP system to HCP S Series Nodes or external storage devices by isolating their communication to an individual forward facing HCP network. Each HCP S Series Node or external device can use its own network to communicate with HCP. For more information on this service, see “Migration service” on page 376.

The migration service migrates data off selected nodes in an HCP RAIN system or selected storage arrays in an HCP SAIN system in preparation for retiring those devices. For more information on this service, see “Migration service” on page 376.

The replication service copies tenants and namespaces between HCP systems to ensure data availability and enable disaster recovery. You can configure, monitor, and control the activity of this service. For more information on this service, see Replicating Tenants and Namespaces.

Service precedence

Some services take precedence over others:

• On any given node, the protection service takes precedence over the content verification and compression services. If either of these services is running when the protection service starts, the service that was running stops. When the protection service stops, each service that stopped automatically restarts, provided that the service is scheduled to run at that time.

• On any given node, the capacity balancing service takes precedence over the scavenging service. If the scavenging service is running when the capacity balancing service starts, the scavenging service stops. When the capacity balancing service stops, the scavenging service automatically restarts, provided that it is scheduled to run at that time.

• On any given node, the migration service takes precedence over the capacity balancing service. If the capacity balancing service is running when the migration service starts, the capacity balancing service stops. It does not restart automatically when the migration service stops.

Metadata storage

To fully understand how certain services work, you need to know how HCP manages metadata. When you add an object, directory, or symbolic link to a namespace:

1. HCP creates primary metadata for it. This metadata consists of information HCP already knows, such as the creation date, and, for objects only, the data size, hash algorithm, and cryptographic hash value generated by that algorithm. It also includes metadata that was either inherited or specified in the write request, such as retention setting, UID, and GID.

2. HCP creates the number of additional copies of the primary metadata required to satisfy the ingest tier metadata protection level (MPL) that’s set for the namespace by its service plan. HCP then distributes all copies of the primary metadata among the HCP storage nodes.

3. For objects:

a. HCP creates the number of copies of the object data required to satisfy the ingest tier data protection level (DPL) that’s set for the namespace by its service plan. HCP then distributes all copies of the object data among the HCP storage nodes.

Each copy of the primary metadata for the object points to all copies of the object data. However, the object data is not necessarily stored on the same node as the primary metadata for the object.

b. HCP stores a copy of the metadata with each copy of the object data. Each copy, called the secondary metadata, lets HCP reconstruct the primary metadata should that become necessary.

The figure below outlines the data and metadata that result from storing an object in a namespace that has a service plan that sets both the ingest tier DPL and the ingest tier MPL to 2.

[Figure: two copies each of the primary metadata, the secondary metadata, and the object data]

For more information on metadata, see Using a Namespace or Using the Default Namespace.

Service scheduling

The protection, content verification, scavenging, compression, duplicate elimination, disposition, garbage collection, and storage tiering services run according to a weekly schedule. The schedule controls when during the week each service runs and the performance level at which it runs. The performance level determines the load the service puts on the system.

You can create multiple service schedules and, at any time, change the one that’s active. For example, you could create two schedules — one that puts a very light load on the system and one that puts a heavier load. During periods of high system usage, you could activate the first schedule. During periods of low system usage, you could activate the second schedule.

For more information on scheduling the protection, content verification, scavenging, compression, duplicate elimination, disposition, garbage collection, and storage tiering services, see “Scheduling services” on page 388.

The replication service also runs according to a schedule, but you manage this schedule separately from the schedule for the other services. For information on scheduling the replication service, see Replicating Tenants and Namespaces.

Protection service

The protection service ensures the stability of the repository by maintaining a specified level of data redundancy, called the data protection level (DPL), for each object in the repository throughout the entire object lifecycle. The DPL for an object is the number of copies of the object data that HCP must maintain.

Each namespace has a service plan that defines both a storage tiering strategy and a data protection strategy for the objects in that namespace. For all objects in a given namespace, the storage tiering strategy defines one or more types of storage as tiers. The data protection strategy specifies the DPL that’s applied to the objects that are stored on each tier.

At any given point in the lifecycle of an object, the data protection strategy specifies the number of copies of the object that must exist in the HCP repository and the storage tier on which each copy must be stored.

Because HCP initially stores all object data and metadata on primary running storage, the service plan for a namespace must always define primary running storage as the initial storage tier, called the ingest tier, and must specify both the data protection level (DPL) and the metadata protection level (MPL) for the ingest tier.

For each object in a given namespace, the ingest tier DPL is the number of copies of the object data that HCP must maintain on primary running storage, from the time when the object is first stored in the repository until the time when the object data is moved onto one or more other storage tiers (if multiple storage tiers are defined for the namespace). The ingest tier MPL is the number of copies of the object metadata that HCP must maintain on primary running storage for as long as the object exists in the repository.

For namespaces on RAIN and VM systems, the default ingest tier DPL is two and the default ingest tier MPL is also two. For namespaces on SAIN systems, the default ingest tier DPL is one and the default ingest tier MPL is also one. At any time, you can modify the service plan for a namespace to set the ingest tier DPL and MPL for that namespace.

For any given namespace, you can assign a service plan which will give the namespace a DPL setting of one (supported on SAIN and VM systems only), two, three, or four. You can also set the ingest tier MPL to one, two, three, or four. However, the ingest tier MPL for a namespace must be equal to the ingest tier DPL for that namespace.

HCP uses the protection service to maintain the correct number of copies of each object in the HCP repository. When the number of existing copies of an object goes below the number of object copies specified in the applicable service plan (for example, because of a logical volume failure), the protection service automatically creates a new copy of that object in another location. When the number of existing copies of an object goes above the number of object copies specified in the applicable service plan, the protection service automatically deletes all unnecessary copies of that object.

The protection service runs according to the active service schedule and in response to certain events. For information on service schedules, see “Scheduling services” on page 388. For information on the events that cause the protection service to run, see “Protection service triggers” on page 344.

Ingest tier data protection level

Each namespace has a service plan that defines one or more storage tiers for that namespace and specifies the data protection level (DPL) that’s applied to the objects that are stored on each tier.

Every service plan defines primary running storage as the initial storage tier, called the ingest tier, and specifies a DPL setting and an MPL setting for that tier.

For each object in a given namespace, the ingest tier DPL is the number of copies of the object data that HCP must maintain on primary running storage, from the time when the object is first stored in the repository until the time when the object data is moved onto one or more other storage tiers (if multiple storage tiers are defined for the namespace). The ingest tier MPL is the number of copies of the object metadata that HCP must maintain on primary running storage for as long as the object exists in the repository.

In the default namespace, each directory also has an ingest tier DPL setting. This setting is the same as the ingest tier DPL setting that’s specified in the service plan that’s assigned to the default namespace.

For both objects and directories, the ingest tier DPL setting is stored as metadata. Users and applications can see, but not modify, this metadata.

For information on viewing ingest tier DPL settings, see Using a Namespace or Using the Default Namespace.

Note: When the ingest tier DPL of a namespace changes, for each object in that namespace that’s stored on primary running storage, HCP creates or deletes copies of the object data, as needed to satisfy the new ingest tier DPL. This can take some time, during which some objects have the old required number of copies and some have the new. When viewing object metadata, however, users and applications always see the intended number of copies (that is, the ingest tier DPL specified in the service plan for the namespace).

Default ingest tier DPL setting

Each HCP system has a default service plan that’s automatically created and configured during the HCP software installation. The default service plan is applied to each tenant and namespace for which another service plan is not explicitly selected.

For any given HCP system, the ingest tier DPL setting that’s initially configured for the default service plan is used as the default ingest tier DPL setting for each new service plan that’s created on the HCP system. When you create a new service plan, you can choose to use the default ingest tier DPL setting or select a different setting. You can also modify any service plan, including the default service plan, to change the ingest tier DPL setting. However, changing the ingest tier DPL setting used for the default service plan does not change the default ingest tier DPL setting that’s used for new service plans.

Typically, the default ingest tier DPL setting used for service plans created on an HCP system is the optimal setting for the type of physical storage that the HCP system uses. For RAIN and VM systems, the default ingest tier DPL is two. For SAIN systems, the SAN arrays provide a high level of data protection, so the default ingest tier DPL setting is one.

The default ingest tier DPL setting used for all service plans that are created on an HCP system is the optimal setting for the type of storage used by that system. However, the optimal ingest tier DPL setting that’s configured for the service plan that’s assigned to a specific tenant or namespace is subject to considerations such as whether the tenant or namespace is being replicated and whether the HCP system owner or the tenant administrator has any particular data protection needs.

On HCP RAIN systems, by default, service plans can be configured to set the ingest tier DPL to two, three, or four. To enable HCP RAIN system administrators to configure service plans to set the ingest tier DPL to one, contact your authorized HCP service provider.

Protection sets

HCP groups storage nodes into protection sets with the same number of nodes in each set. To improve reliability in the case of multiple component failures, HCP tries to store all the copies of the data for an object that exist on primary running storage or primary spindown storage on nodes in a single protection set. Each copy is stored on a logical volume associated with a different node.

HCP creates protection sets for each possible ingest tier DPL setting that can be specified in a service plan. For example, if an HCP system has six nodes, it creates three groups of protection sets:

• One group of six protection sets with one node in each set (for DPL 1)

• One group of three protection sets with two nodes in each set (for DPL 2)

• One group of two protection sets with three nodes in each set (for DPL 3)

For each object in a given namespace, to store copies of the object data on primary running storage, HCP uses the group of protection sets that corresponds to the ingest tier DPL setting that’s specified in the service plan for the namespace. To store copies of the object data on primary spindown storage (if it’s used), HCP uses the group of protection sets that corresponds to the primary spindown storage tier DPL setting.

The nodes in a protection set are not necessarily all associated with the same amount of storage. If the total number of storage nodes in the system is not evenly divisible by a DPL setting, HCP can use the storage associated with the extra nodes as standby storage. At any time, HCP can add standby storage to any existing protection set that requires additional storage to balance available storage capacity among its nodes.

The protection service is responsible for checking and repairing protection sets. If a node in a protection set fails and the system includes an extra node, the service creates a new protection set that includes all the healthy nodes in the original protection set and the extra node.

Note: Regardless of whether HCP uses the storage associated with a node that’s not in a protection set, the node itself runs all the HCP software and performs all the same functions as the nodes in protection sets.

Data availability

When HCP needs to maintain multiple copies of the data for an object on primary running storage or on primary spindown storage (if it’s used), HCP stores each copy of the object data on storage that’s managed by a different node. All but one of these object data copies can become unavailable without affecting access to the object.

Copies of object data become unavailable on primary running storage or primary spindown storage when HCP detects an improperly functioning logical volume or corrupted or missing data. Copies of the object data also become unavailable if the nodes that provide access to those copies become unavailable. A data outage occurs when all the nodes that provide access to all the copies of the data for an object fail.

The ingest tier DPL for a namespace affects the amount of storage that’s used when data is added to that namespace. With an ingest tier DPL of 1, HCP creates only one copy of the object data on primary running storage. With an ingest tier DPL of 2, HCP creates two copies, thereby using twice as much primary running storage.

Protection service processing

The protection service has two main functions: detecting protection violations and repairing those violations.

Detecting protection violations

To detect protection violations, the protection service checks that for each object in a given namespace, at any given point in the object lifecycle:

• The total number of existing copies of object data is equal to the total number of copies of object data that are currently required to exist on all of the storage tiers defined for the namespace by its service plan

• If copies of the object data are stored on primary running storage or primary spindown storage:

– Each copy of the object data is stored on a different node

– All copies of the object data are stored in the same protection set

– Each copy of the object data is accessible

A violation occurs when any one of these conditions is not true.
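The grouping described under "Protection sets" and the checks listed above can be modeled together for a namespace whose only tier is the ingest tier. This is an added example, not HCP code: the names `build_protection_sets`, `DataCopy`, and `protection_violations` are hypothetical, node names are constructed, and assigning nodes to sets in list order is an assumption, since the text does not say how members are chosen.

```python
from dataclasses import dataclass
from typing import List, Tuple


def build_protection_sets(nodes: List[str], dpl: int) -> Tuple[List[List[str]], List[str]]:
    """Group nodes into equal-size protection sets for one DPL setting.

    Returns (sets, standby). Nodes left over when len(nodes) is not evenly
    divisible by dpl are reported as standby.
    """
    if not 1 <= dpl <= len(nodes):
        raise ValueError("dpl must be between 1 and the number of nodes")
    full = len(nodes) // dpl
    sets = [nodes[i * dpl:(i + 1) * dpl] for i in range(full)]
    return sets, nodes[full * dpl:]


@dataclass(frozen=True)
class DataCopy:
    """One copy of an object's data on primary storage (hypothetical record)."""
    node: str
    accessible: bool = True


def protection_violations(copies: List[DataCopy], required: int,
                          sets: List[List[str]]) -> List[str]:
    """Return the names of the conditions above that do not hold."""
    violations = []
    # Condition 1: existing copies must equal the required number.
    if len(copies) != required:
        violations.append("copy count")
    # Condition 2: each copy must be on a different node.
    nodes = [c.node for c in copies]
    if len(set(nodes)) != len(nodes):
        violations.append("same node")
    # Condition 3: all copies must be in the same protection set.
    # Assumption: a node outside every set (standby) never satisfies this.
    set_of = {n: i for i, members in enumerate(sets) for n in members}
    used = {set_of.get(n) for n in nodes}
    if len(used) > 1 or None in used:
        violations.append("protection set")
    # Condition 4: each copy must be accessible.
    if any(not c.accessible for c in copies):
        violations.append("inaccessible")
    return violations


if __name__ == "__main__":
    six = [f"node{i}" for i in range(1, 7)]  # constructed node names
    for dpl in (1, 2, 3):
        sets, standby = build_protection_sets(six, dpl)
        print(f"DPL {dpl}: {len(sets)} sets of {dpl}, standby={standby}")
    sets, _ = build_protection_sets(six, 2)
    print(protection_violations([DataCopy("node1"), DataCopy("node3")], 2, sets))
```
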

Repairing protection violations

The protection service can repair certain protection violations for an object, usually by relying on other good copies of the object data stored in the HCP repository.

For each object in a given namespace, at any given point in the object lifecycle:

• If the total number of existing copies of the object data is less than the total required number of copies that’s specified in the namespace service plan (for example, because of a logical volume failure on primary running storage), then on each storage tier that’s defined for the namespace, the protection service creates the number of copies of the object data that’s required to bring the object into compliance with the namespace service plan.

Notes:

• If one or more copies of the object data are supposed to be stored on a tier that’s currently inaccessible (for example, due to a failed network connection), but rehydration is enabled for that tier, the protection service creates an extra copy of the object data on primary running storage.

• For objects stored on primary storage, if the repository contains fewer than the required number of copies of the object data for a set of duplicate-eliminated objects, then for each object, the protection service creates enough additional copies of the object data on primary storage to:

– Satisfy the ingest tier DPL and, if applicable, the primary spindown storage tier DPL specified in the service plan for the namespace that contains the object

– Comply with the protection set requirements for the applicable ingest tier and primary spindown storage tier DPL settings

The duplicate elimination service then merges the object data again the next time it runs. For information on the duplicate elimination service, see “Duplicate elimination service” on page 358.

• If the total number of existing copies of the object data is greater than the total required number of copies that’s specified in the namespace service plan, then the protection service deletes the correct number of copies of the object data from each storage tier in order to bring the object into compliance with the namespace service plan.

Note: An object can have an extra copy of its data if the object was rehydrated after a read from primary spindown storage (if it’s used) or from any extended storage tier that’s defined for the namespace that contains the object. Copies of objects on primary running storage that are supposed to be metadata-only can have data if they were rehydrated after a read from a remote system. The protection service marks rehydrated object data for deletion only after the rehydration keep time has expired and only if another copy of the data exists.

The protection service may determine that it should mark object data on primary spindown storage or on extended storage for deletion when a rehydrated copy of that data exists on primary running storage. In this case, before marking the copy on primary spindown storage or extended storage for deletion, the protection service checks the service plan for the applicable namespace to determine whether the object is supposed to be moved back onto the applicable storage tier. If the object is supposed to be moved back onto the applicable storage tier, the protection service doesn’t mark the copy that’s currently on that storage tier for deletion.

For information on primary spindown storage and extended storage, see “Storage for HCP systems” on page 115. For information on metadata-only objects, see “Making objects metadata-only” on page 372. For information on rehydration, see “Working with service plans” on page 210.

• On primary storage, if two copies of the data for an object are stored on the same node, the protection service creates a new copy on a different node and marks the extra one in the first location for deletion.

• On primary running storage, primary spindown storage, or NFS storage, if a logical volume has a copy of the secondary metadata for an object but it has no copy of object data with it, the protection service creates a replacement copy of the object data on that volume.

If replication is in effect and the protection service cannot find a copy of the object data in the current repository, it can repair the object by using a copy from another HCP system in the replication topology.

For an explanation of secondary metadata, see “Metadata storage” on page 334.

• For an object that’s stored on primary running storage or primary spindown storage, if fewer than the required number of copies of the object data are accessible on the nodes in a protection set, the protection service first tries to increase the number of copies stored on those nodes. If the protection service cannot create all the required copies of the object data on the nodes in the protection set (for example, because a node is unavailable), the service tries to put the required number of copies on the nodes in a different protection set. If the service cannot put all required copies of the object data on nodes in the same protection set, the service stores the copies on different nodes in different protection sets.

Unavailable and irreparable objects

When the protection service cannot repair a violation, it marks the object as either unavailable or irreparable:

• An object is unavailable if all of these are true:

– At least one copy of the object data is unavailable due to a node, logical volume, or extended storage device being unavailable.

– None of the available copies of the object data are good.

– Either the namespace that contains the object is not being replicated, or all copies of the object data on other systems in the replication topology are either inaccessible or not good.

• An object is irreparable if all of these are true:

– All of the primary storage volumes, NFS volumes, and extended storage devices on which copies of the object data are stored are available.

– None of the copies of the object data are good.

– Either the namespace that contains the object is not being replicated, or all copies of the object data on other systems in the replication topology are either inaccessible or not good.

Protection service triggers

In addition to running according to the service schedule, the protection service runs in response to certain events. In these cases, the service does a full run (that is, it examines every object in the repository regardless of the schedule and regardless of whether the object data is stored on primary running storage, primary spindown storage, or extended storage).

Events that trigger a protection service run are:

Node shutdown — When a node becomes unavailable, HCP triggers the protection service after waiting 90 minutes to ensure that the node is not just temporarily unavailable.

Logical-volume failure — When HCP determines that a local logical volume is broken, it triggers the protection service after waiting one minute to ensure that the volume is not just temporarily unavailable.

Node removal — When a node is removed from the HCP system, HCP triggers the protection service after waiting ten minutes to ensure that the node removal is permanent.

Note: When the protection service is disabled, its scheduled runs are canceled. However, the protection service still runs in response to the triggers listed above unless all of these conditions are true:

• None of the tenants or namespaces on the HCP system are being replicated.

• All existing service plans are configured to set the ingest tier DPL to 1 (one).

• If the HCP system is configured to use spindown storage, all existing service plans set the primary spindown storage tier DPL to 1 (one).

Content verification service

When an object is created, HCP uses cryptographic hash algorithms to calculate various hash values for it. These values, which are generated based on the object data, system metadata, and custom metadata, are stored with the primary metadata for the object.

One of the hash values that’s generated only from the object data is also stored with the secondary metadata for the object. The cryptographic hash algorithm HCP uses to calculate this hash value is namespace dependent. It is set when the namespace is created. Once set, it cannot be changed.

Users and applications can see, but not modify, hash values generated from object data and annotations. They cannot see any other hash values.

For information on viewing hash values for objects, see Using a Namespace, Using the HCP HS3 API, or Using the Default Namespace.

The content verification service ensures the integrity of each object by:

• Checking that the object data, system metadata, and custom metadata still match the stored cryptographic hash values

Note: The content verification service does not do a data check for objects for which the only copies of the data are stored on extended storage. For information about extended storage, see “Storage for HCP systems” on page 115.

• Ensuring that certain secondary metadata other than the hash value matches the primary metadata for the object

The content verification service runs according to the active service schedule. For information on service schedules, see “Scheduling services” on page 388.

During HCP content verification, HCP attempts to repair any files that HCP S Series Nodes report as being irreparable.

Cryptographic hash algorithms

HCP supports these cryptographic hash algorithms for selection at the namespace level:

MD5

SHA-1

SHA-256

SHA-384

SHA-512

RIPEMD-160

Note: The more complex the hash algorithm, the greater the impact on performance when objects are stored or when services run.

ETags and the content verification service

When an object is stored, HCP generates an ETag for it. An ETag is an identifier for the content of an object.

ETags were introduced in release 6.0 of HCP, so objects stored while the system was at an earlier release do not initially have ETags. When the content verification service runs, it generates ETags for objects that do not have them.

In response to an HS3 request to retrieve an object that does not yet have an ETag, HCP generates the ETag before returning the object. This can be time consuming for large objects, with the result that read performance is slow for those objects.

If tenant administrators will be enabling the HS3 API on namespaces that were created while the HCP system was at a release earlier than 6.0, consider scheduling more run time for the content verification service and/or increasing the performance level at which the service runs.

Content verification service processing

The content verification service has two main functions: detecting corrupted data and discrepancies in metadata and repairing that data and metadata.

Detecting content verification violations

To detect corrupted data, the content verification service regenerates the cryptographic hash values for each object. After regenerating the hash values, the content verification service checks that these regenerated values match the corresponding values in the primary metadata.

The content verification service detects metadata discrepancies by checking that certain secondary metadata for each object matches the primary metadata for the object.

A violation occurs when either of the conditions described above is not true. (Violations of the second type are not reported in the system log.)

Note: When an object is stored through the CIFS or NFS protocol, its primary metadata does not initially include cryptographic hash values that are based on the object data. HCP waits several minutes to ensure that the object content is complete before calculating these values. Large objects stored through these protocols may take longer to get hash values than smaller objects do.

If the content verification service encounters primary metadata without hash values, it adds the regenerated values to it.

For an explanation of primary and secondary metadata, see “Metadata storage” on page 334.

Repairing content verification violations

If the content verification service finds a discrepancy between the cryptographic hash values it regenerates for the object and the corresponding hash value in the primary metadata, it creates a new copy of the object from an existing good copy and marks the corrupted copy for deletion.

If replication is in effect and the content verification service cannot find a good copy of the object in the current repository, it can repair the object by using a copy from another HCP system in the replication topology.

If the content verification service finds a discrepancy between other secondary metadata for the object and the corresponding primary metadata, it uses the primary metadata to replace the secondary metadata.

Unavailable and irreparable objects

When the content verification service cannot repair a violation, it marks the object as either unavailable or irreparable:

• An object is unavailable if all of these are true:

– At least one copy of the object is unavailable due to a node, logical volume, or extended storage device being unavailable.

– None of the available copies of the object are good.

– Either the namespace that contains the object is not being replicated, or all copies of the object data on other systems in the replication topology are either inaccessible or not good.

• An object is irreparable if all of these are true:

– All of the primary storage volumes, NFS volumes, and extended storage devices on which copies of the object data are stored are available.

– None of the copies of the object data are good.

– Either the namespace that contains the object is not being replicated, or all copies of the object data on other systems in the replication topology are either inaccessible or not good.
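The detection, repair, and unavailable/irreparable rules described above can be modeled as follows. This is an added example, not HCP code: the Copy class, the Outcome names, and the function names are hypothetical, and a copy whose data is None stands in for a node, volume, or device that cannot be reached.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Namespace-level algorithms listed on the page, mapped to hashlib names.
# RIPEMD-160 depends on the local OpenSSL build and may not be available.
HASHLIB_NAMES = {
    "MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
    "SHA-384": "sha384", "SHA-512": "sha512", "RIPEMD-160": "ripemd160",
}


class Outcome(Enum):
    OK = "ok"
    REPAIRED_LOCALLY = "repaired from a good local copy"
    REPAIRED_FROM_REPLICA = "repaired from another system in the replication topology"
    UNAVAILABLE = "unavailable"
    IRREPARABLE = "irreparable"


@dataclass
class Copy:
    location: str           # hypothetical label for a node, volume, or remote system
    data: Optional[bytes]   # None models storage that is currently unreachable


def regenerate_hash(algorithm: str, data: bytes) -> str:
    """Recompute the object-data hash with the namespace's algorithm."""
    return hashlib.new(HASHLIB_NAMES[algorithm], data).hexdigest()


def is_good(copy: Copy, algorithm: str, stored_hash: str) -> bool:
    """A copy is good when it is reachable and its regenerated hash matches."""
    if copy.data is None:
        return False
    return regenerate_hash(algorithm, copy.data) == stored_hash.lower()


def verify_object(algorithm: str, stored_hash: str, local_copies: List[Copy],
                  replica_copies: Optional[List[Copy]] = None) -> Tuple[Outcome, List[str]]:
    """Return the outcome and the locations of corrupt copies marked for deletion.

    replica_copies is None when the namespace is not being replicated.
    """
    good, corrupt, unreachable = [], [], []
    for copy in local_copies:
        if copy.data is None:
            unreachable.append(copy.location)
        elif is_good(copy, algorithm, stored_hash):
            good.append(copy.location)
        else:
            corrupt.append(copy.location)

    if good:
        # A good local copy exists: corrupt copies are replaced from it.
        return (Outcome.REPAIRED_LOCALLY if corrupt else Outcome.OK), corrupt

    if replica_copies is not None and any(
            is_good(r, algorithm, stored_hash) for r in replica_copies):
        return Outcome.REPAIRED_FROM_REPLICA, corrupt

    # No good copy anywhere. The object is unavailable if some storage could
    # not be checked, and irreparable if every copy was checked and none is good.
    if unreachable:
        return Outcome.UNAVAILABLE, []
    return Outcome.IRREPARABLE, []
```
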

Configuring the content verification service

The content verification service regenerates cryptographic hash values to detect object corruption. Under certain circumstances, you may want to modify or disable this function to reduce the load on the system:

• In a namespace that’s not being replicated and that has a service plan that sets the ingest tier DPL to 1 (one) and does not define any additional storage tiers, only one copy of each object exists. Therefore, if the content verification service discovers a discrepancy in the cryptographic hash values for an object, it cannot repair the object from another copy.

You can choose to have the content verification service regenerate hash values only for objects that it could repair if needed. With this option, the service does not regenerate hash values for objects in a namespace if HCP is configured to maintain only one copy of each object in that namespace.

Note: Although the service cannot repair corrupt objects in this situation, it can report them. For this reason, if performance is not an issue, you may want to keep hash-value regeneration enabled for all objects.

• When the load on the system is high, temporarily disabling all hash-value regeneration can provide some relief.

The Content Verification page in the HCP System Management Console lets you configure the content verification service. To display this page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Content Verification.

Roles: To view the Content Verification page, you need the monitor or administrator role. To configure the content verification service, you need the administrator role.

To configure the content verification service:

1. On the Content Verification page, select the appropriate Content Verification Mode option:

– To configure the content verification service to regenerate hash values for all objects stored in the repository, regardless of the number of copies of each object that HCP must maintain in the repository, select the Check all objects and repair if needed option.

– To configure the content verification service to regenerate hash values for a given object only when HCP is required to maintain multiple copies of that object in the repository, select the Check only objects that can be repaired and repair if needed option.

– To completely disable the hash-value regeneration function, select the Do not check and repair objects option.

2. Click on the Update Settings button.

If you selected the second or third Content Verification Mode option, a confirming message appears.

In the window with the confirming message, select I understand to confirm that you understand the consequences of your action. Then click on the Update Settings button.

Scavenging service

The scavenging service ensures that objects in the repository have valid metadata. When the service runs, it verifies that both the primary metadata for each object and the secondary metadata are complete, valid, and in sync with each other.

To correct violations it detects, the scavenging service tries to rebuild or repair the problem metadata:

• If the primary metadata for an object is missing, the service reconstructs it from the secondary metadata. If a user or application changed any of the object metadata between when the violation occurred and the time of its repair, those changes may be overwritten with the previous settings.

• If the primary metadata is missing a pointer to a copy of the object data, the service reconstructs that pointer.

• If the secondary metadata for an object doesn’t match any copies of the primary metadata, the object is considered irreparable, and the service moves it to the .lost+found directory, located under rest, data, or fcfs_data, as applicable. At this point, you need to determine whether the object needs to be stored again and, if so, ensure that it happens.

You can delete an object from the .lost+found directory only when it’s not under retention. For more information on the .lost+found directory, see Using a Namespace or Using the Default Namespace.

For an explanation of primary and secondary metadata, see “Metadata storage” on page 334.

In the default namespace, the scavenging service detects and repairs violations in the metadata for directories only if the directory is associated with abandoned data (that is, data no longer associated with any metadata). If the service cannot recover the directory metadata, it rebuilds it from the metadata associated with the parent directory.

The scavenging service runs according to the active service schedule. For information on service schedules, see “Scheduling services” on page 388.

Shredding service

The shredding service shreds deleted objects that are marked for shredding. Shredding, also called secure deletion, is the process of overwriting the places where all the copies of the data, secondary metadata, and custom metadata for an object were stored in such a way that the object cannot be reconstructed.

The primary metadata for a shredded object is deleted from HCP after all of these events have happened:

• The object is removed from the metadata query engine index, if applicable.

• The object deletion is replicated, if applicable.

• For old versions of objects, the version is pruned or purged.

• The deletion record for the object is deleted from the transaction log. If the garbage collection service is configured never to delete deletion records from the transaction log, the primary metadata for the object remains in the system indefinitely.

For information on the transaction log, see “Transaction log cleanup” on page 364.

The shredding policy for each object determines whether that object is shredded. For information on the shredding policy, see “Shredding policy” on page 329.

Note: The shredding service does not shred object data that’s stored on extended storage. For information on extended storage, see “Storage for HCP systems” on page 115.

Shredding service processing

By default, the shredding service uses three passes to overwrite the areas where the object data, secondary metadata, and custom metadata were stored. The three passes are applied to the entire object, repeating for each 128-KB block. Each pass has this pattern:

1. Set to a specified value

2. Set to the complement of that value

3. Set to a random value

4. Verify the value by reading it back

To use a different shredding algorithm, please contact your authorized HCP service provider.
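The overwrite pattern listed above, applied to an ordinary local file as an added illustration (this is not HCP's implementation). It assumes the passes are applied block by block, and the function name shred_file and its parameters are hypothetical.

```python
import os

BLOCK_SIZE = 128 * 1024  # the page states that the passes repeat for each 128-KB block


def shred_file(path, value=0x00, block_size=BLOCK_SIZE, random_source=os.urandom):
    """Overwrite a file in place and return the number of blocks processed.

    For each block: write the specified value, then its complement, then
    random bytes, and finally read the block back to verify the last write.
    Overwriting through a filesystem only reaches the physical medium when
    the storage stack writes in place (no copy-on-write, no wear leveling).
    """
    if not 0 <= value <= 0xFF:
        raise ValueError("value must be a single byte (0-255)")

    size = os.path.getsize(path)
    blocks = 0
    with open(path, "r+b") as f:
        offset = 0
        while offset < size:
            length = min(block_size, size - offset)
            random_block = random_source(length)
            if len(random_block) != length:
                raise ValueError("random_source returned the wrong number of bytes")

            patterns = (
                bytes([value]) * length,          # 1. specified value
                bytes([value ^ 0xFF]) * length,   # 2. complement of that value
                random_block,                     # 3. random value
            )
            for pattern in patterns:
                f.seek(offset)
                f.write(pattern)
                f.flush()
                os.fsync(f.fileno())  # push each pass out before starting the next

            # 4. Verify by reading the block back.
            f.seek(offset)
            if f.read(length) != random_block:
                raise IOError("verification failed at offset %d" % offset)

            offset += length
            blocks += 1
    return blocks
```
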

Sending shredding messages to syslog servers

HCP gives you the option of sending a log message for each shredded object to the syslog servers specified in the syslog logging configuration.

This option takes effect only while syslog logging is enabled and the syslog logging level is set to Notice. The log message for a shredded object is sent to the syslog servers only after the primary metadata for the object is deleted.

Object shredding is a namespace-level event. Therefore, messages about shredded objects are sent to the syslog servers only if syslog logging is enabled at the tenant level.

Log messages about shredded objects do not appear in the System or Tenant Management Console regardless of whether those messages are sent to the syslog servers.

For more information on syslog logging, see “Configuring syslog logging” on page 440. For information on enabling syslog logging at the tenant level, see Managing a Tenant and Its Namespaces and Managing the Default Tenant and Namespace.

Note: HCP never sends messages about shredded objects to the system log or SNMP managers.

Understanding shredding statistics

The Shredding page in the HCP System Management Console lets you monitor the amount of data waiting to be shredded. It also lets you control various aspects of shredding activity.

To display the Shredding page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Shredding.

Roles: To view the Shredding page, you need the monitor or administrator role. To change shredding settings, you need the administrator role.

The Shredding page shows:

Objects waiting to be shredded — The number of objects waiting to be shredded

Total bytes to be shredded — The total number of bytes of object data and metadata waiting to be shredded

These statistics include all objects marked for shredding for which the primary metadata has not yet been deleted.

The panel also shows the current shredding settings (see “Changing shredding settings” below).

Changing shredding settings

Depending on the system load, the HCP system can develop a backlog of objects to be shredded. If the system load from other activities is light, you can increase the rate at which shredding occurs. If the load is heavy, you can lower the shredding rate.

To change the settings for the shredding service:

1. On the Shredding page in the System Management Console, set the options you want:

– To change the shredding rate, in the Shredding Rate field, select Low, Medium, or High. The higher the shredding rate, the greater the load on the HCP system.

– To enable or disable sending log messages about shredded objects to syslog servers, select or deselect, respectively, the Log shredded objects to syslog option.

2. Click on the Submit button.

Duplicate elimination and shredding

Objects merged by the duplicate elimination service do not necessarily have the same shred settings. When merged objects with different shred settings are deleted:

• If the last object deleted is not marked for shredding, the merged data is not shredded.

• If the last object deleted is marked for shredding, the merged data is shredded.

For information on the duplicate elimination service, see “Duplicate elimination service” on page 358. For more information on shred settings, see “Shredding policy” on page 329.

Shredding service trigger

The shredding service is event driven only, not scheduled. It is triggered by the deletion of an object that’s marked for shredding. The delete operation can be invoked by a user or application or by the garbage collection service.

For information on the garbage collection service, see “Garbage collection service” on page 363.

Compression service

The compression service compresses object data so as to make more efficient use of HCP storage space. The space reclaimed by compression can be used to store additional objects.

Depending on the types of objects stored, compression can provide a significant benefit. For example, email objects compress very well, thereby saving a lot of space.

The compression service runs according to the active service schedule. For information on service schedules, see “Scheduling services” on page 388.

Note: The compression service does not compress object data stored on extended storage. For information on compression of that data, see “Encryption and compression of objects in storage pools” on page 152.

Compression service processing

When the compression service runs, it checks each object that’s eligible for compression. If the object isn’t already compressed, it compresses it. If compressing the object doesn’t reduce its size (for example, because it’s already in a compressed format), the compression service marks it as uncompressible and doesn’t try to compress it again in future runs.

You control which objects are eligible for compression by setting criteria in the System Management Console. For information on this, see “Changing compression settings” on page 356.

Note: By default, the compression service runs only on primary storage. However, you can configure HCP to run the compression service on extended storage as well. For information on this, see “Encryption and compression of objects in storage pools” on page 152.

If an object that was not eligible for compression becomes eligible, the compression service compresses it on its next run. Similarly, if a compressed object loses its eligibility for compression, the compression service decompresses it on its next run.

Note: Multiple objects merged by the duplicate elimination service may have differing eligibility for compression. If any one of the objects is eligible for compression, the merged object data is compressed.

Understanding compression statistics

The Compression page in the HCP System Management Console displays statistics about the space saved by the compression service. It also lets you control various aspects of compression activity.

To display the Compression page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Compression.

Roles: To view the Compression page, you need the monitor or administrator role. To change compression settings, you need the administrator role.

The Compression page shows:

Total bytes saved by compression — The current number of bytes of storage freed by compressed objects

Percent of storage saved — The amount of storage space currently saved by object compression, expressed as a percentage of the total space available for storing objects

Number of objects compressed — The number of objects currently compressed

The panel also shows the current compression settings (see “Changing compression settings” below).

Changing compression settings

You can control which objects HCP compresses based on these object properties:

Age — You can compress only objects that were added to the repository more than some number of days ago.

Size — You can compress only objects whose content is larger than a specified size. (HCP never compresses objects smaller than seven KB.)

Location — You can exclude from compression objects located in a specified directory, as well as in all its subdirectories, recursively.

Name — You can exclude from compression objects with names that match a pattern you specify. For example, you might choose to exclude objects with names that match *.jpg because the data for this type of object is already highly compressed.

To be eligible for compression, an object must meet all the criteria you specify.

Notes:

• The criteria you specify apply across all namespaces.

• HCP always compresses old versions of objects, regardless of age, size, and any specified exclusion criteria.

What you do

To change the settings for the compression service, on the Compression page in the System Management Console:

• In the Compression Settings section, configure the settings that you want to use:

– To compress only objects added to a namespace more than a certain number of days ago, type the number of days in the Compress objects stored more than field. Valid values are integers in the range zero through 40,000.

A value of zero tells the compression service not to use age as a criterion when selecting objects to compress.

– To compress only objects larger than a certain size, type the size, in KB, in the Compress objects larger than field. Valid values are integers in the range zero through 104,857,600 (100 GB).

A value of zero tells the compression service not to use size as a criterion when selecting objects to compress.

Then click on the Update Settings button.

• To exclude objects from compression based on location or name, specify the criteria for exclusion in the Exclude from Compression list:

– To add a criterion to the list, type the criterion in the field above the list. Then click on the Add button.

For information on how to specify the criteria in this list, see “Exclusion criteria” below.

– To remove a criterion from the list, click on the delete control for that criterion.

– To remove all criteria from the list, click on the Delete All button.

Exclusion criteria

You can exclude objects from compression based on location, name, or a combination of the two. Locations are directory paths relative to rest or data for HCP namespaces or fcfs_data for the default namespace.

For object names, you can use patterns. The wildcard character for pattern matching is the asterisk (*), which matches any number of characters of any type, including none.

The format for criteria in the exclude list is:

[/directory-path/]object-name-pattern

The initial forward slash (/) is required with a directory path.

Here are some examples:

• Either of these excludes all objects in the corporate/mktg/graphics directory, as well as all objects in all subdirectories of that directory, recursively:

/corporate/mktg/graphics/*

/corporate/mktg/graphics/*.*

• This excludes all objects with names ending in .jpg:

*.jpg

• This excludes all objects that have names ending in .ppt and that are in the /corporate/hr/benefits directory or any of its subdirectories, recursively:

/corporate/hr/benefits/*.ppt

• This excludes all objects that have names matching 21*_*.* (for example, 2198_John_Doe.doc) and that are in the corporate/hr/employees directory or any of its subdirectories, recursively:

/corporate/hr/employees/21*_*.*
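The criteria format and the age, size, and exclusion rules described above can be checked with a small evaluator before entering values in the console. This is an added example, not HCP code: the function names are hypothetical, object paths are assumed to start with a forward slash, and a bare *.* name pattern is treated as matching every name because the first example above says it excludes all objects in the directory. Old versions of objects, which the page says are always compressed, are outside this sketch.

```python
import re

MIN_SIZE_KB = 7  # the page states that HCP never compresses objects smaller than seven KB


def parse_criterion(criterion):
    """Split '[/directory-path/]object-name-pattern' into (directory, name regex).

    directory is None when the criterion has no directory path.
    """
    directory = None
    name_pattern = criterion
    if "/" in criterion:
        if not criterion.startswith("/"):
            raise ValueError("a directory path needs an initial '/': %r" % criterion)
        directory, name_pattern = criterion.rsplit("/", 1)
    if not name_pattern:
        raise ValueError("missing object-name pattern: %r" % criterion)
    if name_pattern == "*.*":
        name_pattern = "*"  # assumption taken from the page's first example
    # '*' matches any number of characters of any type, including none.
    regex = re.compile(
        "".join(".*" if ch == "*" else re.escape(ch) for ch in name_pattern),
        re.DOTALL,
    )
    return directory, regex


def is_excluded(object_path, criteria):
    """True if any criterion matches the object's directory (recursively) and name."""
    object_dir, name = object_path.rsplit("/", 1)
    for criterion in criteria:
        directory, regex = parse_criterion(criterion)
        in_directory = (
            directory is None
            or object_dir == directory
            or object_dir.startswith(directory + "/")
        )
        if in_directory and regex.fullmatch(name):
            return True
    return False


def eligible_for_compression(object_path, size_kb, age_days, criteria,
                             min_age_days=0, min_size_kb=0):
    """An object must meet every configured criterion; zero disables age or size."""
    if size_kb < MIN_SIZE_KB:
        return False
    if min_age_days and not age_days > min_age_days:
        return False
    if min_size_kb and not size_kb > min_size_kb:
        return False
    return not is_excluded(object_path, criteria)
```
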

Duplicate elimination service

Duplicate elimination is the process of merging the data associated with two or more identical objects. For objects to be identical, their data content must match exactly. By eliminating duplicates, HCP increases the amount of space available for storing additional objects.

For example, if the same document is added to several different directories, duplicate elimination ensures that each copy of the document content that HCP must maintain in the repository is stored in only one location. This saves the space that would have been used by the additional copies of the document.

The duplicate elimination service runs according to the active service schedule. For information on service schedules, see “Scheduling services” on page 388.

Duplicate elimination service processing

HCP performs duplicate elimination by first sorting objects according to their MD5 hash values. After sorting all the objects in the repository, the service checks for objects with the same hash value. If the service finds any, it compares the object content. If the content is the same, the service merges the object data but still maintains the required number of copies of the object data that’s specified in the service plan for the namespace that contains the object.

The metadata for each merged object points to the merged object data.

The duplicate elimination service never deletes any of the metadata for duplicate objects.

[Figure: Before duplicate elimination / After duplicate elimination, showing the primary metadata, secondary metadata, and object data for Object 1 and Object 2]

These considerations apply:

• The duplicate elimination service does not merge objects smaller than seven KB.

• The duplicate elimination service does not merge data that’s stored on extended storage.

• For objects that are stored on primary running storage, the duplicate elimination service generally merges objects from different namespaces only if the namespaces have the same ingest tier DPL.

• For objects that are stored on primary spindown storage, the duplicate elimination service generally merges objects from different namespaces only if the namespaces have the same primary spindown storage tier DPL.

• For the purpose of duplicate elimination, HCP considers an object stored on extended storage to have a DPL that’s one less than the ingest tier DPL that’s specified in the service plan for the namespace that contains the object. So, for example, the duplicate elimination service will merge objects that are stored on primary running storage in a namespace that has an ingest tier DPL of 1 with objects that are stored on extended storage in a namespace that has an ingest tier DPL of 2.

For information on ingest tier DPL, see “Ingest tier data protection level” on page 337.

• The duplicate elimination service may bypass merging certain objects until it reprocesses the objects. This can happen with:

– Objects stored with CIFS or NFS that are still open due to lazy close

– Objects stored with CIFS or NFS that do not immediately have MD5 hash values

For information on lazy close, see Using a Namespace or Using the Default Namespace. For more information on cryptographic hash values, see “Content verification service” on page 344.

Understanding duplicate elimination statistics

The Duplicate Elimination page in the HCP System Management Console shows statistics about duplicate-eliminated objects. To display this page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Duplicate Elimination.

Roles: To view the Duplication Elimination Status panel, you need the monitor or administrator role.

The Duplicate Elimination page shows:

Total merged objects — The total number of objects for which data was merged since HCP was installed.

Total bytes saved from duplicate elimination — The total number of bytes of storage freed due to duplicate elimination since HCP was installed.

The amount of storage freed when you merge duplicates is the size of the data times one less than the number of objects merged, times the total number of copies that HCP needs to maintain on primary storage to comply with the ingest tier DPL and primary spindown storage DPL (if applicable) specified in the namespace service plan, and to satisfy all protection set requirements.

HCP increases both of these numbers when duplicate data is deleted but does not subtract from these numbers when duplicate-eliminated objects are deleted from the repository.
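The two-stage check described under “Duplicate elimination service processing” (group by MD5 hash value, then compare content) and the storage-freed calculation above, as an added example that is not HCP code. The function names and the in-memory object dictionary are hypothetical; the digest parameter exists only so that a hash collision can be simulated.

```python
import hashlib
from collections import defaultdict

MIN_MERGE_BYTES = 7 * 1024  # the page states that objects smaller than seven KB are not merged


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def find_merge_groups(objects, digest=md5_hex):
    """Return lists of object names whose data can be merged.

    objects maps a name to its data. Names are first bucketed by hash value;
    a matching hash only nominates candidates, and the byte-for-byte
    comparison decides, so colliding but different data is never merged.
    """
    buckets = defaultdict(list)
    for name in sorted(objects):
        if len(objects[name]) >= MIN_MERGE_BYTES:
            buckets[digest(objects[name])].append(name)

    groups = []
    for _, names in sorted(buckets.items()):
        # Partition each same-hash bucket by actual content.
        while len(names) > 1:
            reference = objects[names[0]]
            identical = [n for n in names if objects[n] == reference]
            if len(identical) > 1:
                groups.append(identical)
            names = [n for n in names if objects[n] != reference]
    return groups


def bytes_freed(data_size, objects_merged, copies_maintained):
    """Size of the data x (objects merged - 1) x copies HCP must maintain."""
    return data_size * (objects_merged - 1) * copies_maintained
```
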

Disposition service

The disposition service automatically deletes expired objects. An object is expired if either of these is true:

• The object has a retention setting that’s a specific date and time, and that date and time is in the past.

• The object has a retention setting that’s a retention class, and the date and time calculated from the duration specified by the retention class is in the past. In this case, the disposition service deletes the object only if the retention class has disposition enabled.

The disposition service deletes only the current version of a versioned object. It does not delete old versions.

The disposition service is enabled or disabled both at the HCP system level and on a per-namespace basis. Enabling disposition for a namespace has no effect if the service is disabled at the HCP system level.

By default, when the HCP system is first installed, the disposition service is disabled at the system level. To have this service enabled, contact your authorized HCP service provider.

The disposition service runs according to the active service schedule.

When the service runs, it checks each object to see whether the object is expired. If the object is expired, the service checks whether disposition is enabled for the namespace that includes the object.

If an object is expired and in a namespace with disposition enabled, the service hides the object data and metadata and marks the object for deletion. The garbage collection service then deletes the object through its normal processing. When applicable, the deletion triggers the shredding service.

For information on:

• Retention settings, see “Retention policy” on page 328

• Retention classes, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace

• The service schedule, see “Scheduling services” on page 388

• Shredding service, see “Shredding service” on page 350

Garbage collection service

The garbage collection service ensures that HCP storage doesn’t fill up with data that’s no longer needed.

The garbage collection service runs according to the active service schedule. For information on service schedules, see “Scheduling services” on page 388.

Garbage collection service processing

The garbage collection service performs several different functions, including object deletions and transaction log cleanup.

Object deletions

Object deletions happen like this:

• When a user, an application, or the disposition service deletes an object, HCP hides the object data and metadata, marks the object for deletion, and if possible, immediately deletes it.

• When a user or application purges an object, HCP hides the data and metadata for all versions of the object, marks them all for deletion, and if possible, immediately deletes them all.

• When HCP prunes a version of an object, it hides the data and metadata for that version, marks the version for deletion, and if possible, immediately deletes it.

• When the garbage collection service runs:

– It looks for hidden objects. If it finds such objects marked for deletion, it deletes them.

– It looks for objects left by failed writes through the HTTP, WebDAV, and SMTP protocols. If it finds such objects, it deletes them.

In all cases, when applicable, deletion triggers the shredding service.

Transaction log cleanup

HCP maintains a transaction log of all create, delete, purge, prune, and disposition operations performed on objects. HCP uses this log to respond to operation-based queries issued through the metadata query API.

HCP adds and deletes records in the transaction log as follows:

• When a user or application creates an object, HCP adds a creation record to the log.

• When a user or application deletes an object from a namespace that does not have versioning enabled, HCP deletes the applicable creation record from the log and adds a deletion record.

• When a user or application deletes an object from a namespace that has versioning enabled, HCP adds a deletion record to the log but does not delete the creation record.

• When a user or application purges an object, HCP deletes all the creation and deletion records for all versions of the object from the log and adds a purge record for the most recent version.

• When HCP prunes a version of an object, it deletes the applicable creation record from the log and adds a prune record.

• When the disposition service deletes an object, HCP deletes the applicable creation record from the log and adds a disposition record.

Deletion, purge, prune, and disposition records contain only object metadata. You can configure the garbage collection service to delete these records after a specified amount of time. If you do this, each time the service runs, it checks the log for records that are eligible to be deleted and, if it finds any, deletes them.

If you don’t configure the garbage collection service to delete deletion, purge, prune, and disposition records from the transaction log, they remain in the log indefinitely.

For any given namespace, the applicable tenant administrator can choose whether HCP should keep records of delete, purge, prune, and disposition operations if the namespace has ever had versioning enabled. If the tenant administrator chooses not to keep these records, they are immediately eligible to be deleted from the log regardless of the garbage collection service configuration.

While the transaction log contains any deletion, purge, prune, or disposition records for a namespace, the namespace cannot be deleted. If a tenant administrator cannot delete an apparently empty namespace, a possible reason is that the transaction log contains one or more of these records. In this case, have the tenant administrator disable the option to keep these records for that namespace.

Note: A namespace with versioning enabled can be deselected from replication while the owning tenant is included in an active/active replication link. In this situation, deletion, purge, prune, and disposition records for objects in the namespace are not deleted from the transaction log, regardless of the garbage collection service configuration, unless the namespace option to keep those records is disabled.
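The record rules above determine what evidence of a removal survives in the log and for how long. The following is an added example, not HCP code: a simplified Python model of the log for one namespace. The class and method names, the "age is at least the configured number of days" eligibility test, and the sample timeline are assumptions made for illustration, and the replication case in the note above is not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Record types that contain only object metadata and are subject to cleanup.
REMOVAL_OPS = {"delete", "purge", "prune", "disposition"}


@dataclass(frozen=True)
class Record:
    op: str          # "create" or one of REMOVAL_OPS
    path: str
    version: int
    when: datetime


class NamespaceLog:
    """Simplified model of the transaction log for one namespace."""

    def __init__(self, versioning, keep_removal_records=True):
        self.versioning = versioning
        # Models the tenant administrator's option to keep removal records.
        self.keep_removal_records = keep_removal_records
        self.records = []

    def _latest(self, path):
        return max((r.version for r in self.records if r.path == path), default=0)

    def _drop(self, path, ops, version=None):
        self.records = [
            r for r in self.records
            if not (r.path == path and r.op in ops
                    and (version is None or r.version == version))
        ]

    def create(self, path, when):
        self.records.append(Record("create", path, self._latest(path) + 1, when))

    def delete(self, path, when):
        version = self._latest(path)
        if not self.versioning:
            # Without versioning, the creation record is replaced by the deletion record.
            self._drop(path, {"create"}, version)
        self.records.append(Record("delete", path, version, when))

    def purge(self, path, when):
        version = self._latest(path)
        # All creation and deletion records go; one purge record remains.
        self._drop(path, {"create", "delete"})
        self.records.append(Record("purge", path, version, when))

    def prune(self, path, version, when):
        self._drop(path, {"create"}, version)
        self.records.append(Record("prune", path, version, when))

    def dispose(self, path, when):
        version = self._latest(path)
        self._drop(path, {"create"}, version)
        self.records.append(Record("disposition", path, version, when))

    def collect(self, now, keep_days):
        """One garbage collection pass; keep_days=None means keep forever.

        Returns the number of records removed.
        """
        def eligible(r):
            if r.op not in REMOVAL_OPS:
                return False
            if not self.keep_removal_records:
                return True   # eligible regardless of the service configuration
            # Assumption: a record is eligible once its age reaches keep_days.
            return keep_days is not None and now - r.when >= timedelta(days=keep_days)

        before = len(self.records)
        self.records = [r for r in self.records if not eligible(r)]
        return before - len(self.records)

    def blocks_namespace_delete(self):
        # Any remaining removal record prevents deletion of the namespace.
        return any(r.op in REMOVAL_OPS for r in self.records)

    def ops(self):
        return [(r.op, r.path, r.version) for r in self.records]


if __name__ == "__main__":
    def day(n):
        return datetime(2015, 1, 1) + timedelta(days=n)   # constructed timeline

    ns = NamespaceLog(versioning=False)
    ns.create("/a.txt", day(0))
    ns.delete("/a.txt", day(1))
    print(ns.ops(), ns.collect(day(50), 90), ns.blocks_namespace_delete())
    print(ns.collect(day(91), 90), ns.blocks_namespace_delete())
```

With the default 90-day setting, the deletion record in the sample survives a run on day 50 and is removed by a run on day 91, after which the empty namespace no longer has a record blocking its deletion.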

Other garbage collection service functions

In addition to the functions described in “Object deletions” and “Transaction log cleanup” above, the garbage collection service:

• Deletes data and metadata left in the repository by unsuccessful or interrupted write operations.

• Deletes extra copies of objects that are marked for deletion. For example, the following series of events could occur:

1. A logical volume fails on primary running storage.

2. The protection service detects the failed volume and creates a new copy of each object stored on that volume.

3. The volume comes back online, so the extra object copies that the protection service created are no longer needed.

4. The protection service finds the extra copies that it created and marks them for deletion.

5. The garbage collection service detects the object copies marked for deletion, verifies that they are extra copies, and deletes them.

In all cases, when applicable, the deletion of an object triggers the shredding service. For information on the shredding service, see “Shredding service” on page 350.

Configuring the garbage collection service

The Garbage Collection page in the HCP System Management Console lets you set the length of time to keep deletion, purge, prune, and disposition records in the transaction log. To display this page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Garbage Collection.

Roles: To view the Garbage Collection page, you need the monitor or administrator role. To configure the garbage collection service, you need the administrator role.

To configure the garbage collection service, on the Garbage Collection page:

1. Take one of these actions:

– To delete deletion, purge, prune, and disposition records from the transaction log after a set period of time:

• Select the Keep deletion records in the transaction log for option.

• In the days field, type the number of days you want these records to remain in the transaction log. Valid values are integers in the range zero through 999. Zero means delete the records immediately.

– To keep deletion, purge, prune, and disposition records in the transaction log indefinitely, select the Keep deletion records in the transaction log forever option.

By default, the garbage collection service is configured to delete deletion, purge, prune, and disposition records from the transaction log after 90 days.

2. Click on the Update Settings button.

Capacity balancing service

The capacity balancing service ensures that the percent of HCP storage space used on the storage nodes in the system remains roughly equivalent across the nodes when new nodes are added.

When the capacity balancing service runs, it evaluates the storage level for each node without regard to the individual logical volumes the node manages (the amounts of available storage may vary greatly among those volumes). If the storage levels for the nodes differ by a wide margin, the service moves objects around to bring the levels closer to a balanced state.

The capacity balancing service runs only when started manually. Typically, an authorized HCP service provider starts this service after adding new storage nodes to the system.

Roles: To run the capacity balancing service, you need the service role.

Capacity balancing service processing

The capacity balancing service has two main functions: detecting imbalances in storage availability across nodes and repairing those imbalances.

Detecting capacity imbalances

To detect imbalances in storage usage, the capacity balancing service compares node storage usage statistics.

Repairing capacity imbalances

If the capacity balancing service determines that storage usage is imbalanced across nodes:

1. The service determines whether the storage managed by each node is a source of objects to move or a target to move them to.

2. From the storage for each source node, the service moves objects one at a time to storage managed by a target node as long as these conditions apply:

– The percent of space that’s free on the source node is less than or equal to the average percent of free space on all the nodes in the system.

– The percent of space that’s free on the target node is greater than the average percent of free space on all the nodes in the system.

– The storage managed by the target node doesn’t have a copy of the object to be moved.

When selecting objects to move, the capacity balancing service considers the size not only of the object data but also of any custom metadata the object includes.
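The repair procedure above, as an added example that is not HCP code: a Python model that fixes the source and target roles once, then moves objects one at a time while the three listed conditions hold. The `Node` class, the choice of the target with the most free space, the space check on the target, and the constructed four-node cluster are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    capacity: int
    # object id -> size of object data plus custom metadata
    objects: dict = field(default_factory=dict)

    def used(self):
        return sum(self.objects.values())

    def free_pct(self):
        return 100.0 * (self.capacity - self.used()) / self.capacity


def rebalance(nodes):
    """Return the list of (object id, source, target) moves that were made."""
    def avg():
        return sum(n.free_pct() for n in nodes) / len(nodes)

    # Step 1: classify each node once as a source or a target.
    start = avg()
    sources = [n for n in nodes if n.free_pct() <= start]
    targets = [n for n in nodes if n.free_pct() > start]

    moves = []
    # Step 2: move objects one at a time while the conditions apply.
    for src in sources:
        for obj_id in list(src.objects):
            if src.free_pct() > avg():
                break                      # source is no longer at or below average
            size = src.objects[obj_id]
            candidates = [
                t for t in targets
                if t.free_pct() > avg()                 # target is above average
                and obj_id not in t.objects             # target has no copy yet
                and t.capacity - t.used() >= size       # assumption: it must fit
            ]
            if not candidates:
                continue
            dst = max(candidates, key=Node.free_pct)    # assumption: emptiest target
            dst.objects[obj_id] = src.objects.pop(obj_id)
            moves.append((obj_id, src.name, dst.name))
    return moves


def sample_cluster():
    # Constructed input: n1 and n2 each hold one copy of o1..o8 (90 data + 10
    # custom metadata per object); n3 and n4 are newly added, empty nodes.
    objs = {f"o{i}": 90 + 10 for i in range(1, 9)}
    return [Node("n1", 1000, dict(objs)), Node("n2", 1000, dict(objs)),
            Node("n3", 1000), Node("n4", 1000)]


if __name__ == "__main__":
    cluster = sample_cluster()
    for move in rebalance(cluster):
        print(move)
    print({n.name: n.used() for n in cluster})
```

On the sample cluster the run ends with 300, 500, 400 and 400 units used: closer to balanced but not equal, because moves stop as soon as no target is above the average, and the two copies of each object never land on the same node.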

Maintaining capacity balance

HCP is unlikely ever to be in a perfectly balanced state. Two factors contribute to this:

• Additions and deletions of objects to and from the system do not trigger capacity balancing service runs.

• When all the objects in a directory have been deleted, the empty directory remains in the namespace. Directories in the default namespace, whether empty or not, have metadata, which takes up space.

Storage tiering service

Each namespace has a service plan that defines both a storage tiering strategy and a data protection strategy for the objects in that namespace.

At any given point in the lifecycle of an object, its storage tiering strategy specifies the types of storage on which copies of that object must be stored, and its data protection strategy specifies the number of object copies that must be stored on each type of storage.

The storage tiering service performs these functions according to rules specified in service plans:

• Moving copies of the objects in a given namespace among all of the storage tiers that are defined for that namespace by its service plan (see “Moving copies of objects among storage tiers” on page 369)

• Creating and deleting copies of objects in a given namespace on each storage tier that’s defined for that namespace to ensure that each tier always contains the correct number of copies of each object (see “Maintaining the correct number of object copies on each tier” on page 371)

• Changing objects stored on primary running storage to be metadata-only or restoring data to metadata-only objects (see “Making objects metadata-only” on page 372)

For information on service plans, see “Working with service plans” on page 210.

The storage tiering service runs according to the active service schedule. For information on service schedules, see “Scheduling services” on page 388.

Important: HCP S Series Nodes run the risk of reaching maximum storage capacity. Objects do not tier to S Series Nodes that are full.

Moving copies of objects among storage tiers

One of the functions of the storage tiering service is to move copies of objects in a namespace among storage tiers that are defined for that namespace by its service plan.

The service plan for a given namespace defines one or more storage tiers that can be used to store copies of the objects in that namespace.

Because HCP initially stores every object on primary running storage, every service plan automatically has primary running storage defined as the initial storage tier, called the ingest tier.

For each storage tier, including the ingest tier, the service plan for a given namespace specifies:

• The storage pools that are used to store copies of each object on the tier. Each storage pool consists of one or more storage components. Each storage component represents a type of primary storage (running or spindown), an extended storage device, or a cloud storage service endpoint.

• For each object that’s stored on the tier, the number of copies of the object data that HCP must maintain on each storage pool and the number of copies of object metadata that HCP must maintain on the ingest tier.

• The transition criteria for each tier except for the ingest tier. The transition criteria for a storage tier are the rules that determine when one or more copies of each object in the namespace must be stored on the tier:

– The object age (number of days since ingest) at which one or more copies of the object data must be moved from the previous tier onto this tier

– For service plans that define exactly two tiers, including the ingest tier, whether a threshold will be applied to the second tier, and if so, the percentage of primary running storage capacity that must be used (the threshold) before object data can be moved to the second storage tier

• For a namespace that’s currently being replicated to another system, whether the copies of the object that are stored on the tier are to be made metadata-only.

Regardless of the transition criteria that are specified for a metadata-only tier, objects are moved to such a tier only after they are replicated. When a replicated object is moved to a metadata-only tier, all existing copies of the object data are deleted from the previous tier and from primary running storage, and the specified number of copies of the object metadata are stored on primary running storage.

• Whether the data for each object stored on the tier is rehydrated (that is, restored on primary running storage) upon being read from the tier, and if so, the number of days HCP is required to keep a rehydrated copy of object data on primary running storage

If the service plan for a given namespace defines multiple storage tiers, then for each object in that namespace, the storage tiering service:

• Moves copies of the object data among the storage tiers that are defined for the namespace to satisfy the transition criteria that are defined for each storage tier

• Upon moving all existing copies of the data for an object from one tier to another:

– If the new tier has a different DPL than the previous tier, creates or deletes the number of copies of object data that’s required to satisfy the DPL setting for the new tier

– If the new tier has a different primary running storage metadata protection level (MPL) than the previous tier, creates or deletes the number of copies of object data that’s required to satisfy the DPL setting for the new tier

• Upon moving a replicated object to a metadata-only tier, deletes all copies of the object data from the previous tier, and if the previous tier is not the ingest tier, deletes any copies of the object data that exist on primary running storage

• Checks to see if the object data has been read from a data storage tier for which rehydration is enabled, and if so, creates an extra copy of the object data on primary running storage

• After moving a replicated object to a metadata-only tier for which rehydration is enabled and making that object metadata-only, checks to see whether that object has been read from a remote system, and if so, restores the data to each copy of the object that’s stored on primary running storage

For information on creating and configuring service plans and assigning each plan to a namespace, see “Working with service plans” on page 210.

Maintaining the correct number of object copies on each tier

Another function of the storage tiering service is to maintain the correct number of copies of each object in a namespace on each storage tier that’s defined for that namespace by its service plan.

If the number of object copies on a storage tier is less than the number of object copies specified for that tier in the applicable service plan, the storage tiering service creates the appropriate number of new copies of that object on that tier. If the number of copies of an object on a storage tier is higher than the number of object copies specified for that tier in the applicable service plan, the storage tiering service deletes all unnecessary copies of that object from that tier.

Differences between the storage tiering service and the protection service

The protection service performs work that is nearly identical to the work performed by the storage tiering service to maintain the correct number of copies of object data and metadata on each service tier that’s defined for a namespace. However, the two services perform the work that they do in slightly different ways.

The storage tiering service runs only when it’s scheduled to run. When the storage tiering service processes an object in a given namespace, the storage tiering service first checks to see whether copies of the object data are stored on the correct storage tier and moves the object data among tiers if necessary. The storage tiering service then checks to see whether the correct number of object copies exists on each tier that’s defined for the namespace and takes corrective action if necessary.

The protection service runs when it’s scheduled to run and in response to its triggers (see “Protection service triggers” on page 344). When the protection service processes an object in a given namespace, the service first checks to see whether the correct number of copies of the object exist on all storage tiers. If not, the protection service first checks to see whether the correct number of object copies exist on the active storage tier (the one on which the object is currently supposed to be stored) and takes corrective action if necessary. The protection service then checks to see if the correct number of object copies exists on the other storage tiers and takes corrective action if necessary.

The storage tiering service is designed to optimize storage utilization. The storage tiering service, therefore, first moves objects among storage tiers and then checks to make sure all copies of each object in a given namespace have been stored on the correct storage tiers.

The protection service is designed to optimize data availability and maintain the correct level of data redundancy for each object in a given namespace. The protection service, therefore, constantly checks to see whether the correct number of copies of the object data are available to clients, and takes corrective action as soon as a violation occurs. When the protection service runs on a schedule, it checks the availability of each object on the active storage tier first, and then checks whether the correct number of object copies exists on the other tiers.

Making objects metadata-only

The third function of the storage tiering service is to delete all existing copies of the data for any object that’s moved to a metadata-only storage tier and ensure that the correct number of copies of the metadata for that object are stored on primary running storage.

The storage tiering service also restores data to metadata-only objects on primary running storage. Restoring data to an object on primary running storage is called rehydrating the object.

When the storage tiering service moves an object off of primary running storage and onto another storage tier, the service removes all copies of the object data from primary running storage and stores the specified number of copies of the object data on the new storage tier. However, at least one copy of the object metadata must always remain on primary running storage. For each storage tier that’s defined for a given namespace, the service plan specifies the number of copies of object data that must be stored on the tier and the number of copies of object metadata that must be stored on primary running storage.

If a given namespace is being replicated to another system, you can configure the service plan for that namespace to define a metadata-only storage tier. This type of tier specifies the number of copies of object metadata that must be stored on primary running storage, but it also specifies that no copies of the object data can be stored on any storage tier, including the ingest tier. Read-from-remote functionality enables clients to read the data for replicated metadata-only objects.

The storage tiering service makes objects metadata-only only when all of these conditions are true:

• The service plan for the namespace that contains the object defines a metadata-only storage tier.

• The object is on the storage tier that immediately precedes the metadata-only tier defined in the namespace service plan, and the object meets the transition criteria specified for the metadata-only storage tier.

• A copy of the object data exists on at least one other HCP system in the replication topology in which the current system participates. (This is possible because service plans with the same name can have different definitions on different systems.)

When all of these conditions are true, the storage tiering service deletes all copies of the object data from the preceding storage tier. If the preceding storage tier is not primary running storage, the storage tiering service also deletes any copies of the object data that exist on primary running storage. After deleting all copies of the object data, the storage tiering service creates or deletes copies of the object metadata on primary running storage as necessary to ensure that the number of copies of object metad the service plan.

If rehydration is enabled for a metadata-only storage tier, when rehydrating a replicated object that’s been read from primary running storage on a remote system, the storage tiering service rehydrates all copies of the object on primary running storage on the local system.

When replicating an object in a namespace to a system on which objects in that namespace can be made metadata-only, HCP replicates only the object metadata if the object is larger than one MB. If the object is smaller than one MB, HCP replicates both the data and metadata.

Here’s a scenario that shows how allowing metadata-only objects can be used to advantage:

You have a many-to-one replication topology in which the HCP systems at the outlying sites are much smaller than the central HCP system to which they all replicate. To optimize the use of storage on the outlying systems, you allow the namespaces on those systems to have metadata-only objects while requiring the central system to have the object data. The outlying systems respond to client requests for object data by reading the data from the central system.

In this scenario, the replication topology should include a disaster recovery system (that is, a replica of the central system) to protect against data loss in case of a catastrophic failure of the central system.

Important: HCP does not prevent you from removing a namespace from a replication topology even if the namespace contains metadata-only objects on one or more systems in that topology. This can result in data for objects in that namespace being permanently inaccessible from those systems.

In most cases, HCP warns you if the modification you’re making to a replication link would cause this condition to occur.

Note: For the HDDS search facility to index the data for metadata-only objects, the objects must be rehydrated.

For more information on replication, see Replicating Tenants and Namespaces.

Storage tiering service processing

The storage tiering service processes one object at a time. For each object, the service checks the applicable service plan to determine the storage tiers on which copies of the object data should be stored, the number of copies of the object data that should be stored on each tier, and the number of copies of the object metadata that should be stored on primary running storage. The storage tiering service then checks to see whether the object data has been read from a storage tier for which rehydration is enabled. Finally, the storage tiering service checks to see whether the object data has been read from a remote system because that object is metadata-only on the local system, and if so, the service checks to see whether rehydration is enabled for the metadata-only tier on which the object resides.

For each object in a namespace, if all of these conditions are true, the storage tiering service takes no action on that object:

• The object is stored on the correct storage tier.

• The correct number of copies of the object data exist on the current storage tier.

• The correct number of copies of the object metadata exist on primary running storage.

• If the object is on a storage tier for which rehydration is enabled, the correct number of rehydrated copies of the object exist on primary running storage.

If one or more of the above conditions is not true, then the storage tiering service takes the appropriate actions to bring the object into compliance with the namespace service plan, as described in “Moving copies of objects among storage tiers” on page 369.

Understanding storage tiering statistics

The Storage page in the HCP System Management Console displays graphs and statistics that provide information about the use of primary running storage, primary spindown storage, and each type of extended storage that’s used to store objects in a repository. The Storage page also provides information about metadata-only objects.

To display the Storage page, in the System Management Console, click on Storage.

For information on using the Storage page to view storage usage statistics and to view metadata-only object creation and storage usage statistics, see “Monitoring storage pools and components” on page 193.

Roles: To view the Storage page, you need the monitor or administrator role. To modify the configuration of extended storage or to create, modify, or delete service plans, you need the administrator role.

Migration service

The migration service migrates data off of selected storage nodes in an HCP RAIN system or off of selected storage arrays in an HCP SAIN system in preparation for retiring those devices. During a data migration, the service copies objects and, if applicable, the metadata query engine index from the selected devices to free storage on the remaining devices. Before you start a data migration, you need to ensure that those devices have enough unused capacity to hold the data to be migrated.

After copying an object, the service deletes it from the source device.

Once the migration is complete, you can submit a request to your authorized HCP service provider to finalize the migration and remove the retired devices from the system.

Important: After the migration of data off of a storage node in an HCP RAIN system is finalized, the system can never again include a node with the same fourth octet in its back-end IP address as that node had.

Retiring a node is not part of the normal procedure for replacing a node that has failed or for upgrading to newer hardware. In these cases, the new node can use the same back-end IP address as the one being replaced.

The migration service runs only when you explicitly start a data migration.

When the migration is complete, the service stops automatically.

When you start a data migration, the selected nodes or storage arrays automatically become read-only (except for allowing the migration service to delete objects). After the migration is complete, they remain read-only.

When you start a migration of data off of selected nodes in a RAIN system, HCP automatically removes any NFS volumes from those nodes and associates those volumes with other nodes in the system.

Typically, for a RAIN system, before starting a data migration, you submit a request to your authorized HCP service provider to add new nodes to the HCP system in order to maintain (or increase) the system storage capacity. However, if the nodes not selected for migration have sufficient free space to accommodate all the data to be migrated, adding new nodes before the data migration is not required.

For a SAIN system, before starting a data migration, your SAN storage administrator, working in conjunction with your authorized HCP service provider, needs to add logical volumes (LUNs) from new or existing storage arrays to any nodes on which all the existing LUNs on all the existing arrays are being retired. Migrated data, however, can be written to any node, and does not necessarily have to be written to the same node from which the data is being migrated.

The HCP system cannot be upgraded while a data migration is in progress.

Before the system can be upgraded, you need to either allow the migration to finish or cancel the migration. If you cancel the migration, you can configure a new migration of data off the same devices after the system is upgraded.

The migration service is not available for HCP VM systems.

Important: To prevent data loss in namespaces that are not being replicated and that have service plans that set the ingest tier DPL to 1, always migrate data off of a device before submitting a request to your authorized HCP service provider to remove the device from the HCP system.

Considerations for migrations on RAIN systems

Using the migration service to retire nodes in a RAIN system entails removing nodes from the system and, optionally, adding new nodes. After any new nodes are added to the HCP system but before you begin the data migration, you need to:

• For each combination of domain and network configured in the DNS, remove the IP addresses of the nodes being retired and add the IP addresses of any new nodes

• For each replication link that identifies the HCP system by its IP addresses, remove from the link configuration the IP addresses of the nodes that are being retired and add the IP addresses of any new nodes

Target storage requirements for SAIN systems

The information in this section is intended for your SAN storage administrator. It outlines storage requirements that, if not met, prevent a data migration from being started.

Each node in an HCP SAIN system must have one OS LUN and at least two data LUNs. If a LUN being migrated is the OS LUN for a node, a replacement for that LUN must be added to the node before the data migration can occur. If the existing LUN is number zero, the new LUN must be number 128. If the existing LUN is number 128, the new LUN must be number zero. Additionally, the new LUN must have a capacity of at least 30 GB.

Migration procedure

The complete procedure for retiring a device is:

1. Take one of these actions:

– Optionally, for a RAIN system, submit a request to your authorized HCP service provider to add one or more storage nodes to the system. After a data migration is finalized, the HCP system must still have at least four storage nodes.

– For a SAIN system, submit a request to your SAN storage administrator and your authorized service provider to work together to add LUNs to the nodes on which all of the existing LUNs are on the storage arrays that you’re retiring.

2. For a RAIN system, update the DNS and any replication links as needed. For more information on this, see “Considerations for migrations on RAIN systems” on page 377.

3. Configure the data migration by selecting the devices to be retired.

HCP can perform only one data migration at a time. Therefore, you should select all of the devices that you want to retire so that you don’t have to run multiple sequential data migrations.

Note: Certain hardware errors, such as a degraded RAID group on a source or target node, prevent you from configuring a data migration. In such cases, you need to fix the problem before you can continue.

4. Review the configuration of the data migration.

If the migration configuration is not acceptable, HCP provides detailed information about the problems.

5. Submit requests to your authorized HCP service provider and/or your SAN administrator (if you’re migrating storage off of a SAIN system), as necessary, to fix any reported problems.

6. Optionally, enter a description for the data migration and/or change the performance level for the migration service.

7. Ensure that all of the nodes in the HCP system are running and healthy.

8. Start the data migration.

If any nodes become unavailable while the migration service is running, the service stops migrating data. When those nodes become available, the service automatically starts migrating data again.

9. Monitor the data migration and manage it by changing the performance level or pausing the migration, as needed. You can also modify the migration description at any time (for example, to record when and how long the migration was paused).

10. When the data migration is complete (that is, the migration status is Migrated):

– If a migration report is available, review it. This report identifies tenants that own namespaces containing unacknowledged irreparable objects. For the default tenant and for HCP tenants that are configured to allow system-level users to manage them, the report also lists the unacknowledged irreparable objects in those namespaces.

Note: If the migration service encounters one or more objects that it cannot migrate, it marks those objects as irreparable (if they weren’t already marked that way).

– If the data migration statistics show that not all objects were migrated, contact your authorized service provider for help.

11. Submit a request to your authorized service provider to finalize the migration and remove the retired hardware.

Migration page

The Migration page in the HCP System Management Console lets you configure, monitor, and manage data migrations. To display this page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Migration.

Note: You can also perform a migration using the Retire Primary Storage wizard, which walks you through the data migration process that’s outlined in this chapter. You can access this wizard from the Retirement panel on the Storage page in the System Management Console. For information on using this wizard, see “Retiring primary storage devices” on page 186.

Roles: To monitor data migrations, you need the monitor or administrator role. To configure and manage data migrations, you need the administrator role.

Configuring a data migration

When configuring a data migration on a RAIN system, you select nodes to be retired. When configuring a data migration on a SAIN system, you select storage arrays.

Configuring a migration on a RAIN system

To configure a data migration on a RAIN system:

1. On the left side of the Migration page, click on Configuration.

The Configuration panel displays step 1 (one) of the migration configuration (Choose items for migration). The Select Hardware for Retirement section lists the storage nodes in the HCP system.

2. Select the nodes from which you want to migrate the data.

To clear your selections and start over, click on the Cancel button.

3. Click on the Next button.

The Configuration panel displays step two of the migration configuration (Review configuration summary and confirm). The Configuration Summary section in this panel indicates whether the migration configuration is acceptable.

Note: When you click on the Next button, HCP checks that the system is in a valid state to perform the migration. This includes checking for degraded RAID groups. This check can take up to 90 seconds.

If the configuration is not acceptable, you can click on the view details link in the Configuration Summary section to display the specific reasons why. You can also click on the Configuration Report link to download the configuration summary and details to a file. The default name for this file is Configuration-Report.txt.

The Configuration Details section in the step-two panel lists the nodes selected for migration:

– To change the migration configuration, click on the Modify Configuration button. The Configuration panel redisplays step 1, which shows your current selections.

– To restart the migration configuration, click on the Cancel button. The Configuration panel redisplays step 1 with all selections cleared.

4. Optionally, add a description of the data migration and/or change the performance level for the migration service:

– To add a description:

a. Click on the Add description link.

b. In the text box that opens, type a description of the migration. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

– To change the performance level, in the Performance Level field, select Low, Medium, or High. The higher the performance level, the greater the load on the HCP system.

5. Click on the Start Migration button.

The migration service begins preparing for the data migration, and the Migration page switches to the Overview panel.

Configuring a migration on a SAIN system

To configure a data migration on a SAIN system:

1. On the left side of the Migration page, click on Configuration.

The Configuration panel displays step 1 (one) of the migration configuration (Choose items for migration). The Select Hardware for Retirement section lists the storage arrays used by the HCP system.

Each array is assigned a number, starting from zero. Below this list, the section shows the number of LUNs currently selected for migration out of the total number of LUNs for each node.

To view additional details about the LUNs, click in the row for the node you’re interested in or click on the expand all link to see details about the LUNs on all nodes. After displaying details for all the LUNs, you can click on the collapse all link to hide the details.

The details shown for each LUN are:

– The number of the array the LUN comes from.

– The LUN number.

– The worldwide identification number (WWID) for the LUN.

– The type of LUN (OS, data, or standby). Standby means that the LUN mapping provides zero-copy-failover support for a data LUN on a different node. For more information on this, see Appendix C, “Zero-copy failover behavior,” on page 575.

– The LUN size.

2. Select the storage arrays from which you want to migrate the data.

When you select an array for migration, all HCP LUNs on the array are selected automatically. You cannot select or deselect the LUNs individually.

To clear your selections and start over, click on the Cancel button.

3. Click on the Next button.

The Configuration panel displays step two of the migration configuration (Review configuration summary and confirm). The Configuration Summary section in this panel indicates whether the migration configuration is acceptable.

Note: When you click on the Next button, HCP checks that the system is in a valid state to perform the migration. This check can take up to 90 seconds.

If the configuration is not acceptable, you can click on the view details link in the Configuration Summary section to display the specific reasons why. You can also click on the Configuration Report link to download the configuration summary and details to a file. The default name for this file is Configuration-Report.txt. You can send this file to your SAN storage administrator, who can then correct the problems.

The Configuration Details section in the step-two panel lists the devices selected for migration. It also shows the number of LUNs currently selected for migration out of the total number of LUNs for each node.

As in the step-1 panel, you can view details about the selected LUNs.

In this case, the details have an additional column, Migration Status, that indicates whether the data on the LUN can (Ready) or cannot (Not Ready) be successfully migrated.

To change the migration configuration, click on the Modify Configuration button. The Configuration panel redisplays step 1, which shows your current selections.

To restart the migration configuration, click on the Cancel button. The Configuration panel redisplays step 1 with all selections cleared.

4. Optionally, add a description of the data migration and/or change the performance level for the migration service:

– To add a description:

a. Click on the Add description link.

b. In the text box that opens, type a description of the migration. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

– To change the performance level, in the Performance Level field, select Low, Medium, or High. The higher the performance level, the greater the load on the HCP system.

5. Click on the Start Migration button.

The migration service begins preparing for the data migration, and the Migration page switches to the Overview panel.

Monitoring a data migration

To monitor a data migration, you use the Overview panel on the Migration page. This page shows information both about the current data migration and about the last completed or canceled data migration, if any.

Information about the current data migration

The top of the Overview panel displays this information about the current data migration and the migration service:

• The current status of the migration service:

Not Migrating — The migration service is not running. No migration is in progress.

Starting Migration — The migration service is preparing for the data migration. This includes determining the number of objects to be migrated and the size of the data to be migrated. It also includes changing the HCP system configuration to prevent data from being written to the selected devices.

Migrating — The migration service is actively migrating data off the selected devices.

Paused — A data migration is in progress, but the migration service is not actively migrating data at this time.

Completing Migration — The migration service is verifying that the migration was successful and waiting while HCP rebalances metadata.

Migrated — The migration service has finished migrating data off the selected devices and is no longer running.

If the Overview panel displays a Migration Report link, click on the link to download the migration report to a file. The default name for this file is Migrationnumber-Report.txt, where number is the number automatically assigned to the migration when the copying process started.

Be sure to review the migration report before having your authorized service provider finalize the migration.

• The estimated amount of time remaining to complete the current data migration.

• The amount of time the migration service has been running. This value does not include any time during which the service was paused.

• The time the migration service started.

• The number of objects migrated so far out of the total number of objects to be migrated, along with a progress bar and text indicating the percent of objects migrated.

• The amount of data migrated so far, in KB, out of the total amount of data to be migrated, along with a progress bar and text indicating the percent of data migrated.

• The current performance-level setting for the migration service.

• The description of the current data migration.

To modify the description:

1. Click on the Edit description link.

2. In the text box that opens, edit the migration description.

3. Click on the Submit button.

To view the configuration of the current data migration:

1. Click on the View details link.

The Current Migration Details window opens. This window shows the same Configuration Summary and Configuration Details sections as step-two of the Configuration panel.

2. After viewing the migration configuration, click on the Close button.

Information about the last data migration

The Migration History section in the Overview panel displays this information about the last completed or canceled data migration:

• The time at which the data migration was completed or canceled.

• The total amount of time the migration service took to perform the data migration. This value does not include any time during which the service was paused.

• The number of objects migrated out of the total number of objects that were to be migrated, along with a progress bar and text indicating the percent of objects migrated.

• The amount of data migrated, in KB, out of the total amount of data that was to be migrated, along with a progress bar and text indicating the percent of data migrated.

• The description of the data migration.

To modify the description:

1. Click on the Edit description link.

2. In the text box that opens, edit the migration description.

3. Click on the Submit button.

To view the configuration of the data migration:

1. Click on the View details link.

The Previous Migration Details window opens. This window shows the same Configuration Summary and Configuration Details sections as step-two of the Configuration panel.

2. After reviewing the migration configuration, click on the Close button.

Managing a data migration

While the migration service is migrating data, you can use the Management panel on the Migration page to:

• Change the performance level of the migration service

• Change the description of the data migration

• Pause or resume the data migration

• Cancel the data migration

Changing the performance level

The performance level determines how much load the migration service puts on the HCP system. If the system load from other activities is heavy, you can lower the performance level for the migration service to make more system resources available to those activities. If the system load from other activities is light, you can increase the performance level for the migration service, thereby allowing the service to use more system resources.

To change the performance level for the migration service, in the Management panel:

1. In the Performance Level field, select Low, Medium, or High.

2. Click on the Update Settings button.

3. In response to the confirming message, click on the Update Settings button.

HCP pauses the data migration and changes the performance level.

4. Click on the Resume button.

Pausing or resuming a migration

You can pause or resume the data migration at any time while the migration service is copying objects. You would do this, for example, if you need to make changes to HCP networking or during periods of heavy namespace activity. While the migration is paused, the selected devices remain read-only.

To pause or resume a data migration, in the Management panel, click on the Pause or Resume button, as applicable.

Canceling a migration

You can cancel the data migration at any time while the migration service is copying objects or while the migration is paused. When you do this, the migration service stops and the selected devices become read-write. Any data that was already migrated remains in its new location. Additionally, information about the data migration moves to the Migration History section in the Overview panel.

To cancel a data migration, in the Management panel:

1. Click on the Cancel button.

2. In response to the confirming message, click on the Cancel Migration button.

Scheduling services

The protection, content verification, scavenging, compression, duplicate elimination, disposition, garbage collection, and storage tiering services run according to a schedule. A service schedule consists of periods of time during which one or more services are scheduled to run.

Within a time period, each scheduled service has a performance level of low, medium, or high. The performance level determines how much load the service puts on the HCP system. The higher the performance level, the greater the load.

HCP comes with a predefined service schedule named HCP Default Schedule. This schedule cannot be modified or deleted.

HCP SAIN systems with spindown storage come with an additional predefined schedule named HCP Spindown Schedule. This schedule is optimized for storage tiering service activity against spindown storage.

The HCP Spindown Schedule is modifiable.

You can create as many other schedules as you want. However, only one schedule at a time can be active. At any time, you can change which schedule is active.

After creating a service schedule, you can modify or delete it. You can modify a schedule regardless of whether it’s active. You can delete a schedule only while it’s not active.

Note: Although you can modify or delete the HCP Spindown Schedule, this is not recommended because once the schedule is modified or deleted, you cannot restore it. Instead, create a new schedule based on the HCP Spindown Schedule and modify the new one.

How scheduled services work

The protection, content verification, scavenging, compression, duplicate elimination, disposition, garbage collection, and storage tiering services each examine objects one at a time, determine whether any action needs to be taken with the object, and if so, take the appropriate action. The services, except for scavenging, start with the primary metadata and use that to find the object data. The scavenging service starts with the secondary metadata, which is stored with the object data.

If the HCP system does not include any spindown storage, the services look at the object data for each object regardless of which node the data is stored on.

If the HCP system does include spindown storage, on most days, all scheduled services except duplicate elimination look at the object data on only a subset of the nodes in the system, each day looking at the data on a different set of nodes. This prevents spindown volumes that are spun down from being spun up frequently or for long periods of time.

Periodically, however, to address cases where the data for an object spans nodes in different sets, the services don’t restrict the nodes they look at on one day.

The duplicate elimination service always looks at object data regardless of which node the data is stored on because the service needs to correlate data from all locations. This can result in all spindown volumes being spun up at the same time. You should keep this in mind when scheduling the duplicate elimination service.

The length of time required for a service to examine every object in the repository depends on several factors, including the number of objects in the repository, for how much time the service is scheduled to run each week, and the performance level at which the service runs.

If the HCP system includes spindown storage, services scheduled to run on only one day a week take a minimum of three to five weeks to examine all objects, depending on the number of nodes in the system. You can shorten this time by scheduling the services to run on more than one day a week.

Note: Services may examine some objects twice during a run. Rarely, this can result in the reported number of objects examined being larger than the number of objects in the repository. If an irreparable object is examined twice by the protection or content verification service, that object is counted twice in the reported number of violations found.

About the Service Schedule page

The Schedule page in the HCP System Management Console lets you create, view, modify, activate, and delete service schedules, as well as view log messages about service activity. This page has a service legend, a schedule grid, and an optionally displayed list of log messages.

On the schedule grid, each time period in which at least one service is scheduled to run is represented by a rectangle. These rectangles are numbered in the upper left corner for ease of reference.

To display the Schedule page:

1. In the top-level menu in the System Management Console, mouse over Services to display a secondary menu.

2. In the secondary menu, click on Schedule.

Roles: To view service schedules and log messages about service activity, you need the monitor or administrator role. To create, modify, activate, and delete service schedules, you need the administrator role.

Service legend

The top part of the Schedule page contains a legend that associates each service with an icon. These icons are used to identify services in the schedule grid. The icons are:

• Compression service.

• Content verification service.

• Disposition service.

• Duplicate elimination service.

• Garbage collection service.

• Protection service.

• Scavenging service.

• Storage tiering service.

When you mouse over a time period in the schedule grid:

• The legend heading shows the period reference number and the start and end times for the period

• The services scheduled in the time period are highlighted in the legend

Schedule grid

The schedule grid on the Schedule page shows the weekdays from Sunday through Saturday, with each day broken out into 24 hours. The time periods for a schedule are laid out on this grid.

The heading for each time period shows the period reference number and the start and end times for the period, if they fit in the width of the rectangle. Within each rectangle, either of these is displayed, depending on the size of the rectangle:

• For each scheduled service, the service icon with a bar under it indicating the performance level for the service:

– Low:

– Medium:

– High:

• The number of services scheduled to run during the time period.

If a service in one time block preempts a service in an overlapping time block, the background color of the rectangle containing the preempted service is pink. When you mouse over the rectangle, the service involved is highlighted in red in the service legend. Text below the legend tells you which other service is preempting that service.

Displaying a service schedule

By default, when you open the Schedule page, the schedule grid shows the active schedule. To display a different schedule, select the schedule you want in the field on the left above the schedule grid.

If the displayed schedule is active, the word Active appears on a green background to the right of the schedule selection field.

Viewing the schedule for an individual service

By default, the schedule grid shows all scheduled services in the time periods for the displayed schedule. You can choose to show only a selected service in the scheduled time periods. To do this, select the service you want in the field on the right above the schedule grid.

To show all services again, select All services in the same field.

Service log messages

HCP writes messages about service activity to the system log. These messages are displayed in the Service Events section on the Schedule page as well as in other displays of the log.

The messages displayed depend on the selection in the field on the right above the schedule grid. If All services is selected, the list of messages includes all service-related messages. If a specific service is selected, the list includes only the messages related to that service.

For information on displays of system log messages, see “Understanding the HCP system log” on page 436.

Service schedule considerations

These considerations apply to service schedules:

• You cannot modify or delete the service schedule named HCP Default Schedule.

• You cannot activate a service schedule that does not include the garbage collection service. Likewise, you cannot completely remove the garbage collection service from the currently active service schedule.

• If the HCP system includes spindown storage but the currently active service schedule does not include the storage tiering service, the Overview page in the System Management Console displays an alert indicating that this situation exists.

• The minimum amount of time for a time period is two hours.

• Time periods can overlap. For example, on a given day, you can have a five-hour time period that starts at 1:00 a.m., a six-hour time period that starts at 1:00 a.m., and a three-hour time period that starts at 3:00 a.m.

• Overlapping time periods cannot include the same service.

• A service that is scheduled in contiguous time periods stops at the end of the first time period and restarts at the beginning of the next one.

• Time periods cannot span days. That is, you cannot create a single time period that starts before midnight on one day and continues after midnight on the next day. However, you can schedule the same service to run in one time period that ends at midnight and another that starts at the beginning of the next day.

• The recommended maximum number of services to schedule in a time period is half the number of hours in the time period, rounded down.

• The more services you schedule to run at the same time, the more the services compete for system resources.

• Each time a service runs, it picks up from where it left off the last time it ran. For more information on service runs, see “How scheduled services work” on page 388.

• After a service completes a full run (that is, after it has examined every object in the repository), it does not start again for at least 24 hours regardless of the service schedule.

• When a service requires spindown volumes to be spun up, it waits while the volumes spin up. This uses up a small amount of time in the time period in which the service is running.

• When a service in one time period preempts a service in another time period, the preempted service stops. If the preempting service stops before the end of the time period containing the preempted service, the preempted service restarts only if at least ten minutes remain in the time period after HCP recognizes that the preempting service has stopped. HCP can take up to five minutes to recognize the stop.

For information on which services preempt which others, see “Service precedence” on page 334.

• When you modify the active schedule, any service that is currently running stops. The service restarts only if the current time is in a time period in which the service is scheduled to run and only if at least ten minutes remain in that time period.
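The considerations above can be checked mechanically before a schedule is saved or activated. The following Python code is an added example, not HCP code or an HCP interface: the Period model, validate(), and preempted_restart() are hypothetical names, and the sample schedule is constructed from the overlapping-periods example in the list. The three-way result of preempted_restart() assumes the recognition delay falls anywhere between zero and five minutes.

```python
from dataclasses import dataclass
from itertools import combinations

# Schedulable services and performance levels as named in this chapter.
SERVICES = {
    "protection", "content verification", "scavenging", "compression",
    "duplicate elimination", "disposition", "garbage collection",
    "storage tiering",
}
LEVELS = {"low", "medium", "high"}
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")


@dataclass
class Period:
    """One time period on the schedule grid (hypothetical model)."""
    day: str        # one of DAYS
    start: int      # start hour, 0-23
    end: int        # end hour, 1-24 (24 = midnight ending the day)
    services: dict  # service name -> performance level


def validate(periods, activating=False, has_spindown=False):
    """Check a schedule against the considerations listed above.

    Returns (errors, warnings): errors are rules stated as hard limits,
    warnings are the stated recommendation and the console alert.
    """
    errors, warnings, valid = [], [], []
    for n, p in enumerate(periods, 1):
        # Time periods cannot span days.
        if p.day not in DAYS or not 0 <= p.start < p.end <= 24:
            errors.append(f"period {n}: must start and end within a single day")
            continue
        valid.append((n, p))
        hours = p.end - p.start
        if hours < 2:
            errors.append(f"period {n}: shorter than the two-hour minimum")
        if not p.services:
            errors.append(f"period {n}: at least one service must be scheduled")
        for svc, level in p.services.items():
            if svc not in SERVICES or level not in LEVELS:
                errors.append(f"period {n}: unknown service or level {svc!r}/{level!r}")
        # Recommended maximum: half the number of hours, rounded down.
        if len(p.services) > hours // 2:
            warnings.append(f"period {n}: {len(p.services)} services exceeds "
                            f"the recommended maximum of {hours // 2}")
    # Overlapping periods cannot include the same service. Contiguous
    # periods (one ends where the next starts) do not overlap.
    for (i, a), (j, b) in combinations(valid, 2):
        if a.day == b.day and a.start < b.end and b.start < a.end:
            for svc in sorted(a.services.keys() & b.services.keys()):
                errors.append(f"periods {i} and {j}: overlap and both include {svc}")
    scheduled = set().union(*(p.services for p in periods))
    if activating and "garbage collection" not in scheduled:
        errors.append("cannot activate: garbage collection is not scheduled")
    if has_spindown and "storage tiering" not in scheduled:
        warnings.append("spindown storage present but storage tiering is not scheduled")
    return errors, warnings


def preempted_restart(period_end_min, preempter_stop_min):
    """Will a preempted service restart? Times are minutes since midnight.

    The service restarts only if ten minutes remain once HCP recognizes
    the stop, and recognition can take up to five minutes.
    """
    remaining = period_end_min - preempter_stop_min
    if remaining >= 15:
        return "always"    # ten minutes remain even after a five-minute delay
    if remaining >= 10:
        return "depends"   # only if HCP recognizes the stop quickly enough
    return "never"


# Constructed sample: the three overlapping periods from the list above
# (five hours from 1:00, six hours from 1:00, three hours from 3:00),
# each carrying different services.
PAGE_EXAMPLE = [
    Period("Mon", 1, 6, {"garbage collection": "low", "compression": "medium"}),
    Period("Mon", 1, 7, {"protection": "high"}),
    Period("Mon", 3, 6, {"disposition": "low"}),
]

if __name__ == "__main__":
    print(validate(PAGE_EXAMPLE, activating=True))
    print(preempted_restart(6 * 60, 5 * 60 + 48))
```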

Creating a service schedule

You can create new service schedules from existing schedules. In this case, the new schedule is initially the same as the schedule from which you created it. After creating the schedule, you can modify it in any way you want.

Alternatively, you can create a new schedule by starting with a blank schedule grid.

Tip: To facilitate modification of a new schedule, create the schedule from the existing schedule that’s the most similar to what you want the new schedule to be.

To create a service schedule:

1. Optionally, if you’re creating the new schedule from an existing schedule, in the field on the left above the schedule grid, select the existing schedule.

2. Click on the Create New Schedule button.

3. In the Create New Schedule window:

– Type a name for the new schedule. Schedule names must be from one through 64 characters long, can contain only alphanumeric characters, hyphens (-), underscores (_), periods (.), commas (,), and spaces, and are not case sensitive.

You cannot use the name HCP Default Schedule or HCP Spindown Schedule for a schedule you create.

– Select either the From currently loaded schedule option to create the schedule from the existing schedule you selected or the From blank schedule option to start with a blank schedule grid.

4. Click on the Save button.

The schedule grid shows the new schedule. This schedule is not active.

Modifying a service schedule

To modify a service schedule:

1. In the field on the left above the schedule grid, select the service schedule you want to modify.

2. Add, modify, or delete time periods in the schedule as needed. For information on these activities, see:

“Adding a time period” below

“Modifying a time period” on page 396

“Deleting a time period” on page 397

3. Click on the Update Schedule button.

Adding a time period

To add a time period to a service schedule:

1. In the field on the left above the schedule grid, select the service schedule to which you want to add the time period.

2. Do one of these in the schedule grid:

– Click in the hour at which you want the time period to start. By default, this defines a two-hour time period. You can change the start and end times before saving the time period.

– Click and drag from one hour (the start time) to another (the end time) in the same day. You can change the start and end times before saving the time period.

– Click on an existing time period.

– Click on the name of a weekday. This defines a 24-hour time period for that day. When you save this time period, all other time periods that are scheduled for that day are deleted.

– Click on All . This defines seven 24-hour time periods — one for each day of the week. When you save these time periods, all other time periods in the schedule are deleted.

An Edit window appears. For a time period other than a weekday or all, the top of this window shows the number of hours in the time period and the start and end times.

The Edit window lists the schedulable services. For each service, the window contains a Level field. The window also indicates the status of the service:

Service not scheduled — The service is not scheduled in the time period you’re editing or in any time period that overlaps the time period you’re editing. The performance level is Off .

Service scheduled — The service is scheduled in the time period you’re editing. The performance level is Low , Medium , or High .

Service already scheduled — The service is scheduled in a time period that overlaps the time period you’re editing. No performance level is shown.

Service preempted — The service is preempted by another service already scheduled in the time period you’re editing. No performance level is shown.

3. Optionally, for a time period other than a weekday or all, select a different start time in the From field.

4. Optionally, for a time period other than a weekday or all, select a different end time in the To field.

5. For each service you want to run during the time period, select a performance level of Low , Medium , or High in the Level field. At least one service must be scheduled to run in the time period.

For each service you don’t want to run during the time period, select Off.

6. Do either of these:

– If you started by clicking on the grid, dragging, clicking on a weekday, or clicking on All , click on the Update Schedule button.

– If you started by clicking on an existing time period, click on the Create New Period button. This creates a new time period only if you scheduled a service that was not scheduled in the original time period.

Modifying a time period

To modify an existing time period in a schedule:

1. In the field on the left above the schedule grid, select the service schedule in which you want to modify the time period.

2. In the schedule grid, click on the time period you want to modify.

3. In the Edit window, make the changes you want.

4. Click on the Update Schedule button.

Deleting a time period

To delete an existing time period:

1. In the field on the left above the schedule grid, select the service schedule from which you want to delete the time period.

2. In the schedule grid, click on the time period you want to delete.

3. In the Edit window, do either of these:

– Click on the Delete Period button.

– Set the performance level for all services to Off. Then click on the Update Schedule button.

Setting the active service schedule

To set the active service schedule:

1. In the field on the left above the schedule grid, select the service schedule you want to make active.

In the dropdown list for this field, the currently active service schedule is marked with an asterisk (*).

2. Click on the Activate Schedule button.

The Activate Schedule button is present only if the displayed schedule is not active.

Deleting a service schedule

To delete a service schedule:

1. In the field on the left above the schedule grid, select the service schedule you want to delete.

You cannot delete the active schedule. If the schedule you want to delete is currently active, activate a different schedule before you display the one you want to delete.

2. Click on the Delete Schedule button.

3. In response to the confirming message, click on the Delete Schedule button.

HCP deletes the schedule, and the schedule grid displays the active schedule.

Chapter 12: System security

Through the HCP System Management Console, you can set various options that affect HCP system security. In addition to creating and managing user and group accounts and login settings, you can:

• Specify whether HCP nodes should respond to ping requests

• Allow or disallow SSH access to HCP nodes

• Create domains and associate SSL server certificates with them

• Allow or deny access to the System Management Console from specific IP addresses

• Control the use of the HCP management API by users with system-level user accounts

• Allow or deny access to the Search Console for the default tenant from specific IP addresses

• Configure support for Windows Active Directory or Windows workgroups

• Clear the Active Directory cache

• Set up connections to RADIUS servers

• Set the systemwide permission mask for access to namespaces

This chapter provides instructions for each of the activities listed above.

For information on user and group accounts and login settings, see Chapter 3, “Account administration,” on page 51.

Setting network security

The Network Security page in the HCP System Management Console lets you allow or prevent these services on HCP nodes:

Ping — When you enable this service, you can use ping to check network connectivity to HCP nodes.

SSH login by authorized service and support representatives

Enabling SSH facilitates troubleshooting when you request support.

To display the Network Security page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Network Security .

Roles: To view the Network Security page, you need the monitor or administrator role. To change network security settings, you need the administrator role.

To enable or disable ping and SSH on nodes:

1. On the Network Security page:

– To allow HCP nodes to respond to ping requests, select the Enable ping option. To prevent HCP nodes from responding to ping requests, deselect this option.

– To allow authorized service and support representatives to use SSH to log into HCP nodes, select the Enable SSH option. To prevent the use of SSH for access to HCP nodes, deselect this option.

2. Click on the Update Settings button.

Managing domains and SSL server certificates

You can create multiple domains in HCP and associate one or more SSL server certificates with each domain. HCP uses these domains and certificates to facilitate and secure communications over its built-in and user-defined networks. For information on networks, see “About virtual networking with HCP” on page 224.

You can configure an HCP system to periodically send its domains and SSL server certificates to every other system with which it participates as a sending system in a replication link. For information on doing this, see Replicating Tenants and Namespaces.

About domains

A domain is a group of computers or devices that are administered as a unit. In terms of HCP, a domain consists of nodes in a single HCP system.

Domains are associated with networks. Clients that communicate with HCP over a given network can use the name of the domain associated with that network to identify the system.

Each network specifies IP addresses for the system nodes. A single domain can be associated with multiple networks. Therefore, a single domain can correspond to multiple sets of IP addresses.

An HCP system can have at most 201 domains. You can create domains at any time. You can delete a domain only while it is not associated with any networks.

Domain names

Every domain has a name. A domain name can contain only letters, numbers, and hyphens (-). It must consist of at least three segments, separated by periods (.). Each segment must be one through 63 characters long. The entire domain name, including the periods between segments, must be less than 128 characters long.

When specifying a domain name, you can use both uppercase and lowercase letters. However, when you save the domain, HCP converts any uppercase letters to lowercase.

If the HCP system is configured to use DNS, the higher-level portion (minimally, the last two segments) of the name of each domain that you create must identify a DNS domain to which you have administrative access.

Domains cannot be subdomains of each other. For example, if a domain named hcp.example.com already exists, you cannot specify cust1.hcp.example.com as the name of another domain.

In the URL for access to a tenant, the tenant name is inserted before the name of the domain. For this reason, you should not specify the tenant name as part of the domain name.

For example, suppose you create a tenant named finance for Customer-1 and a domain named finance.cust1.com. If you select finance.cust1.com as the domain for the network you associate with the finance tenant for management purposes, the URL for access to the Tenant Management Console for the finance tenant is https://finance.finance.cust1.com.

During HCP installation, one domain is created automatically. The name of this domain is the name specified for the system during the installation procedure. This domain is created regardless of whether the system is configured to use DNS.

Domains and DNS

Typically, domains are defined in a DNS. For each domain, the DNS lists all node IP addresses assigned to each network with which the domain is associated.

With DNS, you can manage domains in a single set of corporate DNS servers. Alternatively, you can set up separate DNS servers for different networks that use the same domain. Or, you can use a combination of these two techniques. In any case, you need to ensure that your networking environment and DNS configuration allow client requests to be routed to the correct HCP network.

If DNS is in use at your site, you can take advantage of DNS configuration options to further enhance the security of the HCP networks. However, HCP does not require the use of DNS. Without DNS, you can still define multiple domains in HCP and associate them with networks. In this case, to enable client requests to be routed to an HCP network, users would use the hosts file on each client computer to map the node IP addresses assigned to the network to the fully qualified domain name (FQDN) of the domain associated with the network.

From the Networks page in the HCP System Management Console, you can display the stub zone definition that you need to include in the DNS for each combination of domain and network. For more information on this, see “Viewing the DNS zone definition for a network domain” on page 265.

About SSL server certificates

Each domain in HCP must have at least one SSL server certificate or certificate signing request (CSR). SSL server certificates are used to verify to clients that the HCP system is the system it claims to be and to set up secure communications between the system and those clients.

HCP uses SSL to provide security for:

• The System Management, Tenant Management, and Search Consoles

• The HCP management API

• Replication

• The HTTP, HS3, and WebDAV protocols

• The HCP metadata query API

• The Namespace Browser

• HCP Data Migrator

HCP comes with one self-signed SSL server certificate, which is generated and installed automatically when the system is installed. This certificate is associated with the domain that’s created during installation.

Self-signed SSL server certificates are not automatically trusted by web browsers and other HTTP client tools. However, clients can choose to trust them.

For information on CSRs, see “Certificate signing requests and returned certificates” on page 404. For information on the interaction between replication and certificate changes, see Replicating Tenants and Namespaces.

Certificates for domains

You add the first SSL server certificate to a domain as part of creating the domain. Once a domain exists, you can add certificates to it at any time.

You can also delete certificates from a domain. However, if the domain is associated with any networks, you cannot delete the last certificate.

For example, you might choose to add a certificate from a trusted vendor and then delete any self-signed certificates associated with the domain.

Or, you might choose to add a certificate before the last valid certificate for the domain expires.

You can add a certificate to a domain in these ways:

• By having HCP generate and install a new self-signed certificate. In this case, the new certificate has an expiration date that’s five years later than the current date.

• By generating a certificate signing request (CSR), sending it to a certificate authority (CA), and installing the returned certificate (see “Certificate signing requests and returned certificates” below).

A domain can have only one outstanding CSR at a time.

• By installing a certificate that’s created outside of HCP (see “Certificates created outside HCP” on page 405).

At any given time, the combined number of certificates and outstanding CSRs for a domain cannot exceed ten.

For instructions on adding a certificate to a domain, see “Adding a certificate to a domain” on page 409. For instructions on deleting a certificate or CSR, see “Deleting a certificate or CSR” on page 412.

Certificate signing requests and returned certificates

SSL server certificates are available from several trusted sources. To obtain a certificate, you need to create a certificate signing request (CSR) and present it to a certificate authority (CA). The CA then generates the requested certificate and makes it available to you either as an email attachment, as text embedded in the body of an email, or as a download from a web page:

• If the certificate is an email attachment, save it to disk.

Tip: Use .cer as the extension for the certificate file name.

• If the certificate is embedded in an email or downloadable from a web page, copy and paste it into a new text file. Then save the file to disk.

Important: Use a simple text editor to do this. Do not use Microsoft® Word or any other word-processing program to create the text file.

You can create a CSR by using the HCP System Management Console or a third-party tool. When you use the System Management Console, however, HCP securely stores the private key needed for installing the returned certificate, so you don’t need to save it yourself.

For a list of trusted certificate providers, see Appendix H, “SSL server certificate providers,” on page 627.

For information on creating a certificate signing request in the System Management Console, see “Creating a certificate signing request” on page 409. For information on installing a returned certificate, see “Installing the certificate returned for an HCP-generated CSR” on page 411.

Certificates created outside HCP

You can create an SSL server certificate yourself by using a third-party tool such as OpenSSL, which is publicly available. Or, you can create a CSR yourself and use that to get a certificate from a CA.

Certificates created outside HCP have two passwords — one for the PKCS12 object containing the certificate and one for the private key for the certificate. To install the certificate in HCP, these passwords must be identical.

For instructions on installing a certificate that was created outside of HCP, see “Installing a certificate created outside HCP” on page 411.

Common names

Every SSL server certificate has a common name. In HCP, the common name for a certificate must represent a subdomain of the domain with which the certificate is associated. The first segment of the common name can be an asterisk (*) by itself, which represents any valid domain name segment. A common name can be at most 255 characters long.

Here are some examples of common names for certificates associated with the domain named hcp.example.com:

*.hcp.example.com

admin.hcp.example.com

ten1.hcp.example.com

*.ten1.hcp.example.com

ns1.ten1.hcp.example.com

The common name for the certificate generated during HCP installation is an asterisk followed by the name of the domain created during installation.
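The naming rules from “Domain names” and “Common names” can be checked before a name is typed into the Console. The following is an added example, not HCP code: the function names are hypothetical, and it assumes that common-name segments follow the same character rules as domain-name segments and that a common name equal to the domain itself does not count as a subdomain.

```python
import re

# One name segment: letters, numbers and hyphens, one through 63 characters.
_SEGMENT = re.compile(r"[A-Za-z0-9-]{1,63}")


def domain_name_problems(name, existing=()):
    """Return the rule violations for a proposed domain name (empty list = OK).

    `existing` holds the names of the domains already defined on the system.
    """
    problems = []
    if len(name) >= 128:
        problems.append("name must be less than 128 characters long")
    segments = name.split(".")
    if len(segments) < 3:
        problems.append("name needs at least three segments separated by periods")
    for segment in segments:
        if not _SEGMENT.fullmatch(segment):
            problems.append(f"segment {segment!r} is empty, too long or has bad characters")
    lowered = name.lower()  # HCP converts uppercase letters to lowercase on save
    for other in (e.lower() for e in existing):
        if lowered == other:
            problems.append(f"{lowered} already exists")
        elif lowered.endswith("." + other):
            problems.append(f"{lowered} is a subdomain of existing domain {other}")
        elif other.endswith("." + lowered):
            problems.append(f"existing domain {other} is a subdomain of {lowered}")
    return problems


def common_name_problems(common_name, domain):
    """Return the rule violations for a certificate common name on `domain`."""
    problems = []
    if not 1 <= len(common_name) <= 255:
        problems.append("common name must be one through 255 characters long")
    cn, dom = common_name.lower(), domain.lower()  # assumption: case-insensitive
    if not cn.endswith("." + dom):
        problems.append(f"{cn} is not a subdomain of {dom}")
        return problems
    labels = cn[: -len(dom) - 1].split(".")
    if labels[0] == "*":  # an asterisk is allowed only as the whole first segment
        labels = labels[1:]
    for label in labels:
        if not _SEGMENT.fullmatch(label):
            problems.append(f"segment {label!r} is not a valid name segment")
    return problems


def tenant_console_url(tenant, domain):
    """Tenant Management Console URL: the tenant name goes before the domain."""
    return f"https://{tenant}.{domain.lower()}"


if __name__ == "__main__":
    # Names taken from the examples on this page.
    print(domain_name_problems("cust1.hcp.example.com", ["hcp.example.com"]))
    for cn in ("*.hcp.example.com", "ns1.ten1.hcp.example.com", "hcp.example.com"):
        print(cn, common_name_problems(cn, "hcp.example.com"))
    print(tenant_console_url("finance", "finance.cust1.com"))
```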

Notes:

• HCP supports subject alternative names for certificates created outside the system.

• In an HCP system that was upgraded from a release earlier than 6.0, the domain associated with the [hcp_system] network may have a certificate with a common name that does not match the domain name. HCP ignores common name mismatches when choosing which certificate to use for a given domain. For information on how HCP chooses certificates, see “Certificate selection” below.

Certificate selection

At any given time, an SSL server certificate is in one of these three states: valid, expired, or future (that is, not yet valid). When choosing which certificate to present to a client for a given domain:

1. HCP first looks for a valid certificate for the domain and, if it finds any, uses the one with the earliest start date and time.

2. If the domain has no valid certificates, HCP looks for an expired certificate for the domain and, if it finds any, uses the one with the latest expiration date and time.

3. If the domain has no expired certificates, HCP uses the future certificate with the earliest start date and time.

HCP consistently chooses the same certificate. Any of these events, however, can cause HCP to start choosing a different certificate:

• The chosen certificate expires or is deleted.

• A future certificate for the domain becomes valid.

• A new certificate is added to the domain.

Note: After an event that causes HCP to choose a different certificate, the system may continue using the certificate initially chosen for a client session until the applicable cache is cleared.

HCP does not take the common name into consideration when choosing a certificate. This means that in response to a client request, HCP can use any certificate for the domain associated with the network over which the request arrives (subject to the selection process described above).

For example, suppose the domain named hcp.example.com has a certificate with the common name *.ten1.hcp.example.com. Suppose also that the management network for the tenant named ten2 uses the hcp.example.com domain. In response to a client request with a URL that specifies ten2.hcp.example.com, HCP could present the certificate with the common name *.ten1.hcp.example.com. The client is responsible for deciding how to handle certificates with common names that don’t match the requested URL.
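The selection order above can be modelled to predict which certificate a domain will present and which host names clients will then see as mismatched. This is an added example, not HCP code: the class, function names, dates and host list are constructed, validity bounds are treated as inclusive, and the client-side name check is a simplified common-name comparison that ignores subject alternative names.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    common_name: str
    not_before: datetime
    not_after: datetime


def cert_state(cert, now):
    """Classify a certificate as 'valid', 'expired' or 'future' at time `now`."""
    if now < cert.not_before:
        return "future"
    if now > cert.not_after:
        return "expired"
    return "valid"


def select_certificate(certs, now):
    """Pick a certificate in the order described above; the common name is ignored."""
    by_state = {"valid": [], "expired": [], "future": []}
    for cert in certs:
        by_state[cert_state(cert, now)].append(cert)
    if by_state["valid"]:      # 1. valid certificate with the earliest start
        return min(by_state["valid"], key=lambda c: c.not_before)
    if by_state["expired"]:    # 2. expired certificate with the latest expiration
        return max(by_state["expired"], key=lambda c: c.not_after)
    if by_state["future"]:     # 3. future certificate with the earliest start
        return min(by_state["future"], key=lambda c: c.not_before)
    return None


def name_matches(common_name, host):
    """Simplified client check: '*' stands for exactly one leftmost segment."""
    cn_labels = common_name.lower().split(".")
    host_labels = host.lower().split(".")
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[0] == "*":
        return cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels


def audit(certs, hosts, now):
    """Report the chosen certificate, its state and the hosts it does not cover."""
    chosen = select_certificate(certs, now)
    if chosen is None:
        return None
    return {
        "common_name": chosen.common_name,
        "state": cert_state(chosen, now),
        "mismatched_hosts": [h for h in hosts if not name_matches(chosen.common_name, h)],
    }


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data for the hcp.example.com domain used on this page.
OLD_TEN1 = Cert("*.ten1.hcp.example.com", _utc(2014, 1, 1), _utc(2016, 1, 1))
NEW_WILDCARD = Cert("*.hcp.example.com", _utc(2015, 1, 1), _utc(2017, 1, 1))
HOSTS = ["admin.hcp.example.com", "ten2.hcp.example.com", "ns1.ten1.hcp.example.com"]

if __name__ == "__main__":
    # Both certificates are valid: the older one still wins, so adding the
    # broader wildcard does not change what ten2 clients are shown.
    print(audit([OLD_TEN1, NEW_WILDCARD], HOSTS, _utc(2015, 6, 1)))
    # After the older certificate is deleted the wildcard is presented.
    print(audit([NEW_WILDCARD], HOSTS, _utc(2015, 6, 1)))
    # Once everything has expired, an expired certificate is still presented.
    print(audit([OLD_TEN1, NEW_WILDCARD], HOSTS, _utc(2018, 1, 1)))
```

The first case shows why deleting a superseded certificate matters: while it stays valid, its earlier start date keeps it selected.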

About the Domains and Certificates page

To view, create, and delete domains and the SSL server certificates associated with them, you use the Domains and Certificates page in the HCP System Management Console. To display this page:

1. In the top-level menu, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Domains & Certificates .

Roles: To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Managing the domain list

The Domains and Certificates page lists existing domains. For each domain, the list shows the domain name.

You can sort the domain list in ascending or descending order by domain name. To change the sort order, click on the Name column heading. Each time you click on the column heading, the sort order switches between ascending and descending.

Understanding the certificate list for a domain

To view the SSL server certificates and outstanding CSRs associated with a domain, click on the domain name in the domain list. The panel that opens contains a list of the existing certificates and outstanding CSRs for that domain.

For each certificate or CSR, the certificate list contains a Certificate Details or CSR Details section, respectively. This section shows the distinguished name (DN) of the existing or requested certificate. The distinguished name of a certificate consists of the common name and any of this optional information:

• An organizational unit (OU)

• An organization (O)

• A location (L)

• A state or province (ST)

• A two-letter country code (C)

Additionally, for each existing certificate, the Certificate Details section shows:

Not valid before — The date and time at which the certificate goes (or went) into effect

Not valid after — The date and time at which the certificate expires (or expired)

Creating a domain

To create a domain, on the Domains and Certificates page:

1. Click on Create Domain .

2. In the Domain Name field, type a unique name for the domain. For the rules for domain names, see “Domain names” on page 401.

3. In the Certificates field, select one of these options:

– Generate and install self-signed certificate .

– Generate CSR. Then follow the instructions in “Creating a certificate signing request” on page 409.

– Install PKCS12 certificate. Then follow the instructions in “Installing a certificate created outside HCP” on page 411.

4. Click on the Create Domain button.

Adding a certificate to a domain

To add an SSL server certificate to an existing domain, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain for which you want to add a certificate.

2. In the panel that opens, click on New Certificate .

3. In the field in the New Certificate window, select one of these options:

– Generate and install self-signed certificate .

– Generate CSR. Then follow the instructions in “Creating a certificate signing request” below.

– Install PKCS12 certificate. Then follow the instructions in “Installing a certificate created outside HCP” on page 411.

4. Take one of these actions:

– If you selected the Generate and install self-signed certificate option, click on the Generate Certificate button.

– If you selected the Generate CSR option, click on the Generate CSR button.

– If you selected the Install PKCS12 certificate option, click on the Install Certificate button.

After you generate a CSR, you need to download it to a file that you can send to the CA. When you receive the certificate from the CA, you need to upload it to HCP.

For instructions on downloading a CSR, see “Downloading a CSR” on page 411. For instructions on uploading the returned certificate, see “Installing the certificate returned for an HCP-generated CSR” on page 411.

Creating a certificate signing request

To create a CSR, you need to select the Generate CSR option when creating a new domain or when adding a new certificate to an existing domain.

When you select this option, the Generate CSR section appears. This section prompts for the information that a CA needs in order to generate an SSL server certificate for you. To know exactly which information is required, you need to check with the CA that you plan to use.

Except where otherwise noted, the values that you specify in the Generate CSR section can be from zero through 64 characters long and can contain any Latin-1 characters, including white space. Your CA, however, may place other restrictions on these values.

To specify the CSR information, fill in the fields in the Generate CSR section, as needed:

• In the Common Name (CN) field, type the common name for the certificate you want. The common name can be from one through 255 characters long.

The Common Name (CN) field is always required.

For the rules for common names, see “Common names” on page 405.

• In the Organizational Unit (OU) field, type the name of the organizational unit that will be using the certificate (for example, the name of a division or a name under which your company does business).

• In the Organization (O) field, type the full legal name of your company.

• In the Location (L) field, type the name of the city in which your company headquarters are located.

• In the State/Province (ST) field, type the full name of the state or province in which your company headquarters are located.

• In the Country (C) field, type the two-letter ISO 3166-1 abbreviation for the country in which your company headquarters are located (for example, US for the United States).

For instructions on creating a domain, see “Creating a domain” on page 408. For instructions on adding a certificate to a domain, see “Adding a certificate to a domain” on page 409.

Downloading a CSR

To download a CSR, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain for which you want to download a CSR.

2. In the panel that opens, click on the Download CSR button in the CSR Details section for the applicable CSR.

3. When prompted, save the file containing the CSR to the location of your choice. This is a plain text file. By default, the file name is certificate.txt.

Installing the certificate returned for an HCP-generated CSR

To install the SSL server certificate returned in response to an HCP-generated CSR, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain that has the HCP-generated CSR for the SSL server certificate you want to install.

2. In the panel that opens, click on the Browse button in the CSR Details section for the applicable CSR. Then select the file containing the returned certificate.

3. Click on the Upload Certificate button.

Installing a certificate created outside HCP

To install a certificate that was created outside HCP, you need to select the Install PKCS12 certificate option when creating a domain or when adding a certificate to an existing domain. When you select this option, the Install PKCS12 certificate section appears. This section prompts you to select the file containing the certificate that you want to install and specify the password for that certificate.

To select the certificate file and specify the password, in the Install PKCS12 certificate section:

• Click on the Browse button for the PKCS12 Certificate field. Then select the file containing the PKCS12 object.

• In the PKCS12 Password field, type the password for the PKCS12 object.

For instructions on creating a domain, see “Creating a domain” on page 408. For instructions on adding a certificate to a domain, see “Adding a certificate to a domain” on page 409.

Deleting a certificate or CSR

You can delete an SSL server certificate or CSR from a domain at any time, subject to these restrictions:

• If the domain is associated with any networks, it must have at least one certificate.

• If the domain is not associated with any networks, it must have at least one certificate or CSR.

To delete an SSL server certificate or CSR, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain that has the certificate or CSR that you want to delete.

2. In the panel that opens, click on the delete control ( ) in the Certificate Details or CSR Details section for the applicable certificate or CSR, respectively.

3. In response to the confirming message, click on the Delete button.

Deleting a domain

You can delete a domain only if it’s not associated with any networks. To delete a domain, on the Domains and Certificates page:

1. In the list of domains, click on the delete control ( ) for the domain that you want to delete.

2. In response to the confirming message, click on the Delete button.

Controlling access to the System Management Console

The Console Security page in the HCP System Management Console lets you control access to the Console from specified IP addresses. To display this page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Console Security .

Roles: To view and modify information on the Console Security page, you need the security role.

You can choose to allow access to the HCP System Management Console only from specific IP addresses. Similarly, you can choose to deny access to the Console from specific IP addresses.

To control access to the System Management Console, on the Console Security page:

• Optionally, specify IP addresses to be allowed access to the Console. To do this:

1. Click on the Allow tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” below.

• Optionally, specify IP addresses to be denied access to the Console. To do this:

1. Click on the Deny tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” below.

• To specify how HCP should handle IP addresses that appear in both or neither of the Allow and Deny lists, select or deselect the Allow request when same IP is used in both lists option. Changes to this option take effect immediately.

For the effects of this option, see “Allow and Deny list handling” on page 414.

Adding and removing entries in Allow and Deny lists

To add an entry to an Allow or Deny list:

1. In the field above the list, type the entry you want. For a description of valid entries, see “Valid Allow and Deny list entries” below.

2. Click on Add .

To remove entries from an Allow or Deny list:

• To remove a single entry, click on the delete control ( ) for that entry.

• To remove all entries, click on Delete All .

Changes you make to either list of IP addresses take effect immediately.

Valid Allow and Deny list entries

Each Allow or Deny list entry can be used to specify one of these:

• A single IP address

• A comma-separated list of IP addresses

• A range of IPv4 addresses specified as ip-address / subnet-mask (for example, 192.168.100.197/255.255.255.0) or in CIDR format (for example, 192.168.100.0/24)

• A range of IPv6 addresses specified in CIDR format (for example, 2001:0db8::/32)

The CIDR entry that matches all IPv4 addresses is 0.0.0.0/0. The CIDR entry that matches all IPv6 addresses is 0::0/0.

Allow and Deny list handling

IP addresses can be included in one, both, or neither of the Allow and Deny lists. To specify how HCP should handle access requests from IP addresses that are either included in both lists or excluded from both lists, select or deselect the Allow request when same IP is used in both lists option. The table below describes the effects of selecting and deselecting this option.

| List entries | Allow Requests When Same IP Is Used in Both Lists: Selected | Allow Requests When Same IP Is Used in Both Lists: Not selected |
|---|---|---|
| Allow list: empty; Deny list: empty | All IP addresses have access. | No IP addresses have access. |
| Allow list: at least one entry; Deny list: empty | All IP addresses have access. | Only IP addresses in the Allow list have access. |
| Allow list: empty; Deny list: at least one entry | All IP addresses not in the Deny list have access. IP addresses in the Deny list do not. | No IP addresses have access. |
| Allow list: at least one entry; Deny list: at least one entry | IP addresses appearing in both or neither of the lists have access. | IP addresses appearing in both or neither of the lists do not have access. |
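The handling rules above reduce to one decision: an address matched by exactly one list follows that list, and an address matched by both lists or by neither follows the option. The following sketch is an added example, not HCP code; it assumes that reading of the table and that entries are parsed as described in “Valid Allow and Deny list entries”, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_entry(entry):
    """Expand one Allow/Deny list entry into a list of ip_network objects.

    Covers the entry forms the page lists: a single address, a comma-separated
    list, IPv4 address/subnet-mask, and IPv4 or IPv6 CIDR.
    """
    networks = []
    for part in entry.split(","):
        part = "".join(part.split())  # drop stray whitespace around "/" or ","
        if part:
            # strict=False masks off host bits, so
            # 192.168.100.197/255.255.255.0 becomes the range 192.168.100.0/24.
            networks.append(ipaddress.ip_network(part, strict=False))
    return networks


def _matches(addr, networks):
    # An IPv4 address never matches an IPv6 entry, and vice versa.
    return any(addr.version == net.version and addr in net for net in networks)


def has_access(client_ip, allow_entries, deny_entries, allow_when_in_both):
    """Apply the Allow and Deny list handling table to one client address.

    allow_when_in_both mirrors the "Allow request when same IP is used in
    both lists" option (True = selected).
    """
    addr = ipaddress.ip_address(client_ip)
    allow = [n for e in allow_entries for n in parse_entry(e)]
    deny = [n for e in deny_entries for n in parse_entry(e)]
    in_allow, in_deny = _matches(addr, allow), _matches(addr, deny)
    if in_allow != in_deny:
        return in_allow          # matched by exactly one list: that list decides
    return allow_when_in_both    # matched by both or by neither: the option decides


def review_config(allow_entries, deny_entries, allow_when_in_both):
    """Flag list and option combinations whose effect is easy to misread."""
    findings = []
    if allow_when_in_both and allow_entries:
        findings.append("option selected: the Allow list does not restrict "
                        "access, addresses in neither list are still admitted")
    if not allow_when_in_both and not allow_entries:
        findings.append("option not selected and Allow list empty: "
                        "no IP address has access")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration and client addresses.
    allow = ["192.168.100.0/24", "2001:0db8::/32"]
    deny = ["192.168.100.50, 10.0.0.0/8"]
    clients = ["192.168.100.7", "192.168.100.50", "10.1.2.3",
               "172.16.0.1", "2001:db8::1"]
    for option in (True, False):
        print("option selected" if option else "option not selected")
        for ip in clients:
            verdict = "access" if has_access(ip, allow, deny, option) else "no access"
            print(f"  {ip:<16} {verdict}")
        for finding in review_config(allow, deny, option):
            print("  finding:", finding)
```

Running `review_config` against the current lists before deselecting the option shows whether the change would lock out every client, since changes to the option take effect immediately.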

Controlling access to HCP through the management API

You configure HCP to enable and disable the HCP management API and to control access to the API at both the system level and the tenant level.

To allow system-level users to access the management API for the HCP system to create, modify, and delete tenants and manage replication, the API must be enabled at the system level. To allow tenant-level and system-level users with administrative access to a specific HCP tenant to access the management API for that tenant, the API must be enabled at both the system and tenant levels.

You can access the HCP management API using a system-level URL (that is, a URL that starts https://admin...) only if at least one of your client IP addresses is allowed to access the management API for the HCP system.

You can access the HCP management API using a tenant-level URL (that is, a URL that starts https://tenant-name...) only if at least one of your client IP addresses is allowed to access the management API for the HCP tenant specified in the URL.

You use the Management API page in the HCP System Management Console to enable the HCP management API at the system level and to configure HCP to control access to the management API for the HCP system. To display this page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on MAPI.

Roles: To view and modify the HCP management API configuration, you need the security role.


To enable the HCP management API at the system level and to configure HCP to control access to the management API for the HCP system, on the Management API page:

• To enable the management API, in the Management API Settings section:

1. Select the Enable the management API option.

2. Click on the Update Settings button.

• Optionally, specify IP addresses to be allowed access to HCP through the management API. To do this:

1. Click on the Allow tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” on page 413.

• Optionally, specify IP addresses to be denied access to HCP through the management API. To do this:

1. Click on the Deny tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” on page 413.

• To specify how HCP should handle access requests from IP addresses that appear in both or neither of the Allow and Deny lists, select or deselect the Allow request when same IP is used in both lists option. Changes to this option take effect immediately.

For the effects of selecting and deselecting this option, see “Allow and Deny list handling” on page 414.

For more information on the HCP management API:

• For a brief introduction to the management API, see “HCP management API” on page 35.

• For information on enabling the HCP management API at the tenant level and configuring HCP to control access to the management API for a specific HCP tenant, see Managing a Tenant and Its Namespaces.

• For information on using the HCP management API, see HCP Management API Reference.


Controlling access to the Search Console for the default tenant

The Search Console for the default tenant enables users to search the default namespace and any namespaces owned by HCP tenants that allow system-level administrative access to themselves. You can choose to allow access to the Search Console for the default tenant only from specific IP addresses. Similarly, you can choose to deny access to the Search Console for the default tenant from specific IP addresses.

You use the Search Security page in the System Management Console to control access to the Search Console for the default tenant. To display this page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Search Security.

Roles: To view and modify information on the Search Security page, you need the security role.

To control access to the Search Console for the default tenant, on the Search Security page:

• Optionally, specify IP addresses to be allowed access to the Search Console. To do this:

1. Click on the Allow tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” on page 413.

• Optionally, specify IP addresses to be denied access to the Search Console. To do this:

1. Click on the Deny tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” on page 413.

• To specify how HCP should handle access requests from IP addresses that appear in both or neither of the Allow and Deny lists, select or deselect the Allow request when same IP is used in both lists option. Changes to this option take effect immediately.

For the effects of selecting and deselecting this option, see “Allow and Deny list handling” on page 414.

For an introduction to the Search Console, see “HCP Search Console” on page 9. For information on using the Search Console, see Searching Namespaces.

Configuring Active Directory or Windows workgroup support

You can configure HCP to support either Windows Active Directory or Windows workgroups. HCP cannot support both AD and Windows workgroups at the same time.

Windows Active Directory is a Microsoft product that, among other features, provides user authentication services. You can configure HCP to support access by users authenticated by AD. With HCP configured this way, an authenticated AD user can use any HCP interface that requires authentication, such as the System Management Console, the Search Console, or the applicable namespace access protocols (provided that the user has the applicable permissions in HCP). For more information on AD, see “About Active Directory” below.

Important: If you have more than one HCP system for which you are enabling support for AD, one or more of those systems may need to be reconfigured to prevent conflicts. Before enabling support for AD for any of the HCP systems, contact your authorized HCP service provider. Your provider can determine whether any reconfiguration is required and then make the necessary changes.


Notes:

• For authenticated AD users to use a tenant- or namespace-level interface, such as the Tenant Management Console and the namespace access protocols, the tenant must also be configured to support AD authentication.

• If you disable support for AD after it has been enabled, tenants for which the only supported type of authentication is AD will not be able to access the Tenant Management Console. Therefore, before disabling AD support, you should ensure that all tenants support local authentication. Additionally, you should notify all tenant administrators that they need to create at least one locally authenticated user account with the security role.

A Windows workgroup is a named collection of computers on a LAN that share resources such as printers and file servers. User accounts are specific to each computer in a workgroup. No authentication is required for access to the shared resources.

When you configure HCP to support Windows workgroups, you provide the name of the workgroup in which you want CIFS-enabled namespaces to be shared resources. If HCP is on the same LAN as the computers in the workgroup, all CIFS-enabled namespaces are automatically exposed in the workgroup. HCP namespaces each appear as a single shared resource with a name in this format: tenant-name_namespace-name (for example, finance_accounts-receivable). The default namespace appears as two shared resources, fcfs_data and fcfs_metadata.

Note: If the CIFS protocol is configured to require authentication for access to a given namespace, that namespace cannot be accessed through a workgroup.

You use the Authentication page in the HCP System Management Console to configure support for AD and Windows workgroups. To display this page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Authentication.

Roles: To view and modify information on the Authentication page, you need the security role.


For information on configuring HCP to support AD, see “Configuring support for Active Directory” on page 423. For information on configuring HCP to support Windows workgroups, see “Configuring support for Windows workgroups” on page 426.

About Active Directory

The following sections provide more information about using AD with HCP. For instructions on configuring AD to support HCP, see Appendix F, “Configuring Active Directory to support HCP,” on page 597.

User authentication with Active Directory

When an AD user tries to access HCP using a client application that supports Integrated Windows authentication (such as Firefox, Internet Explorer, or Windows Explorer):

• While logged into Windows with a recognized AD user account, HCP accepts the already authenticated credentials from the client computer and lets the user access the requested interface. This is called single sign-on.

Note: Tenant administrators can configure individual namespaces not to support single sign-on with HTTP-based interfaces (such as the HCP Namespace Browser).

• With a recognized AD user account other than the one with which the user is currently logged into Windows, HCP sends the specified user credentials to AD for authentication. If AD successfully authenticates the user, HCP lets the user access the requested interface.

As defined in “Console access” on page 34, a recognized AD user account is an AD user account for a user that belongs to one or more AD groups for which corresponding group accounts are defined in HCP. For more information on group accounts, see “About user and group accounts” on page 52.

HCP configuration for Active Directory support

For HCP to support AD, you need to configure HCP to identify the domain in the AD forest to be used for HCP user authentication and provide credentials for an existing AD account in that domain. This AD user account is used to configure HCP in the AD domain.


All AD domain controllers configured for the domain used for HCP user authentication must be able to communicate with HCP over the [hcp_system] network. Therefore, each AD domain controller must have at least one IPv4 or IPv6 address that is routable from the [hcp_system] network.

You also need to specify (or accept the defaults for) the existing organizational unit (OU) in which computer accounts will be created for the HCP nodes, along with the name of a computer account that HCP will use when querying AD for groups and other information. That computer account will be in the same AD groups as the user account you specify.

You can choose to enable secure communication between HCP and AD for the configuration of the computer account that HCP will use for querying AD. In this case, HCP needs a copy of the SSL certificate that allows clients to connect securely to the LDAP server used by AD. You need to export this certificate from AD as a base-64-encoded X509 certificate and then upload it to HCP on the Authentication page.

For secure communication with AD when configuring the computer accounts for the HCP nodes, HCP uses NTLM by default. When configuring support for AD, you can specify that HCP should use NTLMv2 instead.

Considerations for the information you need to supply

These considerations apply to the information you need to supply when configuring HCP support for AD:

• Before configuring AD support in HCP:

– Create an AD group in the target domain. Give the group permission to add members to itself. Then give it these permissions in the specified OU:

• Read all properties on descendant computer objects

• Write all properties on descendant computer objects

• Change password on descendant computer objects

• Reset password on descendant computer objects

• Delete on descendant computer objects

• Create computer objects in this object and all descendant objects


• Delete computer objects in this object and all descendant objects

– Create an AD user account and add it to only that group. This is the user to specify as the domain user in the AD configuration in HCP.

• Allow a new computer account for use in querying AD for groups to be created automatically. Do not create this account ahead of time.

• If you have more than one HCP system for which you are enabling support for AD, specify a computer account name that’s unique among those systems.

By default, for the OU in which computer accounts will be created, HCP uses CN=Computers. For the computer account, HCP uses HCPSrv-hcp-name (for example, HCPSrv-hcp), where hcp-name is the first segment of the domain name associated with the [hcp_system] network.

Service principal name attributes for HCP

When you enable AD support in HCP, HCP creates a service principal name (SPN) attribute on the HCP computer account in AD. The SPN attribute initially has attributes for:

• The System Management Console

• The default tenant if it already exists

• Each node in the HCP system

Subsequently, attributes are added for:

• Each tenant that supports AD authentication

• Each namespace that has both the HTTP protocol and AD single sign-on enabled

• The default tenant if support for AD is already enabled when the tenant is created

• Each node added to the HCP system


Each item for which an attribute is created on the SPN is referred to as a single sign-on location. If any of the above single sign-on locations is removed from the system, the attribute for that location is removed from the SPN attribute on the HCP computer account in AD.

AD has a size limit on attributes that applies to the SPN attribute. Any system-level operation in HCP that would cause this limit to be exceeded fails with a message indicating that the failure is related to the number of single sign-on locations. Any tenant-level operation that would cause this limit to be exceeded fails with a message indicating that single sign-on cannot be enabled.

Considerations for using Active Directory with HCP

These considerations apply to the use of Active Directory with HCP:

• For HCP to use AD for user authentication:

– HCP must be able to contact at least one DNS server that can resolve the AD domain name. Additionally, HCP must be able to do a reverse DNS lookup of the IP addresses that HCP uses to communicate with each domain controller in that domain. (That is, the DNS configuration must include PTR records for all of the AD domain controller IP addresses that HCP uses to communicate with AD.)

– The AD time must be within five minutes of the HCP system time. The recommended configuration is for HCP and AD to use the same time server.

– All the domains in the AD forest HCP uses for user authentication must minimally be at the 2003 functional level.

• To ensure that AD users have continuous access to HCP, the AD infrastructure should have a robust and fault tolerant configuration.

Configuring support for Active Directory

Before you configure support for AD in HCP, you need to prepare AD for access by HCP. For instructions on doing this, see Appendix F, “Configuring Active Directory to support HCP,” on page 597.


To enable and configure support for AD in HCP, on the Authentication page:

1. Select one of these options:

– Active Directory with SSL — Enables both support for AD and secure communication with the AD

– Active Directory without SSL — Enables support for AD without enabling secure communication with the AD

With either of these options selected, the Authentication page displays a Status section. This section contains alerts that report the status of various elements of HCP support for Active Directory. For descriptions of these alerts, see “Authentication page alerts” on page 531.

2. If you selected the Active Directory with SSL option:

a. In the Certificates panel, click on the Browse button. Then select the file containing the AD SSL certificate.

b. Click on the Upload Certificate button.

The Certificates section shows the uploaded certificate.

Note: You can download or delete the uploaded certificate if needed. To download the certificate, click on the download control for it. To delete the certificate, click on the delete control for it.

3. In the Configuration Settings section, select the Enable Active Directory option. Then:

– In the Domain field, type the fully qualified name of the AD domain in the AD forest that is to be used for HCP user authentication. All letters in this domain name must be uppercase.

– In the Domain User field, type the username of an existing AD user account in the applicable AD domain. Make sure the user account belongs to one or more groups that have the applicable permissions, as described earlier in this section.

If the username that you specify is not all lowercase, HCP converts it to all lowercase before passing it to AD.


– In the Password field, type the password that goes with the specified username. Passwords are case sensitive.

Note: HCP uses the password that you type only to authenticate the username with the AD server. To help maintain AD security, HCP discards both the username and password after you submit the page. If you’re modifying the AD configuration, you need to specify the password again.

– Optionally, to specify an organizational unit and computer account other than the defaults and to use NTLMv2 instead of NTLM, click on the Advanced Configuration link. Then:

• In the Organizational Unit field, type the distinguished name of the existing organizational unit in which you want the HCP computer accounts to be created. This is the distinguished name relative to the AD domain (for example, OU=HCP, OU=Storage). Do not include the domain name elements.

• In the HCP Computer Account field, type the name of the computer account that HCP will use when querying AD for groups. This can be the name of an existing account in the specified organizational unit or the name of a new account to be created automatically in that organizational unit.

For a new computer account, the name must be from one through 64 characters long, can contain only alphanumeric characters and hyphens (-), and cannot consist only of digits.

If a computer account with the specified name already exists in a different organizational unit in the same Active Directory domain, the request to configure Active Directory support will fail.

• Optionally, select the Use NTLMv2 authentication option to use NTLMv2 instead of NTLM for secure communication with AD when configuring the computer accounts for the HCP nodes.

4. Click on the Update Settings button.

This update may take a few minutes to finish.


Configuring support for Windows workgroups

To enable and configure HCP support for Windows workgroups, on the Authentication page:

1. Select the Windows workgroup option.

2. In the Windows Workgroup field, type the name of the Windows workgroup in which you want HCP to automatically expose CIFS-enabled namespaces. The workgroup name can be up to 15 characters long.

3. Click on the Update Settings button.

Clearing the Active Directory cache

HCP caches information about authenticated AD users that access any of its interfaces. The cache also includes information about the AD groups to which those users belong. As long as the applicable information is in the cache, AD-authenticated users can perform any HCP activities for which they have permission without being reauthenticated.

HCP uses the same cache to store information about all the domains included in the AD forest that HCP uses for user authentication. HCP uses this information to supply the list of allowable domains in the Domain field on the login pages for its GUI interfaces.

You can clear the AD cache at any time. You might do this, for example, if the account for an authenticated AD user is deleted from AD. In this case, because the user information is already cached, the user can continue to access HCP even though the user account is no longer valid. Clearing the cache prevents the user from continuing to access HCP with the invalid account.

You also might clear the cache if a domain is added to or removed from the AD forest. This forces an immediate update to the list of allowable domains on the HCP login pages.

You use the Authentication page in the HCP System Management Console to clear the AD cache. To display this page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Authentication.

Roles: To view the Authentication page and clear the AD cache, you need the security role.

To clear the AD cache, on the Authentication page:

1. If support for AD is not currently enabled:

a. Select the Active Directory option.

b. Select the Enable Active Directory option.

2. Click on the Clear Cache button.

Configuring connections to RADIUS servers

For RADIUS authentication of an HCP user account, the HCP system must have network access to one or more RADIUS servers. To enable HCP to communicate with RADIUS, each RADIUS server must have at least one IPv4 or IPv6 address that is routable from the [hcp_system] network. To add and manage connections to one or more RADIUS servers, you use the RADIUS page in the HCP System Management Console. To display this page:

1. In the top-level menu, mouse over Security to display a secondary menu.

2. In the secondary menu, click on RADIUS.

Roles: To add, view, test, and manage connections to RADIUS servers, you need the security role.

For information on RADIUS authentication of HCP user accounts, see “RADIUS authentication” on page 65.

Understanding the RADIUS server list

The RADIUS page lists the currently configured RADIUS servers. For each server, the page shows:

• The relative order in which HCP contacts the server. For more information on this, see “Reordering RADIUS servers” on page 430.

• The hostname of the RADIUS server or the IPv4 or IPv6 address that HCP uses to communicate with the RADIUS server.

• The number of the UDP port on which the RADIUS server listens for authentication requests from HCP.

• The protocol the RADIUS server uses to authenticate users.

HCP does not limit the number of servers you can add to this list.

Adding a RADIUS server

To add a RADIUS server for remote authentication:

1. On the RADIUS page in the System Management Console, click on Add RADIUS Server.

2. In the Add RADIUS Server panel:

– In the RADIUS Host field, type the hostname of the RADIUS server or the IP address that HCP uses to communicate with the RADIUS server.

If you specify the RADIUS server hostname, then at least one IPv4 or IPv6 address assigned to the RADIUS server must be routable from the [hcp_system] network.

If you specify an IPv4 or IPv6 address assigned to the RADIUS server, then that IP address must be routable from the [hcp_system] network.

Note: Optionally, if a RADIUS server has multiple IP addresses that are routable from the [hcp_system] network, you can configure multiple RADIUS server list entries for that server — one list entry for each routable IP address.

– In the Port field, type the number of the UDP port on which the RADIUS server listens for authentication requests from HCP. Typically, this is port number 1812.

– In the Shared Secret field, type the text string that serves as a password for communications between HCP and the RADIUS server. The text string can contain any characters, including white space, and can be any length.


– In the Retries field, type the number of times HCP should try again to contact the RADIUS server before giving up. Valid values are integers greater than or equal to zero.

– In the Timeout field, type the number of seconds HCP should wait for a response from the RADIUS server before retrying the request. Valid values are integers greater than or equal to zero. A value of 0 tells HCP to wait indefinitely.

– For the Protocol option, select the protocol the RADIUS server uses to authenticate users.

3. Click on the Add RADIUS Server button.

Tip: After adding a RADIUS server, test the connection to it, as described in “Testing the connection to a RADIUS server” below.

Testing the connection to a RADIUS server

You test the connection to a RADIUS server by sending the server a username and password it knows about. HCP indicates that the test was successful if all of these conditions apply:

• The connection information is correct.

• The RADIUS server is running.

• The specified username and password are known to the RADIUS server.

If any of these conditions don’t apply, HCP indicates that the test failed.

Note: A successful test does not log the user in.

To test the connection to a RADIUS server:

1. On the RADIUS page in the System Management Console, click on the test control for the server you want to test.

2. In the Test RADIUS Server window:

– In the Username field, type the username to use for the test.


– In the Password field, type the password that goes with the specified username.

3. Click on the Test RADIUS Server button.

If the test is successful, the panel displays this message:

Connected to RADIUS server and user was authenticated successfully.

4. When you’re done testing the connection, click on the Cancel button.

Modifying a RADIUS server

To modify a RADIUS server:

1. On the RADIUS page in the System Management Console, click on the edit control for the server you want to modify.

2. In the Edit RADIUS Server window, make the changes you want.

If you leave the Shared Secret field empty, the previously set shared secret remains in effect.

3. Click on the Update RADIUS Server button.

4. Click on the Close button.

Reordering RADIUS servers

When checking a login with remote authentication, HCP contacts the RADIUS servers in the order in which they’re listed on the RADIUS page until one authenticates the user. If none of the servers authenticate the user, the user cannot log in.

You can change the order in which HCP contacts multiple RADIUS servers. If you have configured separate RADIUS server list entries for multiple IP addresses assigned to the same server, you can change the order in which HCP attempts to use those IP addresses to connect to the RADIUS server. To do this, on the RADIUS page in the System Management Console:

• To move a RADIUS server hostname or IP address up in the list, click on the move up control for that entry in the RADIUS server list.

• To move a RADIUS server hostname or IP address down in the list, click on the move down control for that entry in the RADIUS server list.


Deleting a RADIUS server

To delete a RADIUS server IP address or hostname from the RADIUS server list:

1. On the RADIUS page in the System Management Console, click on the delete control for the RADIUS server IP address or hostname you want to delete.

2. In response to the confirming message, click on the Delete button.

Setting the systemwide permission mask

A data access permission mask determines which of these operations are allowed in a namespace: read, write, delete, purge (delete all versions of an object), privileged delete (delete an object that’s under retention), and search. Data access permission masks are set at the system, tenant, and namespace levels:

• The system-level mask applies across all namespaces (that is, systemwide).

• The tenant-level mask is set individually for each tenant. This mask applies only to the namespaces owned by that tenant.

• The namespace-level mask is set individually for each namespace and applies only to that namespace.

The effective permissions for a tenant are the operations allowed by both the system-level and tenant-level permission masks. That is, to be in effect for a tenant, a permission must be included in the system-level permission mask and in the tenant-level permission mask.

The effective permissions for a namespace are the operations that are allowed by the masks at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.


The table below shows an example of the effective permissions for a namespace given a set of data access permission masks.

[Table: Permissions by Permission Mask, with rows for the Systemwide permission mask, Tenant permission mask, Namespace permission mask, and Effective permission mask. The cell values did not survive extraction.]
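How the three masks combine can be worked through in a few lines. This is an added example, not HCP code: the mask values are constructed because the table's cell values are not on this page, the operation dependencies are taken from the permission descriptions later in this section, and the permissions a user gets from user or group accounts are left out.

```python
PERMISSIONS = frozenset(
    {"read", "write", "delete", "purge", "privileged", "search"})

# Operation -> permissions that must all be in the effective mask, following
# the dependencies stated in the permission descriptions on this page.
OPERATION_NEEDS = {
    "read": {"read"},
    "write": {"write"},
    "delete": {"delete"},
    "purge": {"purge", "delete"},
    "privileged delete": {"privileged", "delete"},
    "privileged purge": {"privileged", "delete", "purge"},
    "hold/release in an HCP namespace": {"privileged", "write"},
    "search": {"search"},
}


def _check(mask):
    unknown = set(mask) - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return set(mask)


def effective_mask(system, tenant, namespace):
    """A permission is in effect for a namespace only if all three masks include it."""
    return _check(system) & _check(tenant) & _check(namespace)


def allowed_operations(system, tenant, namespace):
    """Operations whose required permissions are all in the effective mask."""
    mask = effective_mask(system, tenant, namespace)
    return {op for op, needs in OPERATION_NEEDS.items() if needs <= mask}


def blocked_by(permission, system, tenant, namespace):
    """Name the levels whose mask leaves out the given permission."""
    levels = (("system", system), ("tenant", tenant), ("namespace", namespace))
    return [name for name, mask in levels if permission not in _check(mask)]


if __name__ == "__main__":
    # Constructed masks for illustration.
    system = set(PERMISSIONS)
    tenant = {"read", "write", "delete", "purge", "privileged"}
    namespace = {"read", "write", "privileged"}

    print("effective mask:", sorted(effective_mask(system, tenant, namespace)))
    print("usable operations:",
          sorted(allowed_operations(system, tenant, namespace)))
    for perm in sorted(PERMISSIONS):
        levels = blocked_by(perm, system, tenant, namespace)
        if levels:
            print(f"{perm}: removed at {', '.join(levels)} level")
```

With these masks, privileged is in effect but delete is not, so hold and release work in the namespace while privileged delete does not.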

 

What an individual user can do in a namespace is also limited by the permissions the user has from the applicable user or group accounts and, for HCP namespaces, the minimum data access permissions for the namespace.

For information on system-level user and group accounts, see “About user and group accounts” on page 52. For more information on tenant-level user and group accounts and minimum data access permissions, see Managing a Tenant and Its Namespaces.

The Permissions page in the HCP System Management Console lets you set the systemwide permission mask. You can change this mask at any time.

Tip: Before changing the systemwide permission mask, you should notify your tenant contacts.

To display the Permissions page:

1. In the top-level menu in the System Management Console, mouse over Security to display a secondary menu.

2. In the secondary menu, click on Permissions.

Roles: To view the Permissions page, you need the monitor or administrator role. To set the systemwide permission mask, you need the administrator role.


To set the systemwide permission mask for an HCP system:

1. On the Permissions page, select the permissions you want to include in the systemwide permission mask:

Read — Lets users:

• Read and retrieve objects, including object metadata (system metadata, custom metadata, and ACLs)

• List directory contents

• View namespace information

Write — Lets users:

• Add objects to a namespace.

• Modify system metadata. For the default namespace, this includes holding and releasing objects. For HCP namespaces, these operations also require privileged permission.

• Add or replace custom metadata.

• Add or replace ACLs.

• Change object owners.

• View namespace information

Delete — Lets users:

• Delete objects, custom metadata, and ACLs from a namespace

• View namespace information

Purge — Lets users:

• Delete all versions of an object with a single operation. For users to perform purge operations, delete operations must also be allowed.

• View namespace information.

Selecting Purge automatically selects Delete.


Privileged — Lets users:

• Delete or purge objects that are under retention. For users to perform privileged delete operations, delete operations must also be allowed. For users to perform privileged purge operations, delete and purge operations must also be allowed.

• Hold and release objects in HCP namespaces. For users to perform hold and release operations in these namespaces, write operations must also be allowed.

• View namespace information.

Search — Lets users use the HCP metadata query API and the HCP Search Console to query or search namespaces. For users to query or search a namespace, read operations must also be allowed.

Selecting Search automatically selects Read.

2. Click on the Update Settings button.
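The mask rules in this section can be checked with a short model. The following is an added example, not HCP code: it intersects the system, tenant, and namespace masks, applies the prerequisite rules from the permission descriptions above, and reports which level excludes a permission. The sample masks and all function names are constructed for illustration, and the model does not cover user or group account permissions or minimum data access permissions.

```python
# Added example: a model of the mask rules described in this section, not HCP code.

PERMISSIONS = frozenset(
    {"read", "write", "delete", "purge", "privileged", "search"}
)

# Operation -> permissions that must ALL be in the effective mask, taken from
# the permission descriptions above.
REQUIRES = {
    "read": {"read"},
    "write": {"write"},
    "delete": {"delete"},
    "purge": {"purge", "delete"},
    "privileged delete": {"privileged", "delete"},
    "privileged purge": {"privileged", "delete", "purge"},
    "hold/release in HCP namespace": {"privileged", "write"},
    "search": {"search", "read"},
}

# Console behaviour stated above: selecting Purge selects Delete,
# selecting Search selects Read.
AUTO_SELECT = {"purge": "delete", "search": "read"}


def _check(mask):
    """Reject permission names that are not one of the six listed above."""
    unknown = set(mask) - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return frozenset(mask)


def console_selection(selected):
    """Return the mask the Permissions page ends up with for a selection."""
    mask = set(_check(selected))
    for perm, implied in AUTO_SELECT.items():
        if perm in mask:
            mask.add(implied)
    return frozenset(mask)


def effective_mask(*masks):
    """A permission is in effect only if every supplied mask includes it."""
    result = PERMISSIONS
    for mask in masks:
        result = result & _check(mask)
    return result


def allowed_operations(mask):
    """Operations whose prerequisite permissions are all in the mask."""
    mask = _check(mask)
    return sorted(op for op, needs in REQUIRES.items() if needs <= mask)


def blocking_levels(permission, levels):
    """Names of the levels (dict of name -> mask) that exclude a permission."""
    return [name for name, mask in levels.items()
            if permission not in _check(mask)]


# Constructed sample masks (hypothetical values, not taken from the manual).
LEVELS = {
    "system": console_selection(
        {"read", "write", "purge", "privileged", "search"}
    ),
    "tenant": {"read", "write", "delete", "search"},
    "namespace": {"read", "write", "delete", "purge", "privileged"},
}

if __name__ == "__main__":
    tenant_eff = effective_mask(LEVELS["system"], LEVELS["tenant"])
    ns_eff = effective_mask(*LEVELS.values())
    print("tenant effective:   ", sorted(tenant_eff))
    print("namespace effective:", sorted(ns_eff))
    print("operations allowed: ", allowed_operations(ns_eff))
    for perm in ("purge", "privileged", "search"):
        print(f"{perm} excluded at:", blocking_levels(perm, LEVELS))
```

With these sample masks, purge is selected at the namespace level but is not in effect there because the tenant-level mask excludes it.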


13 System monitoring

HCP maintains a system log in which it records messages about events that happen within the system. You can view this log in the HCP System Management Console. You also have the option of sending system log messages to syslog servers, SNMP managers, and/or email addresses.

Additionally, you can use SNMP to view and, when allowed, change HCP system settings.

The System Management Console lets you monitor CPU, memory, logical-volume, and network usage. You can use the information presented to analyze trends in the use of these resources and to decide when you need to take action to ensure that HCP uses its resources effectively.

To track system capacity and bandwidth usage at the tenant and namespace levels, you can generate chargeback reports. These reports can be used as input to billing applications.

You can configure HCP to push information to Hitachi Device Manager (HDvM) so you can monitor and manage HCP along with your other Hitachi storage systems from a single console.

This chapter:

• Describes the information available in the system log and explains how to view the log

• Explains how to send system log messages to specified syslog servers, SNMP managers, and email addresses

• Explains how to configure SNMP for viewing and changing system settings

• Describes the information available about system resource usage


• Explains how to generate chargeback reports

• Explains how to configure the HDvM connection (SAIN systems only)

Understanding the HCP system log

While the Overview page in the System Management Console gives you a view of the system as a whole, the HCP system log lets you monitor system activity on a more detailed level. The log records system events such as:

• Nodes and services starting

• Changes to the system configuration

• Logical volume failures

• User logins to the HCP System Management Console

Each recorded entry about an event is called a message. The system log contains all the messages written to it since the HCP system was installed.

The System Management Console provides several views of the log:

• The All Events panel on the System Events page displays all the messages in the system log that your roles allow you to see.

• The Security panel on the System Events page displays only messages about attempts to log into the System Management Console with an invalid username. Only users with the security role can see this panel.

• The Logs section on the Resources page displays all the messages in the system log that your roles allow you to see.

• The Major Events section on the Overview page displays only messages about major events (for example, the addition or failure of a node).

• The Events section on the Storage Node page displays only messages about events that relate to a particular node.

• The Service Events section on the Schedule page displays only messages related to HCP services that can be scheduled to run at specific times.


For information on the messages that can appear in the system log and how to respond to them, see Appendix B, “HCP system log messages,” on page 535.

Viewing the complete event log

The All Events panel on the System Events page lists all event messages logged since the HCP system was installed. By default, the panel displays 20 messages at a time in reverse chronological order.

Roles: To view the All Events panel, you need the monitor, administrator, security, service, or compliance role. However, only users with the security role can see messages about attempts to log into the System Management Console with an invalid username.

To display the All Events panel:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on System Events.

3. On the left side of the System Events page, click on All Events.

For a description of the information provided by each log message, see “Understanding log messages” on page 438. For information on managing the message display, see “Managing the message list” on page 440.

Viewing the system security log

The Security Events panel on the System Events page lists all messages about attempts to log into the System Management Console with an invalid username that have occurred since the HCP system was installed. By default, the panel displays 20 messages at a time in reverse chronological order.

Roles: To view the Security Events panel, you need the security role.

To display the Security Events panel:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.


2. In the secondary menu, click on System Events.

3. On the left side of the System Events page, click on Security Events.

For a description of the information provided by each log message, see “Understanding log messages” below. For information on managing the message display, see “Managing the message list” on page 440.

Understanding log messages

Each message displayed in the All Events and Security Events panels includes this information about an event:

• The username of the event initiator:

– For user-initiated events, this is the username currently associated with the user account used by the user who initiated the event. These considerations apply:

• For an HCP user account, if the account has been deleted, the username is followed by the letter D in parentheses.

• For an AD user account, if the account has been deleted or if HCP currently cannot contact AD, the username for the message is blank.

– For system-initiated events, the username is [internal].

– For events initiated through SNMP, the username is [snmp].

– For events initiated by HCP service or support personnel by means other than the System Management Console or SNMP, the username is [service].

• The severity of the event. Possible values are:

Notice — The event is normal and requires no special action. Events of this severity are informational only. Examples are:

• Node started

• Protection service finished: run complete

• Syslog settings changed


Warning — The event is out of the ordinary and may require manual intervention. Examples are:

• Storage capacity warning

• Protection service beginning repairs

• Remote authentication server error

Error — The event is serious and most likely requires manual intervention. Examples are:

• Storage capacity critical

• Volume failure

• Network interface down

• The date and time at which the event occurred, shown for the time zone in which the HCP system is located.

• A short description of the event.

To view more details about an event, click anywhere in the row containing the event message. To hide the details, click again in the row.

The details displayed for an event are:

• The user ID of the event initiator

• For user-initiated events, the port through which HCP received the event request

• For user-initiated events, the IP address from which the event request was sent

• The message ID

• The number of the node on which the event occurred

• If the event applies to a specific logical volume, the volume ID

• The full text of the event message


Managing the message list

You can take the following actions in any of the views of the system log:

• To display details for all the listed events, click on the expand all link. To hide all details, click on the collapse all link.

• To view a different number of messages per page, select the number you want in the Items field.

• To page forward or backward through the messages, click on the next or back control, respectively.

Configuring syslog logging

You can have HCP send system log messages to one or more syslog servers. When you do this, you can use tools in your syslog environment to perform functions such as sorting the messages, querying for certain events, or forwarding error messages to a mobile device.

Tenant-level administrators can choose to include tenant log messages along with the system log messages sent to the syslog servers.

If you identify any syslog servers to HCP, HCP also sends the results of diagnostic commands to those servers. For information on diagnostic commands, see “Running diagnostics” on page 482.

Log messages sent to syslog servers

For each system log message about an event, HCP sends this information to the specified syslog servers:

• A unique identifier for the system log entry.

• A message segment number, if applicable. Messages that exceed 1,024 characters are split into two or more messages, all of which have the same log entry identifier. These message segments are numbered sequentially, starting with 0 (zero) for the first segment.

HCP sends at most 100 segments for a log message, for a total of 102,400 characters. Any text beyond that is not sent.

• The message ID.

• The date and time the event occurred.


• The severity of the event.

• The front-end network IP addresses and node number assigned to the node on which the event occurred.

• If the event applies to a specific logical volume, the volume identifier.

• The username and ID of the event initiator.

• The full message text.

You can choose the severity level of the log messages to be sent. You can also choose whether or not to send messages about security events (that is, attempts to log into the System Management Console with an invalid username) and compliance events. Compliance events happen at the namespace level, so these messages are sent to the syslog servers only if syslog logging is enabled at the tenant level.

Note: System log messages are not guaranteed to arrive at the syslog servers to which they’re sent. This is because the syslog protocol uses UDP for data transmission.
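Because long messages arrive as numbered segments over UDP, a log collector needs to reassemble them and notice when a segment is missing. The following is an added example, not HCP code: it assumes the collector has already parsed each received message into a (log entry identifier, segment number, text) record, and that each segment carries up to 1,024 characters. The record layout, function names, and sample data are constructed for illustration.

```python
# Added example: receiver-side handling of segmented log messages; not HCP code.
from collections import defaultdict

SEGMENT_CHARS = 1024   # from the text: messages over 1,024 characters are split
MAX_SEGMENTS = 100     # from the text: at most 100 segments are sent per message


def split_message(entry_id, text):
    """Model of the sender: (entry_id, segment_no, chunk) records from 0.

    Assumes each segment carries up to SEGMENT_CHARS characters. Text beyond
    MAX_SEGMENTS segments is dropped, as the section above describes.
    """
    chunks = [text[i:i + SEGMENT_CHARS]
              for i in range(0, len(text), SEGMENT_CHARS)]
    return [(entry_id, n, c)
            for n, c in enumerate((chunks or [""])[:MAX_SEGMENTS])]


def reassemble(records):
    """Rebuild messages from records that may be reordered, duplicated or lost.

    records: iterable of (entry_id, segment_no, chunk); segment_no may be None
    for a message that was not segmented. Returns {entry_id: report}.
    """
    by_entry = defaultdict(dict)
    for entry_id, seg_no, chunk in records:
        # Keep the first copy of a segment and ignore duplicates.
        by_entry[entry_id].setdefault(0 if seg_no is None else seg_no, chunk)

    reports = {}
    for entry_id, segs in by_entry.items():
        last = max(segs)
        reports[entry_id] = {
            "text": "".join(segs[n] for n in sorted(segs)),
            # Gaps below the highest segment number seen were lost in transit.
            "missing_segments": [n for n in range(last + 1) if n not in segs],
            # Segment 99 present: text past 102,400 characters was never sent.
            "at_segment_limit": last == MAX_SEGMENTS - 1,
            # Heuristic: the fields listed above include no total segment
            # count, so a full-length final segment may mean a later segment
            # was lost.
            "tail_uncertain": (len(segs[last]) == SEGMENT_CHARS
                               and last < MAX_SEGMENTS - 1),
        }
    return reports


if __name__ == "__main__":
    # Constructed sample: a 2,500-character message whose middle segment is
    # lost and whose remaining segments arrive out of order.
    segments = split_message("entry-1", "A" * 2500)
    received = [segments[2], segments[0]]
    for entry_id, report in reassemble(received).items():
        print(entry_id, "missing:", report["missing_segments"],
              "recovered chars:", len(report["text"]))
```

An entry with a non-empty missing_segments list, or with tail_uncertain set, is incomplete at the collector and can be read in full in the System Management Console views of the system log.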

Enabling syslog logging

For HCP to send log messages through syslog, you need to specify the IP addresses of one or more syslog servers. Each syslog server IP address that you specify must be routable from the [hcp_system] network. For this reason, if you specify an IPv6 unique local address (ULA) for a syslog server, then the [hcp_system] network must be configured with an IPv6 ULA that can be used to connect to that syslog server. When you specify multiple servers, HCP sends log messages to all of the specified servers.

You also need to select the syslog local facility to which to direct the log messages. This selection applies to all the syslog servers that you specify.

You use the Syslog page in the HCP System Management Console to set up logging through syslog. You also use this page to test the connections to the syslog servers you specify.

To display the Syslog page:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.


2. In the secondary menu, click on Syslog.

Roles: To view the Syslog page, you need the monitor, administrator, security, or compliance role. To configure syslog logging and test the connections to syslog servers, you need the administrator or security role.

To configure HCP to send log messages to syslog servers, on the Syslog page:

• Specify syslog settings:

– Select the Enable syslog option.

– To include log messages about compliance events, select the Send compliance events option.

– To include log messages about security events, select the Send security events option.

– In the Send log messages at this level or higher field, select the severity level of messages to be sent to the specified syslog servers:

OFF tells HCP not to send any log messages.

NOTICE sends messages with a severity level of Notice, Warning, or Error.

WARNING sends messages with a severity level of Warning or Error.

ERROR sends only messages with a severity level of Error.

– In the Facility field, select the syslog local facility to which to direct log messages. The options are local0 through local7.

Then click on the Update Settings button.

Tip: Before you submit your changes, you can test the connections to the specified syslog servers, as described in “Testing syslog connections” below.


• Specify one or more syslog server IP addresses. For each syslog server that you want to use with HCP, specify the IPv4 or IPv6 address that you want HCP to use to connect to that server.

You specify each syslog server IP address as a separate entry in the syslog server list. To add an IP address to the syslog server list:

1. In the Syslog Server IP Addresses field, type the IP address, optionally followed by a colon and a port number. If you omit the port number, HCP uses port number 514.

Each entry in this list must be a single IP address. IP address ranges and comma-separated lists are not valid.

2. Click on Add.

The specified IP address moves into the list below the field.

To remove an IP address from the syslog server list, click on the delete control for that IP address. To remove all the IP addresses from the list, click on Delete All.

Testing syslog connections

At any time, you can test the connections to the syslog servers whose IP addresses appear on the Syslog page. Testing the connections causes HCP to send a message to the target IP addresses. To verify that the connections are working, you need to use your syslog tools to check that the message arrived.

The message HCP sends to the syslog servers has a severity level of Notice. Therefore, for the message to be sent successfully, the severity level of messages to be sent must be set to NOTICE.

To test the connections to the specified syslog servers:

1. On the Syslog page, click on the Test button. HCP sends this message to the syslog servers:

User username sent system log test message.

2. Check each syslog server to ensure that the message arrived.

If a syslog server doesn’t receive the message:

• Check that you’ve correctly specified the target IP address.


• Check that you can successfully ping the target IP address.

If you’re unable to determine the cause of the problem, contact your authorized HCP service provider for help.

Configuring SNMP

You can configure HCP to work with SNMP. With SNMP enabled, you can have HCP send system log messages to one or more specified SNMP managers. When you do this, you can use tools in your SNMP environment to perform functions such as sorting the messages, querying for certain events, or forwarding error messages to a mobile device.

To use HCP to send log messages to external SNMP managers, each SNMP manager must be configured to use at least one IPv4 or IPv6 address that is routable from the [hcp_system] network. For this reason, if you specify an IPv6 unique local address (ULA) for an external SNMP manager, then the [hcp_system] network must be configured with an IPv6 ULA that can be used to connect to that SNMP manager.

To send the log messages, HCP uses the arcAdminLogEvent trap in its own management information base (MIB), HCP-MIB. You can download this MIB from the SNMP page of the HCP System Management Console.

HCP can also send notification of certain types of events to the specified SNMP managers. These event types are determined by traps in several standard MIBs available to SNMP clients.

Tenant-level administrators can choose to include tenant log messages along with the system log messages sent to the SNMP managers.

Additionally, with SNMP enabled, you can use SNMP tools to view almost all the system settings available in the System Management Console, as well as other settings available only through standard MIBs. You can also allow or disallow the use of SNMP to change HCP settings such as the shredding rate or whether nodes should respond to ping requests. You can specify IP addresses from which viewing and changing these settings is allowed or denied.

To use SNMP for event notification, receiving log messages, and viewing and modifying system settings, you need to have an SNMP tool installed on your client. SNMP tools are available from multiple sources.


For information on the standard MIB files HCP supports, see Appendix D, “SNMP MIB support,” on page 581.

Note: When you change the SNMP configuration while SNMP is enabled, SNMP functions are briefly disrupted.

Log messages sent to SNMP managers

For each system log message about an event, HCP sends the information shown in the table below to the specified SNMP managers.

Information | Field in HCP-MIB | Data type
Severity of the event | hcpAdminLogEventSeverity | INTEGER. Possible values are: 3 — Error, 4 — Warning, 5 — Notice
Date and time the event occurred | hcpAdminLogEventTimestamp | DateAndTime
Message ID | hcpAdminLogEventType | Integer32
Full message text | hcpAdminLogEventMessage | LongDisplayString (up to 1,024 bytes)

You can choose the severity level of the log messages to be sent. You can also choose whether or not to send messages about security events (that is, attempts to log into the System Management Console with an invalid username) and compliance events. Compliance events happen at the namespace level, so these messages are sent to the SNMP managers only if SNMP logging is enabled at the tenant level.

Notes:

• System log messages are not guaranteed to arrive at the SNMP managers to which they’re sent. This is because the SNMP protocol uses UDP for data transmission.

• Some HCP startup events occur before the internal SNMP server starts. Therefore, messages about these startup events are not sent to SNMP managers.


Enabling SNMP

You use the SNMP page in the HCP System Management Console to enable and configure SNMP for HCP. You also use this page to test the connections to the SNMP managers that you specify.

To display the SNMP page:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on SNMP.

Roles: To view the SNMP page, you need the monitor, administrator, security, or compliance role. To configure SNMP for HCP and test connections to SNMP managers, you need the administrator or security role.

To enable and configure SNMP for HCP, on the SNMP page:

• Specify SNMP settings:

– To enable all uses of SNMP with HCP, select the Enable SNMP at snmp.hcp-domain-name option.

– Optionally, select the Allow writes/updates of HCP settings through SNMP option to allow users to change the HCP system configuration through SNMP. This option applies only when SNMP is enabled.

– To indicate the version of SNMP you want to use, select either the Use version 1 or 2c or Use version 3 option.

Note: SNMP version 1 does not support fields with the Counter64 data type. In the HCP MIB, several fields have that data type. When you use SNMP version 1 to retrieve system information, it will not return values for those fields.

– To secure access to HCP through SNMP:

• For SNMP version 1 or 2c, type the name of a community in the Community field. Community names can contain only alphanumeric characters and hyphens (-) and can be from 1 through 63 characters long. Community names are case sensitive.


• For SNMP version 3:

• In the New Password field, type a password to go with the system-supplied name in the Username field. Passwords must be at least eight characters long and can contain any valid UTF-8 characters, including white space; however, the recommended usage is to limit the password to only ASCII characters. Passwords are case sensitive.

If you’re modifying the SNMP settings and you leave the New Password field empty, the previously set password remains in effect.

• In the Confirm Password field, type the password again.

• In the Community field, type a community access string. Community access strings can contain only alphanumeric characters and hyphens (-) and can be from 1 through 63 characters long. These strings are case sensitive.

– To include log messages about compliance events with the messages sent to the specified SNMP managers, select the Send compliance events option.

– To include log messages about security events with the messages sent to the specified SNMP managers, select the Send security events option.

– In the Send log messages at this level or higher field, select the severity level of log messages to be sent to the specified SNMP managers:

OFF tells HCP not to send any log messages.

NOTICE sends messages with a severity level of Notice, Warning, or Error.

WARNING sends messages with a severity level of Warning or Error.

ERROR sends only messages with a severity level of Error.

Then click on the Update Settings button.

Tip: Before you submit your changes, you can test the connections to the specified SNMP managers, as described in “Testing SNMP connections” below.


• Optionally, specify IP addresses to be allowed access to HCP through SNMP. To do this:

1. Click on the Allow tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” on page 413.

• Optionally, specify IP addresses to be denied access to HCP through SNMP. To do this:

1. Click on the Deny tab.

2. Follow the instructions in “Adding and removing entries in Allow and Deny lists” on page 413.

• To specify how HCP should handle IP addresses that appear in both or neither of the Allow and Deny lists, select or deselect the Allow request when same IP is used in both lists option. Changes to this option take effect immediately.

For the effects of this option, see “Allow and Deny list handling” on page 414.

• Optionally, specify one or more external SNMP manager IP addresses. For each external SNMP manager that you want to use with HCP, specify the IPv4 or IPv6 address that you want HCP to use to connect to that SNMP manager.

You specify each external SNMP manager IP address as a separate entry in the SNMP trap addresses list. To add an IP address to the SNMP trap addresses list:

1. In the Trap Addresses field, type the IP address. Each entry in this list must be a single IP address. IP address ranges and comma-separated lists are not valid.

2. Click on Add.

The IP address moves into the list below the field.


To remove an external SNMP manager IP address from the list, click on the delete control for that IP address. To remove all the IP addresses from the list, click on Delete All.

Note: IP addresses that appear in both the Trap Addresses list and the Deny list do not receive trap notifications.

Testing SNMP connections

At any time, you can test the connections to the external SNMP managers whose IP addresses appear on the SNMP page. Testing the connections causes HCP to send a message to the target IP addresses. To verify that the connections are working, you need to use your SNMP tools to check that the message arrived.

The message HCP sends to the SNMP managers has a severity level of Notice. Therefore, for the message to be sent successfully, the severity level of messages to be sent must be set to NOTICE.

To test the connections to the specified external SNMP managers:

1. On the SNMP page, click on the Test button. HCP sends this message to the specified SNMP managers:

User username sent system log test message.

2. Check each SNMP manager to ensure that the message arrived.

If an SNMP manager doesn’t receive the message:

• Check that you’ve correctly specified the target IP address.

• Check that you can successfully ping the target IP address.

If you’re unable to determine the cause of the problem, please contact your authorized HCP service provider.

Viewing and downloading the HCP-MIB.txt file

The SNMP MIB for HCP is described in the HCP-MIB.txt file. To use this MIB, you need to download the file to your SNMP tool.

Tip: You can download the HCP-MIB.txt file even if your user account includes only the monitor role.


To view the HCP-MIB.txt file, click on the HCP-MIB.txt link on the SNMP page. The HCP-MIB.txt file opens in the System Management Console browser window.

To download the HCP-MIB.txt file:

1. Right-click on the HCP-MIB.txt link on the SNMP page and select the browser-specific option for downloading the file.

2. Save the file as HCP-MIB.txt in the applicable directory for your SNMP tool.

For more information on the HCP-MIB.txt file, see Appendix D, “SNMP MIB support,” on page 581.

Using SNMP to view or change HCP settings

You can use the fields in HCP-MIB and other MIBs to view and, when allowed, change HCP settings. The interface you use for these activities depends on your SNMP tool. Here are examples of viewing and changing HCP settings with the command-line tool net-snmp:

• To view the total storage capacity of the HCP system:

Command: snmpget -v 2c -c public -m +/usr/share/snmp/mibs/HCP-MIB.txt snmp.hcp-ma.example.com HCP-MIB::totalCapacity.0

Response: HCP-MIB::totalCapacity.0 = Counter64: 562110914560

• To set the shredding rate to low:

Command: snmpset -v 2c -c public -m +/usr/share/snmp/mibs/HCP-MIB.txt snmp.hcp-ma.example.com HCP-MIB::shreddingRate.0 i 5000

Response: HCP-MIB::shreddingRate.0 = INTEGER: low(5000)

net-snmp is a publicly available tool. You can download it from http://www.net-snmp.org.

Configuring email notification

You can configure HCP to send email to specified recipients to notify them about messages added to the system log. You can configure each recipient to receive notification of only selected messages based on the message importance, severity, and type. Important messages are those that appear in the Major Events section on the Overview page in the System Management Console. Message severity levels are notice, warning, and error. Message types are general, security, and compliance. In all cases, HCP makes a best effort to send the applicable email in a timely manner.

Recipients are added to the blind carbon copy (bcc) list for each email, so the recipients of an email are not visible to one another. The To list remains empty.

You can configure the content of the email that HCP sends. For example, you could choose to have HCP send the full text, severity, date and time, and node number for each log message. Or, if you’re concerned about exposing system information in what is by nature an insecure medium, you could format the email to say only that a log message was recorded.

To enable HCP to send email notifications, you need to identify the email server that you want HCP to use and make that email server known to HCP. Typically, this is your corporate email server.

To enable HCP to communicate with the email server, you need to specify the IP address that you want HCP to use to connect to that server. The email server IP address that you specify must be an IPv4 or IPv6 address that is routable from the [hcp_system] network. For this reason, if you specify an IPv6 unique local address (ULA) for the email server, then the [hcp_system] network must be configured with an IPv6 ULA that can be used to connect to that email server.

HCP writes messages to the system log about email that the email server fails to accept. The messages about failed email are not sent to email recipients.

You use the Email page in the HCP System Management Console to enable and configure email notification. You also use this page to test the connection to the email server that you specify.

To display the Email page:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on Email.

Roles: To view the Email page, you need the monitor, administrator, security, or compliance role. To configure email notification and test the connection to the email server, you need the administrator or security role.


Enabling email notification

To configure HCP to send email about log messages, on the Email page:

1. Select the Enable email notification option.

2. Specify the email server through which you want HCP to send email. For instructions on this, see “Specifying the email server” below.

3. Optionally, test the email server settings. For instructions on this, see “Testing the connection to the email server” on page 453.

4. Optionally, change the format of the email to be sent. For instructions on this, see “Constructing the email message template” on page 453.

5. Specify one or more recipients to receive email about log messages. For instructions on this, see “Specifying email recipients” on page 456.

Specifying the email server

To specify the email server through which you want HCP to send email about log messages, on the Email page:

1. Click on SMTP Settings.

2. In the SMTP Settings panel:

– In the Host field, type the hostname or IP address that you want HCP to use to connect to the email server.

– In the Port field, type the port on which the email server listens for email messages.

– In the Security field, select the security protocol used by the email server (SSL or STARTTLS) or None if the email server doesn’t use a security protocol.

– If the email server is configured to require authentication, select the Authenticated option. Then:

• In the Username field, type the username for an email account that’s authorized to establish the connection between HCP and the email server.

• In the Password field, type the password for the email account.


If you have previously set a password and you leave the password field empty, the previously set password is replaced by no password.

3. Optionally, test the email server settings. For instructions on this, see “Testing the connection to the email server” below.

4. In the SMTP Settings panel, click on the Update Settings button.

Testing the connection to the email server

You can test the connection to the email server at any time regardless of whether support for email notification is enabled. Testing the connection causes HCP to send an email to an address that you specify. This email comes from the email address specified in the From field in the Message Settings section on the Email page. The email subject is “Test email from HCP.”

To test the connection to the email server, on the Email page:

1. Click on SMTP Settings.

2. In the SMTP Settings panel, click on the Test button.

3. In the Test Email Notification window, type the email address to which you want HCP to send the test email.

4. Click on the Send button.

If the test email cannot be sent, the System Management Console displays an error message that specifies the reason returned by the email server. If the Console displays a success message but the email does not arrive, verify the settings in the SMTP Settings panel and ensure that you’ve correctly specified the email address to which you want the email sent. If the email still doesn’t arrive, contact your email administrator for help.

Constructing the email message template

The content of the email messages HCP sends is determined by the message template specified in the Message Settings section on the Email page. You can modify this template at any time. The Message Preview section shows a sample email that uses the current template.


The email template has three fields, each of which can be filled in with any combination of plain text and email template variables:

• The From field specifies the content of the email From line. This field must have a value. That value must have the form of a valid email address.

Some email servers require that the value in the From line be an email address that is already known to the server.

• The Subject field specifies the content of the email Subject line. This field must have a value.

For the email template subject, plain text can include spaces but not line breaks or tabs.

• The Body field specifies the body of the email. This field is optional.

For the email template body, plain text can include spaces and line breaks but not tabs. The character sequence consisting of a backslash (\) followed by a lowercase n creates a line break.

For a description of email template variables, see “Email template variables” below.

HCP comes with a default email template. At any time, you can change the email template back to the default. For instructions on this, see “Restoring the default template” on page 456.

To modify the template HCP uses for email notification about log messages, on the Email page:

1. In the From, Subject, and Body fields in the Message Settings section, specify the values that you want to use.

2. Optionally, click on the Preview button to preview the sample email with the specified format in the Message Preview field.

3. Click on the Update Settings button at the bottom of the page.


Email template variables

The values you specify in the From, Subject, and Body fields in the email template can include variables that correspond to the information available for each log message (for example, the severity of the event that triggered the message or the short description of the event). When sending email, HCP replaces the variables in the email message with the applicable information.

To include a variable in the email template, you specify the variable name preceded by the dollar sign ($). A dollar sign followed by anything other than a variable name is displayed as a dollar sign in the email HCP sends.

The table below lists the variables you can use in the email template.

| Variable | Description |
|---|---|
| $action | The action to take in response to the message |
| $date | The date and time at which the event occurred (for example, Wed Feb 8 2012 3:15:57 PM EST) |
| $fullText | The full text of the message |
| $id | The message ID |
| $location | The fully qualified name of the HCP system on which the event occurred (for example, hcp-ma.example.com) |
| $node | The number of the node on which the event occurred |
| $origin | For user-initiated events, the IP address from which the event request was sent and the port through which HCP received the event request, separated by a colon (for example, 192.168.152.181:8000) |
| $reason | The reason why HCP issued the message |
| $scope | Always System |
| $severity | The severity of the event that triggered the message |
| $shortText | A brief description of the event that triggered the message |
| $type | The type of message (General, Security, or Compliance), preceded by Important and a comma if the message is important (for example, Important, Security) |
| $user | The user ID and username of the event initiator (for example, 105ff38f-4770-4f98-b5b3-8371ab0af359 lgreen) |

For more information on log messages, see “Understanding log messages” on page 438 and Appendix B, “HCP system log messages,” on page 535.


Restoring the default template

The table below shows the format of the default email template.

Field: Default value

From: log@$location

Subject: [$severity] $shortText

Body:

    The following event occurred on $date:
    $fullText
    Reason:
    $reason
    Action:
    $action
    Details:
    Node: $node
    User: $user
    Origin: $origin

To change the email template back to the default, on the Email page:

1. Click on the Reset button.

2. Optionally, click on the Preview button to preview the sample email with the default format in the Message Preview field.

3. Click on the Update Settings button at the bottom of the page.
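A pre-flight check for a custom template, added here as an illustration and not taken from HCP: it models the rule that a dollar sign followed by anything other than a variable name is sent as typed, so a misspelled variable is caught before the template is saved. The tokenizing rule, the function names, the line-break layout of the default body and the event values marked as constructed are assumptions.

```python
import re

# The thirteen variable names listed in the "Email template variables" table.
VARIABLES = frozenset((
    "action", "date", "fullText", "id", "location", "node", "origin",
    "reason", "scope", "severity", "shortText", "type", "user"))

# Assumption: a name is the case-sensitive run of letters/digits after "$".
_TOKEN = re.compile(r"\$([A-Za-z][A-Za-z0-9]*)")
_EMAIL_FORM = re.compile(r"^[^@\s]+@[^@\s]+$")

# Default template from the page; "\\n" is the two-character backslash-n
# sequence that the Body field turns into a line break.
DEFAULT_TEMPLATE = {
    "from": "log@$location",
    "subject": "[$severity] $shortText",
    "body": ("The following event occurred on $date:\\n$fullText\\n"
             "Reason:\\n$reason\\nAction:\\n$action\\n"
             "Details:\\nNode: $node\\nUser: $user\\nOrigin: $origin"),
}


def substitute(text, event):
    """Replace known $variables; any other "$..." stays exactly as typed."""
    def repl(match):
        name = match.group(1)
        return str(event[name]) if name in VARIABLES else match.group(0)
    return _TOKEN.sub(repl, text)


def render(template, event):
    """Return the From, Subject and Body that would be sent for one event."""
    body = template.get("body", "").replace("\\n", "\n")
    return {"from": substitute(template["from"], event),
            "subject": substitute(template["subject"], event),
            "body": substitute(body, event)}


def lint(template, sample_event):
    """List violations of the field rules and names that will not expand."""
    problems = []
    for field in ("from", "subject", "body"):
        for match in _TOKEN.finditer(template.get(field, "")):
            if match.group(1) not in VARIABLES:
                problems.append(f"{field}: {match.group(0)} is not a "
                                "variable and is sent literally")
    if not template.get("from"):
        problems.append("from: must have a value")
    elif not _EMAIL_FORM.match(substitute(template["from"], sample_event)):
        problems.append("from: does not have the form of an email address")
    subject = template.get("subject", "")
    if not subject:
        problems.append("subject: must have a value")
    elif re.search(r"[\r\n\t]", subject):
        problems.append("subject: line breaks and tabs are not allowed")
    if "\t" in template.get("body", ""):
        problems.append("body: tabs are not allowed")
    return problems


# Event built from the example values in the variables table; the message
# texts, ID, node number and severity are constructed for this example.
EVENT = {
    "action": "Constructed action text", "date": "Wed Feb 8 2012 3:15:57 PM EST",
    "fullText": "Constructed full message text", "id": "0000",
    "location": "hcp-ma.example.com", "node": "101",
    "origin": "192.168.152.181:8000", "reason": "Constructed reason text",
    "scope": "System", "severity": "Error",
    "shortText": "Constructed short text", "type": "Important, Security",
    "user": "105ff38f-4770-4f98-b5b3-8371ab0af359 lgreen",
}

# Constructed template with two misspelled variables, a tab in the subject
# and a From value that is not an address.
CUSTOM = {"from": "hcp alerts",
          "subject": "[$serverity] $shortText\t$type",
          "body": "Origin: $orgin\\nCost: $5"}

if __name__ == "__main__":
    print(render(DEFAULT_TEMPLATE, EVENT)["subject"])
    for problem in lint(CUSTOM, EVENT):
        print(problem)
```
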

Specifying email recipients

You use the Recipients section on the Email page to specify the email addresses to which HCP sends email about log messages. HCP sends email as blind carbon copies, so email recipients are not visible to one another.

Each row in the Recipients section contains one or more email addresses and indicates which messages are sent to those addresses. The section can have at most 25 rows.


Because each row in the Recipients section can contain multiple email addresses, you can specify a total of more than 25 addresses in this section. However, HCP sends each email only to an arbitrary 25 of the addresses that are supposed to receive the email. For example, if 34 email addresses are supposed to receive email about log messages that are important and have a severity level of error and a type of general, HCP sends such email only to 25 of those addresses.

You can add, modify, and delete rows in the Recipients section at any time.

Understanding the recipients list

Each row in the Recipients section specifies:

• One or more email addresses.

• Whether to send email only about important log messages (Major) to the specified email addresses or to send email about all log messages (All).

• The severity of the log messages about which to send email:

– Notice tells HCP to send email about log messages with a severity level of notice, warning, or error.

– Warning tells HCP to send email about log messages with a severity level of warning or error.

– Error tells HCP to send email only about log messages with a severity level of error.

• Whether to send email about general log messages. General log messages are all messages that do not have a type of security or compliance.

• Whether to send email about log messages with a type of security.

• Whether to send email about log messages with a type of compliance.

Email recipients receive email only about log messages that have all the selected properties.
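The matching rules above, modeled as an added example (not HCP code) that audits whether a given mailbox is routed every message of a given type and minimum severity, and whether more than 25 addresses compete for the same email. The class and function names, the lowercase severity and type labels, the de-duplication of addresses and the sample rows are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product

SEVERITY_RANK = {"notice": 0, "warning": 1, "error": 2}
TYPES = ("general", "security", "compliance")
MAX_ROWS = 25                 # the Recipients section has at most 25 rows
MAX_ADDRESSES_PER_EMAIL = 25  # each email goes to an arbitrary 25 addresses


@dataclass(frozen=True)
class Row:
    addresses: tuple          # one or more email addresses
    importance: str           # "Major" (important messages only) or "All"
    severity: str             # "Notice", "Warning" or "Error" (minimum level)
    types: frozenset          # selected types, a subset of TYPES


@dataclass(frozen=True)
class Message:
    severity: str             # "notice", "warning" or "error"
    msg_type: str             # "general", "security" or "compliance"
    important: bool


def row_matches(row, msg):
    """A row matches only when the message has all the selected properties."""
    if row.importance == "Major" and not msg.important:
        return False
    if SEVERITY_RANK[msg.severity] < SEVERITY_RANK[row.severity.lower()]:
        return False
    return msg.msg_type in row.types   # no type selected: never matches


def intended_recipients(rows, msg):
    """Distinct addresses that are supposed to receive email about msg."""
    if len(rows) > MAX_ROWS:
        raise ValueError("the Recipients section holds at most 25 rows")
    targets = []
    for row in rows:
        if row_matches(row, msg):
            for address in row.addresses:
                if address not in targets:
                    targets.append(address)
    return targets


def audit(rows, mailbox, msg_type, min_severity):
    """Return (severity, important, finding) for every message class of
    msg_type at or above min_severity that mailbox may not receive."""
    findings = []
    for severity, important in product(SEVERITY_RANK, (False, True)):
        if SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
            continue
        targets = intended_recipients(rows, Message(severity, msg_type, important))
        if mailbox not in targets:
            findings.append((severity, important, "not routed"))
        elif len(targets) > MAX_ADDRESSES_PER_EMAIL:
            findings.append((severity, important,
                             "over 25 addresses, delivery arbitrary"))
    return findings


# Constructed recipient list: a row left at the settings a newly added row
# gets (Major, Error, general only) and a broad row for another team.
ROWS = [
    Row(("soc@example.com",), "Major", "Error", frozenset({"general"})),
    Row(("storage@example.com",), "All", "Notice", frozenset(TYPES)),
]
# The same list with the first row changed to All, Warning, security.
FIXED = [Row(("soc@example.com",), "All", "Warning",
             frozenset({"security"}))] + ROWS[1:]

if __name__ == "__main__":
    for finding in audit(ROWS, "soc@example.com", "security", "warning"):
        print(finding)
    print(audit(FIXED, "soc@example.com", "security", "warning"))
```
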


Adding, modifying, and deleting rows in the recipients list

To add, modify, and/or delete rows in the recipients list, on the Email page:

1. Take one or more of these actions:

– To add a row:

1. Optionally, in the Recipients field, type a comma-separated list of one or more well-formed email addresses.

2. Click on Add.

A new row appears in the recipients list with importance set to Major, severity set to Error, and only general selected as the type. The row is highlighted in green.

To remove the new row, click on the delete control for the row.

– To modify a row:

• Optionally, in the Address field, type additional well-formed email addresses and/or modify or delete existing addresses. This field must contain at least one well-formed email address and no incorrectly formed addresses.

• Optionally, change the properties based on which HCP sends email to the specified addresses.

If you deselect all the types, no email is sent to the specified addresses.

– To delete a row, click on the delete control for the row.

The row turns red. To undo the deletion, click again on the delete control.

2. Click on the Update Settings button at the bottom of the page.


Monitoring resources

You use the Resources page in the HCP System Management Console to monitor the use of system resources. The information on this page can help you determine the causes of system issues such as slowed responses to client read and write requests or abnormal conditions reported in the system log.

The Resources page uses graphs to show statistics about the use of these resources over time:

• CPU

• Local logical volumes

• Memory

• Front-end and back-end networks

The graphs let you analyze trends across individual storage nodes and compare node performance to the performance of the system as a whole.

The graphs are coordinated with each other, allowing you to easily view the use of multiple resources during the same time period. Additionally, the Resources page can display the HCP system log, so you can correlate resource usage with system events.

To diagnose issues, you should review all the graphs for the applicable time period. Some issues become apparent only when you compare graphs for multiple resources.

To display the Resources page:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on Resources.

Roles: To view the Resources page, you need the monitor or administrator role.


About the resource usage graphs

HCP uses System Activity Reporter (SAR) data as the basis for resource usage reporting. SAR is a utility that runs on each node in the HCP system. Every ten minutes, SAR records statistics representing the average use of various resources in the node during the past ten-minute interval. The graphs on the Resources page in the System Management Console show these statistics for a subset of those resources.

For the CPU, memory, and network resources, the graphs can show either the average of the SAR statistics across all storage nodes or this average along with the SAR statistics for an individual storage node. For the logical volume resource, the graphs can show the SAR statistics only for an individual logical volume.

For information on managing the resource usage graphs, see “Managing the resource usage graphs” on page 463.

CPU

CPU statistics provide information about the processing load on the HCP system. HCP reports CPU statistics in these graphs:

CPU Usage — This graph shows both the percent of CPU capacity used by the operating system kernel ( OS in the graph legend) and the percent of CPU capacity used by HCP processes ( HCP in the graph legend).

CPU IO Wait — This graph shows the percent of CPU capacity spent waiting to access logical volumes that are in use by other processes.

These two statistics together equal the total processing load on the system.

If CPU usage is consistently high across all nodes and system performance is degraded, the namespace application workload may be too heavy for the system to handle efficiently. In this case, you may need to add nodes to the system or upgrade the existing nodes to nodes with greater CPU capacity.

If CPU usage is high on a recurring basis, check the system log to see whether the high CPU usage correlates with recurring events such as services running. If the high usage correlates with services running, you may want to change the service schedule. For information on doing this, see “Scheduling services” on page 388.


High CPU usage on only a small number of nodes may mean that applications are repeatedly using the same IP addresses to access the system. In this case, you may want to suggest to tenant administrators that their applications use DNS or some other mechanism to help balance the workload across all the nodes in the system.

Consistently high CPU IO wait with low CPU usage may mean that HCP cannot access the system storage fast enough to keep up with application demand. In this case, you may need to add storage to the system so that attempts to access storage are spread across a larger number of logical volumes.

In an HCP SAIN system with spindown storage, high IO wait on nodes with logical volumes that can be spun down may indicate that these volumes are being spun up frequently. Check the LUN Utilization graph for the load on spindown volumes. If the load is high, you may want to redefine service plans to have a longer wait time before objects are moved to spindown storage. To see which logical volumes are spindown volumes, check the Hardware page in the System Management Console. For information on service plans, see “Working with service plans” on page 210.

A brief period of high CPU IO wait that corresponds to increased workload does not necessarily indicate a problem.

Logical volumes

Logical volume usage statistics provide information about the load on storage managed by HCP. These statistics are available only for individual logical volumes. HCP reports logical volume usage statistics in these graphs:

LUN Read/Write — This graph shows the number of blocks read from the logical volume per second and the number of blocks written to the logical volume per second.

LUN Utilization — This graph shows the usage of the communication channel between the operating system and the logical volume as a percent of the channel bandwidth.

The way logical volumes are used depends on the HCP system configuration. Some logical volumes can store only objects, some can store only the metadata query engine index, and some can store both. Additionally, in an HCP SAIN system, some logical volumes may be used for spindown storage. How you interpret the statistics in the logical volume usage graphs is partly dependent on these factors.


High read, write, and access values for all logical volumes along with low CPU usage may mean that the HCP system storage has insufficient bandwidth to support its workload. In this case, you may need to add storage to the system to spread read and write operations across more logical volumes.

High read and write rates for some but not all logical volumes may mean that the distribution of objects across the nodes in the system is uneven. To verify that this is the case, check the logical volume usage statistics on the Hardware page in the System Management Console. To resolve the issue, submit a request to your authorized HCP service provider to run the capacity balancing service to bring the object distribution to a more balanced state.

Memory

HCP reports on memory usage in the Memory Swap graph. This graph shows the number of pages swapped out of memory per second.

Typically, the page-swap rate for an HCP system is less than one page per second. A consistently high page-swap rate may indicate that the system has insufficient memory to handle its workload. In this case, you may need to add nodes to the system, add memory to the existing nodes, or upgrade existing nodes to nodes with more memory to resolve the issue.

Networks

Network statistics provide information about bandwidth usage on the front-end and back-end networks used by the HCP system. HCP reports network statistics in these graphs:

Front-end Network — This graph shows the number of bytes read from the node per second and the number of bytes written to the node per second over the front-end network. These are the total numbers of bytes across the [hcp_system] network and all user-defined networks.

Back-end Network — This graph shows the number of bytes read from the node per second and the number of bytes written to the node per second over the back-end network.

Note: The amount of back-end network traffic generated by any given namespace is directly related to the ingest tier DPL defined for the namespace by its service plan. The higher the ingest tier DPL, the more back-end network traffic the namespace creates.


Heavy traffic (greater than 120 MB per second) on both the front-end and back-end networks may mean that the HCP system has insufficient bandwidth to accommodate its workload. In this case, you may need to add nodes to the HCP system to increase the available bandwidth.

Heavy front-end traffic on some nodes, but not all of them, may indicate one of the following problems:

• The HCP subdomain is not correctly configured in your DNS. For information on configuring DNS for HCP, see Appendix E, “Configuring DNS for HCP,” on page 585.

• Applications are repeatedly using the same IP addresses to access the system. In this case, you may want to suggest to tenant administrators that their applications use DNS or some other mechanism to help balance the workload across all the nodes in the system.

Heavy back-end traffic on some but not all nodes may mean that the distribution of objects across the nodes in the system is uneven. To verify that this is the case, check the logical volume usage statistics on the Hardware page in the System Management Console. To resolve the issue, submit a request to your authorized HCP service provider to run the capacity balancing service to bring the object distribution to a more balanced state.

Managing the resource usage graphs

To manage the resource usage graphs on the Resources page, you can:

• Choose which graphs to display

• Choose whether the graphs show information about an individual node or all nodes

• Zoom in to more easily see the individual data points in the graphs

• Select a time for which you want to know the resource usage details

• Specify the time period you want to see in the graph windows

• Scroll left and right to change the time period shown in the graph windows


Switching graphs

The Resources page shows four graphs at a time. By default, the page shows these graphs: CPU Usage, CPU IO Wait, Back-end Network, and Front-end Network. At any time, you can change which graphs are shown.

To switch one graph for another, in the title bar of the graph you want to switch, click on the icon for the graph you want. The graph icons are:

• (%) — CPU Usage

• (IO) — CPU IO Wait

• (r/w) — LUN Read/Write

• (%) — LUN Utilization

• (M) — Memory Swap

• (F) — Front-end Network

• (B) — Back-end Network

Setting the scope

The CPU, memory, and network graphs can show statistics for all nodes or for an individual node along with the statistics for all nodes. The logical volume graphs can show statistics only for an individual volume and only while a node is selected for display in the other graphs.

To set the scope of the information shown in the graphs, select either All Nodes or the node you want in the field above the top right graph. The selection applies to all the graphs.

To set the logical volume for a logical volume graph, while an individual node is selected for display, select the volume you want in the field in the graph title bar. The selection applies only to that graph.

Zooming

The graphs on the Resources page can show resource usage statistics for at most 30 days (or fewer if the system was installed less than 30 days ago). However, the longer the time period shown, the harder it is to see short-term changes in resource usage.


You can zoom in on the graphs to more easily see the individual data points in them. Zooming in changes the time period visible in each graph but does not change the height of the graphs. You can zoom in until the visible time period is one day. You can zoom out until the visible time period is 30 days.

Zooming affects all the graphs equally.

To zoom in, click on the plus control above the top left graph.

To zoom out, click on the minus control above the top left graph.

After each zoom action, the zoom controls are momentarily greyed.

You can set the amount by which zooming increases or decreases the visible time period each time you zoom. To do this:

1. On the Resources page, click on the edit control above the top left graph.

2. In the Modify Zoom and Scroll Settings window, select one of these in the Zoom Settings section:

– Incremental zoom to increase or decrease the visible time period by a factor of two each time you zoom in or out

– Maximum zoom to decrease the visible time period to one day when you zoom in or to increase the visible time period to 30 days (or fewer if the system was installed less than 30 days ago) when you zoom out

3. Click on the Update Settings button.

Viewing details for a point in time

In each resource usage graph, a vertical line serves as a time marker. The marked time is displayed in the middle above the graphs. The graph legends show the detailed resource usage statistics for the marked time.

To show detailed statistics for a different time, you reposition the time marker. The time marker is always in the same location in all the graphs, so when you reposition it in one graph, it changes in all.

To reposition the time marker, click in the graph at the point in time to which you want the marker to move.


Specifying a time period

Above the resource usage graphs, the Resources page displays the start time of the currently visible time period on the left and the end time on the right. By default, when you open the page, the graphs show statistics for 30 days (or fewer if the system was installed less than 30 days ago), ending with the day of the most recently recorded SAR data.

You can change the time period shown in the graphs by selecting new start and end dates. The time period you specify can be at most 30 days. This time period applies to all the graphs.

HCP keeps SAR data for 180 days. As a result, the start date you specify cannot be more than 180 days in the past.

To change the time period shown in the resource usage graphs:

1. On the Resources page, click on the calendar control above the top left graph.

2. In the Modify Date Range window:

– In the From field, specify the start date for the time period you want the graphs to cover. If you leave this field blank, the graphs use a start date of 30 days before the date specified in the To field (or fewer if the system was installed less than 30 days ago).

– In the To field, specify the end date for the time period you want the graphs to cover. If you leave this field blank, the graphs use an end date of 30 days after the date specified in the From field (or fewer if the From date is less than 30 days ago).

In both fields, you can specify the date in either of these ways:

– Click on the calendar control next to the applicable field and select the date you want.

– Type the date you want, in this format: m/d/y

In this format, m is the one- or two-digit month, d is the one- or two-digit day, and y is the two- or four-digit year.

You can specify values in either or both of the From and To fields. You cannot leave both fields empty.

3. Click on the Update Settings button.


Scrolling

You can scroll left and right in the resource usage graphs to shift the time period that’s visible in the graphs. Scrolling affects all graphs equally.

To scroll left to see an earlier time period, click on the left arrow above the top left graph.

To scroll right to see a later time period, click on the right arrow above the top left graph.

To scroll right or left to see the time period with the currently marked time in the middle, click on the vertical line above the top left graph.

After each scroll action, the scroll controls are momentarily greyed.

You can set the percent by which scrolling shifts the visible time period each time you scroll left or right. To do this:

1. On the Resources page, click on the edit control above the top left graph.

2. In the Modify Zoom and Scroll Settings window, select one of these in the Scroll Settings section:

– Move left/right by 25% to shift the visible time period by 25% each time you scroll left or right.

– Move left/right by 50% to shift the visible time period by 50% each time you scroll left or right.

– Move left/right by 100% to shift the visible time period by 100% each time you scroll left or right.

3. Click on the Update Settings button.


Viewing system log messages on the Resources page

To display the HCP system log on the Resources page, click on Logs at the bottom of the page.

When the Logs section opens, the message at the top of the list is the most recently recorded message before the end of the time period shown in the graphs.

For information on displays of system log messages, see “Understanding the HCP system log” on page 436.

Generating chargeback reports

You can generate chargeback reports from the HCP System Management Console. A chargeback report contains current and historical storage usage statistics for HCP tenants and their namespaces. For each chargeback report, you specify the start and end dates of the report period, which is the time period that’s covered by the report, and select the reporting interval, which determines whether HCP generates hourly, daily, or total storage usage statistics for the specified report period.

Chargeback reports are a good source of information for system analysis, enabling you to adjust storage and bandwidth allocations based on usage patterns. These reports can also serve as input to billing systems that need to determine charges for capacity and bandwidth usage at the tenant or namespace level.

Chargeback reports cover only HCP tenants and their namespaces. They do not include the default tenant or its namespace.

About chargeback reports

A chargeback report contains aggregated namespace statistics for each HCP tenant that’s defined on the HCP system. For any given tenant, the total number of reads shown for a specific reporting interval is the total number of read operations that occurred during that interval in all the namespaces owned by that tenant.

Chargeback reports also contain aggregated HCP-tenant statistics for the HCP system as a whole. For example, the total number of reads for an HCP system shown for a specific reporting interval is the total number of successful read operations that occurred during that interval in each namespace that’s owned by each HCP tenant that’s defined on the HCP system. System statistics shown in chargeback reports do not include storage usage data for the default tenant or the default namespace.


If an HCP tenant has been configured to allow system-level users to manage it, chargeback reports also contain statistics for each individual namespace that’s owned by that tenant.

When generated from the System Management Console, chargeback reports are in CSV format. Each line in a report contains the values for one namespace, for one tenant, or for the entire HCP system during a specific reporting interval (that is, during a specific hour, during a specific day, or during the entire report period).

The lines in a chargeback report are ordered alphabetically by tenant name. If the report includes the namespaces that are owned by a tenant, the lines for those namespaces are ordered alphabetically below the lines for that tenant. The lines for the HCP system are at the end of the report.

Multiple lines for a tenant, a namespace, or the HCP system are ordered in ascending chronological order.

For information on how chargeback data is collected, see “Chargeback statistics collection” on page 472. For information on the contents of chargeback reports, see “Chargeback report content” on page 473.

Generating a chargeback report

In the System Management Console, you can use either the Chargeback page or the Reports panel on the Storage page to generate chargeback reports for HCP tenants and their namespaces.

This section explains how to use the Chargeback page to generate chargeback reports. For instructions on using the Reports panel on the Storage page to generate chargeback reports, see “Monitoring storage pools and components” on page 193.

For each chargeback report you generate, you use the controls on the Chargeback page to specify the start and end dates of the report period, select the reporting interval, and then generate and download the chargeback report.

The report period is the period of time for which you want to generate tenant and namespace storage usage statistics. To define a report period, you specify the start and end dates for the time period covered by the report. For any given report period, the earliest start date you can specify is either 30 days earlier than the current date or the day on which the HCP system was installed (if the system was installed less than 30 days ago).

The latest report period end date that you can specify is the current date.

You can use the same date as the start date and the end date of the report period. In this case, the report period starts at 12:00:00 a.m. on the specified date and ends at 11:59:59 p.m. on that date.


Once you define the report period on the Chargeback page, you can select the appropriate reporting interval to generate an hourly, daily, or total storage usage report for the specified report period:

• An hourly storage usage report includes cumulative, hourly storage usage statistics for each hour of the report period for which storage usage statistics were available for all or part of the hour.

If the report period starts on the day on which the HCP system was installed, the first set of statistics in the report are the statistics that accumulated between the time when the system came online and the end of the last minute in that hour. For example, if the system came online at 2:30:20 p.m. on July 25th, and the report period starts on July 25th, the first set of statistics in the report are the statistics that accumulated between 2:30:20 p.m. and 2:59:59 p.m. on July 25th.

If the report period ends on the current date, the last set of statistics in the report are the statistics that accumulated from the beginning of the current hour to the time at which you requested the chargeback report. For example, if you requested an hourly storage usage report at 2:30:15 p.m., the last set of statistics in the report would be the statistics that accumulated between 2:00:00 p.m. and 2:30:15 p.m.

• A daily storage usage report includes cumulative, daily storage usage statistics for each day of the report period for which storage usage statistics were available for all or part of the day.

Each day of the report period is defined as the time period between 12:00:00 a.m. and 11:59:59 p.m. on a specific date that’s in the range of dates that’s defined for the report period.

If the report period starts on the day on which the HCP system was installed, the first set of statistics in the report are the statistics that accumulated between the time when the system came online and 11:59:59 p.m. on that day. For example, if the system came online at 2:30:20 p.m. on July 25th, and the report period starts on July 25th, the first set of statistics in the report are the statistics that accumulated between 2:30:20 p.m. and 11:59:59 p.m. on July 25th.

If the report period ends on the current date, the last set of statistics in the report are the statistics that accumulated from 12:00:00 a.m. on the current date to the time at which you requested the chargeback report. For example, if you requested an hourly storage usage report at 2:30:15 p.m., the last set of statistics in the report would be the statistics that accumulated between 12:00:00 a.m. and 2:30:15 p.m.


• A total storage usage report includes the statistics that accumulated during the entire report period.

Unless the report period includes the date on which the HCP system was installed or the date on which you requested the report, a total storage usage report includes the statistics that accumulated between 12:00:00 a.m. on the first day of the report period and 11:59:59 p.m. on the last day of the report period.

If the report period includes the day on which the HCP system was installed, the total storage usage report includes the statistics that accumulated between the time at which the system came online and either 11:59:59 p.m. on the last day of the report period or the time at which you requested the report on the current date.

For example, if you requested a total storage usage report at 2:50:25 p.m. on August 7th, the system came online at 2:30:20 p.m. on July 25th, and you defined the report period with a start date of July 25th and an end date of August 7th, the total storage usage report would include the statistics that accumulated between 2:30:20 p.m. on July 25th and 2:50:25 p.m. on August 7th.

Note: The statistics reported for the current hour may not reflect some reads and writes that have already occurred during the hour. After the hour is past, however, the statistics reported for it are complete.

Tip: You can use the HCP management API to generate chargeback reports that cover time periods that are longer than one month and are in XML, JSON, or CSV format. You can use this feature to create applications that generate chargeback reports at regular intervals and feed those reports to a billing system. For information on using the management API to generate chargeback reports, see HCP Management API Reference.

Roles: To generate a chargeback report, you need the monitor or administrator role.

To generate a chargeback report:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on Chargeback.


3. On the Chargeback page, select the appropriate reporting interval for the type of storage usage report that you want to generate, and specify the start and end dates for the report period:

– In the Reporting Interval field, select Hour, Day, or Total to generate an hourly, daily, or total storage usage report, respectively.

– Use the Start Date field to specify the start date of the report period. Take one of these actions:

• Enter the start date in the text field in mm/dd/yyyy format.

• Click on the calendar icon to display a monthly calendar. Then use the arrows at the top of the calendar to navigate to the month containing the start date that you want to define for the report period, and click on that date to select it.

– Use the End Date field to specify the end date of the report period. Take one of these actions:

• Enter the end date in the text field in mm/dd/yyyy format.

• Click on the calendar icon to display a monthly calendar. Then use the arrows at the top of the calendar to navigate to the month containing the end date that you want to define for the report period, and click on that date to select it.

The Chargeback page displays four graphs showing the storage usage statistics for each reporting interval during the report period. These graphs show the total number of bytes written, the total number of bytes read, the total number of write operations, and the total number of read operations for all tenants defined on the system for each reporting interval during the specified report period.

4. To generate and download a complete, detailed chargeback report, click on the Download Report button.

By default, the name of the downloaded report file is Hourly-Chargeback-Report.csv, Daily-Chargeback-Report.csv, or Monthly-Chargeback-Report.csv, as applicable.

Chargeback statistics collection

For chargeback reports downloaded from the Chargeback page, statistics included in a given report either reflect a specific point in time or are dynamic. Point-in-time statistics are measurements taken at the end of a reporting interval, such as the used storage capacity for a namespace at the end of an hour. Dynamic statistics are measurements, such as the number of reads or writes to a namespace, that are accumulated over time.

HCP accumulates dynamic statistics on an hourly basis, starting at the beginning of each hour. So, for example, one statistic might represent the number of successful writes to a namespace that occurred between 11:00:00 and 11:59:59. Another might represent the number of successful writes to the same namespace that occurred between 12:00:00 and 12:59:59.

Chargeback report content

The first line of a chargeback report contains identifiers for the values in the subsequent lines. The table below describes each of these values and indicates whether it is point in time (P) or dynamic (D).

Identifier: systemName
Type: N/A
Value: One of:

• The name of the domain associated with the [hcp_system] network for the HCP system to which the set of aggregated statistics in the line applies

• The name of the domain associated with the data access network for the tenant to which the set of aggregated statistics in the line applies

• The name of the domain associated with the data access network for the tenant that owns the namespace to which the set of statistics in the line applies

For information on networks, see “About virtual networking with HCP” on page 224.

Identifier: tenantName
Type: N/A
Value: Either:

• The name of the tenant to which the set of statistics in the line applies

• The name of the tenant that owns the namespace to which the set of statistics in the line applies

In lines that contain systemwide statistics, this field has no value.


Identifier: namespaceName
Type: N/A
Value: The name of the namespace to which the set of statistics in the line applies.

In lines that contain tenant or systemwide statistics, this field has no value.

Identifier: startTime
Type: N/A
Value: The start time of the reporting interval for the set of statistics in the line, in this format:

yyyy-MM-dd hh:mm:ss

hh is hours on a 24-hour clock.

For example: 2010-10-07 14:00:00

Identifier: endTime
Type: N/A
Value: The end time of the reporting interval for the set of statistics in the line, in the same format as is used for the startTime value.

Identifier: objectCount
Type: P
Value: The number of objects in the identified namespace, in all the namespaces owned by the identified tenant, or in all the HCP namespaces in the HCP system.

Identifier: ingestedVolume
Type: P
Value: The total size of the stored data and custom metadata, in bytes, before it was added to the identified namespace, to any of the namespaces owned by the identified tenant, or to any of the HCP namespaces in the HCP system.

Identifier: storageCapacityUsed
Type: P
Value: The total number of bytes of primary running storage that’s occupied by stored data for the identified namespace, for all the namespaces owned by the identified tenant, or for all the HCP namespaces in the HCP system. This includes object data, metadata, and any redundant data required to satisfy the applicable service plan.

Identifier: bytesIn
Type: D
Value: The total number of bytes successfully written to the identified namespace, to any of the namespaces owned by the identified tenant, or to any of the HCP namespaces in the HCP system during the reporting interval.

If data was compressed before being transmitted, this is the number of bytes before compression.


Identifier: bytesOut
Type: D
Value: The total number of bytes read from the identified namespace, from any of the namespaces owned by the identified tenant, or from any of the HCP namespaces in the HCP system during the reporting interval.

If data (including XML for directory listings) was compressed before being transmitted, this is the number of bytes before compression.

Identifier: reads
Type: D
Value: The total number of read operations performed in the identified namespace, in all the namespaces owned by the identified tenant, or in all the HCP namespaces in the HCP system during the reporting interval.

Identifier: writes
Type: D
Value: The total number of write operations successfully performed in the identified namespace, in all the namespaces owned by the identified tenant, or in all the HCP namespaces in the HCP system during the reporting interval.

Identifier: deletes
Type: D
Value: The total number of delete and purge operations successfully performed in the identified namespace, in all the namespaces owned by the identified tenant, or in all the HCP namespaces in the HCP system during the reporting interval.

Identifier: tieredObjects
Type: P
Value: The total number of objects with data currently stored in primary spindown storage (if it’s used) and in extended storage for the identified namespace, for all the namespaces owned by the identified tenant, or for all the HCP namespaces in the HCP system.

Identifier: tieredBytes
Type: P
Value: The total number of bytes of object data currently stored in primary spindown storage (if it’s used) and in extended storage for the identified namespace, for all the namespaces owned by the identified tenant, or for all the HCP namespaces in the HCP system.

Identifier: metadataOnlyObjects
Type: P
Value: The total number of objects that are currently metadata-only in the identified namespace, in all the namespaces owned by the identified tenant, or in all the HCP namespaces in the HCP system.

Identifier: metadataOnlyBytes
Type: P
Value: The total number of bytes of object data currently not stored for metadata-only objects in the identified namespace, in all the namespaces owned by the identified tenant, or in all the HCP namespaces in the HCP system.


Identifier: deleted
Type: N/A
Value: One of:

• true — The namespace or tenant was deleted after the statistics in the set were collected.

• false — The namespace or tenant currently exists.

• included — For a tenant or the HCP system, the statistics in the set include values for one or more namespaces that were subsequently deleted.

Identifier: valid
Type: N/A
Value: The status of the set of statistics in the line. Possible values are:

• true — HCP successfully collected all statistics in the set.

• false — The statistics in the set do not reflect all the activity that occurred during the reporting interval. This may be due, for example, to one or more nodes being unavailable during that time, to a network failure, or to other hardware issues.
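The P and D types above decide how report lines can be combined across reporting intervals before they reach a billing system: dynamic values can be summed, point-in-time values cannot, and lines with valid set to false undercount activity. The Python below is an added example, not code from the HCP documentation; the sample report is constructed, and its column order, domain names, namespace name and the summarize and needs_review helpers are assumptions.

```python
import csv
import io

# Dynamic (D) statistics accumulate within each reporting interval, so the
# values from several lines can be summed.
DYNAMIC = ("bytesIn", "bytesOut", "reads", "writes", "deletes")
# Point-in-time (P) statistics are snapshots taken at the end of an interval.
# Summing them is meaningless; only the latest snapshot is kept.
POINT_IN_TIME = ("objectCount", "ingestedVolume", "storageCapacityUsed",
                 "tieredObjects", "tieredBytes",
                 "metadataOnlyObjects", "metadataOnlyBytes")

# Constructed sample (not real HCP output). The column order is an assumption;
# the parser reads columns by name, so the order does not matter.
SAMPLE_REPORT = (
    "systemName,tenantName,namespaceName,startTime,endTime,objectCount,"
    "ingestedVolume,storageCapacityUsed,bytesIn,bytesOut,reads,writes,deletes,"
    "tieredObjects,tieredBytes,metadataOnlyObjects,metadataOnlyBytes,"
    "deleted,valid\n"
    "finance.hcp.example.com,finance,,2012-10-07 13:00:00,2012-10-07 13:59:59,"
    "10,1000,2400,500,200,4,5,0,0,0,0,0,false,true\n"
    "finance.hcp.example.com,finance,,2012-10-07 14:00:00,2012-10-07 14:30:15,"
    "12,1300,3000,300,100,2,2,0,0,0,0,0,false,false\n"
    "finance.hcp.example.com,finance,accounts,2012-10-07 13:00:00,"
    "2012-10-07 13:59:59,10,1000,2400,500,200,4,5,0,0,0,0,0,false,true\n"
    "finance.hcp.example.com,finance,accounts,2012-10-07 14:00:00,"
    "2012-10-07 14:30:15,12,1300,3000,300,100,2,2,0,0,0,0,0,false,false\n"
    "hr.hcp.example.com,hr,,2012-10-07 13:00:00,2012-10-07 13:59:59,"
    "3,90,200,90,0,0,3,0,0,0,0,0,included,true\n"
    "hcp.example.com,,,2012-10-07 13:00:00,2012-10-07 13:59:59,"
    "13,1090,2600,590,200,4,8,0,0,0,0,0,included,true\n"
)


def to_int(value):
    """Convert a numeric field, treating an empty field as zero."""
    return int(value.strip() or 0)


def scope_of(row):
    """Classify a line: tenantName is empty in systemwide lines, and
    namespaceName is empty in tenant and systemwide lines."""
    if not row["tenantName"]:
        return "system"
    if not row["namespaceName"]:
        return "tenant"
    return "namespace"


def summarize(report_text):
    """Aggregate report lines per (scope, tenantName, namespaceName)."""
    summary = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (scope_of(row), row["tenantName"], row["namespaceName"])
        entry = summary.setdefault(key, {
            "dynamic": dict.fromkeys(DYNAMIC, 0),
            "latest": None,      # latest point-in-time snapshot
            "latest_end": "",    # endTime of that snapshot
            "incomplete": [],    # intervals reported with valid != true
            "deleted": set(),    # distinct values seen in the deleted column
        })
        for name in DYNAMIC:
            entry["dynamic"][name] += to_int(row[name])
        # yyyy-MM-dd hh:mm:ss on a 24-hour clock sorts correctly as text.
        if row["endTime"] >= entry["latest_end"]:
            entry["latest_end"] = row["endTime"]
            entry["latest"] = {n: to_int(row[n]) for n in POINT_IN_TIME}
        if row["valid"].strip().lower() != "true":
            entry["incomplete"].append((row["startTime"], row["endTime"]))
        entry["deleted"].add(row["deleted"].strip().lower())
    return summary


def needs_review(summary):
    """Keys whose totals undercount activity in at least one interval."""
    return sorted(key for key, entry in summary.items() if entry["incomplete"])


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for key in sorted(result):
        entry = result[key]
        print(key, entry["dynamic"], entry["latest"]["storageCapacityUsed"])
    print("review before billing:", needs_review(result))
```
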

Sample chargeback report

The next page shows an example of an hourly chargeback report, where the report was requested at 2:30:15 p.m. on October 7, 2012. It shows statistics for the HR and Finance tenants. Because system-level users have administrative access to the Finance tenant, it also shows statistics for each individual namespace owned by the Finance tenant. The report is shown as it would appear in a spreadsheet.


Configuring the Hitachi Device Manager connection

With SAIN systems only, HCP can push information to Hitachi Device Manager (HDvM), so you can monitor and manage HCP along with your other Hitachi storage systems from a single console. You use the HDvM page in the HCP System Management Console to configure and test the connection between HCP and HDvM.

NOTE: HCP supports IPv4 and IPv6 network connections to HDvM servers. However, HDvM support for IPv6 network connections varies based on the HDvM server operating system. For information on requirements for HDvM servers that support IPv6 networks, see the applicable Hitachi Command Suite documentation.

You can configure HCP to automatically push the information. You can also manually request a push at any time.

To display the HDvM page:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on HDvM.

Roles: To view the HDvM page, you need the monitor or administrator role. To configure the HDvM connection, you need the administrator role.

The HDvM page shows the date and time HCP last pushed information to HDvM and the HDvM response to that action. If the last attempt to push information was unsuccessful, the panel also shows the time of and response to the last successful push.

Note: A response message of “Partial update” may be the result of a transient error (for example, a LUN scan that hasn’t finished yet). If you see this message, wait a few minutes. Then request the information push again. If you see this message repeatedly, contact your authorized HCP service provider for help.

For information on using HDvM, see the applicable HDvM documentation.

To configure HCP to work with HDvM:

1. On the HDvM page of the System Management Console:


– To have HCP automatically push information to HDvM, select the Enable scheduled updates to HDvM option.

– In the Device Manager Server field, type the hostname or IP address that you want HCP to use to connect to HDvM.

– In the Username field, type your username for logging into HDvM.

– In the Password field, type your password.

If you’re modifying the HDvM settings and you leave the Password field empty, the previously set password remains in effect.

– In the Frequency field, select the frequency with which you want HCP to automatically update HDvM with new information.

Tip: You can use the Send Now button on this page to force an update at any time.

2. Optionally, click on the Test button to verify that HCP can contact HDvM with the settings you’ve specified.

HCP displays a message at the top of the page indicating whether the test was successful. If it wasn’t, correct the settings.

Tip: You can use the Test button to test the HDvM connection at any time.

3. Click on the Update HDvM Settings button.


Chapter 14: Troubleshooting

From the system console for any HCP node, you can run selected diagnostics that can help with analyzing and resolving issues with interactions between the node and other components in the HCP environment.

Additionally, HCP maintains internal logs that can help HCP support personnel with problem resolution. Using the System Management Console, you can insert messages into these internal logs. You can use this capability, for example, to describe conditions that may indicate a problem with the HCP system. If problems occur with the HCP system, you can download the internal logs into a single file, which you can then send to your HCP support center.

This chapter:

• Describes the available diagnostics and explains how to run them

• Contains instructions for marking and downloading the HCP internal logs


Running diagnostics

You can run selected diagnostics on the nodes in an HCP system to help analyze and resolve issues related to interactions between the nodes and other components in the HCP environment. The available diagnostics let you:

• Ping a specified device (ping)

• Display the network path being used for communications between the node and a specified device (traceroute)

• Query the DNS for the records that match a specified IP address or domain name (dig)

• Display the routing table for the node (route)

• Display the NFS exports table for a specified device (showmount)

• On SAIN systems, display information about the logical volumes that are mapped to the node on the Fibre Channel SAN arrays (fchbainfo)

You run diagnostics from the system console for a node. To use the system console, you need a keyboard and monitor.

To run diagnostics, you use the Appliance Diagnostics menu. To display this menu in the system console, press Alt+F8.


To run diagnostics from the Appliance Diagnostics menu:

• To execute a diagnostic command, enter the option number for that command. If the command requires an argument, HCP prompts you to enter a valid value for that argument. HCP then executes the command and displays the results on the screen.

• To cancel a command before it finishes, press Ctrl+C.

• If the information displayed in response to a command is longer than the space available on the screen, use Shift+PgUp and Shift+PgDn to scroll the display up or down, respectively.

• To return to the Appliance Diagnostics menu after viewing the information displayed by a command, press Enter.

• To clear the screen and redisplay the Appliance Diagnostics menu at the top, use option c from the menu.

• To return to the console login prompt from the Appliance Diagnostics menu, press Alt+F1.

In addition to being displayed on screen, the results of each diagnostic command that you execute are sent to the syslog servers that you specify on the Syslog page in the HCP System Management Console. For information on specifying syslog servers, see “Enabling syslog logging” on page 441.

For more information on the diagnostic commands that you can execute from the Appliance Diagnostics menu, see the man pages for the commands on a Linux system.

ping

The ping command pings a device that you identify by IP address or fully qualified domain name (FQDN). You might run this diagnostic, for example, to determine whether the node you’re on can communicate with a specific DNS server, external time server, or external storage device.

The ping command pings the specified device ten times, displaying the result of the ping each time. However, if the device is unreachable, the command displays only the summary of the ping attempts after the ten tries.

To execute the ping command:

1. From the Appliance Diagnostics menu, enter 1.

A prompt for an IP address or FQDN appears.

2. Enter the target device IP address or FQDN.


The results of the ping command are displayed on the screen.

3. After viewing the display, press Enter to return to the Appliance Diagnostics menu.

Here’s a sample response to the ping command:

traceroute

The traceroute command displays the network path through which the node you’re on communicates with a device that you identify by IP address or FQDN. You might run this diagnostic, for example, if communication between the node and another device, such as a DNS server, is taking longer than expected.

For each pair of points in the network path, the traceroute command displays the round-trip time between the two points for each of three probes. You can use this information, for example, to determine whether the network topology is configured correctly.

To execute the traceroute command:

1. From the Appliance Diagnostics menu, enter 2.

A prompt for an IP address or FQDN appears.

2. Enter the target device IP address or FQDN.

The results of the traceroute command are displayed on the screen.


3. After viewing the display, press Enter to return to the Appliance Diagnostics menu.

Here’s a sample response to the traceroute command:

dig

The dig command queries the DNS for records that match an IP address or FQDN that you specify. You might run this diagnostic with an HCP domain name, for example, if you have user-defined networks that are not working as expected.

When you execute the dig command, you are prompted for arguments. Although you can specify any dig command arguments, this document describes only IP addresses and FQDNs.

To execute the dig command:

1. From the Appliance Diagnostics menu, enter 3.

A prompt for dig command arguments appears.

2. Enter one of these arguments:

– -x followed by an IP address (for example, -x 172.20.33.40)

– An FQDN

3. In response to the confirming prompt, enter y to confirm your entry or n to try again.

When you enter y, the results of the dig command are displayed on the screen.

4. After viewing the display, press Enter to return to the Appliance Diagnostics menu.


Here’s a sample response to the dig command with the argument hcp.example.com:

route

The route command displays the routing table for the node you’re on. This table shows the subnets that the node belongs to. The information for each subnet includes the subnet mask and the network interface. For the [hcp_system] network (shown as default) and the network used for replication, the subnet information also includes the network gateway IP address.

This diagnostic is useful, for example, for exposing network connectivity problems such as missing interfaces. If you’ve created multiple networks in HCP, the display from the route command should show the subnet and interface for each network for which the node has an IP address.

To execute the route command:

1. From the Appliance Diagnostics menu, enter 4.

The results of the route command are displayed on the screen.

2. After viewing the display, press Enter to return to the Appliance Diagnostics menu.


Here’s a sample response to the route command:


showmount

The showmount command displays the NFS exports table for a device that you identify by IP address or FQDN or for the node you’re on. You might run this diagnostic, for example, to check whether shares associated with external storage volumes are properly exported on the external storage device.

Each line in the exports table shows a path that can be mounted by other devices. For an HCP node, the exports table includes the paths to namespaces for which the NFS protocol is enabled.

To execute the showmount command:

1. From the Appliance Diagnostics menu, enter 5.

A prompt for an IP address or FQDN appears.

2. Enter the target device IP address or FQDN. For the FQDN of the node you’re on, use localhost.

The results of the showmount command are displayed on the screen.

3. After viewing the display, press Enter to return to the Appliance Diagnostics menu.

Here’s a sample response to the showmount command:


fchbainfo

For SAIN systems only, the fchbainfo command displays information about the logical volumes that are mapped to the node you’re on for all the Fibre Channel SAN arrays to which the node is connected. You might run this command, for example, to diagnose issues with zero-copy failover.

The information displayed by the fchbainfo command is broken out by HBA port. For each logical volume that maps to the port, the display includes the volume number and size.

To execute the fchbainfo command:

1. From the Appliance Diagnostics menu, enter 6.

The results of the fchbainfo command are displayed on the screen.

2. After viewing the display, press Enter to return to the Appliance Diagnostics menu.


Here’s a sample response to the fchbainfo command:

Working with the HCP internal logs

In addition to the HCP system log, which is displayed in the System Management Console, HCP maintains internal logs. These logs record the processing activity of various components of the HCP system. If a problem with the system occurs, the internal logs can help HCP support personnel diagnose and resolve it.

Internal logs can be generated for both HCP General Nodes and HCP S Series Nodes. The logs can be created separately for the two types of nodes or together.


At any time, you can insert a comment into the internal logs. You can use this capability, for example, to note unusual events that occur in the HCP system. This can later help support personnel understand the symptoms that indicate a possible problem. It can also help them determine when a problem started.

To help with troubleshooting, you can download the internal logs and send them to your HCP support center. For ease of handling, HCP downloads the logs into a single file.

HCP keeps internal logs for at most 35 days. You can download the logs for any length of time within that period. When taking this action, be sure to include all the days on which you observed problems with the system.

When downloading the logs, you can provide a message for the support center. This message should include a description of the problem, your contact information, the applicable case number (if one has been assigned), and any other information that can help support personnel resolve the problem.

HCP encrypts the downloaded log files to ensure their privacy. Only HCP support personnel have the key required to decrypt the logs.

Important: Downloading the internal logs puts a heavy load on the HCP system. Do not take this action unless explicitly told to do so by HCP support personnel.

You use the Internal Logs page in the HCP System Management Console to insert comments into and download the HCP internal logs. To display this page:

1. In the top-level menu in the System Management Console, mouse over Monitoring to display a secondary menu.

2. In the secondary menu, click on Internal Logs.

Roles: To insert comments into the internal logs, you need the monitor, administrator, or security role. To download the HCP internal logs, you need the administrator role.

Adding a comment to the internal logs

To insert a comment into the HCP internal logs:

1. On the Internal Logs page, click on Mark Internal Logs.


2. In the Insert this message into the internal logs field in the Mark Internal Logs panel, type the comment text. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

3. Click on the Mark Internal Logs button.

Downloading the internal logs for one or more storage nodes

The internal logs for both HCP primary and economy storage can be downloaded. Any logs generated by HCP S Series Nodes appear in their own separate Storage Preparation Status panel. If the HCP system doesn’t use economy storage, this panel does not exist.

To prepare and download the HCP internal logs:

1. On the Internal Logs page, click on Download Internal Logs to expand that section on the page.

2. In the Download Internal Logs section:

– Use the Start Date and End Date fields to specify the start and end dates for the time period for which you want to generate the internal logs. For the date format, use mm/dd/yyyy.

Note: The time period for which HCP generates the internal logs includes the specified start and end dates.

– Optionally, in the Insert this message into the internal logs field, type a message to be inserted into the logs before they’re downloaded and to be included in the manifest that accompanies the downloaded logs. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

3. Click on the Prepare Internal Logs button.

HCP prepares the logs for downloading. During this process, in the Download Internal Logs panel, the active Prepare Internal Logs button changes to a greyed-out Download Internal Logs button, and the panel displays the Preparation Status table, which lists the nodes in the HCP system in numeric order (by node number), and reports on the status of the log preparation process on each node. You do not need to remain on the Internal Logs page during the log preparation process.

Note: HCP can perform only one log preparation operation at a time.

When HCP finishes preparing the logs, the node and S Series Node Preparation Status tables show the status of each node in the HCP system, and the checkboxes at the end of each row become selectable.

Tip: If you want to prepare the logs again before you download them (for example, to prepare the logs for a different time period), click on the Cancel button to reactivate the Prepare Internal Logs button.

4. Optionally, insert a message into the logs before downloading them:

a. Click on Mark Internal Logs to expand that section on the page.

b. In the Insert this message into the internal logs field, type a message to be inserted into the logs before they’re downloaded and to be included in the manifest that accompanies the downloaded logs. This text can be up to 1,024 characters long and can contain any valid UTF-8 characters, including white space.

5. In the Download Internal Logs section, use the checkboxes in the last column in the Preparation Status table to select the nodes for which you want to download the internal logs.

Note: By default, all nodes for which the logs were successfully prepared are automatically selected.

6. When you finish selecting the nodes for which you want to download the internal logs, click on the Download Internal Logs button.

HCP downloads the logs from the selected nodes and creates a .zip file that contains all of the internal logs for those nodes. For each selected node, HCP reports the progress of the log download in the Download Internal Logs panel. You do not need to remain on the Internal Logs page during this process.


7. When prompted, save the .zip file containing the downloaded logs in the location of your choice.

Note: If the System Management Console session times out due to inactivity before the prompt to save the file appears, the download fails. If this happens, increase the inactivity timeout interval; then try the download again. For information on changing the inactivity timeout interval, see “Changing user account and login settings” on page 76.

8. Take one of these actions:

– To create another .zip file that contains the internal logs you just generated for any or all of the HCP storage nodes, repeat step 4 through step 7 above.

Note: You can perform any number of log download procedures for the time frame that you selected in step 2, and you can download these logs for each node any number of times.

– If you’re finished downloading all of the internal logs you need, or if you need to prepare the logs again before downloading any additional logs, click on the Cancel button.

The Internal Logs page displays a success message and collapses the Mark Internal Logs and Download Internal Logs panels on the page.


Appendix A: System Management Console alerts

The HCP System Management Console uses icons with mouse-over text, called alerts, to provide high-level health status reports for specific elements of the HCP system and to identify problems that need your attention.

System Management Console alerts appear on the Overview, Hardware, Storage Node, Storage, Networks, Tenants, Domains and Certificates, and Authentication pages.

The System Management Console uses two types of alert icons:

System health icons — Indicate the current health of one or more elements of the HCP system, such as the metadata query engine or the power supplies for a storage node. These icons appear on the Overview, Hardware, Storage Node, Tenants, Domains and Certificates, and Authentication pages. System health icons on the Overview, Storage Node, and Authentication pages are also accompanied by text.

Error and warning icons — Indicate error and warning conditions related to one or more elements of the HCP system. This type of icon appears only when an error or warning condition exists. These icons appear on the Storage and Networks pages.

This appendix describes the alerts that can appear on the Console pages and tells you how to respond to alerts that indicate problems. The appendix does not list alerts pertaining to HCP S Series Nodes. For more information on those alerts, see HCP S Series Node Help.


Overview page alerts

The System Management Console uses system health icons for alerts that appear on the Overview page. These alerts are described in the table below. The alerts are listed alphabetically by their mouse-over text.

| Mouse-over text | Description |
|---|---|
| Abnormal temperature | IPMI sensors are detecting one or more nodes with temperature readings outside the recommended range. For details, see the applicable Storage Node pages. |
| Abnormal voltage | IPMI sensors are detecting one or more nodes with voltage readings outside the recommended range. For details, see the applicable Storage Node pages. |
| Active Directory certificates expire soon | One or more AD SSL certificates will expire within 90 days. If a certificate expires, communication with AD may fail. To ensure that communication with AD is not disrupted, export a new SSL certificate from AD and upload it to HCP. |
| Active Directory certificates expire soon | One or more AD SSL certificates will expire within 30 days. If a certificate expires, communication with AD may fail. To ensure that communication with AD is not disrupted, export a new SSL certificate from AD and upload it to HCP. |
| Active Directory secure connection issue | HCP could not communicate with AD due to a problem with the AD SSL server certificate uploaded to HCP. Ensure that you have the correct certificate. Then upload the certificate again on the Authentication page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider. |
| AD credentials invalid | The credentials for the HCP computer account used to query AD for groups are invalid. Reconfigure support for AD on the Authentication page in the HCP System Management Console. The recommended procedure is to specify an HCP computer account that does not already exist in AD, thereby allowing the account to be created automatically. |


| Mouse-over text | Description |
|---|---|
| AD partially configured | AD authentication is enabled only for the default namespace and is not currently supported for HCP namespaces. This can happen after an upgrade, where the CIFS protocol was enabled for the default namespace with AD authentication before the upgrade occurred. To enable support for AD for HCP namespaces, enable HCP support for AD on the Authentication page in the HCP System Management Console. |
| All metadata is intact | HCP policies have found no problems with object metadata. |
| All objects are intact | HCP services have found no problems with object data. |
| All operation-types operations are disabled | The indicated types of operations are currently not allowed. This alert appears when any permissions are disabled in the systemwide permission mask. For information on the systemwide permission mask, see “Setting the systemwide permission mask” on page 431. |
| An unrecoverable error has occurred | HCP is experiencing a problem it cannot fix by itself. Please contact your authorized HCP service provider. |
| Authentication of HDDS user failed | HDDS cannot validate the username and password specified for the HDDS search facility statistics user. On the Search page in the HCP System Management Console, specify valid credentials for an HDDS user account in the Administrator group. This alert appears only while the HDDS search facility is enabled. |
| Back-end switch error | One or more back-end switches are not operating normally. Please contact your authorized HCP service provider. |
| BBU charging | For RAIN systems only, the battery backup unit in one or more nodes is charging. |
| BBU degraded; charging | For RAIN systems only, the battery backup unit in one or more nodes is charging. The write-cache is disabled on those nodes. |
| BBU degraded; discharging | For RAIN systems only, the battery backup unit in one or more nodes is discharging. The write-cache is disabled on those nodes. |


| Mouse-over text | Description |
|---|---|
| BBU discharging | For RAIN systems only, the battery backup unit in one or more nodes is discharging. |
| BBU failed | For RAIN systems only, the battery backup unit in one or more nodes has failed. The write-cache is disabled on those nodes. If this alert appears for more than a few hours, please contact your authorized HCP service provider. |
| BBU in learn cycle | For RAIN systems only, the battery backup unit in one or more nodes is in a learn cycle. System performance may be temporarily degraded. |
| Below metadata protection level. Repairing... | Primary running storage contains too few copies of metadata for one or more objects. The ingest tier metadata DPL defined for the namespace that contains each object is higher than the number of copies of metadata for that object currently found in primary running storage. The protection service is in the process of repairing this problem. |
| Broken fan | IPMI sensors are detecting one or more nodes or CB 320 server chassis with fan speeds outside the recommended range. For details, see the applicable Storage Node pages (for nodes) or the Hardware page (for chassis). |
| Cannot access Key Distribution Center | HCP cannot access the Key Distribution Center in the AD domain specified in the HCP AD configuration. Check that both the AD domain controller and the network connection between HCP and that server are healthy. If they both appear to be working properly, please contact your authorized HCP service provider. |
| Cannot access LDAP server | HCP cannot access the LDAP server for the AD domain specified in the HCP AD configuration. Check that both the LDAP server and the network connection between HCP and that server are healthy. If they both appear to be working properly, please contact your authorized HCP service provider. |
| Cannot communicate with chassis | The storage node specified in the CB 320 server chassis configuration cannot communicate with one or more chassis. Ensure that the chassis configuration is correct. If it is, please contact your authorized HCP service provider. |


| Mouse-over text | Description |
|---|---|
| Cannot connect to AD server | HCP cannot connect to the server for the AD domain specified in the HCP AD configuration. Check that both the AD domain controller and the network connection between HCP and that server are healthy. Also ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider. |
| CIFS AD access disabled | One of these conditions is true: • The SPN attribute for one or more HCP nodes is missing from the AD domain. • An internal error with the CIFS protocol occurred on one or more HCP nodes. In either case, reconfigure HCP support for AD on the Authentication page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider. |
| CIFS/NFS limit exceeded | The number of namespaces with the CIFS or NFS protocol enabled is above the maximum supported by HCP. System performance may be slower as a result. If this is an issue, ask one or more tenant administrators to disable CIFS and NFS for one or more of their namespaces. |
| CIFS/NFS limit reached | The number of namespaces with the CIFS or NFS protocol enabled is at the maximum supported by HCP. Enabling CIFS or NFS for additional namespaces may slow system performance. |
| Content verification repair disabled | The content verification service is currently not checking for or repairing objects with corrupted data. This alert appears when the Do not check and repair objects option is selected on the Content Verification page. For information on this option, see “Configuring the content verification service” on page 348. |
| Data access failover | For SAIN systems with zero-copy failover enabled, a node has taken over management of storage normally managed by another node. Please contact your authorized HCP service provider. |


| Mouse-over text | Description |
|---|---|
| Degraded network assigned | One or more tenants are associated with a degraded network for management or data access purposes. A degraded network presents a single point of failure for clients accessing HCP over that network. Check the Networks page for degraded networks that are associated with tenants. Then reconfigure each network to assign IP addresses to one or more additional nodes. |
| Empty network assigned | One or more tenants are associated with an empty network for management or data access purposes. A tenant with an empty management network cannot be accessed through the Tenant Management Console or HCP management API. Namespaces belonging to a tenant with an empty data access network are inaccessible. Check the Networks page for empty networks that are associated with tenants. Then reconfigure each network to assign IP addresses to one or more nodes. |
| Error spinning down volume | An error occurred while a logical volume was in the process of spinning down. Please contact your authorized HCP service provider. |
| Error spinning up volume | An error occurred while a logical volume was in the process of spinning up. Please contact your authorized HCP service provider. |
| Expired Active Directory certificates | One or more AD SSL certificates have expired. Communication with AD may fail. To ensure that communication with AD is not disrupted, export a new SSL certificate from AD and upload it to HCP. |


| Mouse-over text | Description |
|---|---|
| Expired replication certificates | One or more trusted replication server certificates have expired. Replication with the systems from which the applicable certificates were obtained has stopped. When the other system in any of the applicable replication pairs installs a new SSL server certificate, download that certificate and upload it to this system as a trusted replication server certificate. For ease of maintenance, delete expired certificates from the list of trusted replication server certificates. |
| Expired SSL server certificate | One or more SSL server certificates for one or more HCP domains have expired. If a domain has no valid certificates, clients must accept the invalid certificate presented by HCP for access to namespaces in that domain. If the domain associated with the replication network has no valid certificates, replication fails. Check the Domains and Certificates page to see which certificates have expired. Then ensure that each affected domain has at least one valid certificate. |
| External storage volumes unavailable | One or more external storage volumes have a status of unavailable, broken, or initializing. Check the Storage page to see which volumes are having problems. Then ensure that the devices hosting those volumes and the network connections to those devices are functioning properly. Also ensure that the exported shares are configured correctly, that any NFS servers being used are running on each device, and that any NFS security software on the device is not blocking access by any of the HCP nodes. If the problem persists for a volume, remount the volume in HCP, as described in “Remounting an NFS volume” on page 184. If that doesn’t resolve the problem, contact your authorized HCP service provider for help. |
| Front-end connection error | All front-end connections to one or more storage nodes are unavailable. If this system is currently a source for replication, some objects will not be replicated. If the system is a replication target, replication performance is degraded. |


| Mouse-over text | Description |
|---|---|
| Full file system | One or more file systems have no more available space or no more available inodes. Please contact your authorized HCP service provider. |
| Hardware functioning properly | All of the HCP hardware is functioning normally. |
| HCP computer account missing | The HCP computer account is missing from the AD domain. Reconfigure HCP support for AD on the Authentication page in the HCP System Management Console. |
| HCP upgrade is in progress | The HCP software is being upgraded to a new release with the HCP system online (that is, without shutting down the system). |
| HDDS connection failure | HCP cannot connect to the HDDS server. Check that both the HDDS server and the network connection between HCP and that server are healthy. If both appear to be working properly, please contact your authorized HCP service provider. This alert appears only while the HDDS search facility is enabled. |
| High load or swap | One or more nodes are experiencing a heavy load or a high rate of page swapping. Please contact your authorized HCP service provider. |
| IP mode mismatch | The system-level front-end network IP mode is Dual, but the [hcp_system] network is configured to use only IPv4 addresses or only IPv6 addresses. Submit a request to your authorized service provider to set the system-level IP mode and set the [hcp_system] network IP mode, to provide support only for the type(s) of IP address you want to configure for user-defined networks. |
| Last HDvM update failed | The most recent attempt to push information to Hitachi Device Manager was unsuccessful. For details, check the HDvM page. For information on this page, see “Configuring the Hitachi Device Manager connection” on page 478. |


| Mouse-over text | Description |
|---|---|
| Maximum namespaces exceeded | The number of namespaces defined in the HCP system is greater than the maximum number allowed. This situation can happen if one or more HCP tenants being replicated to a given HCP system have namespace quotas on their source systems that cause the total number of allocated namespaces on the target system to exceed the number allowed for an HCP system. While these tenants are included in their respective replication links, neither the actual number of namespaces they own nor their quotas count on the target system. However, if one or more of the tenants are removed from their links, the namespaces and quotas for those tenants then count on the target system. This can result in the total number of namespaces defined on the target system exceeding the total allowed for the system. To ensure proper system operation, if the maximum number of namespaces allowed for the system is exceeded, you should lower the number of namespaces as soon as possible. To do this, you need to have one or more tenant administrators delete one or more of their namespaces. |
| Maximum namespaces reached | The number of namespaces defined in the HCP system is the maximum number allowed. |
| Metadata balancing... | HCP is in the process of moving object metadata between nodes to achieve a more even distribution of the metadata. |
| Migration completing - balancing metadata | The migration service has completed the process of copying objects during a data migration and is now in the process of moving metadata between the remaining nodes to achieve a more even distribution of the metadata. |
| Migration in progress | A data migration is in progress. For information on data migrations, see “Migration service” on page 376. |


| Mouse-over text | Description |
|---|---|
| MQE index at 50% | The size of the metadata query engine index is 50 to less than 80 percent of either the maximum size allowed for the index or the actual space available for the index, whichever is less. HCP can no longer optimize the space used by the index. As the index grows, responses to metadata query engine API requests will become slower, as will responses to searches in the Search Console when that Console is using the metadata query engine. Consider adding more storage capacity for the metadata query engine index. If the index includes custom metadata, you can create more space for the index by deleting and then rebuilding the index with custom metadata indexing disabled. |
| MQE index at 80%; indexing disabled | The size of the metadata query engine index is 80 or more percent of either the maximum size allowed for the index or the actual space available for the index, whichever is less. Metadata query engine indexing has stopped. To enable indexing to continue, add more storage capacity for the metadata query engine index. If the index includes custom metadata, you can create more space for the index by deleting and then rebuilding the index with custom metadata indexing disabled. |
| MQE index partially unavailable | At least one part of the metadata query engine index is unavailable. As a result, indexing has stopped, the metadata query API does not support object-based queries, and, if the metadata query engine is selected for use with the Search Console, searches in that Console return an error. This status can appear, for example, while an index-enabled logical volume is unavailable. When the situation is resolved, indexing automatically resumes. |
| MQE indexing unavailable | Metadata query engine indexing is disabled due to insufficient memory. Increase the system memory either by adding storage nodes or by adding memory to existing storage nodes. |


| Mouse-over text | Description |
|---|---|
| Multipath degraded to one | For SAIN systems configured with multipathing, the physical connection between a node and the SAN storage has failed. Please contact your authorized HCP service provider. |
| Network error | One or more nodes are experiencing problems with one or more of their networks. Possible causes for this alert include: • One or more physical network connections to one or more nodes are not working. Check the Storage Node page for each indicated node to see which network interfaces show errors. Then correct any problems with the applicable physical networks. If the networks appear to be working properly, please contact your authorized HCP service provider. • One or more network interfaces are missing in one or more nodes. Check the Networks page to see which networks have this problem. Then restart those networks. If the problem persists, please contact your authorized HCP service provider. • One or more nodes have one or more network interfaces for networks in which the nodes do not have IP addresses. Check the Networks page to see which networks have this problem. Then restart those networks. If the problem persists, please contact your authorized HCP service provider. |


| Mouse-over text | Description |
|---|---|
| Network warning | One or more nodes are experiencing problems with one or more of their networks. Possible causes for this alert include: • The current MTU for one or more networks on one or more nodes does not match the configured MTU. If the problem is with a user-defined network, restart the network. If that doesn’t resolve the problem, reboot the applicable nodes. If the problem persists, please contact your authorized HCP service provider. • The current speed of the [hcp_system] network on one or more nodes does not match the configured speed. Please contact your authorized HCP service provider. (This alert does not apply if the [hcp_system] network speed is set to auto.) • The current speed of the [hcp_backend] network on one or more nodes is not the maximum speed possible for that network. Please contact your authorized HCP service provider. |
| No external time server configured | HCP is configured to use itself as a time server. For HCP to work with AD, HCP time must be within five minutes of AD time. The recommended configuration is for HCP and AD to use the same external time server. |
| No Key Distribution Center found | HCP cannot find a Key Distribution Center for the AD domain specified in the HCP AD configuration. Ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider. |
| No LDAP server found | HCP cannot find an LDAP server for the AD domain specified in the HCP AD configuration. Ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider. |


| Mouse-over text | Description |
|---|---|
| OpenStack Identity Service connection failure | HCP could not connect to the OpenStack Identity Service URL. This connectivity issue could be caused by your HCP or Keystone configuration. On the Openstack page, check that your OpenStack Identity Service is enabled, that your Identity Service URL and Keystone credentials are correct, and that you’re using a domain name in your Identity Service URL instead of an IP address. If you’re using HTTPS, check that you have a certificate for your Server Domain, or that your current one has not expired. |
| Partial network assigned | One or more tenants are associated with a partial network for management or data access purposes. The load from client requests for access to those tenants or their namespaces is not being fully distributed across the nodes in the HCP system. Check the Tenants page to see which tenants have partial networks. Then either reconfigure each network to assign IP addresses to all nodes in the HCP system, or select different networks for the affected tenants. |
| Partial network assigned to replication | The network selected for replication is a partial network. The load from replication activity is not being fully distributed across the nodes in the system. Check the replication Settings page to see which network is selected for replication. Then either reconfigure that network to assign IP addresses to all nodes in the HCP system, or select a different network for replication. |
| Power supply failure | One or more power supplies are not working on one or more nodes or CB 320 server chassis. Please contact your authorized HCP service provider. |
| Processor failure | IPMI sensors are detecting one or more nodes with processors that are not working. Please contact your authorized HCP service provider. |
| Regions per node is low | HCP storage management is currently not configured for optimal performance. To resolve this issue, please contact your authorized HCP service provider. |


| Mouse-over text | Description |
|---|---|
| Remote storage almost full | Primary running storage space on the remote system for a replication link is at least 90% used. Consider adding more primary running storage capacity to the remote system or changing storage tiering strategies on that system to create more space in the existing primary running storage. For an active/active link, this alert appears only in the System Management Console for the local system. For an active/passive link, this alert appears only in the System Management Console for the primary system. |
| Remote storage full (link suspended) | Primary running storage space on the remote system for a replication link is 94% used. The remote system cannot act on any more replication data transmissions from the local system. HCP has automatically suspended activity on the link. Either add more primary running storage capacity to the remote system, or change storage tiering strategies on that system to create more space in the existing primary running storage. Then resume activity on the link. For an active/active link, this alert appears only in the System Management Console for the local system. For an active/passive link, this alert appears only in the System Management Console for the primary system. |
| Replication certificates expire soon | One or more trusted replication server certificates will expire within 90 days. If a certificate expires, replication with the system from which the certificate was obtained will fail. To ensure that replication is not disrupted, when the other system in the replication pair installs a new SSL server certificate for the domain that’s associated with the replication network, download that certificate and upload it to this system as a trusted replication server certificate. |


| Mouse-over text | Description |
|---|---|
| Replication certificates expire soon | One or more trusted replication server certificates will expire within 30 days. If a certificate expires, replication with the system from which the certificate was obtained will fail. To ensure that replication is not disrupted, when the other system in the replication pair installs a new SSL server certificate for the domain that’s associated with the replication network, download that certificate and upload it to this system as a trusted replication server certificate. |
| Replication link failure | An active/active or outbound active/passive replication link is not working as expected. Check the network connection between the two systems involved in the link. If the connection appears to be working properly, contact your authorized HCP service provider for help. |
| Replication link has autopaused tenants | HCP has automatically paused replication of one or more HCP tenants. For each tenant, correct the situation that caused replication to be paused. Then resume replication of the tenant. |
| Replication link pending | Either the system has sent a request for a replication link to another system and is waiting for a response, or the system has received a request for a replication link and has not yet responded. |
| Replication link stalled | Replication has unexpectedly stopped on a replication link. Check the network connection between the two systems involved in the link. If the connection appears to be working properly, contact your authorized HCP service provider for help. |
| Replication links shut down | All replication links in which this system is involved are shut down. No replication or recovery activity is occurring on these links, and the links cannot be used for read-from-remote or object-repair purposes. |


| Mouse-over text | Description |
|---|---|
| Reverse IP lookup failed for Key Distribution Center | HCP was able to do a reverse IP lookup of an IP address used for communication with the primary AD domain controller for the Key Distribution Center. However, HCP was unable to do a reverse IP lookup of an IP address used for communication with another AD domain controller in the same domain or in another domain. For more information on the problem, go to the Authentication page in the HCP System Management Console. |
| Reverse IP lookup failed for Key Distribution Center | HCP was unable to do a reverse IP lookup of an IP address used to communicate with the primary AD domain controller for the Key Distribution Center. For more information on the problem, go to the Authentication page in the HCP System Management Console. |
| Reverse IP lookup failed for LDAP server | HCP was able to do a reverse IP lookup of an IP address used to communicate with the primary AD domain controller for the LDAP server. However, HCP was unable to do a reverse IP lookup of an IP address used to communicate with another domain controller in the same domain or in another domain. For more information on the problem, go to the Authentication page in the HCP System Management Console. |
| Reverse IP lookup failed for LDAP server | HCP was unable to do a reverse IP lookup of an IP address used to communicate with the primary AD domain controller for the LDAP server. For more information on the problem, go to the Authentication page in the HCP System Management Console. |


| Mouse-over text | Description |
|---|---|
| Single sign-on issue | The SPN attribute for one or more tenants or namespaces is missing from the AD domain. If the HCP system is involved in replication, these tenants and namespaces could be defined in any system in the replication topology. For information on which tenants are involved, see the Status section on the Authentication page in the HCP System Management Console. If the missing SPN attribute is for a namespace, have the administrator for the tenant that owns the namespace disable and reenable AD single sign-on for the namespace. If the missing SPN attribute is for a tenant, disable and reenable AD authentication for the tenant. If the issue is still not resolved, reconfigure HCP support for AD on the Authentication page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider. |
| Some nodes not using the correct time source | One or more nodes are using a time source other than what is configured for the system. That is, they are using internal time when external time is configured, or they are using external time when internal time is configured. |
| Spindown storage usage is percent-used | For SAIN systems with spindown storage, spindown storage is less than 75 percent full. |
| Spindown storage usage is percent-used | For SAIN systems with spindown storage, spindown storage is 75 to less than 90 percent full. Consider adding more spindown storage capacity to the HCP system. |
| Spindown storage usage is percent-used | For SAIN systems with spindown storage, spindown storage is 90 or more percent full. HCP will not move any more objects to spindown storage until either objects are removed from spindown storage or spindown storage capacity is increased. |
| Spindown storage without storage tiering service | The HCP system includes spindown storage, but the active service schedule does not include the storage tiering service. No objects will be moved between running storage and spindown storage. |

Mouse-over text: SSL server certificate expires soon

Description: One or more SSL server certificates for one or more HCP domains will expire within 90 days. If a domain has no valid certificates, clients must accept the invalid certificate presented by HCP for access to namespaces in that domain. If the domain associated with the replication network has no valid certificates, replication fails.

Check the Domains and Certificates page to see which certificates are expiring. Then ensure that each affected domain has at least one certificate that will be valid when the expiring certificates expire.

Mouse-over text: SSL server certificate expires soon

Description: One or more SSL server certificates for one or more HCP domains will expire within 30 days. If a domain has no valid certificates, HTTPS access to namespaces in that domain is not allowed. If the domain associated with the replication network has no valid certificates, replication fails.

Check the Domains and Certificates page to see which certificates are expiring. Then ensure that each affected domain has at least one certificate that will be valid when the expiring certificates expire.

Mouse-over text: Storage device reporting errors

Description: One or more physical drives are experiencing problems. Please contact your authorized HCP service provider.

Mouse-over text: Storage license has expired

Description: The storage license is past its expiration date and no longer valid. Please contact HCP support to procure a new license.

Mouse-over text: Storage license is not a valid license for this system

Description: The HCP system serial number does not match the serial number on the storage license. A new storage license must be uploaded with a matching serial number. Please contact HCP support to procure a new license.

Mouse-over text: Storage usage is percent-used

Description: The storage managed by the storage nodes is less than 75 percent full.

In a SAIN system with spindown storage, this value applies only to running storage.

Mouse-over text: Storage usage is percent-used

Description: The storage managed by the storage nodes is 75 to less than 90 percent full. Consider adding more storage capacity to the HCP system.

In a SAIN system with spindown storage, this value applies only to running storage.

Mouse-over text: Storage usage is percent-used

Description: The storage managed by the storage nodes is 90 or more percent full. HCP will not store any new objects or any new or replacement custom metadata. It will, however, continue to allow metadata changes.

In a SAIN system with spindown storage, this value applies only to running storage.

Mouse-over text: Default service plan DPL setting is 1

Description: For RAIN systems only, the ingest tier DPL defined for namespaces by the default service plan is 1 (one). To ensure that stored data is protected, all HCP namespaces that use the default service plan should be replicated. Additionally, if the default namespace uses the default service plan, all directories in that namespace should be replicated.

Mouse-over text: System is starting

Description: The HCP system is in the process of starting up.

Mouse-over text: Tenants inaccessible due to network configuration

Description: One or more tenants are associated with a network other than [hcp_system], but virtual network management is disabled. A tenant with a management network other than [hcp_system] cannot be accessed through the Tenant Management Console or HCP management API. Namespaces belonging to a tenant with a data access network other than [hcp_system] are inaccessible.

This error can occur when tenants on an HCP system that has virtual network management enabled are replicated to a system that does not.

To have virtual network management enabled, contact your authorized HCP service provider.

Mouse-over text: Tenants inaccessible due to network configuration

Description: One or more networks specified as the management or data access network for one or more tenants do not exist. A tenant with a nonexistent management network cannot be accessed through the Tenant Management Console or HCP management API. Namespaces belonging to a tenant with a nonexistent data access network are inaccessible.

This error can occur on an HCP system that’s a replication target when a network defined on a source system is not defined on the target system.

Check the Networks page for the list of nonexistent networks that are associated with tenants. For each listed network, create a network with the same name.

Mouse-over text: Time out of sync between replicating systems

Description: The system time on this system is more than one minute out of sync with the system time on one or more other systems with which this system participates in a replication link.

The recommended practice is to have all HCP systems in a replication topology use the same external time server.

Mouse-over text: Unavailable nodes

Description: One or more nodes are unavailable. If the status of a node changes spontaneously from available to unavailable and the node does not restart automatically, please contact your authorized HCP service provider. Do not try to restart the node manually, as that may cause the loss of information needed to diagnose the problem.

Mouse-over text: Usage has exceeded license capacity for (active | extended | active and extended) storage

Description: The storage capacity of the (active|extended|active and extended) component of your storage license has been exceeded. Please contact HCP support to procure a new license.

Mouse-over text: Username mapping invalid

Description: In the username mapping file used by the CIFS protocol for the default namespace, one or more usernames map to the same UID. Only one username can map to any given UID.
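As an added illustration of the two "SSL server certificate expires soon" alerts described above (this is not HCP code), the following Python example applies the 90-day and 30-day windows per domain and performs the remediation check that each affected domain keeps a certificate that is still valid when the expiring ones lapse. The domain names, dates, result labels and function names are constructed for the example, and the validity strings are assumed to be in the notBefore/notAfter text format that OpenSSL prints.

```python
import ssl
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Alert windows taken from the two "SSL server certificate expires soon" rows.
WARN_WINDOW = timedelta(days=90)
SEVERE_WINDOW = timedelta(days=30)

# Constructed inventory (hypothetical domains and dates):
# (domain, notBefore, notAfter) as printed by OpenSSL.
SAMPLE_CERTS = [
    ("admin.hcp.example.com", "Jul 15 00:00:00 2014 GMT", "Jul 15 00:00:00 2015 GMT"),
    ("admin.hcp.example.com", "Jul  1 00:00:00 2015 GMT", "Jul  1 00:00:00 2017 GMT"),
    ("repl.hcp.example.com", "Jun 20 00:00:00 2014 GMT", "Jun 20 00:00:00 2015 GMT"),
    ("data.hcp.example.com", "Jan  1 00:00:00 2015 GMT", "Jan  1 00:00:00 2017 GMT"),
    ("old.hcp.example.com", "May  1 00:00:00 2014 GMT", "May  1 00:00:00 2015 GMT"),
]
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)  # fixed clock so results repeat


def parse_cert_time(text):
    """Convert an OpenSSL notBefore/notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def review_domains(certs, now):
    """Return {domain: (level, covered)} for a certificate inventory.

    level   - "ok", "expires within 90 days", "expires within 30 days",
              or "no valid certificate"
    covered - True when nothing is expiring, or when another certificate of
              the domain is valid at the moment the last expiring one lapses
    """
    by_domain = defaultdict(list)
    for domain, not_before, not_after in certs:
        by_domain[domain].append(
            (parse_cert_time(not_before), parse_cert_time(not_after))
        )

    report = {}
    for domain, validity in sorted(by_domain.items()):
        valid_now = [v for v in validity if v[0] <= now < v[1]]
        if not valid_now:
            report[domain] = ("no valid certificate", False)
            continue

        expiring = [v for v in valid_now if v[1] - now <= WARN_WINDOW]
        if not expiring:
            report[domain] = ("ok", True)
            continue

        if any(v[1] - now <= SEVERE_WINDOW for v in expiring):
            level = "expires within 30 days"
        else:
            level = "expires within 90 days"

        # A replacement must already be valid when the last expiring
        # certificate lapses; one that starts later leaves a gap.
        last_expiry = max(v[1] for v in expiring)
        covered = any(
            v not in expiring and v[0] <= last_expiry < v[1] for v in validity
        )
        report[domain] = (level, covered)
    return report


if __name__ == "__main__":
    for name, (level, covered) in review_domains(SAMPLE_CERTS, NOW).items():
        print(f"{name:24} {level:24} replacement in place: {covered}")
```

A domain reported with `covered` set to False is one that will be left without a valid certificate unless a new one is installed before the expiry date.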


Hardware page alerts

The System Management Console uses system health icons for alerts that appear on the Hardware page. These alerts are described in the table below. The alerts are listed alphabetically by their mouse-over text. Alerts with text beginning with a number are listed first, in alphabetical order by the variable that represents the number.

Mouse-over text: bad-fan-count of fan-count chassis fans indicating problems

Description: One or more fans in one or more CB 320 server chassis are not functioning properly. Please contact your authorized HCP service provider.

Mouse-over text: bad-power-supply-count of power-supply-count chassis power supplies indicating problems

Description: One or more power supplies in one or more CB 320 server chassis are not functioning properly. Please contact your authorized HCP service provider.

Mouse-over text: fan-count of fan-count chassis fans operating normally

Description: All fans on all CB 320 server chassis are functioning properly.

Mouse-over text: power-supply-count of power-supply-count chassis power supplies operating normally

Description: All power supplies on all CB 320 server chassis are functioning properly.

Mouse-over text: BBU charging

Description: For RAIN systems only, the battery backup unit in the node is charging.

Mouse-over text: BBU degraded; charging

Description: For RAIN systems only, the battery backup unit in the node is charging. The write-cache is disabled on the node.

Mouse-over text: BBU degraded; discharging

Description: For RAIN systems only, the battery backup unit in the node is discharging. The write-cache is disabled on the node.

Mouse-over text: BBU discharging

Description: For RAIN systems only, the battery backup unit in the node is discharging.

Mouse-over text: BBU failed

Description: For RAIN systems only, the battery backup unit in the node has failed. The write-cache is disabled on the node. If this alert appears for more than a few hours, please contact your authorized HCP service provider.

Mouse-over text: Fan speed critical

Description: IPMI sensors are detecting one or more fans with critically high or low speeds. Shut down the node and contact your authorized HCP service provider. For instructions on shutting down the node, see “Restarting an individual node” on page 111.

Mouse-over text: Fan speed out of normal range

Description: IPMI sensors are detecting one or more fans with speeds above or below the recommended range, but not critically so. Monitor the fan speeds on the Storage Node page. If they do not return to normal, please contact your authorized HCP service provider.

Mouse-over text: File system failure

Description: One or more file systems have no more available space or no more available inodes. Please contact your authorized HCP service provider.

Mouse-over text: Metadata query engine failure

Description: The metadata query engine is not running on the node, most likely because the node is unavailable. When the node becomes available again, the engine should automatically restart on it. If it doesn’t, disable and then reenable metadata query engine indexing. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: Multipath degraded

Description: For SAIN systems configured with multipathing, the physical connection between the node and the SAN storage has failed. Please contact your authorized HCP service provider.

Mouse-over text: NIC failure

Description: The node is experiencing problems with one or more of its networks. Possible causes for this alert include:

• One or more physical network connections to the node are not working. Check the Storage Node page for the node to see which network interfaces show errors. Then correct any problems with the applicable physical networks. If the networks appear to be working properly, please contact your authorized HCP service provider.

• The node is missing one or more network interfaces. Check the Networks page to see which networks have this problem. Then restart those networks. If the problem persists, please contact your authorized HCP service provider.

• The node has one or more network interfaces for networks in which it does not have IP addresses. Check the Networks page to see which networks have this problem. Then restart those networks. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: No IPMI status available for chassis fans

Description: The storage node specified in the CB 320 server chassis configuration cannot communicate with one or more chassis. Ensure that the chassis configuration is correct. If it is, please contact your authorized HCP service provider.

Mouse-over text: No IPMI status available for chassis power supplies

Description: The storage node specified in the CB 320 server chassis configuration cannot communicate with one or more chassis. Ensure that the chassis configuration is correct. If it is, please contact your authorized HCP service provider.

Mouse-over text: Node has been removed

Description: The node has been permanently removed from the HCP system. You cannot reuse its back-end IP address for any nodes you subsequently add to the system.

Mouse-over text: Node problem

Description: The node is experiencing a heavy load or a high rate of page swapping. Please contact your authorized HCP service provider.

Mouse-over text: Power supply error

Description: The node has only one power supply working normally. Please contact your authorized HCP service provider.

Mouse-over text: Storage failure

Description: One or more physical storage devices managed by the node are not functioning properly. Please contact your authorized HCP service provider.

Mouse-over text: Temperature critical

Description: IPMI sensors are detecting one or more components with critically high or low temperature readings. Shut down the node and contact your authorized HCP service provider. For instructions on shutting down the node, see “Restarting an individual node” on page 111.

Mouse-over text: Temperature out of normal range

Description: IPMI sensors are detecting one or more components with high or low, but not critical, temperature readings. Monitor the temperature readings on the Storage Node page. If they do not return to normal, please contact your authorized HCP service provider.

Mouse-over text: Voltage critical

Description: IPMI sensors are detecting one or more components with critically high or low voltage readings. Shut down the node and contact your authorized HCP service provider. For instructions on shutting down the node, see “Restarting an individual node” on page 111.

Mouse-over text: Voltage out of normal range

Description: IPMI sensors are detecting one or more components with high or low, but not critical, voltage readings. Monitor the voltage readings on the Storage Node page. If they do not return to normal, please contact your authorized HCP service provider.

Storage Node page alerts

The System Management Console uses system health icons for alerts that appear on the Storage Node page for each node. These alerts are described in the table below. The alerts are listed alphabetically by their mouse-over text. Alerts with text beginning with a number are listed first, in alphabetical order by the variable that represents the number.

Mouse-over text: bad-interface-count of interface-count network interfaces are not functioning properly

Description: One or more NICs in the node are not functioning properly. Please contact your authorized HCP service provider.

Mouse-over text: bad-storage-device-count of storage-device-count storage devices are not functioning correctly

Description: One or more physical storage devices managed by the node are not functioning properly. Please contact your authorized HCP service provider.

Mouse-over text: file-system-count file systems on storage-device-count devices

Description: The node has the indicated number of file systems, which map to the indicated number of physical storage devices.

Mouse-over text: sensor-count IPMI sensors are indicating problems

Description: The indicated number of IPMI sensors are detecting one or more problems in the node. For more information, review the IPMI details.

Mouse-over text: All file-system-count file systems have sufficient space and inodes

Description: All the file systems on the node have space and inodes available for storing additional objects.

Mouse-over text: All IPMI sensors report normal operation

Description: All components monitored by IPMI are functioning normally.

Mouse-over text: All network interfaces are functioning properly

Description: All NICs in the node are functioning properly.

Mouse-over text: Core hardware is functioning normally

Description: The load and rate of page swapping on the node are within the acceptable range.

Mouse-over text: Core hardware may need attention

Description: The node is experiencing a heavy load or a high rate of page swapping. Please contact your authorized HCP service provider.

Mouse-over text: File system is running out of space or inodes

Description: One or more file systems have no more available space or no more available inodes. Please contact your authorized HCP service provider.

Mouse-over text: Logical volume usage

Description: The logical volumes managed by the node have the status, capacity, and used space shown when you expand the alert.

Mouse-over text: Multipath degraded

Description: For SAIN systems configured with multipathing, a physical connection between the node and the SAN storage has failed. Please contact your authorized HCP service provider.

Mouse-over text: No IPMI status is available

Description: The node does not contain IPMI sensors.

Mouse-over text: Node has been removed

Description: The node has been permanently removed from the HCP system. You cannot reuse its back-end IP address for any nodes you subsequently add to the system.

Mouse-over text: Node is not available

Description: The node is unavailable for one of these reasons:

• It is starting up but not yet able to perform HCP functions.

• It is shutting down and no longer able to perform HCP functions.

• It is not running or is unable to communicate with the rest of the HCP system.

Storage page alerts

The System Management Console uses error and warning icons for alerts that appear on the Storage page.

The icon used to indicate an error condition is a white triangle containing a red exclamation point. When this icon appears in a table row, that row is highlighted in red.

The icon used to indicate a warning condition is a white circle containing an orange exclamation point. When this icon appears in a table row, that row is highlighted in orange.

The error and warning condition alerts that appear on the Storage page are described in two separate sections below.

Storage page error condition alerts

Error condition alerts that appear on the Storage page are described in the table below. These alerts are listed alphabetically by their mouse-over text.

Storage components list

Mouse-over text: One or more volumes in this storage pool have problems

Description: One or more of the external storage volumes in the external storage pool have a status other than available. To see which volumes have problems, open the panel for the storage pool. For more information on problem volumes, check the HCP system log.

Storage pools list

Mouse-over text: External volume volume-id on node node-number - volume-status

Description: The external storage volume has a status other than available. For information on the cause, check the HCP system log.

If the status is broken, check the export configuration and verify that the NFS server is running. If the configuration is correct and the NFS server is running, ensure that the device is functioning properly and that the network connecting HCP to the device is healthy. For additional possible resolutions to the problem, see “Considerations for using NFS volumes” on page 146.

If the status is unavailable and does not change to available or broken within a short amount of time, try remounting the volume, as described in “Remounting an NFS volume” on page 184.

If this alert persists, contact your authorized HCP service provider for help.

Storage page warning condition alerts

Warning condition alerts that appear on the Storage page are described in the table below. These alerts are listed alphabetically by their mouse-over text.

Storage components list

Mouse-over text: One or more volumes in this storage pool have problems

Description: One or more of the external storage volumes in the external storage pool have a status other than available. To see which volumes have problems, open the panel for the storage pool. For more information on problem volumes, check the HCP system log.

Storage pools list

Mouse-over text: External volume volume-id on node node-number - volume-status

Description: The external storage volume has a status other than available. For information on the cause, check the HCP system log.

If the status is broken, check the export configuration and verify that the NFS server is running. If the configuration is correct and the NFS server is running, ensure that the device is functioning properly and that the network connecting HCP to the device is healthy. For additional possible resolutions to the problem, see “Considerations for using NFS volumes” on page 146.

If the status is unavailable and does not change to available or broken within a short amount of time, try remounting the volume, as described in “Remounting an NFS volume” on page 184.

If this alert persists, contact your authorized HCP service provider for help.

Networks page alerts

The System Management Console uses error and warning icons for alerts that appear on the Networks page.

The icon used to indicate an error condition is a white triangle containing a red exclamation point. When this icon appears in a table row, that row is highlighted in red.

The icon used to indicate a warning condition is a white circle containing an orange exclamation point. When this icon appears in a table row, that row is highlighted in orange.

The error and warning condition alerts that appear on the Networks page are described in two separate sections below.


Networks page error condition alerts

Error condition alerts that appear on the Networks page are described in the table below. These alerts are listed alphabetically by their mouse-over text.

Mouse-over text: Network has no node IP addresses

Description: The network is empty; that is, no nodes have any IP addresses defined for the network. Clients cannot access the HCP system over an empty network.

Configure the network to assign IP addresses to one or more nodes. Each node must have a separate IP address on each subnet defined for the network.

Mouse-over text: Network not functioning properly

Description: The network is experiencing problems on one or more nodes. Possible causes for this error condition alert include:

• One or more physical network connections to one or more nodes are not working. Check the Storage Node page for each node to see which network interfaces show errors. Then correct any problems with the applicable physical networks. If the networks appear to be working properly, please contact your authorized HCP service provider.

• The network interface for the network is missing in one or more nodes. Restart the network. If the problem persists, please contact your authorized HCP service provider.

• One or more nodes have network interfaces for the network but do not have IP addresses in the network. Restart the network. If the problem persists, please contact your authorized HCP service provider.


Networks page warning condition alerts

Warning condition alerts that appear on the Networks page are described in the table below. These alerts are listed alphabetically by their mouse-over text.

Mouse-over text: Network disabled

Description: The network has been manually disabled by a system administrator. Clients cannot access the HCP system over a disabled network and tenants and namespaces cannot be replicated over a disabled network.

Check the Tenants page to determine whether the disabled network is assigned to any tenants. Also check the replication Settings page to determine whether the disabled network is selected as the replication network.

If the network is assigned to one or more tenants, take one of these actions:

• On the Tenants page, reconfigure the affected tenants to use only enabled networks for data and management access.

• On the Networks page, click on the gear icon next to the disabled network to display the network Settings panel. Then select the option to enable the network and click on the Update Settings button.

If the network is selected as the replication network, take one of these actions:

• On the replication Settings page, select a different network for replication.

• On the Networks page, click on the gear icon next to the disabled network to display the network Settings panel. Then select the option to enable the network and click on the Update Settings button.

If the network is not assigned to any tenants, and is not used for replication, no action is required.

You can use the Networks page to reconfigure, reenable, or delete the network at any time without affecting access to the HCP system.

Mouse-over text: IP mode mismatch

Description: The system-level front-end network IP mode is Dual, but the [hcp_system] network is configured to use only IPv4 addresses or only IPv6 addresses.

Submit a request to your authorized service provider to set the system-level IP mode and set the [hcp_system] network IP mode, to provide support only for the type(s) of IP address you want to configure for user-defined networks.

Mouse-over text: Network has only one node IP address

Description: The network is degraded; that is, only one node has IP addresses defined for the network. A degraded network presents a single point of failure for clients accessing HCP over that network.

Reconfigure the network to assign IP addresses to one or more additional nodes.

Mouse-over text: Network is missing node IP addresses

Description: The network is a partial network; that is, at least two nodes have IP addresses defined for the network and at least one node does not. The load from client requests over a partial network is not fully distributed across the nodes in the HCP system.

Reconfigure the network to assign IP addresses to all the nodes in the HCP system. Each node must have an IP address on each subnet defined for the network.

Mouse-over text: Network not functioning properly

Description: The network is experiencing problems on one or more nodes. Possible causes for this warning condition alert include:

• The current MTU for the network on one or more nodes does not match the configured MTU. If the problem is with a user-defined network, restart the network. If that doesn’t resolve the problem, reboot the applicable nodes. If the problem persists, please contact your authorized HCP service provider.

• For the [hcp_system] network, the current speed of the network on one or more nodes does not match the configured speed. Please contact your authorized HCP service provider. (This does not apply if the speed is set to auto.)

• For the [hcp_backend] network, the current speed of the network on one or more nodes is not the maximum speed possible for that network. Please contact your authorized HCP service provider.

Tenants page alerts

The alerts in the table below are listed alphabetically by their mouse-over text.

Mouse-over text: Degraded network assigned

Description: The tenant is associated with a degraded network for management or data access purposes. A degraded network presents a single point of failure for clients accessing the tenant or its namespaces over that network.

Take one of these actions:

• On the Tenants page, reconfigure the affected tenant to use only networks that have IP addresses defined for at least two nodes in the HCP system.

• On the Networks page, reconfigure each degraded network to assign IP addresses to one or more additional nodes.

Mouse-over text: Empty network assigned

Description: The tenant is associated with an empty network for management or data access purposes. If the management network is empty, the tenant cannot be accessed through the Tenant Management Console or HCP management API. If the data access network is empty, namespaces belonging to a tenant are inaccessible.

Take one of these actions:

• On the Tenants page, reconfigure the affected tenant to use only networks that have IP addresses defined for at least two nodes in the HCP system.

• On the Networks page, configure each empty network to assign IP addresses to one or more nodes. Each node must have a separate IP address on each subnet defined for the network.

Mouse-over text: Inaccessible due to network configuration

Description: The management and/or data access network specified for the tenant does not exist. If the management network does not exist, the tenant cannot be accessed through the Tenant Management Console or HCP management API. If the data access network does not exist, namespaces belonging to a tenant are inaccessible.

This error can occur on an HCP system that’s a replication target when a network defined on a source system is not defined on the target system.

For each undefined network, create a network with the name of the undefined network.

Mouse-over text: Namespace quota exceeded

Description: The number of namespaces owned by the tenant is greater than the namespace quota for the tenant.

This situation can happen if the tenant is included in an active/active replication link. With this type of link, namespaces can be created for the tenant independently on each system involved in the link. Namespaces from both systems can then be added to the link such that the total number of namespaces replicated on the link exceeds the namespace quota for the tenant. As a result, the total number of namespaces for the tenant on each system exceeds the namespace quota for the tenant.

Mouse-over text: Namespace quota reached

Description: The number of namespaces owned by the tenant equals the namespace quota for the tenant.

Mouse-over text: Partial network assigned

Description: The tenant is associated with a partial network for management or data access purposes. The load from client requests for access to the tenant or its namespaces is not being fully distributed across the nodes in the HCP system.

Take one of these actions:

• On the Tenants page, reconfigure the affected tenant to use only networks that have IP addresses defined for all nodes in the HCP system.

• On the Networks page, reconfigure each partial network to assign IP addresses to all nodes in the HCP system. Each node must have a separate IP address on each subnet defined for the network.

Mouse-over text: Read-only, set by replication

Description: For HCP tenants only, the tenant is read-only because it’s included in an active/passive link and one of the following is true:

• The current system is the replica for the link, and normal replication is occurring on the link.

• The current system is the primary system for the link, and the initial stage of data recovery is occurring on the link.

• The current system is either the primary system or the replica for the link, and the final stage of data recovery is occurring on the link.

Mouse-over text: Soft quota exceeded

Description: For HCP tenants only, the amount of storage used by all namespaces owned by a tenant exceeds the soft quota configured for the tenant. Contact the tenant administrator about increasing the hard quota for the tenant.

Mouse-over text: Tenant tenant-name has irreparable-object-count irreparable objects

Description: One or more namespaces owned by the tenant contain the indicated total number of irreparable objects. Please contact your authorized HCP service provider.

Mouse-over text: Tenant tenant-name has irreparable-object-count irreparable objects and unavailable-object-count unavailable objects

Description: One or more namespaces owned by the tenant contain the indicated total number of irreparable objects, and one or more namespaces owned by the tenant contain the indicated total number of unavailable objects. Please contact your authorized HCP service provider.

Mouse-over text: Tenant tenant-name has unavailable-object-count unavailable objects

Description: One or more namespaces owned by the tenant contain the indicated total number of unavailable objects. This is most likely due to one or more nodes being unavailable. If the situation persists, please contact your authorized HCP service provider.

Mouse-over text: Tenant may have directories that are not being replicated

Description: For the default tenant in RAIN systems only, the default namespace has a DPL of one and at least one of the directories in it is being replicated. When the default namespace has a DPL of one, all directories in it should be replicated to ensure that the stored data is protected.

Chapter A: System Management Console alerts

Administering HCP

529

Domains and Certificates page alerts

(Continued)

Icon Mouse-over text

Tenant with DPL 1 namespaces that are not replicating

Description

In RAIN systems only:

• For HCP tenants, the tenant owns one or more namespaces that have a DPL of one and are not being replicated. All HCP namespaces with a DPL of one should be replicated to ensure that the stored data is protected.

• For the default tenant, the default namespace has a DPL of one and none of the directories in it are being replicated. When the default namespace has a DPL of one, all directories in it should be replicated to ensure that the stored data is protected.

Domains and Certificates page alerts

The alerts in the table below are listed alphabetically by their mouse-over text.

Domain list

Mouse-over text: All certificates for domain are invalid
Description: All the certificates associated with the domain have either an expiration date in the past or a start date in the future. Add a valid certificate to the domain.

Mouse-over text: All valid certificates for the domain are expiring
Description: All the valid certificates associated with the domain will expire within 30 days. Ensure that the domain has at least one certificate that will be valid when the expiring certificate expires.

Certificate list

Mouse-over text: Certificate has a start date in the future
Description: The start date for the certificate is in the future, so the certificate is currently invalid. Ensure that the domain has at least one valid certificate.

Mouse-over text: Certificate is expired
Description: The certificate has expired and is no longer valid. Delete the certificate.

Mouse-over text: Certificate is expiring
Description: The certificate will expire within 90 days. Ensure that the domain has at least one certificate that will be valid when this certificate expires.

Mouse-over text: Common name for certificate does not match domain name
Description: The common name of the certificate does not represent a subdomain of the domain with which the certificate is associated. The certificate is invalid. If a domain has no valid certificates, clients must accept the invalid certificate presented by HCP for access to namespaces in that domain. If the domain associated with the replication network has no valid certificates, replication fails.

Ensure that the domain has at least one valid certificate. Then delete the certificate with the common name mismatch.
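The certificate and domain alert conditions above can be evaluated ahead of time against a certificate inventory. The following is an added example, not HCP code: the `Cert` record, the common-name matching rule, the use of date validity alone for the domain-level checks, and the sample certificates are assumptions made for illustration. It also checks the remediation condition that another certificate is valid at the moment the expiring one lapses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows taken from the alert descriptions above.
CERT_EXPIRING = timedelta(days=90)    # "Certificate is expiring"
DOMAIN_EXPIRING = timedelta(days=30)  # "All valid certificates for the domain are expiring"


@dataclass(frozen=True)
class Cert:
    common_name: str
    not_before: datetime
    not_after: datetime


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def cn_matches_domain(common_name, domain):
    """Assumed rule: the CN (wildcard label stripped) is the domain or a name under it."""
    name = common_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Compare on a label boundary so "nothcp.example.com" does not match "hcp.example.com".
    return name == domain or name.endswith("." + domain)


def date_valid(cert, now):
    return cert.not_before <= now < cert.not_after


def certificate_alerts(cert, domain, now):
    """Per-certificate alerts, using the mouse-over texts from the table."""
    alerts = []
    if cert.not_before > now:
        alerts.append("Certificate has a start date in the future")
    if cert.not_after <= now:
        alerts.append("Certificate is expired")
    elif cert.not_after - now <= CERT_EXPIRING:
        alerts.append("Certificate is expiring")
    if not cn_matches_domain(cert.common_name, domain):
        alerts.append("Common name for certificate does not match domain name")
    return alerts


def domain_alerts(certs, now):
    """Domain-level alerts; validity here is date-based, as the descriptions word it."""
    if not certs:
        return []
    valid = [c for c in certs if date_valid(c, now)]
    if not valid:
        return ["All certificates for domain are invalid"]
    if all(c.not_after - now <= DOMAIN_EXPIRING for c in valid):
        return ["All valid certificates for the domain are expiring"]
    return []


def has_successor(certs, expiring, domain):
    """True if another matching certificate is valid at the moment `expiring` lapses."""
    return any(
        c is not expiring
        and cn_matches_domain(c.common_name, domain)
        and c.not_before <= expiring.not_after < c.not_after
        for c in certs
    )


# Constructed sample inventory (not taken from any real system).
NOW = utc(2015, 6, 1)
DOMAIN = "hcp.example.com"
CURRENT_CERT = Cert("*.hcp.example.com", utc(2014, 6, 1), utc(2015, 6, 20))
NEXT_CERT = Cert("*.hcp.example.com", utc(2015, 7, 1), utc(2017, 7, 1))
STALE_CERT = Cert("*.archive.example.net", utc(2014, 1, 1), utc(2015, 1, 1))
SAMPLE_CERTS = [CURRENT_CERT, NEXT_CERT, STALE_CERT]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert.common_name, cert.not_after.date(), certificate_alerts(cert, DOMAIN, NOW))
    print("domain:", domain_alerts(SAMPLE_CERTS, NOW))
    print("successor in place:", has_successor(SAMPLE_CERTS, CURRENT_CERT, DOMAIN))
```

In the sample, the replacement certificate starts eleven days after the current one expires, so the domain would have no valid certificate in between even though a new certificate has been uploaded.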

Authentication page alerts

The alerts in the table below are listed alphabetically by their mouse-over text.

Mouse-over text: Active Directory enabled for default namespace only.
Description: Either:

• AD authentication is enabled only for the default namespace and is not currently supported for HCP namespaces. This can happen after an upgrade, where the CIFS protocol was enabled for the default namespace with AD authentication before the upgrade occurred. To enable support for AD for HCP namespaces, enable HCP support for AD on the Authentication page in the HCP System Management Console.

• In the username mapping file used by the CIFS protocol for the default namespace, one or more usernames map to the same UID. Only one username can map to any given UID.

Mouse-over text: Active Directory secure connection issue
Description: HCP could not communicate with AD due to a problem with the AD SSL server certificate uploaded to HCP. Ensure that you have the correct certificate. Then upload the certificate again on the Authentication page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: Cannot access Key Distribution Center
Description: HCP cannot access the Key Distribution Center in the AD domain specified in the HCP AD configuration. Check that both the AD domain controller and the network connection between HCP and that AD domain controller are healthy. If they both appear to be working properly, please contact your authorized HCP service provider.

Mouse-over text: Cannot access LDAP server
Description: HCP cannot access the LDAP server for the AD domain specified in the HCP AD configuration. Check that both the LDAP server and the network connection between HCP and that server are healthy. If they both appear to be working properly, please contact your authorized HCP service provider.

Mouse-over text: Could not establish connection with Active Directory - add certificate again.
Description: HCP could not communicate with AD due to a problem with the AD SSL server certificate uploaded to HCP. Ensure that you have the correct certificate. Then upload the certificate again on the Authentication page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: DNS correctly configured.
Description: HCP is configured to use DNS.

Mouse-over text: DNS is not enabled. Active Directory requires DNS be enabled.
Description: HCP is not configured to use DNS. For HCP to work with AD, HCP must be configured as a subdomain in your DNS. For instructions on configuring the HCP subdomain, see Appendix E, “Configuring DNS for HCP,” on page 585.

Mouse-over text: HCP computer account missing.
Description: The HCP computer account is missing from the AD domain. Reconfigure HCP support for AD on the Authentication page in the HCP System Management Console.

Mouse-over text: IP lookup failed for Active Directory server server-name.
Description: HCP was unable to do an IP lookup of an IP address used to communicate with the AD domain controller for either the Key Distribution Center or the LDAP server. Ensure that the DNS configuration includes all A and AAAA records needed to resolve the IP addresses that HCP uses to communicate with the indicated domain controller.

Mouse-over text: No external time server configured. Active Directory requires an external time server.
Description: HCP is configured to use itself as a time server. For HCP to work with AD, HCP time must be within five minutes of AD time. The recommended configuration is for HCP and AD to use the same external time server.

Mouse-over text: No Key Distribution Center found
Description: HCP cannot find a Key Distribution Center in the AD domain specified in the HCP AD configuration. Ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: No LDAP server found
Description: HCP cannot find an LDAP server in the AD domain specified in the HCP AD configuration. Ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: Nodes correctly configured.
Description: All of these conditions are true:

• The computer accounts for all nodes are present in the AD domain. These accounts are created automatically when you configure HCP to support AD.

• All nodes have valid credentials for the HCP computer account used to query AD for groups.

• All nodes can connect to AD.

Mouse-over text: Nodes misconfigured.
Description: At least one of these conditions is true:

• The computer account for one or more nodes is missing from the AD domain. These accounts are created automatically when you configure HCP to support AD.

• The credentials for the HCP computer account used to query AD for groups and other information are invalid on one or more nodes.

• One or more nodes cannot connect to AD.

To resolve these issues, reconfigure support for AD on the Authentication page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: Reverse IP lookup failed for Active Directory server server-name. Record for server-ip-address not found.
Description: Given the indicated IP address, HCP was unable to do a reverse IP lookup of the hostname of the AD domain controller. Ensure that your DNS includes a PTR record for that IP address that specifies the correct domain controller hostname.

Mouse-over text: Reverse IP lookup mismatch for Active Directory server server-name. Record for server-ip-address points to server other-server-name.
Description: HCP was able to do a reverse IP lookup of an IP address used to communicate with the AD domain controller, but the PTR record identifies a different domain controller. Ensure that your DNS configuration includes a PTR record for the indicated IP address that specifies the correct domain controller hostname.

Mouse-over text: Service principal names are missing.
Description: The SPN attribute for one or more tenants or namespaces is missing from the AD domain. If the HCP system is involved in replication, these tenants and namespaces could be defined in any system in the replication topology.

If the missing SPN attribute is for a namespace, have the administrator for the tenant that owns the namespace disable and reenable AD single sign-on for the namespace. If the missing SPN attribute is for a tenant, disable and reenable AD authentication for the tenant. If the issue is still not resolved, reconfigure HCP support for AD on the Authentication page in the HCP System Management Console.

If the problem persists, please contact your authorized HCP service provider.

Mouse-over text: System correctly configured.
Description: All of the following are true:

• No HCP components are missing from the AD domain.

• The HCP configuration of AD support is complete (that is, it’s not configured only for the CIFS protocol for the default namespace).

• The username mapping file used by the CIFS protocol does not contain any invalid mappings.

Mouse-over text: Time server correctly configured.
Description: HCP is configured to use an external time server.
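The three DNS lookup alerts above (missing A/AAAA record, missing PTR record, PTR record naming a different server) can be checked before AD support is configured. The following is an added example, not HCP code: the function names, the record mappings and the sample zone data are assumptions for illustration, and `live_records` shows how the same mappings could be built from the system resolver.

```python
import ipaddress
import socket


def norm_host(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def norm_ip(text):
    # Canonical text form, so "2001:DB8::10" and "2001:db8::10" compare equal.
    return str(ipaddress.ip_address(text))


def check_domain_controller(server_name, forward, reverse):
    """forward: hostname -> list of A/AAAA addresses; reverse: address -> PTR target."""
    fwd = {norm_host(h): ips for h, ips in forward.items()}
    ptr = {norm_ip(ip): norm_host(h) for ip, h in reverse.items()}
    wanted = norm_host(server_name)

    addresses = fwd.get(wanted, [])
    if not addresses:
        return [f"IP lookup failed for Active Directory server {wanted}."]

    findings = []
    for raw in addresses:
        ip = norm_ip(raw)
        target = ptr.get(ip)
        if target is None:
            findings.append(
                f"Reverse IP lookup failed for Active Directory server {wanted}. "
                f"Record for {ip} not found."
            )
        elif target != wanted:
            findings.append(
                f"Reverse IP lookup mismatch for Active Directory server {wanted}. "
                f"Record for {ip} points to server {target}."
            )
    return findings


def live_records(server_name):
    """Build the two mappings from the system resolver (not used by the sample run)."""
    forward, reverse = {server_name: []}, {}
    try:
        infos = socket.getaddrinfo(server_name, None)
    except OSError:
        return forward, reverse
    for info in infos:
        ip = info[4][0].split("%")[0]  # drop any IPv6 scope id
        if ip not in forward[server_name]:
            forward[server_name].append(ip)
    for ip in forward[server_name]:
        try:
            reverse[ip] = socket.gethostbyaddr(ip)[0]
        except OSError:
            pass  # no PTR record; reported by check_domain_controller
    return forward, reverse


# Constructed zone data using documentation address ranges and example.com names.
SAMPLE_FORWARD = {
    "dc1.ad.example.com": ["192.0.2.10", "2001:DB8::10"],
    "dc2.ad.example.com": ["192.0.2.11"],
    "dc3.ad.example.com": ["192.0.2.12"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": "dc1.ad.example.com.",
    "2001:db8::10": "DC1.ad.example.com",
    "192.0.2.12": "dc9.ad.example.com",
}

if __name__ == "__main__":
    for dc in ("dc1", "dc2", "dc3", "dc4"):
        name = f"{dc}.ad.example.com"
        print(name, check_domain_controller(name, SAMPLE_FORWARD, SAMPLE_REVERSE) or "OK")
```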

Appendix B: HCP system log messages

HCP maintains a log that records messages about events that happen in the system. The table in this appendix lists the messages HCP can write to the system log. The messages are listed in order by message ID.

For each message, the table shows:

• The message ID

• The short form of the message, which identifies the event to which the message applies

• An explanation of the message

• The action, if any, you should take in response to the message

• The message severity

For more information on the system log, see “Understanding the HCP system log” on page 436.

ID Event

1000 HCP started

1001 HCP shutting down

1002 Node started

1003 Node shut down

1004 Volume started

1005 Volume shut down

1006 Volume failure

1007 Node removed

1008 Time sync problem

1009 Node added

1010 Previously removed node re-added

1012 Metadata DPL is 1

Explanation

The HCP system started.

The HCP system is shutting down.

Action Severity

No action is required.

If any nodes do not power off automatically, wait a few minutes and then power them off manually.

Notice

Notice

A node started.

A node shut down.

No action is required.

If this event is unexpected and the node does not restart automatically, contact your authorized service provider. Do not try to restart the node manually, as that may cause the loss of information needed to diagnose the problem.

Notice

Notice

Notice A logical volume came online.

A logical volume went offline.

A logical volume failed.

No action is required.

Contact your authorized service provider.

Contact your authorized service provider.

No action is required.

A node has been permanently removed from the HCP system.

The internal clock on a node is out of sync with the clocks on the nodes in the rest of the HCP system.

A new node has been added to the HCP system.

If the problem persists, contact your authorized service provider.

No action is required.

Notice

Error

Notice

Error

Notice

A node that was removed from the system has been powered on again.

Remove the node again.

The system was configured with metadata DPL 1.

No action is required.

Error

Warning

ID

1013 Failover

Event

1014 HCP rebooting

Explanation Action Severity

A node in a cross-mapped pair failed. The other node has taken over management of the logical volumes previously managed by the failed node.

The HCP system is restarting.

If the failed node does not restart automatically, contact your authorized service provider. Do not try to restart the node manually, as that may cause the loss of information needed to diagnose the problem.

No action is required.

Error

Notice

1015 Failover

1016 Volume recovered

1017 Node down for an extended amount of time

1018 HCP is read-only

A node in a cross-mapped pair failed. The other node will take over management of the logical volumes previously managed by the failed node.

A logical volume recovered.

If the failed node does not restart automatically, contact your authorized service provider. Do not try to restart the node manually, as that may cause the loss of information needed to diagnose the problem.

No action is required.

Error

Notice

Error A node has been unavailable for an extended amount of time.

The HCP system has become read-only due to metadata unavailability.

Configuration changes and changes to namespace content are not allowed.

Services have been suspended.

Contact your authorized service provider.

Contact your authorized service provider.

Error

1019 HCP is no longer read-only The previously unavailable metadata has become available, so the HCP system is no longer read-only due to metadata unavailability.

1020 Region-count setting is invalid

The region count was changed to a value that is either too large, too small, or not a number. The actual number of regions has not changed.

No action is required.

Contact your authorized service provider.

Notice

Error

ID Event Explanation Action

1021 Region count is changing The region count was set to a new value.

1022 Region count has changed The region count has finished changing to a new value.

No action is required.

No action is required.

1023 Region-count change has been canceled

1024 Support for DPL 1 changed

1025 External storage volume added

1026 External storage volume updated

1027 External storage volume deleted

1028 External storage volume missing necessary permissions

1029 Cannot mount external storage volume

1030 Cannot mount external storage volume

1031 External volume started

1032 External volume unavailable

Severity

Notice

Notice

The region-count change was canceled.

Support for DPL 1 was either enabled or disabled.

No action is required.

No action is required.

No action is required.

A user added an external storage volume.

A user updated an external storage volume.

No action is required.

Notice

Warning

Notice

Notice

A user deleted an external storage volume.

No action is required.

The share for a new or updated external storage volume was exported without permissions that HCP needs in order to mount the volume.

Ensure that the share is exported with the necessary permissions.

An external storage volume became available.

An external storage volume is unavailable.

No action is required.

Ensure that the share is exported with the correct configuration on the external device and that the HCP node managing the volume is available.

Notice

Warning

HCP was unable to mount a new or updated external storage volume.

Ensure that the share is exported with the correct configuration on the external device. For more information on this event, see the mount command output displayed with the log message.

Warning

HCP was unable to mount a new or updated external storage volume.

Ensure that the share is exported with the correct configuration on the external device.

Warning

Notice

Notice

ID Event

1033 External volume failure

1050 Storage pool created

1051 Storage pool updated

1052 Storage pool deleted

1053 Storage component created

1054 Storage component updated

1055 Storage component deleted

1056 Storage component abandoned

1057 Storage tiering SSL certificate downloaded

1058 New storage tiering SSL certificate added

Explanation

HCP was unable to connect to an external storage volume.

Action

Ensure that the share is exported with the correct configuration on the external device and that all HCP nodes are allowed to mount the share.

No action is required.

A user created a storage pool.

A user updated a storage pool.

A user deleted a storage pool.

A user created a storage component.

A user updated a storage component.

A user deleted a storage component.

A user abandoned a storage component.

No action is required.

No action is required.

No action is required.

No action is required.

No action is required.

No action is required.

A user downloaded an SSL server certificate for storage tiering.

No action is required.

A user added a new storage tiering client certificate.

No action is required.

1059 Storage tiering SSL certificate delete

A user deleted a storage tiering client certificate.

1060 New storage license added New (active | extended | active and extended) storage license was added.

1063 OpenStack SSL certificate downloaded

An SSL server certificate for OpenStack has been downloaded.

No action is required.

No action required.

1061 Storage license expired Storage license expired.

Upload a new storage license.

1062 Storage license exceeded Storage license exceeded. Delete or relocate objects within the repository or add more licensed capacity.

No action is required.

Severity

Error

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Warning

Warning

Notice

ID Event

1064 New OpenStack SSL certificate added

1065 OpenStack SSL certificate deleted

Explanation

A user has created an OpenStack SSL certificate.

An existing OpenStack SSL certificate has been deleted.

Action

No action is required.

No action is required.

Severity

Notice

Notice

1066 Storage license invalid

1100 Storage capacity warning

1101 Storage capacity critical

1104 Internal SLAB process down

Storage license is not a valid license for this system.

The amount of free storage on the HCP storage nodes is low.

Upload a new storage license.

Warning

Consider adding storage capacity to the HCP system before the amount of free storage becomes critically low.

Warning

Error The amount of free storage on the HCP storage nodes may be insufficient to support the addition of new objects.

The internal SLAB process is not running. The node will reboot automatically in order to restart the process.

Increase the amount of free storage by adding more storage capacity or deleting objects from the repository.

No action is required. If this problem persists, contact your authorized service provider.

Error

1105 IPMI status became unavailable

Warning

1107 Adding logical volumes

1108 Logical volumes added

1109 Logical volumes added

A hardware condition has rendered IPMI status unavailable.

New logical volumes are being added to a node.

New logical volumes were added to a node, thereby increasing the storage capacity of the node.

New logical volumes were added to a node. These are standby volumes for zero-copy failover.

No action is required.

No action is required.

No action is required.

No action is required.

Notice

Notice

Notice

1110 Failed to add logical volumes

1111 Front-end communication status became unavailable

The addition of new logical volumes to a node failed.

Contact your authorized service provider.

No action is required.

A hardware condition has rendered front-end communication status unavailable.

Error

Warning

ID Event

1112 Storage status became unavailable

1113 Spindown capacity warning

1114 Spindown capacity critical

1200 Last update sent to HDvM was unsuccessful

1220 Successfully downloaded logs

Explanation

A hardware condition has rendered storage status unavailable.

The amount of free spindown storage on the HCP storage nodes is low.

The amount of free spindown storage on the HCP storage nodes may be insufficient to support the addition of new objects.

HCP is unable to communicate with the HDvM server.

The HCP internal logs have been successfully downloaded.

Action

No action is required.

Severity

Warning

Consider adding spindown storage capacity to the HCP system before the amount of free spindown storage becomes critically low.

Warning

Increase the amount of free spindown storage by adding more storage capacity or deleting objects from the repository.

Ensure that you have correctly configured HDvM in the System Management Console and that the HDvM server is healthy.

Error

Error

No action is required.

Notice 1201 Log handler test message A user sent a test message to the syslog servers or SNMP managers.

1202 About to change syslog settings

A user changed the settings for syslog logging.

1203 Syslog settings changed

1204 About to change SNMP settings

1205 SNMP settings changed

A user changed the settings for syslog logging.

A user changed the settings for SNMP logging.

1206 Email notification failed

A user changed the settings for SNMP logging.

SMTP or email settings may be incorrect.

No action is required.

No action is required.

No action is required.

No action is required.

Notice

Notice

Notice

Notice

Check the SMTP and email settings. If the settings are correct, contact your SMTP administrator for help.

Warning

No action is required.

Notice

ID Event Explanation

1221 Started to download logs A user has requested a download of the HCP internal logs.

1222 Failed to download logs The requested download of the HCP internal logs has failed.

Action

No action is required.

Try to download the logs again. If that fails, contact your authorized service provider.

No action is required.

1223 Started to download logs for node

1224 Successfully downloaded logs for node

1227 Log encryption key uploaded

1228 Log encryption key deleted

HCP has started downloading the internal logs on a node.

HCP has finished downloading the internal logs on a node.

A user uploaded an encryption key for use when downloading the HCP internal logs.

A user deleted an encryption key that was used when downloading the HCP internal logs.

No action is required.

1225 Failed to download logs for node

HCP failed to download the internal logs from a node and is continuing with the next node.

1226 Logs marked

No action is required.

A user inserted a message into the HCP internal logs.

No action is required.

No action is required.

No action is required.

1229 Log download preparation started

A user has requested a download of the HCP internal logs.

No action is required.

1230 Log download preparation complete

Log download preparation is complete, and the HCP internal logs are ready to be downloaded.

No action is required.

Severity

Notice

Warning

Notice

Notice

Warning

Notice

Notice

Notice

Notice

Notice

1231 Log download started

1232 Log download complete

The HCP internal logs have begun streaming to an HTTP client.

The HCP internal logs have been downloaded.

No action is required.

No action is required.

Notice

Notice

ID Event Explanation Action Severity

1233 Log download preparation complete with issues

Log download preparation finished with issues. The unaffected HCP internal logs are ready to be downloaded.

1905 Service start skipped A service was not started because the time remaining until a scheduled stop was less than the minimum runtime for the service.

Download one or more of the available logs. Check the nodes identified in the error message.

Warning

No action is required.

Notice

1906 Scheduled service time period too short

A scheduled time period for a service is shorter than the minimum runtime for the service.

The service will not run in that time period.

1980 Service schedule activated A user activated a service schedule.

1981 Service schedule activation failed

A user tried to activate a service schedule, but the activation failed.

Increase the length of the applicable time period in the service schedule.

Warning

No action is required.

Check that the schedule has not been deleted. If the schedule has not been deleted, contact your authorized service provider.

No action is required.

Notice

Error

Notice 1982 Service schedule created A user created a service schedule.

1983 Service schedule updated A user updated a service schedule.

1984 Service schedule deleted A user deleted a service schedule.

No action is required.

No action is required.

Notice

Notice

Notice 2000 Protection service started The protection service has started.

No action is required.

2001 Protection service stopped: run complete

The protection service finished successfully.

No action is required.

2002 Protection service stopped without finishing

The protection service was interrupted without validating all objects.

No action is required.

2003 Protection service stopped without finishing

The protection service was interrupted without validating all objects.

No action is required.

2004 Protection service changed protection sets

The protection service changed protection sets.

No action is required.

Notice

Notice

Warning

Notice

ID Event

2007 Protection service beginning repairs

2008 Protection service: irreparable object

Explanation Action

The protection service has begun fixing violations.

No action is required.

The protection service detected a violation it could not fix.

Contact your authorized service provider.

2009 Protection service: unavailable object

The protection service detected a violation it could not fix.

2010 Garbage collection service started

The garbage collection service has started.

Contact your authorized service provider.

No action is required.

2011 Garbage collection service finished: run complete

The garbage collection service finished successfully.

2012 Garbage collection stopped without finishing

The garbage collection service stopped without completing its run.

Garbage collection will resume automatically at a later time.

No action is required.

No action is required.

2013 Garbage collection stopped without finishing

The garbage collection service stopped without completing its run.

Garbage collection will resume automatically at a later time.

No action is required.

2017 Garbage collection service beginning repairs

The garbage collection service has begun fixing violations.

No action is required.

2020 Scavenging service started

2021 Scavenging service stopped: run complete

2022 Scavenging service stopped: run bypassed object(s)

2023 Scavenging service stopped without finishing

The scavenging service has started.

The scavenging service finished successfully.

No action is required.

No action is required.

The scavenging service finished successfully.

Some objects were not scavenged in this run.

They will be checked in a future run.

No action is required.

The scavenging service stopped without completing its run.

Scavenging will resume at a later time.

No action is required.

Severity

Warning

Error

Warning

Notice

Notice

Notice

Warning

Notice

Notice

Notice

Notice

Warning

ID Event

2024 Scavenging service stopped without finishing

Explanation Action

The scavenging service stopped without completing its run.

Scavenging will resume at a later time.

The scavenging service has begun repairs.

No action is required.

No action is required.

2027 Scavenging service beginning repairs

2029 Scavenging service irreparable object

2030 Capacity balancing service started

The scavenging service was unable to repair the object. The repair may be retried at a later time.

The capacity balancing service has started.

Use the System Management Console to verify the health of the system. If the problem persists, contact your authorized service provider.

No action is required.

2031 Capacity balancing service stopped: run complete

The capacity balancing service finished successfully.

No action is required.

2032 Capacity balancing service finished: run bypassed object(s)

Some objects were bypassed during this run of the capacity balancing service. Those objects will be handled in a future run.

No action is required.

No action is required.

2033 Capacity balancing service stopped without finishing

The capacity balancing service stopped without completing its run.

2034 Capacity balancing service stopped without finishing

The capacity balancing service stopped without completing its run.

No action is required.

2037 Capacity balancing service beginning repairs

Capacity balancing service has begun repairs.

No action is required.

2040 Content verification service started

The authentication service has started.

No action is required.

2041 Content verification service stopped: run complete

2042 Content verification service stopped without finishing

The authentication service finished successfully.

No action is required.

The content verification service stopped without completing its run. The service will resume at some point in the future.

No action is required.

Severity

Notice

Warning

Error

Notice

Notice

Notice

Warning

Notice

Warning

Notice

Notice

Notice

ID Event Explanation

2043 Content verification service stopped without finishing

2045 Content verification service: unavailable object

The content verification service stopped without completing its run. The service will resume at some point in the future.

The content verification service detected a violation it could not fix.

2047 Content verification service beginning repairs

2048 Content verification service: irreparable object

2050 Duplicate elimination service started

2051 Duplicate elimination service stopped: run complete

2052 Duplicate elimination service stopped: run bypassed object(s)

2053 Duplicate elimination service stopped without finishing

2054 Duplicate elimination service stopped without finishing

2057 Duplicate elimination service beginning repairs

2058 Service beginning repairs from a remote system

Action

No action is required.

Contact your authorized service provider.

The content verification service has begun repairs.

The content verification service detected a violation it could not fix.

The duplicate elimination service has started.

The duplicate elimination service finished successfully.

No action is required.

Contact your authorized service provider.

No action is required.

No action is required.

The duplicate elimination service finished successfully. Some objects were not checked during this run. They will be checked in a future run.

The duplicate elimination service stopped during its merge phase without completing its run. The service will resume at some point in the future.

No action is required.

No action is required.

The duplicate elimination service stopped during its merge phase without completing its run. The service will resume at some point in the future.

The duplicate elimination service has begun merging objects.

A service has begun making repairs from a remote system.

No action is required.

No action is required.

No action is required.

Severity

Warning

Warning

Warning

Error

Notice

Notice

Notice

Warning

Notice

Notice

Notice

ID Event

2079 Compression service stopped without finishing

Explanation

The compression service stopped without completing its run. The service will resume at some point in the future.

The compression service has started.

Action

No action is required.

2080 Compression service started

2081 Compression service stopped: run complete

2082 Compression service stopped without finishing

2085 Disposition service stopped: run complete

2086 Disposition service stopped without finishing

The compression service finished successfully.

The compression service stopped without completing its run. The service will resume at some point in the future.

The disposition service finished successfully.

The disposition service stopped without completing its run. The service will resume at some point in the future.

No action is required.

No action is required.

No action is required.

2083 Service could not start A service was requested to run but could not start for some reason.

2084 Disposition service started The disposition service has started.

No action is required.

No action is required.

No action is required.

No action is required.

Severity

Notice

Notice

Notice

Warning

Warning

Notice

Notice

Warning

2091 Disposition service stopped without finishing

2105 Replication link created

The disposition service stopped without completing its run. The service will resume at some point in the future.

A user created a replication link.

No action is required.

No action is required.

Notice

Notice

2106 Replication link suspended A replication link has been suspended.

2107 Replication link resumed A suspended replication link has been resumed.

No action is required.

No action is required.

2108 Replication link failure A replication link is not working.

Check network connectivity to the remote system.

Notice

Notice

Error

ID Event

2109 Replication link deleted

Explanation

A replication link was deleted.

Action

If this event is unexpected, contact your authorized service provider.

No action is required.

Severity

Warning

2110 Replication link read-only The tenants and directories included in a replication link are now read-only on this system.

2111 Replication link authorized A replication link was authorized.

2112 Replication link updated A user updated the configuration of a replication link.

No action is required.

No action is required.

Notice

Notice

Notice

2113 Replication link failed over A user failed over a replication link. The replicated tenants and directories are now read-write on the replica and read-only on the primary system.

2114 Replication link failed back A user failed back a replication link.

2115 Replication data recovery started

2116 Replication data recovery completed

Redirect client requests to the replica.

No action is required.

Notice

Notice

Data recovery has started on a replication link. The replicated tenants and directories are read-write on the replica and read-only on the primary system.

Monitor the recovery progress in the System Management Console.

Warning

Data recovery has completed on a replication link. The replicated tenants and directories are now read-write on the primary system and read-only on the replica.

Redirect client requests to the primary system.

Warning

2117 Replication link missing on remote system

A replication link configured on this system is missing on the remote system. The link has been suspended.

Restore the replication link to begin the recovery process.

Error

ID Event

2118 Object replicated with collisions

2119 Object did not replicate

2120 Object did not replicate; will retry later

2121 Duplicate elimination service sort started

2122 Duplicate elimination service sort finished

2123 Duplicate elimination service sort stopped without finishing

2126 Replica capacity limit reached

2127 Time sync problem

2128 Collisions occurred on replication link

Explanation Action

An object being replicated conflicts with an existing object on the target system. The object has been stored in the .lost+found directory on the target system.

An object was not replicated.

No action is required.

Contact your authorized service provider.

Severity

Warning

Error

An object was not replicated. Replication of the object will be retried later.

Monitor the replica to see whether this object is eventually replicated. If the object does not replicate within one week, contact your authorized service provider.

No action is required.

Warning

Notice

The duplicate elimination service has started the sort phase of its run.

The duplicate elimination service successfully finished the sort phase of its run.

The duplicate elimination service stopped during its sort phase without completing its run. The service will resume at some point in the future.

No action is required.

No action is required.

Notice

Notice

Warning

HCP suspended a replication link due to insufficient capacity on the replica.

Add storage capacity to the replica and resume the replication link.

The time on this system is not in sync with the time on the other system in a replication link in which this system participates.

Ensure that time is synchronized on all the HCP systems in the replication topology.

One or more collisions occurred on a replication link in the last 24 hours.

No action is required.

Warning

Warning

ID Event Explanation Action Severity

2129 Replication link failed over automatically

A replication link failed over automatically because communication was disrupted for an extended period of time.

The replicated tenants and directories are now read-write on the replica and read-only on the primary system.

2130 Replication link failed over automatically

A replication link failed over automatically because communication was disrupted for an extended period of time.

Redirect client requests to the replica.

Notice

No action is required.

Notice

Warning

2131 Replication link final data recovery started automatically

2132 Replication link automatically failed back

Final data recovery has started automatically on a replication link. The replicated tenants and directories are now read-only on both the primary system and the replica.

A replication link failed back automatically.

No action is required.

No action is required.

2140 Replication SSL certificate downloaded

A user downloaded an SSL server certificate for replication.

No action is required.

2141 New replication SSL certificate uploaded

A user uploaded a new replication client certificate.

No action is required.

2142 Replication SSL certificate deleted

A user deleted a replication client certificate.

2143 Replication link progress checkpoints reset

A user set the replication progress checkpoints to a specified time. Replication will begin from this new point in time.

No action is required.

No action is required.

2144 Replication link rejected A replication link was rejected.

If this event is unexpected, contact your authorized service provider.

Notice

Notice

Notice

Notice

Warning

Warning

ID Event Explanation

2145 Replication link final data recovery pass started

The final data recovery pass has started on a replication link. The replicated tenants and directories are now read-only on both the primary system and the replica.

2146 Replication link suspended automatically

A replication link was suspended because of a problem.

Action

No action is required.

Ensure that the primary system, the replica, and the network are healthy. Then resume the link.

2147 Replication adversely affected due to failed network connections

A front-end network connection is unavailable.

2148 Replication automatically paused for a tenant due to error

Replication was automatically paused for a tenant due to a problem from which HCP could not recover by itself.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

Ensure that the primary system, the replica, and the network are healthy and that no tenant collisions have occurred. Then resume replication for the paused tenant.

2149 Replication paused for a tenant

2150 Replication resumed for a tenant

A user paused replication of a tenant.

A user resumed replication of a tenant.

No action is required.

No action is required.

2151 Replication link suspended according to schedule

A replication link was suspended according to schedule.

2152 Replication link performance level changed according to schedule

The performance level of a replication link changed according to schedule.

No action is required.

No action is required.

2153 Replication link schedule updated

No action is required.

2161 All replication links shut down

2162 All replication links reestablished

The schedule for a replication link was updated.

A user shut down all replication links.

A user reestablished all replication links.

No action is required.

No action is required.

Severity

Warning

Error

Error

Error

Notice

Notice

Notice

Notice

Notice

Notice

Notice

ID Event

2163 Replication stalled

Explanation Action

Replication stalled while replicating an object.

If the problem persists, contact your authorized service provider.

The storage tiering service has started.

No action is required.

Severity

Error

2200 Storage tiering service started

2201 Storage tiering service stopped: run complete

2203 Storage tiering service stopped without finishing

2204 Storage tiering service stopped without finishing

2300 User account created

2301 User account updated

2302 User account deleted

The storage tiering service finished successfully.

No action is required.

The storage tiering service was interrupted without examining all objects.

No action is required.

The storage tiering service was interrupted without examining all objects.

A user created a user account.

No action is required.

No action is required.

A user updated a user account.

A user deleted a user account.

No action is required.

No action is required.

Notice

Notice

Warning

Notice

Notice

Notice

Notice

2303 User authenticated A user login to the System Management Console was successfully authenticated.

No action is required.

2304 Authentication attempt by unknown user

A user tried to log in with an unknown username.

Have the user log in with a valid username and password.

Notice

Warning

2305 Account reenabled by timer

2306 Account is disabled

A disabled security user account has been automatically reenabled.

A user tried to log in with a disabled account.

No action is required.

Reenable the user account to allow the user to log in.

Notice

Warning

Reenable the user account to allow the user to log in.

Warning

2307 Account has been inactive for too long

A user tried to log in with an account that was disabled due to inactivity.

2308 Account does not include the required roles

A user tried to log in with an account that does not include a required role.

2309 Password is invalid A user tried to log in with an invalid password.

Update the account to include the required role to allow the user to log in.

Warning

Have the user log in with a valid username and password.

Warning

ID Event

2310 Remote authentication server error

Explanation

The login for a remotely authenticated user failed due to an error communicating with a RADIUS server.

Action

Check the health of the RADIUS servers and the connections to them. If you cannot detect any problems, contact your authorized service provider.

No action is required.

Severity

Warning

2311 Password changed

2312 Account enabled

2313 Account disabled

No action is required.

No action is required.

Notice

Notice

Notice

2314 Account disabled due to too many failed logins

A user account was automatically disabled due to too many failed login attempts.

Reenable the user account and have the user log in with a valid username and password.

No action is required.

Warning

Notice

2315 Account will be reenabled A security user account will be reenabled automatically after a waiting period.

2316 All accounts reset

Warning

2317 User authenticated

A user reset user accounts to their initial configuration. All accounts have been deleted and the initial accounts have been recreated.

No action is required.

A user login to the Search Console was successfully authenticated.

No action is required.

Notice

2319 Active Directory server error

A user changed the password for a user account.

A user account has been enabled.

A user account has been disabled.

2330 RADIUS server created

2331 RADIUS server updated

2332 RADIUS server deleted

A user tried to log in with an invalid Active Directory username or password.

A user configured a new RADIUS server.

Have the user log in with a valid username and password.

No action is required.

Warning

Notice

A user updated the configuration of a RADIUS server.

A user deleted a RADIUS server.

No action is required.

No action is required.

Notice

Notice

ID Event Explanation

2333 RADIUS server promoted A user moved a RADIUS server up in the list.

2334 RADIUS server demoted A user moved a RADIUS server down in the list.

2335 All RADIUS servers deleted

2340 An exception occurred while removing Service Principal Name from Active Directory

2342 Successfully added Service Principal Name to Active Directory

2344 Failed to add Service Principal Name to Active Directory

2346 An exception occurred while adding Service Principal Name to Active Directory

2350 Group account created

Action

No action is required.

No action is required.

Severity

Notice

Notice

A user deleted all RADIUS servers. The list of RADIUS servers is now empty.

No action is required.

HCP failed to remove a Service Principal Name from Active Directory.

Verify that the Service Principal Name was removed from Active Directory.

No action is required.

HCP successfully added a Service Principal Name to Active Directory.

HCP failed to add a Service Principal Name to Active Directory.

HCP failed to add a Service Principal Name to Active Directory.

Verify that the Service Principal Name was added to Active Directory.

Verify that the Service Principal Name was added to Active Directory.

Warning

Warning

Notice

Warning

Warning

Notice

2352 Group account updated

2354 Group account deleted

2356 Active Directory SSL certificate downloaded

2357 New Active Directory SSL certificate uploaded

2358 Active Directory SSL certificate deleted

2359 Active Directory authentication enabled

A user created a group account.

A user updated a group account.

A user deleted a group account.

No action is required.

No action is required.

No action is required.

A user downloaded an SSL server certificate for Active Directory.

No action is required.

A user uploaded a new Active Directory SSL server certificate.

No action is required.

A user deleted an Active Directory SSL server certificate.

A user enabled Active Directory authentication for the HCP system.

No action is required.

No action is required.

Notice

Notice

Notice

Notice

Notice

Notice

ID Event

2360 Active Directory authentication disabled

Explanation

A user disabled Active Directory authentication for the HCP system.

A user cleared the Active Directory cache.

Action

No action is required.

2361 Active Directory cache cleared

No action is required.

2362 Active Directory partially configured

2363 Active Directory computer account is invalid

CIFS configuration is not complete on the indicated node.

Reconfigure support for Active Directory in the System Management Console.

The Active Directory computer account is invalid.

Reconfigure support for Active Directory in the System Management Console.

2364 Active Directory communication disrupted

The CIFS services are no longer running on the indicated node.

2365 Attempt to access the Active Directory server failed

A connection issue occurred while the indicated node was trying to access the Active Directory server.

2366 Active Directory configuration restored

2367 Active Directory computer account restored

A user updated the Active Directory configuration.

No action is required.

A user updated the Active Directory computer account.

No action is required.

No action is required.

2368 Active Directory communication restored

2369 Communication restored when trying to access the Active Directory server

The indicated node can now communicate with the Active Directory server. HCP can again service CIFS requests.

The indicated node can now communicate with the Active Directory server.

2370 Could not establish secure connection to the Active Directory server

The Active Directory computer account credentials are invalid, or there is no current Active Directory SSL server certificate.

Reconfigure support for Active Directory in the System Management Console to restart the CIFS service.

No action is required.

No action is required.

Update the Active Directory credentials or SSL server certificate.

Severity

Notice

Notice

Warning

Warning

Warning

Warning

Notice

Notice

Notice

Notice

Notice

ID Event

2371 Secure connection to Active Directory server restored

2372 Active Directory single sign-on misconfigured

2373 Active Directory single sign-on restored

2375 Active Directory service record lookup failed

2376 Active Directory DNS reverse lookup succeeded

2377 Active Directory DNS reverse lookup failed

2378 Active Directory service records were not found.

2379 Winbind unavailable

2380 Failed to check Active Directory service account and connectivity

Explanation Action Severity

A user updated the Active Directory computer account credentials or SSL server certificate.

No action is required.

Notice

The Active Directory SPN for a tenant and/or namespace does not exist.

Update the Active Directory single sign-on setting for the tenant and/or namespace. For information on which tenants are involved, see the Status section on the Authentication page in the HCP System Management Console.

Warning

The Active Directory SPN was created for the misconfigured tenants and/or namespaces.

No action is required.

The Active Directory service record lookup failed for the indicated domain.

Check the DNS configuration.

The Active Directory DNS reverse lookup succeeded for the indicated domain.

The Active Directory DNS reverse lookup failed for the indicated domain.

No action is required.

Check the DNS configuration.

Warning

Warning

Notice

Warning

The Active Directory service records were not found during an Active Directory health check.

Winbind was found to be unavailable during an Active Directory health check.

Check the DNS configuration.

Update your Active Directory configuration.

Warning

Warning

Exception occurred while validating service account and connectivity for Active Directory during health check.

Check the Active Directory connection and service account.

Warning

ID Event

2381 Samba not running

2382 Missing SPN(s) on Active Directory Server

2383 Active Directory LDAP service record lookup succeeded

2384 Active Directory LDAP service record lookup failed

2385 Active Directory kerberos service record lookup succeeded

2386 Active Directory Kerberos service record lookup failed

2387 Active Directory service account creation successful

2388 Failed to create Active Directory service account

2389 Active Directory node account created

2390 Active Directory successfully disabled

2391 Failed to disable Active Directory

2392 Active Directory node account deleted

Explanation Action

HCP could not get the status of Samba during an Active Directory health check.

Update your Active Directory configuration.

One or more tenant/namespace SPNs are missing from the Active Directory database.

Update your Active Directory configuration.

Severity

Warning

Warning

HCP successfully looked up the LDAP service record for the indicated Active Directory domain.

Failed to look up the LDAP service record for Active Directory domain.

No action is required.

Check that the DNS server is configured to publish LDAP service records.

Notice

Warning

HCP successfully looked up the Kerberos service record for the indicated Active Directory domain.

Failed to look up the Kerberos service record for Active Directory domain.

No action is required.

Notice

Check that the DNS server is configured to publish the Kerberos service record and that the Kerberos server is running.

Warning

HCP successfully created an Active Directory service account on the indicated Active Directory server.

HCP failed to create a service user account.

No action is required.

Check that the user name and password are correct.

Notice

Warning

No action is required.

Notice

An Active Directory node account was successfully created for the indicated node.

A user disabled support for Active Directory.

No action is required.

Notice

A user's attempt to disable Active Directory configuration failed.

Active Directory node account was successfully deleted.

Check that the Active Directory server was running and not already disabled.

No action is required.

Warning

Notice

ID Event

2393 Active Directory service user password updated

2394 Failed to update Active Directory service user password

2395 Successfully removed Service Principal Name from Active Directory.

Successfully removed Service Principal Name from the Active Directory.

2400 New SSL server certificate uploaded

A user uploaded an SSL server certificate.

No action is required.

2401 New SSL server certificate signing request generated

A user requested a new certificate signing request.

No action is required.

2402 New SSL server certificate generated

A user requested the creation of a new SSL server certificate.

No action is required.

2403 SSL server certificate expires soon

2404 SSL server certificate expired

2405 Trusted replication server certificate expires soon

Explanation

Automatic password updated because password refresh period elapsed.

HCP may not have sufficient permissions to update the service user password.

Action

No action is required.

Update Active Directory configuration and provide a domain user with sufficient permissions for password update.

No action is required.

Severity

Warning

Warning

Notice

Notice

Notice

Notice

The SSL server certificate for this system expires soon. If the certificate expires, HTTPS access to the system will fail, and replication will fail.

The SSL server certificate for this system has expired. HTTPS access to the system is not allowed, and replication has stopped.

Install a new SSL server certificate with a later expiration date.

Install a new SSL server certificate with a later expiration date.

Warning

Error

The indicated trusted replication server certificate expires soon. If the certificate expires, replication with the system from which the certificate was obtained will fail.

When the other system in the replication pair installs a new SSL server certificate, obtain that certificate and upload it to this system as a trusted replication server certificate.

Warning

ID Event

2406 Trusted replication server certificate expired

2407 Active Directory server certificate expires soon

2408 Active Directory server certificate expired

Explanation

The indicated trusted replication server certificate has expired.

Replication with the system from which the certificate was obtained has stopped.

Action Severity

When the other system in the replication pair installs a new SSL server certificate, obtain that certificate and upload it to this system as a trusted replication server certificate.

Install a new Active Directory SSL server certificate with a later expiration date.

Error

Warning

The Active Directory SSL server certificate expires soon. If the certificate expires, access to the Active Directory server may fail.

The Active Directory SSL server certificate has expired. Access to the Active Directory server may fail.

A user deleted an SSL server certificate.

Install a new Active Directory SSL server certificate with a later expiration date.

No action is required.

A user downloaded an SSL certificate signing request.

No action is required.

Error

Notice

Notice

2409 SSL server certificate deleted

2410 SSL server certificate signing request downloaded

2411 Active Directory service account deletion successful

2412 Failed to delete Active Directory service account

2413 Failed to join domain and create Active Directory node account

2414 Failed to leave domain and delete Active Directory node account

2415 Active Directory domain resolution successful

HCP successfully deleted an Active Directory service account on the indicated Active Directory server.

No action is required.

The Active Directory server is either unreachable or the node account does not exist.

HCP successfully resolved an Active Directory domain.

Notice

The Active Directory server is either unreachable or the service account does not exist.

Check that the user name and password are correct, and that the server is reachable.

Warning

The Active Directory server is either unreachable or the node account does not exist.

Check that the user name and password are correct, and that the server is reachable.

Warning

Check that the user name and password are correct, and that the server is reachable.

No action is required.

Warning

Notice

ID Event

2416 Active Directory domain resolution failed

2417 Active Directory domain join failed

Explanation

The DNS server may not be configured to return Active Directory server IP addresses.

The Active Directory domain may be unreachable, or the user account may be invalid.

Action Severity

Check that the DNS server is configured to resolve the domain name of the Active Directory server.

Warning

Check that the KDC, LDAP, and Global Catalog servers are running on the domain controller, and that the service account is valid.

Warning

Warning

2418 An error occured while communicating with Active Directory

2500 NDMP signing key uploaded

2501 NDMP encryption key uploaded

2502 NDMP key deleted

The Active Directory domain may be unreachable, or the service user account may be invalid.

Check that the service account is valid and the Active Directory server is reachable.

A user uploaded an NDMP signing key.

No action is required.

A user uploaded an NDMP encryption key.

No action is required.

A user deleted an NDMP signing or encryption key.

No action is required.

No action is required.

2600 Node shutdown requested from System Management Console

A user shut down a node from the System Management Console.

2601 HCP shutdown requested from System Management Console

A user shut down HCP from the System Management Console.

No action is required.

2602 Service started

2603 Service stopped

2604 Service enabled

2605 Service disabled

2606 Configuration changed

A user started a service from the System Management Console.

A user stopped a service from the System Management Console.

A user enabled a service from the System Management Console.

A user disabled a service from the System Management Console.

A user changed a configuration value of an HCP component.

No action is required.

No action is required.

No action is required.

No action is required.

No action is required.

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

ID Event

2607 Version upgraded

Explanation

A user completed a software upgrade by updating the internal messaging version.

A user acknowledged an irreparable object.

Action

No action is required.

2609 Irreparable object acknowledged

2610 All irreparable objects acknowledged

2611 Eject CD requested from System Management Console

2614 Unauthorized action

A user acknowledged all irreparable objects.

A user requested the ejection of the CD tray from a node.

A user has requested an operation that is not authorized for the user account.

No action is required.

No action is required.

No action is required.

If the user should be allowed to perform this operation, add the required role to the user account.

No action is required.

2615 Configuration changed A user changed a configuration value of an HCP component.

2616 Upgrade started

2617 Node restart requested from System Management Console

A user has started an upgrade of the HCP software.

A user restarted a node from the System Management Console.

No action is required.

No action is required.

2618 HCP restart requested from System Management Console

A user restarted HCP from the System Management Console.

No action is required.

2619 Restart or shutdown command could not be executed

An attempt to restart or shut down a node could not be executed.

The node may already be down.

No action is required.

2620 Upgrade completed successfully

2621 OpenStack Identity Service cache cleared

An upgrade of the HCP software completed successfully.

The OpenStack Identity Service cache has been cleared. Credentials need to be manually re-authenticated.

No action is required.

No action is required.

Severity

Notice

Warning

Warning

Notice

Warning

Notice

Notice

Notice

Notice

Notice

Notice

Notice

ID Event

2622 OpenStack Identity Service authentication enabled

2623 OpenStack Identity Service authentication disabled

Explanation Action

The OpenStack Identity Service authentication has been enabled.

No action is required.

The OpenStack Identity Service authentication has been disabled.

No action is required.

2624 Connection to OpenStack Identity Service failed

2625 Connection to OpenStack Identity Service restored

2700 Simple search query performed

2701 Advanced search query performed

2702 Connection to HDDS server failed

A user performed a simple search.

A user performed an advanced search.

No action is required.

No action is required.

HCP could not connect to the HDDS server.

Check the health of the HDDS server and the network connecting HCP to that server.

No action is required.

2703 Connection to HDDS server restored

2704 HDDS statistics credentials authentication failed

2705 HDDS statistics credentials authentication successful

The connection to the HDDS server has been restored.

HDDS authentication failed using the configured statistics credentials.

Ensure that the statistics credentials specified for the HDDS search facility are valid.

No action is required.

HDDS authentication succeeded using the configured statistics credentials.

2706 Search facility configuration changed

2707 Search Console disabled

HCP could not connect to the OpenStack Identity Service.

The connection to the OpenStack Identity Service has been restored.

No action is required.

No action is required.

A user changed the search facility configuration.

No action is required.

A user changed the search facility selection for the Search Console to none, thereby disabling the ability to perform searches in that Console.

No action is required.

Severity

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice


ID Event

2800 Network interface down

Explanation

A network interface went down.

Action

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

Severity

Error

2801 Network interface up

2802 Temperature sensor alarm

2807 Voltage sensor alarm removed

A network interface came up.

A temperature sensor is reporting a temperature that is out of the recommended range.

Notice

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

Error

Notice

2803 Temperature sensor alarm removed

A temperature sensor is reporting a return to an acceptable operating temperature.

2804 Fan sensor alarm

A fan sensor is reporting a fan speed that is out of the recommended range.

2805 Fan sensor alarm removed

A fan sensor is reporting a return to an acceptable fan speed.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

2806 Voltage sensor alarm

Error

Notice

Error

A voltage sensor is reporting a voltage that is out of the recommended range.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

A voltage sensor is reporting a return to an acceptable operating voltage.

Notice

2808 File system alarm

2809 File system alarm removed

A file system has reached the capacity warning threshold.

A file system has fallen below the capacity warning threshold.

Consider adding storage capacity to the HCP system before the amount of free storage becomes critically low.

No action is required.

Error

Notice


ID Event

2810 Disk device alarm

Explanation

A disk device is reporting that it is not in a fully functional state.

Action

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

Severity

Error

2811 Disk device alarm removed

2812 Power supply alarm

A disk device is reporting that it has returned to a fully functional state.

A power supply is indicating a problem.

Notice

2813 Power supply alarm removed

2816 Multipath degraded

A power supply is reporting that it has returned to a fully functional state.

2814 Processor alarm

2815 Processor alarm removed

A processor is indicating a problem.

A processor is reporting that it has returned to a fully functional state.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

Error

Notice

Error

2817 Multipath restored

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

Error

Notice

Redundant fibre channel connections to storage are not functioning correctly.

Redundant access to the underlying storage has been restored.

Check the connections to the storage. If a problem exists, contact your authorized service provider.

No action is required.

Notice

2820 IP configuration information changed

2830 Time is unsynchronized

A user changed network configuration settings through the System Management Console.

Neither the external nor internal time servers could be reached for synchronization.

No action is required.

Check that network and time settings are correct.

Notice

Warning


ID Event Explanation Action Severity

2831 Using internal time server

The external time server could not be reached for synchronization.

If your system is configured to use the internal time server, no action is required. Otherwise, check that network and time settings are correct.

Notice

2832 Using external time server

The external time server was successfully contacted for synchronization.

No action is required.

Notice

2833 Lost connection to external time server

2834 System time changed due to resynchronization with external time server

The external time server could not be contacted for synchronization.

Check that network and time settings are correct.

When HCP started, the system time was resynchronized to an external time server because the system time was off by more than 1000 seconds. This time change may affect object retention.

Check that network and time settings are correct.

2835 Battery backup unit failed

A battery backup unit sensor is reporting that a BBU has failed.

2836 Battery backup unit restored

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

Notice

Warning

Error

Notice

2837 Battery backup unit degraded

A battery backup unit sensor is reporting that a BBU has returned to a fully functional state.

A battery backup unit sensor is reporting that the BBU is degraded.

2843 Front-end Ethernet communication error

A network switch may have become unavailable.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

Error

Error

2844 Front-end Ethernet communication restored

The front-end Ethernet interface has returned to a normal state.

No action is required.

Notice


ID Event

2845 Network interface degraded

2846 Network interface recovered

2847 Network interface not functioning properly

2848 Network interface recovered

2849 Network interface degraded

2850 Network interface recovered

2851 Front-end IPv6 communication error

2852 Front-end IPv6 communication restored

3000 System updated

3001 Tenant created

3002 Tenant updated

3003 Tenant deleted

Explanation Action

Either the network interfaces in a bonded network interface are not operating at the same speed, or they are not operating at the requested speed.

Check that the hardware is functioning properly. If the problem persists, contact your authorized service provider.

A network interface is now operating correctly.

No action is required.

Severity

Error

Notice

Either a network interface is missing, or a network interface exists on a node with no IP address assigned.

Check that the physical network is functioning properly. If it is, try resetting the network. If the problem persists, contact your authorized service provider.

A network interface is now operating correctly.

No action is required.

A network interface is not operating at the requested MTU.

Check that the hardware is functioning properly. If it is, try resetting the network. If the problem persists, contact your authorized service provider.

A network interface is now operating correctly.

No action is required.

Error

Notice

Error

Notice

A network switch may have become unavailable, or IPv6 may not be functioning on the indicated interface.

Check that the hardware is functioning properly. If a problem exists, contact your authorized service provider.

No action is required.

IPv6 communication through the indicated front-end Ethernet interface has been restored.

Error

Notice

HCP system properties have been updated.

A user created a tenant.

No action is required.

No action is required.

A user updated a tenant.

No action is required.

A user deleted a tenant.

No action is required.

Notice

Notice

Notice

Notice


ID Event

3026 Tenant over soft quota

3027 Tenant under soft quota

Explanation

The amount of storage used by all namespaces owned by a tenant exceeds the soft quota configured for the tenant.

The amount of storage used by all namespaces owned by a tenant is under the soft quota configured for the tenant.

Action

Contact the tenant administrator about increasing the hard quota for the tenant.

No action is required.

Severity

Warning

Warning

3029 Installed new HCP version

A new version of the HCP software was successfully installed.

3030 Tenant at namespace quota

The number of namespaces owned by the tenant is equal to the namespace quota for the tenant.

No action is required.

No action is required.

3031 Tenant over namespace quota

3034 Namespace maximum reached

3035 Namespace maximum exceeded

3036 Username conflict

Notice

Warning

The number of namespaces owned by the tenant is greater than the namespace quota for the tenant.

Either increase the namespace quota for the tenant or have the tenant administrator delete one or more namespaces.

No action is required.

The current number of namespaces is the maximum allowed for the HCP system.

The current number of namespaces is greater than the maximum allowed for the HCP system.

The indicated tenant has multiple user accounts with the same name. For any given tenant, all user accounts must have a unique username.

Have the administrators for one or more tenants delete one or more namespaces to reduce the total number of namespaces to at or below the maximum allowed for the HCP system.

Warning

Warning

Warning

Have the administrator for the tenant rename one account or merge duplicate accounts together.

Warning

3500 Running migration

The migration service has begun migrating data.

No action is required.

Notice


ID Event

3501 Migration complete

3502 Pausing migration

3503 Preparing migration

3504 Verifying migration

Explanation

The migration service has completed the data migration.

Action

To remove the decommissioned hardware, contact your authorized service provider.

No action is required.

A user paused the data migration.

The migration service has begun preparing to migrate data.

The migration service has begun verifying the data migration.

No action is required.

No action is required.

3505 Migration service off

3506 Migration service performance level updated

The migration service is no longer running.

A user changed the migration service performance level.

3507 Migration description updated

3509 Migration service: irreparable object

A user changed the migration description.

The migration service was unable to migrate an object and has marked it irreparable.

No action is required.

No action is required.

No action is required.

Contact your authorized service provider.

3510 Pausing migration

Contact your authorized service provider.

3511 Error completing migration

4106 Ingest-time override setting has been changed

The migration service automatically paused the data migration because the HCP system does not have enough available space for the objects being migrated.

The migration service encountered an unrecoverable error while trying to complete the data migration.

The ingest-time override setting was changed.

Contact your authorized service provider.

No action is required.

Severity

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Error

Error

Error

Warning


ID Event

4107 Chassis communication error

4108 Communication from unknown node

Explanation

HCP cannot communicate with the indicated chassis through SNMP.

Nodes from another HCP system were detected on the network.

Action Severity

Check network connectivity to the chassis. Also check that the chassis is configured to accept SNMP requests from the lowest-numbered available storage node in the HCP system.

Check the back-end network. A back-end network can support only one HCP system.

Error

Error

Check the back-end network. A back-end network can support only one HCP system.

No action is required.

Error

Notice

4109 Communication from node at previous version

4110 Metadata query engine indexing started

Nodes from another HCP version were detected on the network, and no upgrade is in process.

A user enabled metadata query engine indexing.

4111 Metadata query engine indexing stopped

4112 Metadata query engine is available

A user disabled metadata query engine indexing.

The metadata query engine is running on the indicated node.

4113 Metadata query engine is not available

4116 Metadata query engine index capacity warning

4117 Metadata query engine index capacity error

The metadata query engine is not running on the indicated node. As a result, the query API is unavailable for object-based queries. If the Search Console is using the query engine, searching through the Console is also unavailable.

The size of the metadata query engine index has reached a warning threshold.

The size of the metadata query engine index has reached an error threshold.

No action is required.

No action is required.

No action is required. If this situation persists, contact your authorized service provider.

Increase the maximum size allowed for the metadata query engine index.

Increase the maximum size allowed for the metadata query engine index.

Warning

Notice

Warning

Warning

Error


ID Event

4118 Metadata query engine index capacity reached

4119 Metadata query engine index partially unavailable

Explanation

The size of the metadata query engine index has reached the maximum threshold.

Part of the metadata query engine index is unavailable due to one or more logical volumes being unavailable.

Indexing is temporarily paused, and queries cannot be serviced.

Action

Increase the maximum size allowed for the metadata query engine index.

Make the unavailable logical volumes available.

Alternatively, rebuild the index by first deleting it and then reenabling indexing. Note that rebuilding the index can take a significant amount of time.

4120 Metadata query engine out of memory for indexing

No more memory is available for metadata query engine indexing.

Indexing was automatically disabled.

4200 RAID group spun down

A RAID group was spun down.

4201 RAID group spun up

4202 Error spinning down RAID group

A RAID group was spun up.

An error occurred while spinning down a RAID group.

4203 Error spinning up RAID group

4204 Back-end switch communication failure

An error occurred while spinning up a RAID group.

A back-end switch is not communicating with HCP.

4205 Back-end switch failure

4206 Back-end switch restored

A back-end switch is reporting a problem.

A back-end switch is reporting a return to a functional state.

Add memory to the system by adding nodes or upgrading existing nodes. Then reenable metadata query engine indexing.

No action is required.

No action is required.

Contact your authorized service provider.

Contact your authorized service provider.

Check that the switch is functioning properly. If the problem persists, contact your authorized service provider.

Check that the switch is functioning properly. If the problem persists, contact your authorized service provider.

No action is required.

Severity

Error

Error

Error

Notice

Notice

Error

Error

Error

Error

Notice


ID Event

4207 Objects read from spindown storage

4208 Objects read from spindown storage

4209 Time server changed

4210 Current time changed

4211 Time zone changed

4212 Service plan created

4213 Service plan updated

4214 Service plan deleted

4215 Failover completed

4216 Failback started

4217 Failback completed

Explanation

For the indicated tenant, one or more clients read objects from spindown storage.

For the indicated namespace, one or more clients read objects from spindown storage.

Action

Ensure that the service plan in use is appropriate for the data usage pattern.

Ensure that the service plan in use is appropriate for the data usage pattern.

A user changed the time server for the HCP system.

A user changed the current time for the HCP system.

A user changed the time zone for the HCP system.

A user created a service plan.

A user updated a service plan.

A user deleted a service plan.

No action is required.

No action is required.

No action is required.

No action is required.

No action is required.

No action is required.

A node in a cross-mapped pair became unavailable.

The other node in the pair has finished taking over management of the logical volumes previously managed by the unavailable node.

No action is required.

A previously unavailable node in a cross-mapped pair has become available again and has begun the process of taking back management of its logical volumes from the other node in the pair.

No action is required.

A node in a cross-mapped pair has finished taking back management of its logical volumes, which had previously failed over to the other node in the pair.

No action is required.

Severity

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Warning

Warning

Notice


ID Event

4218 Monitored component added

4219 Monitored component deleted

Explanation Action

A user added a monitored component.

No action is required.

A user deleted a monitored component.

No action is required.

4221 Tenant tags updated

4222 Time settings compliance mode changed

4223 Failover completed

4224 Failback started

5100 Network created

5101 Network updated

5102 Network deleted

5103 Network alias created

5104 Network alias updated

5105 Network alias deleted

A user updated the tags for a tenant.

A user changed the time settings compliance mode for the HCP system.

No action is required.

No action is required.

A node in a cross-mapped pair became unavailable.

The other node in the pair has finished taking over management of the logical volumes previously managed by the unavailable node.

No action is required.

A previously unavailable node in a cross-mapped pair has become available again and has begun the process of taking back management of its logical volumes from the other node in the pair.

No action is required.

A user created a network.

No action is required.

A user updated a network.

No action is required.

A user deleted a network.

No action is required.

A user created a network alias.

No action is required.

A user updated a network alias.

No action is required.

A user deleted a network alias.

No action is required.

5106 Network IP address assigned to node

A user assigned a network IP address to a node.

5107 Node IP address changed

A user changed a network IP address for a node.

No action is required.

No action is required.

5108 Network IP address removed from node

5109 Network reset

A user removed a network IP address from a node.

A user reset a network.

No action is required.

No action is required.

Warning

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Notice

Severity

Notice

Notice

Notice

Notice


ID Event

5110 Domain created

5111 Domain deleted

Explanation Action

A user created a domain.

No action is required.

A user deleted a domain.

No action is required.

Severity

Notice

Notice

5112 Network status changed

5113 Replication network changed

5114 Domain renamed

5115 Objects read from external storage

The status of a network changed due to one or more node IP addresses being added or removed.

A user chose a new replication network.

No action is required.

No action is required.

A user renamed a domain.

No action is required.

For the indicated tenant, one or more clients read objects from external storage.

Ensure that the service plan in use is appropriate for the data usage pattern.

Notice

Notice

Notice

Notice

5116 Objects read from external storage

For the indicated namespace, one or more clients read objects from external storage.

5117 System IP mode updated

A user updated advanced network settings.

5118 Virtual network management updated

5119 Failure accessing cloud storage

A user updated advanced network settings.

The HCP system encountered errors while accessing cloud storage.

5120 Service plans created during upgrade

5121 Running retirement

5122 Retirement service performance level updated

5123 Pausing retirement

A user changed the retirement service performance level.

A user paused the retirement service.

Ensure that the service plan in use is appropriate for the data usage pattern.

No action is required.

No action is required.

Check network connectivity to the cloud storage. Also check account credentials and permissions.

Warning

New retired service plans were created during upgrade to satisfy namespace DPL requirements.

The retirement service has begun storage volume retirement.

Review your service plans.

Notice

No action is required.

Notice

No action is required.

Notice

No action is required.

Notice

Notice

Notice

Notice

5124 Retirement service off

The retirement service is no longer running.

No action is required.

Notice


ID Event

5200 Default protocol optimization setting updated

5201 Namespace optimized

Explanation Action

The default protocol optimization setting has been updated to optimize for cloud protocols only or all access protocols.

No action is required.

Eligible namespaces have been optimized for cloud protocols.

No action is required.

Severity

Notice

Notice


Appendix C: Zero-copy failover behavior

In a SAIN system, zero-copy failover is the process of one node automatically taking over management of storage previously managed by another node that has failed. Support for zero-copy failover is configured at the storage tier and enabled in the HCP system configuration.

Zero-copy failover is supported for storage nodes only.

This chapter describes the storage setup required to support zero-copy failover and explains how zero-copy failover works.


Storage setup for zero-copy failover

In a SAIN system, nodes have both physical and logical connections to the SAN storage. The physical connections are through paths established by Fibre Channel cables and, in some systems, Fibre Channel switches. The logical connections are through mappings of the logical volumes in the storage array to the nodes.

Physical paths

In an HCP SAIN system, each node has two physical paths to the storage array. This is called multipathing.

The figure below shows two nodes, A and B, at the bottom, each with a multipath connection to the storage array at the top.

[Figure: Storage array with logical volumes; Node A and Node B]

Logical mappings

To support zero-copy failover, the logical volumes in the storage array must be cross-mapped to the nodes. Cross-mapping means that each logical volume that maps to one node (A) must also map to the same second node (B), called the peer node. The mappings to node A are the primary mappings for those logical volumes, and the mappings to node B are the standby mappings. Similarly, each logical volume with a primary mapping to node B must have a standby mapping to node A.


The figure below shows two sets of logical volumes in a storage array that map to two nodes, A and B. The primary mappings for each node are shown in blue. The secondary mappings are shown in red.

[Figure: Storage array with logical volumes; Node A and Node B]

Failing over and failing back

Under normal circumstances, each node in a cross-mapped pair manages the logical volumes with primary mappings to it. However, if one node becomes unavailable and zero-copy failover is enabled, its peer can take over management of those volumes. The process of one node taking over storage management from another is called failover.

When an unavailable node rejoins the HCP system, it normally takes back management of its own logical volumes. This process is called failback.

Notes:

• During failover, all spindown volumes on the node taking over are spun up. During failback, all spindown volumes on both nodes are spun up.

• Zero-copy failover does not apply to external storage volumes. If a node becomes unavailable, the external storage volumes it manages also become unavailable.

System Management Console information on failover

During failover, the logical volumes associated with the node that became unavailable first appear as initialized ( ) on the Hardware page in the HCP System Management Console. After the peer takes over a logical volume, the icon moves from the row for the unavailable node to the row for the peer, where it once again shows as available ( ). For information on how logical volume status is represented on the Hardware page, see “About the Nodes page” on page 92.

While any logical volumes are in a failed-over state, this alert appears in the alerts section on the Overview page:

Data access failover

For information on the alerts section of the Overview page, see “Alerts” on page 81.

Data outages during failover

While a logical volume is failing over, the data stored on it is temporarily unavailable. If the node that managed the volume became unavailable because you shut it down from the System Management Console, the data outage lasts less than five minutes.

If the node became unavailable for some other reason (for example, all physical paths between the node and the storage array broke, or the node itself failed), the data outage can last significantly longer. Factors that affect how long it lasts include:

• The number of logical volumes involved

• The size of the logical volumes

• The number of objects stored on the logical volumes

• The amount of data storage activity occurring when the node became unavailable

Data outages during node restart

When you restart a node from the System Management Console, its storage fails over to its peer during the shutdown part of the restart. The failover process finishes before the node completes its shutdown processing. The data outage caused by the failover lasts less than five minutes.

When the node comes back up, the failback process extends the startup processing by about 15 to 30 seconds. The data outage caused by the failback also lasts less than five minutes.


Data protection mechanism

Zero-copy failover uses a data protection mechanism that prevents the two nodes in a peer group from accidentally overwriting each other’s storage.

This mechanism needs to be accessible on all storage paths. It is used any time a node in the pair needs to mount or unmount a storage volume. This occurs when:

• A node starts

• A node stops

• A node takes over storage management from its peer (failover)

• A node releases control of storage it’s managing (failback)

To ensure access to the data protection mechanism, both paths between the node and the storage array must be available during these transitions.

If either path is not available, the node makes itself unavailable to guarantee the safety of the data.

If a path outage occurs, you should find and repair the cause of the outage before trying to start or stop any affected node.

Failover and physical path outages

When one physical path between a node and the storage array breaks, processing continues normally. If the second path for that node breaks while the first one is still broken, the node becomes unavailable, and failover occurs.

To return the node to service and fail back the logical volumes, you need to fix both paths before you reboot the node. The node will not return to service while either path is broken.

If a node managing failed-over storage has a path outage while its peer is still unavailable, processing continues normally. However, if the peer returns to service and takes back its storage, the node with the path outage then becomes unavailable, and failover occurs in the other direction. That is:

1. Node A fails.

2. Node A storage fails over to node B.

3. Node B has a path outage.

4. Node A returns to service.


5. Node A storage fails back to node A.

6. Node B becomes unavailable.

7. Node B storage fails over to node A.
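
The path-outage rules above can be checked against the seven-step sequence with a small state model. This is an added example, not HCP code: the class and method names are hypothetical, and the model encodes only the rules stated in this appendix (a node needs both paths to mount or unmount storage, and becomes unavailable when both of its paths break).

```python
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    paths_up: int = 2        # each node has two physical paths (multipathing)
    available: bool = True


class CrossMappedPair:
    """Simplified model of a cross-mapped pair, A and B (assumption, not HCP code).

    manager[x] is the node currently managing the logical volumes whose
    primary mapping is to node x, or None if no node can manage them.
    """

    def __init__(self):
        self.nodes = {"A": Node("A"), "B": Node("B")}
        self.manager = {"A": "A", "B": "B"}
        self.log = []

    @staticmethod
    def peer_of(name):
        return "B" if name == "A" else "A"

    def _make_unavailable(self, name, reason):
        node = self.nodes[name]
        if not node.available:
            return
        node.available = False
        self.log.append(f"Node {name} becomes unavailable ({reason})")
        peer = self.nodes[self.peer_of(name)]
        managed = [o for o in ("A", "B") if self.manager[o] == name]
        # Taking over storage is a mount. A peer with a broken path cannot
        # reach the data protection mechanism, so it makes itself unavailable.
        if managed and peer.available and peer.paths_up < 2:
            self._make_unavailable(peer.name, "path outage during failover")
        for owner in managed:
            if peer.available:
                self.manager[owner] = peer.name
                self.log.append(f"Node {owner} storage fails over to node {peer.name}")
            else:
                self.manager[owner] = None
                self.log.append(f"Node {owner} storage is unavailable")

    def fail(self, name):
        self._make_unavailable(name, "node failed")

    def break_path(self, name):
        node = self.nodes[name]
        node.paths_up = max(0, node.paths_up - 1)
        if node.available and node.paths_up == 0:
            self._make_unavailable(name, "both paths broken")
        elif node.available:
            self.log.append(f"Node {name} has a path outage; processing continues")

    def repair_path(self, name):
        node = self.nodes[name]
        node.paths_up = min(2, node.paths_up + 1)

    def return_to_service(self, name):
        node = self.nodes[name]
        if node.available or node.paths_up < 2:
            return False     # a node does not return while either path is broken
        node.available = True
        self.log.append(f"Node {name} returns to service")
        peer = self.nodes[self.peer_of(name)]
        peer_released = self.manager[name] == peer.name
        self.manager[name] = name
        if peer_released:
            self.log.append(f"Node {name} storage fails back to node {name}")
            # Releasing storage is an unmount on the peer and needs both paths.
            if peer.paths_up < 2:
                self._make_unavailable(peer.name, "path outage during failback")
        # Pick up the peer's volumes if nothing is managing them.
        if self.manager[peer.name] is None and not peer.available:
            self.manager[peer.name] = name
            self.log.append(f"Node {peer.name} storage fails over to node {name}")
        return True


def replay_documented_sequence():
    """Replay steps 1-7 of the sequence listed above."""
    pair = CrossMappedPair()
    pair.fail("A")                # steps 1 and 2
    pair.break_path("B")          # step 3
    pair.return_to_service("A")   # steps 4 through 7
    return pair


if __name__ == "__main__":
    for entry in replay_documented_sequence().log:
        print(entry)
```

In this model, node B stays out of service after the sequence until its broken path is repaired, at which point it can return and take back its own volumes.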


Appendix D: SNMP MIB support

You can use SNMP with HCP to view and modify system settings and receive notifications of certain types of events. HCP comes with a MIB, defined in the HCP-MIB.txt file, that includes fields and traps specific to the system. HCP also supports many of the standard Linux-based MIBs available with SNMP.

HCP-MIB exposes information about the HCP system as a whole, so you get the same information regardless of which storage node you access.

The standard MIBs, on the other hand, expose information about individual nodes, so the information you get applies only to the specific storage node that you access.

You can use many of the fields in HCP-MIB to both view and modify system values. With the fields in the standard MIBs, you can only view system values.

This appendix lists the supported standard MIBs and explains how to find out which fields are exposed through them. (HCP exposes all the fields in HCP-MIB.)

For more information on using SNMP with HCP, see “Configuring SNMP” on page 444. For descriptions of the fields HCP exposes in each supported MIB, including HCP-MIB, see the MIBs themselves. For information on downloading the HCP-MIB.txt file, see “Viewing and downloading the HCP-MIB.txt file” on page 449.


Supported standard MIB files

The standard MIBs that HCP supports contain fields in subtrees under the mib-2 and ucdavis roots. The fields HCP exposes are in the following MIBs, with exclusions as noted:

• With fields under mib-2:

– DISMAN-EVENT-MIB

– HOST-RESOURCES-MIB

– IF-MIB

– IP-FORWARD-MIB

– IP-MIB (excluding these groups: ipAddrTable, ipRouteTable, and ipNetToMediaEntry)

– IPV6-MIB

– MTA-MIB

– NOTIFICATION-LOG-MIB

– RFC1213-MIB (excluding this group: atTable)

– SNMPv2-MIB

– TCP-MIB (excluding this group: tcpConnTable)

– UDP-MIB (excluding this group: udpTable)

• With fields under ucdavis:

– LM-SENSORS-MIB

– UCD-DISKIO-MIB

– UCD-DLMOD-MIB

– UCD-SNMP-MIB


You can download:

• Files for all these MIBs, except MTA-MIB and RFC1213-MIB, from http://www.net-snmp.org/docs/mibs

• The file for MTA-MIB from http://www.oidview.com/mibs/0/MTA-MIB.html

• The file for RFC1213-MIB from http://www.oidview.com/mibs/0/RFC1213-MIB.html

Walking the MIB

To find out exactly which fields HCP exposes under mib-2 and ucdavis, you can walk the MIB. Walking the MIB means having the SNMP client query HCP for the exposed fields.

How you walk the MIB depends on your SNMP tool. The instruction below uses the command-line tool from the publicly available net-snmp package. You can download this package from http://www.net-snmp.org.

To walk the MIB with net-snmp, you use the snmpwalk command with this format:

snmpwalk -v snmp-version -c snmp-community-name node-ip-address-or-hostname mib-root

node-ip-address-or-hostname is a valid front-end IP address or hostname of a storage node in the HCP system. The node that you specify must be running and healthy (that is, it must be available to the system).

This sample snmpwalk command queries the node with the IP address 192.168.210.16 for the fields that HCP exposes in subtrees branching from mib-2:

snmpwalk -v 2c -c public 192.168.210.16 mib-2


Appendix E: Configuring DNS for HCP

Domain name system (DNS) is a network service that translates, or resolves, domain names (for example, example.com) into IP addresses for client access. The service is provided by one or more servers, called name servers, that share responsibility for resolving client requests.

An HCP system can exist as multiple domains in the DNS — one for each front-end network defined in the system. Each of these domains must be a subdomain of a DNS domain to which you have administrative access, such as your corporate domain. All nodes that have IP addresses defined for a given front-end network belong to the HCP domain defined for that network.

To enable access to HCP by domain name on any given network, you need to configure the HCP domain for that network in your DNS. To do this, you can use either secondary zones (also called slave zones) or stub zones.

This chapter contains:

• A discussion of the advantages of using DNS

• A description of zones, secondary zones, and stub zones

• Windows and Unix instructions for configuring HCP domains in the DNS

• Instructions for verifying the HCP domain definitions

• DNS considerations for implementing HCP service by remote systems

For information on domains defined in HCP, see “About domains” on page 401. For information on HCP networks, see “About virtual networking with HCP” on page 224.


Notes:

• HCP does not require DNS. For information on using HCP without DNS, see “System Management Console URL” on page 37.

• When communicating with a DNS server, HCP may send packets that are larger than 512 bytes. You need to ensure that these packets can pass through your corporate firewall.

DNS advantages

Using DNS provides several advantages over using IP addresses for access to the HCP system. For example:

• When you use a domain name for namespace access, the HCP DNS manager, which runs on all storage nodes, is responsible for distributing client requests among those nodes. If you use IP addresses, you are responsible for ensuring that the processing load is balanced across the HCP nodes.

• If an application uses a domain name for access to the HCP system and you change the IP addresses of the HCP nodes, you don’t need to change the application. If the application uses IP addresses and you change the node IP addresses, you need to update the application to specify the new IP addresses.

• If both IPv4 and IPv6 addresses are defined for a front-end network, an application can use the domain name associated with that network to access the HCP system from client computers that have IPv4 addresses and from client computers that have IPv6 addresses. If an application uses IP addresses to access the HCP system over a front-end network with multiple IP addresses defined for each node, you need to be able to configure that application to access the HCP system using only the IP addresses that are routable from the client computer on which the application is running.

• If you use a domain name to identify the other system when you create a replication link and the IP addresses for that domain are changed on that system, replication continues without interruption. If you use IP addresses to identify the system and the IP addresses for the system change, replication stops until you change the IP addresses in the definition of the replication link.


• If you use domain names to identify the systems in a replication topology and you enable DNS failover on those systems, client requests can be automatically redirected to other systems in the topology if the target system fails. If you use IP addresses to identify a system in a replication topology and that system fails, client requests that target that system cannot be automatically redirected to other systems.

For information on replication and DNS failover, see Replicating Tenants and Namespaces.

Zones

The domain names resolved by DNS are divided into zones, where each zone is defined by a set of related hostnames. A corporate domain, for example, is associated with a zone.

Each domain you define in HCP is a subdomain of a higher-level domain. In the DNS, you need an HCP domain definition for each combination of network and domain you define in HCP. The IP addresses for each HCP domain in the DNS make up a zone within the zone for the applicable higher-level domain.

For example, suppose that you configure HCP to define two domains, hcp-ma.example.com and hcp-ca.example.com. Suppose also that you configure HCP to define three user-defined networks, net1, net2, and net3, and you configure these three networks to associate net1 and net2 with domain hcp-ma.example.com and associate net3 with domain hcp-ca.example.com. In this case, you need to add three zones to the DNS, one for each of these domain and network combinations:

• Domain name: hcp-ma.example.com
  Node IP addresses defined for network net1

• Domain name: hcp-ma.example.com
  Node IP addresses defined for network net2

• Domain name: hcp-ca.example.com
  Node IP addresses defined for nodes in network net3


Secondary zones and stub zones

In the DNS, you configure each HCP domain as a secondary zone (also called a slave zone) or as a stub zone. A DNS server in which a given HCP domain is configured as a secondary zone maintains a full copy of the HCP DNS information for that domain and can, therefore, satisfy requests for resolution of the HCP domain name by itself. You might use secondary zones, for example, if the firewall that HCP sits behind is configured to allow client requests for DNS name resolution to go only to a corporate DNS server.

A DNS server in which a given HCP domain is configured as a stub zone gets only partial DNS information for that domain from HCP. Stub zones minimize zone replication and are less resource intensive for the DNS server.

If you enable hidden master or notify for a network, the HCP domain for that network must be configured as a secondary zone, not a stub zone, on each DNS server specified in the network configuration.

Secondary zone and stub zone definitions are basically the same. Each definition lists the IP addresses of master name servers for a domain but does not include individual records for those servers. Those records are stored on the master name servers themselves. The DNS servers get the individual name server records from the master name servers listed in the zone definition.

For each network defined in HCP, HCP automatically generates name server records for all storage nodes that have IP addresses in that network. Each of those storage nodes stores a copy of these records, thereby making each storage node eligible to be a master name server for the applicable domain.

Before HCP can accept client requests that identify the system by a domain name, you need to register some or all of the eligible nodes as master name servers for the applicable HCP secondary zone or stub zone. You register a node by listing its IP addresses in the secondary zone or stub zone definition.

For any given HCP domain, all storage nodes with IP addresses defined for the applicable network can act as name servers for the HCP DNS manager, regardless of whether they’re registered as master name servers. However, for HCP to be accessible over that network, at least one registered node must be running. Therefore, you need to register a sufficient number of nodes for each network to minimize the risk that all registered nodes for a given network will fail at the same time.

Tip: If HCP has a small number of storage nodes, consider registering them all as master name servers. The more nodes you register, the more distributed the DNS queries will be.

When defining a secondary zone or stub zone for an HCP domain, you specify a fully qualified domain name for the HCP system. This is the name of the domain associated with the network that is defined in HCP.

Configuring an HCP secondary zone or stub zone in Windows

You can use either the GUI or a command line to configure a secondary zone or stub zone in Windows. The following sections present the GUI configuration procedure for Windows 2008. The procedures for Windows 2003 and Windows 2012 are basically the same.

Configuring an HCP secondary zone in Windows

To configure an HCP domain as a secondary zone in Windows:

1. Open the DNS manager:

a. In the Windows Control Panel, double-click on Administrative Tools.

b. In the Administrative Tools window, double-click on DNS.

The DNS Manager window shows the hierarchy of zones currently defined in the DNS.

2. In the DNS Manager window, right-click on Forward Lookup Zones under the higher-level zone within which you want to configure the HCP secondary zone. On the dropdown menu, select New Zone.

The New Zone Wizard window opens.

3. In the New Zone Wizard window, click on the Next button.

4. On the Zone Type page, select the Secondary zone option. Then click on the Next button.


5. In the Zone name field on the Zone Name page, type the applicable fully qualified domain name for the HCP system. Then click on the Next button.

6. On the Master DNS Servers page, for each HCP storage node you want to register as a master name server, in the list box, type the IPv4 and IPv6 addresses assigned to the node for the applicable network. Then press Enter.

When you’re finished adding all the node IP addresses, click on the Next button.

7. Click on the Finish button.

The new HCP secondary zone appears in the zone hierarchy in the DNS Manager window.

Configuring an HCP stub zone in Windows

To configure an HCP domain as a stub zone in Windows:

1. Open the DNS manager:

a. In the Windows Control Panel, double-click on Administrative Tools.

b. In the Administrative Tools window, double-click on DNS.

The DNS Manager window shows the hierarchy of zones currently defined in the DNS.

2. In the DNS Manager window, right-click on Forward Lookup Zones under the higher-level zone within which you want to configure the HCP stub zone. On the dropdown menu, select New Zone.

The New Zone Wizard window opens.

3. In the New Zone Wizard window, click on the Next button.

4. On the Zone Type page, select the Stub zone option.

5. Take one of these actions:

– To configure the stub zone with Windows Active Directory integration:

a. Select the Store the zone in Active Directory option.

b. On the Active Directory Zone Replication Scope page, select the option for the way in which you want DNS data to be replicated throughout your network. Then click on the Next button.

Note: You need to configure the stub zone with Windows Active Directory integration if you plan to enable HCP support for AD. For information on doing that, see “Configuring Active Directory or Windows workgroup support” on page 418.

– To configure the stub zone without Windows Active Directory integration, click on the Next button.

6. In the Zone name field on the Zone Name page, type the applicable fully qualified domain name for the HCP system. Then click on the Next button.

7. On the Zone File page, select the Create a new file with this file name option and leave the default file name in the option field. Then click on the Next button.

8. On the Master DNS Servers page, for each HCP storage node you want to register as a master name server, in the list box, type the IPv4 and IPv6 addresses assigned to the node for the applicable network. Then press Enter.

When you’re finished adding all the node IP addresses, click on the Next button.

9. Click on the Finish button.

The new HCP stub zone appears in the zone hierarchy in the DNS Manager window.

Configuring an HCP secondary zone or stub zone in Unix

With BIND in Unix, zones are defined in the /etc/named.conf file on the DNS servers. In the definition of a secondary zone or stub zone for an HCP domain, you specify:

• The applicable fully qualified domain name for the HCP system

• The zone type (slave for a secondary zone or stub for a stub zone)


• The name of the file you want the system to use to cache DNS query results for faster lookup

• A list of the IP addresses of the master name servers for the secondary zone or stub zone (be sure to use all of the node IP addresses assigned to each node for the applicable network)

Here’s a sample zone statement that defines a secondary zone for an HCP domain with the domain name hcp-ma.example.com and four registered master name servers:

zone "hcp-ma.example.com" IN {
    type slave;
    file "/var/named/slave/hcp-ma.example.com";
    masters {192.168.210.15;192.168.210.16;192.168.210.17;192.168.210.18;2001:0db8::101;2001:0db8::102;2001:0db8::103;2001:0db8::104;};
};

Here’s a sample zone statement that defines a stub zone for the same domain:

zone "hcp-ma.example.com" IN {
    type stub;
    file "/var/named/stub/hcp-ma.example.com";
    masters {192.168.210.15;192.168.210.16;192.168.210.17;192.168.210.18;2001:0db8::101;2001:0db8::102;2001:0db8::103;2001:0db8::104;};
};

Tip: From the Networks page in the HCP System Management Console, you can display the Unix zone definition for any network defined in HCP. For more information on this, see “Viewing the DNS zone definition for a network domain” on page 265.


Verifying the configuration

You can verify that an HCP secondary zone or stub zone is working properly from either a Windows command-prompt window or a Unix shell.

In both cases, you use either the dig or nslookup command, depending on which is available. The syntax for this is:

dig|nslookup (admin|nfs|cifs|www).hcp-domain-name

The response to this command should be a list of the IP addresses of all the HCP storage nodes that have IP addresses defined for the network for which the secondary zone or stub zone is defined.

Here’s an example of the output from the nslookup command when six out of the ten nodes in the network are registered as master name servers for the secondary zone or stub zone:

# nslookup www.hcp-ma.example.com
Server: adc1850.example.com
Addresses: 192.168.80.45
           2001:0db8::201

Name: www.hcp-ma.example.com
Addresses: 192.168.210.11, 2001:0db8::101, 192.168.210.12, 2001:0db8::102,
           192.168.210.13, 2001:0db8::103, 192.168.210.14, 2001:0db8::104,
           192.168.210.15, 2001:0db8::105, 192.168.210.16, 2001:0db8::106,
           192.168.210.17, 2001:0db8::107, 192.168.210.18, 2001:0db8::108,
           192.168.210.19, 2001:0db8::109, 192.168.210.20, 2001:0db8::10a

If you don’t see the expected node list, the secondary zone or stub zone is not defined correctly.
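The comparison described above can be automated. The following is an added example, not part of the HCP manual or product: it parses nslookup output in the layout shown in the sample and reports nodes that are missing, addresses that were not expected, and tokens that are not valid IP addresses. The function names, the three-node network, and the sample output are constructed for illustration.

```python
import ipaddress
import re

# Constructed inventory: the node addresses an administrator expects for the network.
EXPECTED_NODES = [
    "192.168.210.11", "2001:0db8::101",
    "192.168.210.12", "2001:0db8::102",
    "192.168.210.13", "2001:0db8::103",
]

# Constructed nslookup output: one malformed token, one address from another system.
SAMPLE_OUTPUT = """\
Server: dns1.example.com
Addresses: 192.168.80.45

Name: www.hcp-ma.example.com
Addresses: 192.168.210.11, 2001:0db8::101, 1192.168.210.12, 2001:0db8::102,
 192.168.210.13, 2001:0db8::103, 192.168.24.72
"""


def parse_answer(output):
    """Return (valid_addresses, invalid_tokens) from the answer section.

    The answer section is everything after the last "Name:" line; addresses
    printed before it belong to the DNS server that answered, not to HCP.
    """
    lines = output.splitlines()
    start = max(
        (i for i, line in enumerate(lines) if line.strip().lower().startswith("name:")),
        default=None,
    )
    valid, invalid = set(), []
    if start is None:
        return valid, invalid
    for line in lines[start + 1:]:
        line = re.sub(r"^\s*address(es)?:", "", line, flags=re.I)
        for token in re.split(r"[,\s]+", line.strip()):
            if not token:
                continue
            try:
                valid.add(ipaddress.ip_address(token))
            except ValueError:
                invalid.append(token)
    return valid, invalid


def check_zone(expected, output):
    """Compare the resolved node list with the expected one.

    Addresses are compared as parsed values, so 2001:0db8::101 and
    2001:db8::101 count as the same node.
    """
    want = {ipaddress.ip_address(a) for a in expected}
    got, invalid = parse_answer(output)
    return {
        "missing": sorted(str(a) for a in want - got),
        "unexpected": sorted(str(a) for a in got - want),
        "invalid": invalid,
    }


if __name__ == "__main__":
    for key, values in check_zone(EXPECTED_NODES, SAMPLE_OUTPUT).items():
        print(f"{key}: {values}")
```

An unexpected address is worth investigating before clients rely on the zone, because it means the DNS server learned name server records that are not in your inventory for that network.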

DNS considerations for service by remote systems

When you configure a secondary zone or stub zone for an HCP system, you specify a domain name and the IP addresses of the master name servers for the applicable HCP domain. This causes client requests that identify the system by that domain name to be forwarded to those master name servers.

Namespaces can be configured to accept client requests on HCP systems other than the system targeted by the request when that system is unavailable. To enable this redirection to occur automatically for a namespace:

• DNS failover must have been enabled on the target system.


• The applicable replication link must be failed over. The applicable replication link is the link between the target system and the system to which requests should be redirected.

• The applicable secondary zone or stub zone for the target system must include the IP addresses of the applicable master name servers for the system to which requests should be redirected, where:

– The applicable secondary zone or stub zone on the target system is the one defined for the data network for the tenant that owns the namespace

– The applicable master name servers for the system to which requests should be redirected are the ones included in the secondary zone or stub zone for the network with the same name as the tenant data network on the target system

For example, suppose:

• The data network for a tenant is the network named net1.

• The system targeted by a client request has master name servers with IPv4 addresses 192.168.210.15, 16, 17, and 18 and with IPv6 addresses 2001:0db8::101, 102, 103, and 104 for net1.

• The system to which requests should be redirected has master name servers with IPv4 addresses 192.168.24.72, 73, 74, and 75 and with IPv6 addresses 2001:0db8::201, 202, 203, and 204 for net1.

In this case, the secondary zone or stub zone for net1 on the target system would have these IP addresses:

192.168.210.15    2001:0db8::101
192.168.210.16    2001:0db8::102
192.168.210.17    2001:0db8::103
192.168.210.18    2001:0db8::104
192.168.24.72     2001:0db8::201
192.168.24.73     2001:0db8::202
192.168.24.74     2001:0db8::203
192.168.24.75     2001:0db8::204


The secondary zone or stub zone for net1 on the system to which requests should be redirected would have these IP addresses:

192.168.24.72     2001:0db8::201
192.168.24.73     2001:0db8::202
192.168.24.74     2001:0db8::203
192.168.24.75     2001:0db8::204

To enable redirection in both directions between two HCP systems that participate in an active/active replication link, the secondary zone or stub zone for each of the systems must include the IP addresses of the master name servers for the other system.

To enable client requests targeted to one system to be serviced by any of the other systems in a replication topology, the secondary zone or stub zone for that system must include the IP addresses of the master name servers for each of the other systems.

For example, suppose a replication topology includes systems A, B, C, and D. For systems B, C, and D to be able to service requests targeted to system A, the secondary zone or stub zone for system A must include the IP addresses of the master name servers for systems B, C, and D. For systems C, D, and A to be able to service requests targeted to system B, the secondary zone or stub zone for system B must include the IP addresses of the master name servers for systems C, D, and A.

For information on replication and DNS failover, see Replicating Tenants and Namespaces. For information on configuring namespaces to accept redirected requests, see Managing a Tenant and Its Namespaces or Managing the Default Tenant and Namespace.

Note: If you are not enabling DNS failover on an HCP system, do not include IP addresses for the master name servers for other systems in the secondary zones or stub zones for that system.
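The rules in this section and in “Secondary zones and stub zones” can be combined into one generator for the BIND zone statement. This is an added example, not part of the HCP manual or product: build_masters, render_zone, and the label "system-b" are hypothetical names, the addresses are the net1 values from the example above, and the file paths follow the manual's sample zone statements.

```python
import ipaddress
import re

# Directories taken from the manual's sample zone statements.
ZONE_DIRS = {"slave": "/var/named/slave", "stub": "/var/named/stub"}

# Accept only plain hostnames so a crafted name cannot break out of the quoted string.
_FQDN = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I
)

# net1 master name servers from the manual's example.
TARGET_MASTERS = [
    "192.168.210.15", "192.168.210.16", "192.168.210.17", "192.168.210.18",
    "2001:0db8::101", "2001:0db8::102", "2001:0db8::103", "2001:0db8::104",
]
REDIRECT_MASTERS = [
    "192.168.24.72", "192.168.24.73", "192.168.24.74", "192.168.24.75",
    "2001:0db8::201", "2001:0db8::202", "2001:0db8::203", "2001:0db8::204",
]


def build_masters(local, remote_by_system=None, dns_failover=False):
    """Return the validated, de-duplicated master list for one zone.

    Masters of other systems are included only when DNS failover is enabled
    on this system; otherwise they are left out, as the Note above requires.
    """
    candidates = list(local)
    if dns_failover:
        for system in sorted(remote_by_system or {}):
            candidates.extend(remote_by_system[system])
    seen, masters = set(), []
    for raw in candidates:
        ip = ipaddress.ip_address(raw.strip())  # ValueError on a malformed address
        if ip not in seen:
            seen.add(ip)
            masters.append(str(ip))  # canonical text form, e.g. 2001:db8::101
    if not masters:
        raise ValueError("at least one master name server must be registered")
    return masters


def render_zone(domain, zone_type, masters, hidden_master_or_notify=False):
    """Render a named.conf zone statement in the layout of the manual's samples."""
    if not _FQDN.fullmatch(domain):
        raise ValueError(f"not a fully qualified domain name: {domain!r}")
    if zone_type not in ZONE_DIRS:
        raise ValueError("zone type must be 'slave' or 'stub'")
    if zone_type == "stub" and hidden_master_or_notify:
        raise ValueError("hidden master or notify requires a secondary zone")
    master_list = "".join(f"{m};" for m in build_masters(masters))  # re-validate
    return (
        f'zone "{domain}" IN {{\n'
        f"    type {zone_type};\n"
        f'    file "{ZONE_DIRS[zone_type]}/{domain}";\n'
        f"    masters {{{master_list}}};\n"
        f"}};\n"
    )


if __name__ == "__main__":
    masters = build_masters(
        TARGET_MASTERS, {"system-b": REDIRECT_MASTERS}, dns_failover=True
    )
    print(render_zone("hcp-ma.example.com", "slave", masters))
```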


Appendix F: Configuring Active Directory to support HCP

An HCP system can be configured to support Active Directory. With the system configured this way, you can create HCP group accounts that correspond to AD groups at both the system and tenant levels. AD users in those AD groups then have access to HCP through the various HCP interfaces, subject to the roles and permissions associated with the HCP group accounts.

For HCP to work with AD, you first need to prepare AD for access by HCP. Then you need to configure HCP to support AD. The table below outlines the major steps in this procedure.

| Step | Activity | More information |
|------|----------|------------------|
| 1 | If you want to secure communication between HCP and AD, create an SSL certificate in AD. This certificate will allow HCP to connect securely to the LDAP server used by AD. | “Step 1 (optional): Create the SSL certificate” on page 600 |
| 2 | Export the SSL certificate you created so it can be uploaded to HCP. | “Step 2 (conditional): Export the SSL certificate” on page 606 |
| 3 | Create an AD group to which you can add the AD user account you create in step 5 below. | “Step 3: Create the AD group” on page 607 |
| 4 | Give the AD group permissions for the organizational unit (OU) or common name (CN) in which computer accounts will be created for the HCP nodes. | “Step 4: Give the AD group permissions for the OU or CN for the HCP computer accounts” on page 610 |
| 5 | Create an AD user account to be used as the domain user in the HCP configuration of support for AD. | “Step 5: Create the AD user account” on page 614 |
| 6 | Create a reverse lookup zone for the applicable AD domain in your DNS. | “Step 6: Create the reverse lookup zone for the AD domain” on page 617 |
| 7 | Configure support for AD in HCP. | “Step 7: Configure support for AD in HCP” on page 621 |

This appendix describes the prerequisites for configuring AD to support HCP and contains instructions for the first six steps outlined above. These instructions are for Windows Server 2008 R2, but the concepts are the same for Windows Server 2012 and earlier versions.

For information and instructions on configuring support for AD in HCP, see “Configuring Active Directory or Windows workgroup support” on page 418. For information on creating HCP group accounts, see “Working with group accounts” on page 72 and Managing a Tenant and Its Namespaces.

Prerequisites for configuring support for HCP in AD

This appendix assumes:

• You have a basic understanding of AD concepts.

• You have an AD user account with the administrator role in the AD domain you plan to use when configuring support for AD in HCP.

• If you plan to secure communication between HCP and AD:

– The applicable AD domain is configured with a certificate authority.

– You have access to a Windows server running the AD certificate authority.

– You have access to the Windows client from which you plan to access the HCP System Management Console for the purpose of configuring support for AD.

• For creating the AD group and user account, you have access to a Windows server from which you can access AD.

• The OU or CN in which you want to create the AD group already exists in the applicable domain.

• The OU or CN in which you want to create the AD user account already exists in the applicable domain. This can be, but does not have to be, the same OU or CN as the one in which you create the AD group.


• The OU or CN in which computer accounts will be created for the HCP nodes already exists in the applicable domain. This is the OU or CN you specify as the organizational unit in the HCP configuration of support for AD. The default for this in HCP is the CN Computers.

• Your DNS is configured on a Windows server.

• Your DNS contains a stub zone for HCP that’s configured for AD integration. For information on configuring the HCP stub zone, see “Configuring an HCP secondary zone or stub zone in Windows” on page 589.

• Your DNS contains a forward lookup zone definition for the applicable AD domain.

• You have access to a Windows server from which you can configure your DNS.

Required permissions for Active Directory Domain

When HCP joins a domain, it creates an HCP Computer account by authenticating with the user account created by the Active Directory domain admin. The HCP Computer Account is utilized in all Active Directory operations unless HCP needs to rejoin the domain. Using the HCP Computer Account for authentication, HCP then joins each of the HCP nodes to the domain through Samba, which is required for CIFS and NFS authentication of legacy applications.

Once HCP has successfully joined the domain, the HCP Computer Account will update SPNs and add new nodes to the domain if physical nodes are added to the HCP system. HCP will automatically change the password of the HCP Computer Account every 30 days.

The following permissions are required by HCP to join the Active Directory Domain:

• For the HCP Admins SELF group you need read and write permissions. They are required to add the computer object to the group OU permissions.

• Create Computer objects and Delete Computer objects permissions are required to create the HCP Computer Account.


• Change Password and Reset Password permissions are required to reset the password of the HCP Computer Account.

• Read All Properties, Write All Properties, and Delete permissions are required to create and update SPNs.

Follow the steps below to set the permissions.

Step 1 (optional): Create the SSL certificate

If you want to secure communication between HCP and AD, you need to create an SSL certificate that will enable this. If you don’t want to secure communication, skip this step.

To create the SSL certificate:

1. On the Windows server running the AD certificate authority, click on the Start button.

2. In the Search programs and files field, enter: mmc

The Console1 - [Console Root] window opens.

3. On the File menu, select Add/Remove Snap-in.

The Add or Remove Snap-ins window opens.

4. In the Available snap-ins list, select Certificates. Then click on the Add button.

The Certificates snap-in window opens.

5. Select Computer account. Then click on the Next button.

The Select Computer window opens.

6. Click on the Finish button.

Certificates (Local Computer) appears in the Selected snap-ins list in the Add or Remove Snap-ins window.

7. Click on the OK button.

8. In the tree view in the left panel of the Console1 - [Console Root] window, expand Certificates (Local Computer) > Personal. Then select Certificates.

The middle panel in the window lists information about the CA root certificate.

9. On the Action menu, select All Tasks > Request New Certificate.

The Certificate Enrollment window opens.

10. Click on the Next button.

The Select Certificate Enrollment Policy page appears.

11. Click on the Next button.

The Request Certificates page appears.

12. Select Domain Controller. Then click on the Enroll button.

The Certificates Installation Results page appears.

13. Click on the Finish button.

The Certificates list now includes the SSL certificate for LDAP communication. The value in the Issued To column for this certificate is the concatenation of the computer name and the FQDN of the AD domain (for example, WIN-AD-SERVER.example.local).

Step 2 (conditional): Export the SSL certificate

If you are securing communication between HCP and AD, you need to export the SSL certificate you created in “Step 1 (optional): Create the SSL certificate” above so that you can upload it to HCP. For instructions on uploading the certificate to HCP, see “Configuring support for Active Directory” on page 423.

If you did not create an SSL certificate, skip this step.

To export the SSL certificate:

1. On the Windows server running the AD certificate authority, click on the Start button.

2. In the Search programs and files field, enter: cmd

A Windows command prompt window opens.


3. Change to the directory to which you want to write the file containing the exported certificate.

4. Enter this command to export the certificate:

certutil -ca.cert cert-name.cer

In this command, cert-name is the name (minus the .cer extension) of the file that will contain the exported certificate.

If the export is successful, the window displays the contents of the certificate followed by this message:

CertUtil: -ca.cert command completed successfully.

If you don’t see this message, try the procedure again, starting from step 9 in “Step 1 (optional): Create the SSL certificate” on page 600.

5. Copy the file containing the exported certificate to the Windows client from which you plan to access the HCP System Management Console.

Step 3: Create the AD group

Before you can create the AD user account to be used as the domain user in the HCP configuration of support for AD, you need to create an AD group to which you can add that user account.

To create the AD group:

1. On the Windows server from which you can access AD, click on the Start button and select Administrative Tools > Server Manager.

The Server Manager window opens.

2. Under Roles in the tree view in the left panel of the Server Manager window, expand Active Directory Domain Services > Active Directory Users and Computers > ad-domain-name.

3. On the View menu, select Advanced Features.

4. Under ad-domain-name, right-click on the OU or CN in which you want to create the AD group and select New > Group from the dropdown menu.


The New Object - Group window opens.


5. In the Group name field, type a name for the new group (for example, HCP Admins). Then click on the OK button.

6. In the left panel of the Server Manager window, double-click on the OU or CN in which you created the new group.

The middle panel of the Server Manager window lists the items in the OU or CN, including the group you just created.

7. Right-click on the new group and select Properties from the dropdown menu.

The Properties window opens.


8. Click on the Security tab.

9. With SELF selected in the Group or user names list, select the box for Write in the Allow column under Permissions for SELF. Then click on the OK button.

Step 4: Give the AD group permissions for the OU or CN for the HCP computer accounts

To give the AD group the necessary permissions for the OU or CN in which computer accounts will be created for the HCP nodes:

1. In the left panel of the Server Manager window, right-click on the OU or CN in which you want computer accounts for the HCP nodes to be created and select Properties from the dropdown menu.

The Properties window opens.

2. Click on the Security tab.

3. On the Security tab, click on the Advanced button.


The Advanced Security Settings window opens.

4. Click on the Add button.

The Select User, Computer, Service Account, or Group window opens.

5. In the Enter object name to select field, type the name of the group you just created. Then click on the OK button.


The Permission Entry window opens.


6. In the Permission Entry window:

– In the Apply to field, select Descendant Computer objects.

– Under Permissions, select the boxes in the Allow column for:

    • Read all properties
    • Write all properties
    • Delete
    • Change password
    • Reset password

Then click on the OK button.

7. In the Advanced Settings window, click on the Add button again.

The Select User, Computer, Service Account, or Group window opens.

8. In the Enter object name to select field, type the name of the group again. Then click on the OK button.

The Permission Entry window opens.

9. In the Permission Entry window:

– In the Apply to field, select This object and all descendant objects.

– Under Permissions, select the boxes in the Allow column for:

    • Create Computer objects
    • Delete Computer objects


Then click on the OK button.

10. In the Advanced Security Settings window, click on the OK button to close the window.

11. In the Properties window, click on the OK button to close the window.
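To confirm that the delegation made in this step is no broader than the procedure describes, the ACEs the group holds on the OU or CN can be listed and compared with the two permission entries above. The following PowerShell is an added example, not part of the HCP documentation; the distinguished name and group name are placeholders, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: audit the ACEs granted in Step 4 on the OU or CN for HCP computer accounts.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions): your OU or CN and the group created in Step 3.
$TargetDn  = 'OU=HCP Nodes,DC=example,DC=com'
$GroupName = 'EXAMPLE\HCP Admins'

# Schema GUIDs used to recognise and label the ACEs.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$PasswordRights = @(
    [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b',               # Change password
    [guid]'00299570-246d-11d0-a768-00aa006e0529'                # Reset password
)
$Labels = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer objects'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset password'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}
function Get-GuidLabel([guid]$Guid) {
    $key = $Guid.ToString()
    if ($Labels.ContainsKey($key)) { $Labels[$key] } else { $key }
}

# Rights the procedure grants, as bit masks.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$extended     = [int]($R::ExtendedRight)
$entry1Rights = [int]($R::ReadProperty) -bor [int]($R::WriteProperty) -bor [int]($R::Delete) -bor $extended
$entry2Rights = [int]($R::CreateChild) -bor [int]($R::DeleteChild)

# Explicit (not inherited) ACEs held by the group on the target container.
$acl  = Get-Acl -Path "AD:\$TargetDn"
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $GroupName -and -not $_.IsInherited
})
if (-not $aces) { Write-Warning "No explicit ACEs for $GroupName on $TargetDn." }

$report = foreach ($ace in $aces) {
    $rights = [int]$ace.ActiveDirectoryRights

    # First permission entry: rights on descendant computer objects only.
    $entry1 = ($ace.InheritedObjectType -eq $ComputerClass) -and
              (($rights -band (-bnot $entry1Rights)) -eq 0)
    # An extended right must be one of the two password rights, not all of them.
    if ($entry1 -and ($rights -band $extended) -and ($PasswordRights -notcontains $ace.ObjectType)) {
        $entry1 = $false
    }

    # Second permission entry: create or delete child objects of the computer class only.
    $entry2 = ($ace.ObjectType -eq $ComputerClass) -and
              (($rights -band (-bnot $entry2Rights)) -eq 0)

    [pscustomobject]@{
        Type         = $ace.AccessControlType
        Rights       = $ace.ActiveDirectoryRights
        AppliesTo    = $ace.InheritanceType
        ObjectType   = Get-GuidLabel $ace.ObjectType
        InheritedFor = Get-GuidLabel $ace.InheritedObjectType
        MatchesStep4 = ($ace.AccessControlType -eq 'Allow') -and ($entry1 -or $entry2)
    }
}
$report | Format-Table -AutoSize

# Anything that does not match is broader than, or different from, what Step 4 grants.
$extra = @($report | Where-Object { -not $_.MatchesStep4 })
if ($extra.Count -gt 0) {
    Write-Warning "$($extra.Count) ACE(s) for $GroupName go beyond the permissions described in Step 4."
}
```

The match is a heuristic based on how the two permission entries are normally stored; review any flagged ACE by hand before changing it.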

Step 5: Create the AD user account

To create the AD user account to be used as the domain user in the HCP configuration of support for AD:

1. In the tree view in the left panel of the Server Manager window, right-click on the OU or CN in which you want to create the AD user account and select New > User from the dropdown menu.


The New Object - User window opens.


2. In the New Object - User window:

– In the First name field, type a name for the user account (for example, HCP Admin).

– In the User logon name field, type a username for the user account (for example, hcpadmin).

Then click on the Next button.


The display in the New Object - User window changes.


3. In the New Object - User window:

– In the Password field, type a password for the user account.

– In the Confirm password field, type the password again.

– Deselect the User must change password at next logon option.

Then click on the Next button.

The display in the New Object - User window changes.

4. Click on the Finish button.

5. The list in the middle panel of the Server Manager window now includes the user account you just created.

6. Right-click on the new user account and select Properties from the dropdown menu.

The Properties window opens.

7. Click on the Member Of tab.

8. On the Member Of tab, click on the Add button.


The Select Groups window opens.

9. In the Enter the object names to select field, type the name of the group you created in “Step 3: Create the AD group” on page 607. Then click on the OK button.

10. In the Properties window, click on the OK button to close the window.

Step 6: Create the reverse lookup zone for the AD domain

To create a reverse lookup zone for the applicable AD domain in your DNS:

1. On a Windows server from which you can configure your DNS, click on the Start button and select Administrative Tools > Server Manager.

2. Under Roles in the tree view in the left panel of the Server Manager window, expand DNS Server > DNS > ad-domain-name > Reverse Lookup Zones.

3. Right-click on Reverse Lookup Zones and select New Zone from the dropdown menu.

The New Zone Wizard window opens.

4. In the New Zone Wizard window, click on the Next button.


The Zone Type page appears.

5. Select the Primary zone option. Then click on the Next button.

The Active Directory Zone Replication Scope page appears.

6. Click on the Next button.


The Reverse Lookup Zone Name page appears.

7. Click on the Next button.

The Reverse Lookup Zone Name page display changes.

8. In the Network ID field, type the first three octets of the subnet for the applicable AD domain. Then click on the Next button.


The Dynamic Update page appears.

9. Click on the Next button.

The Completing New Zone Wizard page appears.

10. Click on the Finish button.

To see the reverse lookup zone you just created, expand Reverse Lookup Zones in the tree view in the left panel of the Server Manager window. The name of the reverse lookup zone, which appears under Reverse Lookup Zones, consists of the first three octets that you specified in step 8 above in reverse order, followed by in-addr.arpa., as in this sample Server Manager window.


Step 7: Configure support for AD in HCP

Now that you’ve completed the steps for preparing AD for communication with HCP, you need to use the HCP System Management Console to configure support for AD in HCP. For instructions on doing this, see “Configuring support for Active Directory” on page 423.


G

Browser configuration for single sign-on with Active Directory

If HCP is configured to support AD, you can use a recognized AD user account to access the System Management Console with single sign-on. However, for this to work, the web browser you use to access the Console must be configured to support single sign-on.

This appendix contains instructions for configuring Windows Internet Explorer and Mozilla® Firefox® to support single sign-on. For information on configuring AD support in HCP, see “Configuring Active Directory or Windows workgroup support” on page 418.


Configuring Windows Internet Explorer for single sign-on

To configure Windows Internet Explorer for single sign-on with Active Directory:

1. Open Internet Explorer.

2. On the Tools menu, click on Internet Options.

3. In the Internet Options window, click on the Security tab.

4. On the Security page, select Local intranet.

5. Click on the Sites button.

6. In the Local intranet window, ensure that all the options are selected.

7. Click on the Advanced button.

8. In the Add this website to the zone field, do either of these:

– To enable single sign-on with HTTP, type: http://*.hcp-name.domain-name

For example: http://*.hcp.example.com

– To enable single sign-on with HTTPS, type: https://*.hcp-name.domain-name

For example: https://*.hcp.example.com

9. Click on the Add button.

10. Click on the Close button.

11. In the Local intranet window, click on the OK button.

12. In the Internet Options window, click on the Advanced tab.


13. In the Settings list, under Security, select Enable Integrated Windows Authentication.

14. Click on the OK button.

15. Close Internet Explorer.

Configuring Mozilla Firefox for single sign-on

To configure Mozilla Firefox for single sign-on with Active Directory:

1. Open Firefox.

2. In the address field in the Firefox window, enter: about:config

3. In response to the warning message, click on the I’ll be careful, I promise! button.

4. In the Preference Name list, double-click on network.negotiate-auth.delegation-uris.

5. In the Enter string value window, type: http://*.hcp-name.domain-name,https://*.hcp-name.domain-name

For example: http://*.hcp.example.com,https://*.hcp.example.com

6. Click on the OK button.

7. In the Preference Name list, double-click on network.negotiate-auth.trusted-uris.

8. In the Enter string value window, type: http://*.hcp-name.domain-name,https://*.hcp-name.domain-name

9. Click on the OK button.

10. Close Firefox.


H

SSL server certificate providers

An SSL server certificate provides security for:

• HCP System Management Console

• Tenant Management Console

• HCP management API

• Replication

• HTTP and WebDAV protocols

• HCP metadata query API

• HCP Search Console

HCP is installed with its own SSL server certificate. If you want, you can replace this with a different certificate.

SSL server certificates are available from several sources. The table in this appendix lists some vendors with products that are suitable for use with HCP.

For information on obtaining and uploading SSL server certificates, see “Adding a certificate to a domain” on page 409.


| Vendor | Suitable SSL products | Web site |
|---|---|---|
| thawte, Inc. | SGC SuperCert; SSL Web Server Certificate; SSL123 | http://www.thawte.com |
| VeriSign, Inc. | Secure Site Pro; Secure Site | http://www.verisign.com |
| Entrust, Inc. | Entrust Certificate Management Service | http://www.entrust.com |
| IPS Certification Authority, S.L. | Certificado Digital de Servidor SSL Tipo A1 | http://www.ipsca.com/en |
| Comodo Group | PremiumSSL; PremiumSSL Wildcard; InstantSSL Pro; InstantSSL; Enterprise SSL | http://www.instantssl.com |
| GeoTrust, Inc. | True BusinessID; Power Server ID | http://www.geotrust.com |


Glossary

A

access control list (ACL)

Optional metadata consisting of a set of grants of permissions to perform various operations on an object. Permissions can be granted to individual users or to groups of users.

ACLs are provided by users or applications and are specified as either XML or JSON.

access protocol

See namespace access protocol.

ACL

See access control list (ACL).

Active Directory (AD)

A Microsoft product that, among other features, provides user authentication services.

Active Directory domain

A structural unit within Active Directory that serves as a container for objects such as users and groups.

Active Directory forest

A structural unit within Active Directory that contains collections of Active Directory domains.

active storage

The total amount of primary storage space, excluding the space required for system overhead and the operating system being used.


AD

See Active Directory (AD).

alert

A graphic that indicates the status of some particular element of an HCP system in the System Management Console.

allow list

A list of IP addresses that are allowed access to the HCP system when using a particular external interface (such as the System Management Console).

annotation

A discrete unit of custom metadata. Annotations are typically specified in XML format.

anonymous access

A method of access to a namespace wherein the user or application gains access without presenting any credentials. See also authenticated access.

appendable object

An object to which data can be added after it has been successfully stored. Appending data to an object does not modify the original fixed-content data, nor does it create a new version of the object.

Once the new data is added to the object, that data also cannot be modified.

Appendable objects are supported only with the CIFS and NFS protocols.

authenticated access

A method of access to the HCP system or a namespace wherein the user or application presents credentials to gain access. See also anonymous access.

authentication

See user authentication.


B

bond

A pair of ports that share an IP address.

bucket

The HS3 term for a namespace.

C

capacity

The total amount of primary storage space in HCP, excluding the space required for system overhead and the operating system. This is the amount of space available for all data to be stored in primary running storage and primary spindown storage, including the fixed-content data, metadata, any redundant data required to satisfy service plans, and the metadata query engine index.

capacity balancing service

The HCP service that ensures that the percentage of space used remains roughly equivalent across all the storage nodes in the system.

chargeback report

A report that contains historical statistics about tenant or namespace capacity and bandwidth usage, broken out either by hour or by day.

CIFS

Common Internet File System. One of the namespace access protocols supported by HCP. CIFS lets Windows clients access files on a remote computer as if the files were part of the local file system.

comma-separated-values (CSV) file

A text file containing tabular data. Each line in a CSV file corresponds to a table row and contains a set of comma-separated values, each of which corresponds to a table column.

compliance mode

The retention mode in which objects under retention cannot be deleted through any mechanism. This is the more restrictive retention mode.


compression service

The HCP service that compresses object data, thereby freeing space for the storage of additional objects.

content verification service

The HCP service that ensures the integrity of each object by checking that the object data still matches its cryptographic hash value.

cross-mapping

In SAIN systems, the mapping of two sets of logical volumes to two nodes such that each set maps to both nodes.

cryptographic hash value

A system-generated metadata value calculated by a cryptographic hash algorithm from object data or object data and metadata. This value is used to verify that the content of an object has not changed.

CSV file

See comma-separated-values (CSV) file.

custom metadata

User-supplied information about an HCP object. Custom metadata is specified as one or more annotations, where each annotation is a discrete unit of information about the object. Users and applications can use custom metadata to understand and repurpose object content.

D

data access path

In SAIN systems, the path established by the mapping of a logical volume to a node.

data access permission mask

A set of permissions that determine which of these operations are allowed in a namespace: read (including read ACL), write (including write ACL and change owner), delete, purge, privileged operations, and search. Data access permission masks are defined at the system, tenant, and namespace level. The effective permissions for a namespace are those that are allowed at all three levels.


data migration

The process of moving data off devices that are being retired from an HCP system into free storage on the remaining devices. The devices involved can be either storage nodes in an HCP RAIN system or storage arrays in an HCP SAIN system.

Data Migrator

See HCP Data Migrator (HCP-DM).

data outage

A situation in which one or more objects are inaccessible (for example, due to multiple concurrent node failures).

data protection level (DPL)

The number of copies of the data for an object HCP must maintain in the repository. The DPL for an object is determined by the service plan that applies to the namespace containing the object.

default namespace

A namespace that supports only anonymous access through the HTTP protocol. An HCP system can have at most one default namespace.

The default namespace is used mostly with applications that existed before release 3.0 of HCP.

default tenant

The tenant that manages the default namespace.

deny list

A list of IP addresses that are denied access to the HCP system when using a particular external interface (such as the System Management Console).

disposition

The automatic deletion of an expired object by HCP.

disposition service

The HCP service that automatically deletes expired objects.

DNS

See domain name system (DNS).


DNS manager

The HCP runtime component that provides host-name resolution services to clients. It also balances requests across all nodes to ensure maximum system throughput and availability.

domain

A group of computers and devices on a network that are administered as a unit.

domain name system (DNS)

A network service that resolves domain names into IP addresses for client access.

downstream DNS server

A DNS server through which client requests are routed to HCP.

DPL

See data protection level (DPL).

duplicate elimination

The process of transparently eliminating redundant data associated with two or more identical objects.

duplicate elimination service

The HCP service that transparently eliminates redundant data, thereby freeing space for the storage of additional objects.

dynamic DPL

A namespace data protection level that, at any given time, matches the system-level DPL setting.

E

economy storage

See HCP S Series Node.

effective permissions

For a tenant, the permissions that are included in both the system-level and tenant-level permission masks.

For a namespace, the permissions that are included in all three of the system-level, tenant-level, and namespace-level permission masks.


For a user or application accessing a given namespace, the permissions that are included in both the user permissions and the effective permission mask for the namespace.

enterprise mode

The retention mode in which these operations are allowed:

• Privileged delete

• Changing the retention class of an object to one with a shorter duration

• Reducing retention class duration

• Deleting retention classes

This is the less restrictive retention mode.

expired object

An object that is no longer under retention.

extended storage

Data tiered to storage devices outside of the HCP system.

external storage pool

A grouping of external storage volumes.

external storage volume

A logical volume on storage managed by a device that is outside the HCP system.

F

fixed-content data

A digital asset ingested into HCP and preserved in its original form as the core part of an object. Once stored, fixed-content data cannot be modified.


G

garbage collection service

The HCP service that deletes data and metadata left in the repository by incomplete operations, thereby freeing space for the storage of additional objects.

General node

An HCP node that manages the objects that are added to HCP and can be used for object storage. Each storage node runs the complete HCP software (except the HCP search facility software).

GID

POSIX group identifier.

group account

A representation of an Active Directory group in HCP. A group account enables Active Directory users in the Active Directory group to access one or more HCP interfaces.

H

hard quota

For an HCP tenant, the total amount of storage available to the tenant for allocation to its namespaces.

hash value

See cryptographic hash value.

HCP

See Hitachi Content Platform (HCP).

HCP Data Migrator (HCP-DM)

An HCP utility that can transfer data from one location to another, delete data from a location, and change object metadata in a namespace. Each location can be a local file system, an HCP namespace, a default namespace, or an HCAP 2.x archive.

HCP-DM

See HCP Data Migrator (HCP-DM).


HCP-FS

See HCP file system (HCP-FS).

HCP file system (HCP-FS)

The HCP runtime component that represents each object in a namespace as a set of files. One of these files contains the object data. The others contain the object metadata.

HCP management API

A RESTful HTTP interface to a subset of the administrative functions of an HCP system. Using this API, you can manage tenants, namespaces, content classes, retention classes, and tenant-level user and group accounts.

HCP metadata query API

See metadata query API.

HCP namespace

A namespace that supports user authentication for data access through the HTTP, HS3, and CIFS protocols. HCP namespaces also support storage usage quotas, access control lists, and versioning. An HCP system can have multiple HCP namespaces.

HCP node

See node.

HCP S Series Node

HCP S Series Nodes serve as storage tiering platforms, known as economy storage, for HCP systems. HCP uses the S Series HS3 API, which is compatible with Amazon® S3™, to write, retrieve, and otherwise manage objects in an S Series Node. A single HCP system can seamlessly tier data across multiple S Series Nodes, thereby enabling scalability in both capacity and performance.

HCP service

See service.

HCP tenant

A tenant created to manage HCP namespaces.

HDDS

See Hitachi Data Discovery Suite (HDDS).


HDDS search facility

One of the search facilities available for use with the HCP Search Console. This facility interacts with Hitachi Data Discovery Suite. To use this facility, you need to first install and configure HDDS, which is a separate product from HCP.

hidden master

A DNS configuration wherein the IP addresses of the master name servers for a given network are not publicly visible and client access to HCP over the network is allowed only through one or more specified downstream DNS servers.

Hitachi Content Platform (HCP)

A distributed object-based storage system designed to support large, growing repositories of fixed-content data. HCP provides a single scalable environment that can be used for archiving, business continuity, content depots, disaster recovery, e-discovery, and other services. With its support for multitenancy, HCP securely segregates data among various constituents in a shared infrastructure. Clients can use a variety of industry-standard protocols and various HCP-specific interfaces to access and manipulate objects in an HCP repository.

Hitachi Data Discovery Suite (HDDS)

A Hitachi product that enables federated searches across multiple HCP systems and other supported systems.

hold

A condition that prevents an object from being deleted by any means and from having its metadata modified, regardless of its retention setting, until it is explicitly released.

HS3 API

One of the namespace access protocols supported by HCP. HS3 is a RESTful, HTTP-based API that is compatible with Amazon S3. Using HS3, users and applications can create and manage buckets and bucket contents.

HSwift API

One of the namespace access protocols supported by HCP. HSwift is a RESTful, HTTP-based API that is compatible with OpenStack Swift. Using HSwift, users and applications can create and manage containers and container contents.


HTTP

HyperText Transfer Protocol. One of the namespace access protocols supported by HCP.

HCP also uses HTTP for client communication with the System Management, Tenant Management, and Search Consoles, for client access through the HCP management API, and for access to namespace content through the metadata query API.

HTTPS

HTTP with SSL security. See HTTP and SSL.

I

index

An index of the objects in namespaces that is used to support search operations. Each of the two search facilities, the metadata query engine and the HDDS search facility, creates and maintains its own separate index.

index setting

The property of an object that determines whether the metadata query engine indexes the custom metadata associated with the object.

indexing policy

The HCP policy that determines whether an object is included in the search index.

Integrated Windows authentication

A Microsoft authentication mechanism that enables clients to authenticate to a web server by using the Windows user information currently cached on the client computer, thereby removing the need to explicitly log in.

IP mode

A front-end network property that determines whether the network can be configured to use IPv4 addresses, IPv6 addresses, or both.


J

JSON

JavaScript Object Notation. A language-independent format for encoding data in the form of name/value pairs.

K

kernel

The core component of a computer operating system. The kernel provides the resource-management services that bridge the gap between the computer hardware and software.

L

LDAP

Lightweight Directory Access Protocol. The application protocol used to request directory services from Active Directory.

local authentication

Authentication wherein HCP internally checks the validity of the specified username and password.

local storage volume

A logical volume on storage that’s managed by HCP.

logical volume

A logical unit of storage that maps to the physical storage managed by a node. Logical volumes can be local or external.

M

management API

See HCP management API.

metadata

System-generated and user-supplied information about an object. Metadata is stored as an integral part of the object it describes, thereby making the object self-describing.


metadata query API

A RESTful HTTP interface that lets you search HCP for objects that meet specified metadata-based or operation-based criteria. With this API, you can search not only for objects currently in the repository but also for information about objects that are no longer in the repository.

metadata query engine

One of the search facilities available for use with HCP. The metadata query engine works internally to perform searches and return results either through the metadata query API or to the HCP Metadata Query Engine Console (also known as the HCP Search Console).

Metadata Query Engine Console

The web application that provides interactive access to the HCP search functionality provided by the metadata query engine.

metafile

A file containing metadata about an object. Metafiles enable file-system access to portions of the object metadata.

migration service

The HCP service that migrates data off selected storage nodes in an HCP RAIN system or selected storage arrays in an HCP SAIN system in preparation for retiring those devices.

multipathing

In SAIN systems, multiple means of access to a logical volume from a single node.

N

name server

A server that’s part of a domain name system.

namespace

A logical partition of the objects stored in an HCP system. A namespace consists of a grouping of objects such that the objects in one namespace are not visible in any other namespace. Namespaces are configured independently of each other and, therefore, can have different properties.


namespace access protocol

A protocol that can be used to transfer data to and from namespaces in an HCP system. HCP supports the HTTP, HS3, WebDAV, CIFS, NFS, and SMTP protocols for access to HCP namespaces and the default namespace. HCP also supports the NDMP protocol for access to the default namespace.

namespace quota

The number of namespaces HCP reserves for an HCP tenant out of the total number of namespaces the system can have.

NDMP

Network Data Management Protocol. The namespace access protocol HCP supports for backing up and restoring objects in the default namespace.

NFS

Network File System. One of the namespace access protocols supported by HCP. NFS lets clients access files on a remote computer as if the files were part of the local file system.

network

In an HCP system that supports virtual networking, a named network configuration that identifies a unique subnet and specifies IP addresses for none, some, or all of the nodes in the system.

network alias

A named pointer to a network. You can select a network alias for any purpose for which you can select a network.

node

A server running HCP software and networked with other such servers to form an HCP system.

O

object

An exact digital representation of data as it existed before it was ingested into HCP, together with the system and custom metadata that describes that data. Objects can also include ACLs that give users and groups permission to perform certain operations on the object.


An object is handled as a single unit by all transactions and services, including shredding, indexing, versioning, and replication.

object-based query

In the metadata query API, a query that searches for objects based on object metadata. This includes both system metadata and the content of custom metadata and ACLs. The query criteria can also include the object location (that is, the namespace and/or directory that contains the object).

Object-based queries search only for objects that currently exist in the repository. For objects with multiple versions, object-based queries return only the current version.

operation-based query

In the metadata query API, a query that searches not only for objects currently in the repository but also for information about objects that have been deleted by a user or application, deleted through disposition, purged, or pruned. For namespaces that support versioning, operation-based queries can return both current and old versions of objects.

Criteria for operation-based queries can include object status (for example, created or deleted), change time, index setting, and location (that is, the namespace and/or directory that contains the object).

operation record

A record of a create, delete, purge, prune, or disposition operation.

The record identifies the object involved, the type of operation, and the time at which the operation occurred and also contains system metadata for the object. HCP updates the applicable creation record when object metadata changes.

P

permission

One of these:

– In POSIX permissions, the ability granted to the owner, the members of a group, or other users to access an object, directory, or symbolic link. A POSIX permission can be read, write, or execute.

– In a data access permission mask, the condition of allowing a specific type of operation to be performed in a namespace.

– In a tenant-level user account, the granted ability to perform a specific type of operation in a given namespace.

– In an ACL associated with an object, the granted ability to perform a specific type of operation on the object.

– The granted ability to access the HCP System Management Console, Tenant Management, or HCP Search Console and to perform a specific activity or set of activities in that Console. Permissions of this type are granted by roles associated with the user account.

permission mask

See data access permission mask.

ping

A utility that tests whether an IP address is accessible on the network by requesting a response from it. Also, to use the ping utility.

policy

One or more settings that influence how transactions and services work on objects. Such a setting can be a property of an object, such as retention, or a property of a namespace, such as versioning.

POSIX

Portable Operating System Interface for UNIX. A set of standards that define an application programming interface (API) for software designed to run under heterogeneous operating systems. HCP-FS is a POSIX-compliant file system, with minor variations.

primary metadata

Metadata HCP stores for an object when it’s first added to HCP.

privileged delete

A delete operation that works on an object regardless of whether the object is under retention, except if the object is on hold. This operation is available only to users and applications with explicit permission to perform it.

Privileged delete operations work only in namespaces in enterprise mode.

privileged purge

A purge operation that works on an object regardless of whether the object is under retention, except if the object is on hold. This operation is available only to users and applications with explicit permission to perform it.

Privileged purge operations work only in namespaces in enterprise mode.

protection service

The HCP service that ensures the stability of the repository by maintaining a set level of data redundancy within each namespace, as specified by the service plan for the namespace.

protection set

A group of DPL storage nodes in which HCP tries to store all the copies of a given object.

protocol

See namespace access protocol.

protocol optimization

Improves the performance of access protocols, which in turn increases the ingest rate when ingesting objects into a system with a high object count.

pruning

See version pruning.

purge

The operation that deletes all versions of an object.

Q

query

A request submitted to HCP to return metadata for objects that satisfy a specified set of criteria. Also, to submit such a request.

query API

See metadata query API.

R

RADIUS

Remote Authentication Dial-In User Service. A protocol for authenticating credentials that authorize access to an IP network.

RAIN

Redundant array of independent nodes. An HCP system configuration in which the nodes use internal or direct-attached storage.

recognized Active Directory user account

An Active Directory user account for a user that belongs to one or more Active Directory groups for which corresponding group accounts are defined in HCP.

remote authentication

Authentication wherein HCP uses a remote service to check the validity of the specified username and password.

replica

The HCP system to which the replication service copies objects and other information from the primary system during normal replication.

replication

The process of keeping selected HCP tenants and namespaces and selected default-namespace directories in two HCP systems in sync with each other. Basically, this entails copying object creations, deletions, and metadata changes from each system to the other or from one system to the other. HCP also replicates tenant and namespace configuration, tenant-level user and group accounts, retention classes, content classes, all compliance log messages, and all HCP tenant log messages.

replication service

The HCP service that performs replication.

repository

The aggregate of the namespaces defined for an HCP system.

REST

Representational State Transfer. A software architectural style that defines a set of rules (called constraints) for client/server communication. In a REST architecture:

• Resources (where a resource can be any coherent and meaningful concept) must be uniquely addressable.

• Representations of resources (for example, in XML format) are transferred between clients and servers. Each representation communicates the current or intended state of a resource.

• Clients communicate with servers through a uniform interface (that is, a set of methods that resources respond to) such as HTTP.

retention class

A named retention setting. The value of a retention class can be a duration, Deletion Allowed, Deletion Prohibited, or Initial Unspecified.

retention hold

See hold.

retention mode

A namespace property that affects which operations are allowed on objects under retention. A namespace can be in either of two retention modes: compliance or enterprise.

retention period

The period of time during which an object cannot be deleted (except by means of a privileged delete).

retention policy

The HCP policy that determines how an object responds to deletion requests.

retention setting

The property that determines the retention period for an object.

role

A named collection of permissions that can be associated with an HCP user account, where each permission allows the user to perform some specific interaction or set of interactions with the HCP System Management Console, the Tenant Management Console, the HCP management API, the metadata query API, or, for default namespaces only, the HCP Search Console. Roles generally correspond to job functions.

running storage

Storage on continuously spinning disks.

S

SAIN

SAN-attached array of independent nodes. An HCP system configuration in which the nodes use SAN-attached storage.

scavenging service

The HCP service that ensures that objects in the HCP repository have valid metadata.

Search Console

The web application that provides interactive access to HCP search functionality. When the Search Console uses the HCP metadata query engine for search functionality, it is called the Metadata Query Engine Console.

search facility

An interface between the HCP Search Console and the search functionality provided by the metadata query engine or HDDS. Only one search facility can be selected for use with the Search Console at any given time.

search results

A list of objects that HCP or HDDS returns in response to a query.

Search results show metadata for the listed objects.

secondary metadata

The metadata stored with each copy of an object. Secondary metadata provides the redundancy that enables the protection and scavenging services to ensure object availability and integrity.

service

A background process that performs a specific function that contributes to the continuous tuning of the HCP system. In particular, services are responsible for optimizing the use of system resources and maintaining the integrity and availability of the data stored in the HCP repository.

service plan

A named specification of an HCP service behavior that determines how HCP manages objects in a namespace. Service plans enable you to tailor service activity to specific namespace usage patterns or properties.

shred setting

The property that determines whether an object will be shredded or simply removed when it’s deleted from HCP.

shredding

The process of deleting an object and overwriting the locations where all its copies were stored in such a way that none of its data or metadata can be reconstructed. Also called secure deletion.

shredding policy

The HCP policy that determines whether an object is shredded when it’s deleted.

shredding service

The HCP service that shreds deleted objects that are marked for shredding.

single sign-on

In a Windows environment, the use of an already authenticated Active Directory user account to access the System Management Console, Tenant Management Console, HCP Search Console, or Namespace Browser without the need to explicitly log in.

SMTP

Simple Mail Transfer Protocol. The namespace access protocol HCP uses to receive and store email data directly from email servers.

SNMP

Simple Network Management Protocol. A protocol HCP uses to facilitate monitoring and management of the system through an external interface.

SNMP trap

A type of event for which each occurrence causes SNMP to send notification to specified IP addresses. SNMP traps are set in management information base (MIB) files.

soft quota

The percentage point at which HCP notifies a tenant that allocated storage space is being used up. The soft quota measures the space used in all the namespaces the tenant owns.

spindown storage

Storage on disks that can be spun down and spun up as needed.

SSH

Secure Shell. A network protocol that lets you log into and execute commands in a remote computer. SSH uses encrypted keys for computer and user authentication.

SSL

Secure Sockets Layer. A key-based Internet protocol for transmitting documents through an encrypted link.

SSL server certificate

A file containing cryptographic keys and signatures. When used with the HTTP protocol, an SSL server certificate helps verify that the web site holding the certificate is authentic. An SSL server certificate also helps protect data sent to or from that site.

Storage license

A storage license gives you access to a designated amount of your HCP system disk storage capacity. The license can be created for active or extended storage.

storage node

An HCP node that manages the objects that are added to HCP and can be used for object storage. Each storage node runs the complete HCP software.

storage tiering service

The HCP service that moves objects from running storage to spindown storage and from spindown storage to running storage according to rules in service plans.

subdomain

A subset of the computers and devices in a domain.

syslog

A protocol used for forwarding log messages in an IP network. HCP uses syslog to facilitate system monitoring through an external interface.

System Management Console

The system-specific web application that lets you monitor and manage HCP.

system metadata

System-managed properties that describe the content of an object.

System metadata includes policies, such as retention and data protection level, that influence how transactions and services affect the object.

systemwide permission mask

The data access permission mask defined at the HCP system level. The systemwide permission mask applies across all tenants and namespaces.

T

tag

An arbitrary text string associated with an HCP tenant. Tags can be used to group tenants and to filter tenant lists.

tagged network

A network that has a VLAN ID.

tenant

An administrative entity created for the purpose of owning and managing namespaces. Tenants typically correspond to customers or business units.

Tenant Management Console

The tenant-specific web application that lets you monitor and manage tenants and namespaces.

trap

See SNMP trap.

transaction log

A record of all create, delete, purge, prune, and disposition operations performed on objects in any namespace over a configurable length of time ending with the current time. Each operation is represented by an operation record.

U

UID

POSIX user ID.

Unix

Any UNIX-like operating system (such as UNIX itself or Linux).

untagged network

A network that does not have a VLAN ID.

upstream DNS server

A DNS server to which HCP routes the outbound communications it initiates (for example, for sending log messages to syslog servers or for communicating with Active Directory).

user account

A set of credentials that gives a user access to one or more of the System Management Console, the Tenant Management Console, the HCP management API, the HCP Search Console, namespace content through the namespace access protocols, the metadata query API, and HCP Data Migrator.

user authentication

The process of checking that the combination of a specified username and password is valid when a user tries to log into the System Management Console, the Tenant Management Console, or the HCP Search Console, to access the HCP system through the management API, or to access a namespace.

V

versioning

An optional namespace feature that enables the creation and management of multiple versions of an object.

versioning policy

The HCP policy that determines whether a namespace can store multiple versions of objects.

version pruning

The automatic deletion of previous versions of objects that are older than a specified amount of time.

virtual networking

A technology that enables the overlay of multiple logical network configurations onto a single physical network.

VLAN

Virtual local area network. A distinct broadcast domain that includes devices within different segments of a physical network.

VLAN ID

An identifier that’s attached to each packet routed to HCP over a particular network. This function is performed by the switches in the physical network.

volume

See logical volume.

W

WebDAV

Web-based Distributed Authoring and Versioning. One of the namespace access protocols supported by HCP. WebDAV is an extension of HTTP.

Windows workgroup

A named collection of computers on a LAN that share resources such as printers and file servers.

workgroup

See Windows workgroup.

WORM

Write once, read many. A data storage property that protects the stored data from being modified or overwritten.

Z

zero-copy failover

The process of one node automatically taking over management of storage previously managed by another node that has become unavailable.

zone

A set of IP addresses served by DNS.

Index

Symbols

.__hcp_uuid__ file 147–148

.lost+found directory, irreparable objects 350

[hcp_backend] network 224

See also networks

[hcp_system] network

See also networks

about 224

after upgrades 240

usage 225–227

[internal] event initiator 438

[service] event initiator 438

[snmp] event initiator 438

Numbers

10Gb Ethernet connectivity 31

A

access

System Management Console 34

Tenant Management Console 55–56, 302–303

access control lists 3

access protocols

See namespace access protocols

ACLs 3

Active Directory 288

about 418–419

alerts 531–534

authentication 65–66, 420

clearing cache 42, 53, 426–427

configuration information 420–422

configuring support for 418–420, 424–425

configuring to support HCP 597–598

considerations for use with HCP 423

creating SSL certificates for communication with HCP 600–606

disabling support for 419

exporting SSL certificates for communication with HCP 606–607

groups, creating 607–610

groups, creating group accounts from 74–75

groups, giving permissions to 610–614

networks 239

reverse lookup zone 617–620

single sign-on 35

SPNs 422–423

status 424

time 423

user accounts, creating 614–617

Active Directory user accounts

See user accounts, Active Directory

active service schedule, setting 397

active storage 219

adding

See also creating

comments to internal logs 490, 490–491

email recipients 458

IP addresses to Allow/Deny lists 413–414

IP addresses to SNMP notification list 448

nodes before data migrations 187, 376

RADIUS servers 428–429

SSL server certificates to domains 403–404

storage before data migrations 187, 376–377

syslog servers 443

time periods to service schedules 395–396

administrator role 54

Advanced Downstream DNS configuration 235

advanced Downstream DNS configuration 257–258, 271

alerts

about 495–??

Authentication page 424, 531–534

Domains and Certificates page 530–531

Hardware page 93, 515–518

Networks page ??–523

Overview page 81–83, 496–514

Storage Node page 102–103, 518–520

Tenants page 278, 526–530

algorithms

cryptographic hash 344–345

shredding 351

aliases

See network aliases

Allow lists

adding IP addresses 413–414

deleting IP addresses 414

handling of 414–415

valid entries 414

allowing

See enabling

annotations 3

See also custom metadata

appendable objects 3

Appliance Diagnostics menu 482–483

See also diagnostics

assigning

IP addresses to nodes 252–255

authentication

See user authentication

Authentication page

alerts 531–534

clearing Active Directory cache 426–427

configuring Active Directory support 424–425

configuring Windows workgroup support 426

displaying 419

automatic deletion of old versions of objects 330

autonomic tech refresh

See migration service

B

back-end network

See also networks

about 15

usage 462–463

Back-end Network graph 462–463

back-end switch status 102

backing up

exported shares 148

extended storage 116

balancing storage availability 367–368

blade servers

See CB 320 servers; nodes

bonded ports 107–108

boot time, nodes 104

Branding Settings page 306–307

branding, changing 305–307

C

canceling data migrations 387

capacity 219

See storage

capacity balancing service

about 28, 333, 367

detecting imbalances 367

maintaining capacity balance 368

precedence 334

repairing imbalances 367–368

CB 320 servers

See also nodes

configuring for HCP 102

IPMI information for fans and power supplies 92–??, 98–??, 98–102

certificate signing requests

See also SSL server certificates

about 404–405

deleting 412

downloading 411

generating 409–410

installing SSL server certificates returned for 411

certificates

See SSL certificates for communication between HCP and Active Directory; SSL server certificates

Change Password page 43–44

changing

See also configuring; modifying

branding 305–307

compression service settings 356–357

domain or IP addresses for replication network 269

IP addresses for nodes ??–255

login settings 78

migration service performance level 386–387

passwords 43–44

shredding rate 353

system settings through SNMP 446, 450

tenant networks 300–301

time to keep deletion records in transaction log 366

Chargeback page 472

chargeback reports

about 468–469

content 473–476

daily storage usage reports 470

generating 471–472

HCP management API 471

hourly storage usage reports 470

sample 476–477

statistics collection 472–473

status of statistics 476

total storage usage reports 471

types 469–471

chassis

See CB 320 servers

CIFS protocol

about 6–7

object representation 12–13

with Windows workgroups 419

clearing Active Directory cache 42, 53, 426–427

combined data and custom metadata on reads and writes 31–32

comments, adding to internal logs 490, 490–491

common names for SSL server certificates 405–406

company logo

changing 307

specifications 306

compliance

mode 26

role 54

components list 102

compressed reads and writes 31, 474–475

compression of objects in external storage 152–??

Compression page 355–356, 357

compression service

about 27, 332, 354

with duplicate elimination 355

exclusion criteria 357–358

external storage 354

precedence 334

processing 354–355

reclaimed space in Storage Volume graph 87

scheduling 388–398

settings 356–357

statistics 355–356

Configuration Report 189, 381, 382–383

configuring

See also changing; modifying

Active Directory support 418–420, 420–422, 424–425

CB 320 servers 102

content verification service 348–349

data migrations for RAIN systems 188–190, ??–193, 380–381

data migrations for SAIN systems 381–383

directories for exported shares 134

email notification 450–458

Firefox for single sign-on 625

garbage collection service 366

HCP 46–47

HDDS search facility 322

Hitachi Device Manager connection 478–479

Internet Explorer for single sign-on 624–625

metadata query engine 317

secondary zones in Unix 591–592

secondary zones in Windows 589–590

SNMP 446–449

SNMP logging 444–447

stub zones in Unix 591–592

stub zones in Windows 590–591

syslog logging 441–443

Windows workgroup support 418–419, 426

connecting HCP to Hitachi Device Manager 478–479

Console pages

See also System Management Console

Authentication 419, 424–426, 426–427

Branding Settings 306–307

Change Password 43–44

Chargeback 472

Compression 355–356, 357

Console Security 76–78, 412–413

Content Verification 348–349

Domains and Certificates 407–412

Duplicate Elimination 361–362

Email 451–458

Garbage Collection 366

Groups 72–76

Hardware 92–102

HDvM 478–479

Idle Timeout 35, 78

Internal Logs 490–493

login 40–41

Management API 415–416

Migration 379–387

Network Security 400

Networks 240–266, ??–274

Nodes 240–??, 245, ??–247, 252–??

Overview 80–87

Permissions 432–434

RADIUS 427–428

Resources 459–468

Schedule 389–392

Search 312, 317, 322, 325

Search Security 417–418

Shredding 352–353

SNMP 446–449

Storage Node ??–99, 102–??

Storage Tiering 375–??

Syslog 441–443

System Events 437–438

Tenants (Create Tenant panel) 292–296

Tenants (Overview panel) 280–283

Tenants (Settings panel) 300–302

Tenants (tenant list) 278–280

Tenants, about 278

Users 67–72

Console Security page

access to System Management Console 412–413

user account and login settings 76–78

contact information

default tenant 297, 298–299

HCP tenants 290, 294–295

content properties 314

Content Verification page 348–349

content verification service

about 20, 332, 344–??

configuring 348–349

cryptographic hash algorithms 345

detecting violations 346–347

enabling/disabling hash value regeneration 348

ETags 346

external storage 345

irreparable objects 347–348

precedence 334

repairing violations 347

scheduling 388–398

unavailable objects 347–348

controlling

See also managing

compression 356–357

HCP management API access 415–416

Search Console access 417–418

System Management Console access 412–413

copies of metadata query engine index 313

core hardware 103–105

CPU IO Wait graph 460–461

CPU Usage graph 460–461

CPUs in nodes 105

Create Network wizard 247–252

creating

See also adding

Active Directory groups 607–610

Active Directory user accounts 614–617

default tenant and namespace 297–??

domains 408

group accounts 74–75

HCP tenants 284–296

metadata-only objects ??–203, 372–374

network aliases 258–??, 258–259, ??–259

networks 247–252, ??–252

reverse lookup zone for Active Directory 617–620

service plans 210–??

service schedules 393–394

SSL certificates for communication between HCP and Active Directory 600–606

SSL server certificates 405

tagged networks 249

tenants 284

untagged networks 248

user accounts 68–70

cross-mapping 22–23, 576–577

cryptographic hash algorithms

about 344–345

default namespace 297, 299

cryptographic hash values

about 20, 344–345

regeneration, enabling/disabling 348

CSRs

See certificate signing requests

custom metadata

about 3

enabling/disabling indexing by metadata query engine 317

indexing with metadata query engine 314, 329–??, 329

XML checking policy 330

D

data

See also objects

availability 22–25

compressing 354–355

deleting abandoned 365

fixed content 2

integrity 20–22

privacy 25

security 20–22

data access

authentication 21

methods 6–10

permission masks 21, 431–434

permissions 21–22

data directory 12

data migrations

See also migration service

about ??–187, 376–377

canceling 387

Configuration Report 189, 381, 382–383

configuring for RAIN systems 188–190, ??–193, 380–381

configuring for SAIN systems 381–383

Migration Report 190–191, 379, 384

modifying descriptions of 385–386

monitoring 384–385

pausing 387

procedure 378–??

resuming 387

reviewing previous 385–386

storage requirements for SAIN systems 377–378

Data Migrator

See HCP Data Migrator

data outages

about 340

with zero-copy failover 578

data protection level

See DPL

data protection strategy

about ??–199, 336–339

data transmission, compressed 31

data volumes 93

deduplication

See duplicate elimination service

default email message template 456

default namespace 4–5

See also namespaces

associating service plans with 300

creating 297–??

cryptographic hash algorithm 297, 299

enabling search 300

name 297

retention mode 297, 299

search 297–298

service plans 298

Default service plan 206–??

default tenant

See also tenants

about 5

administrators 55

contact information 297, 298–299

creating 297–??

deleting 305

description 297, 298

name 297

Search Console access 417–418

defining

See creating

degraded networks 238

delete permission 433

deleting

See also shredding

abandoned data and metadata 365

certificate signing requests 412

default tenant 305

domains 401, 412

email recipients 458

empty namespaces 365

expired objects automatically 362–363

external storage volumes 148

group accounts 76

HCP tenants 305

IP addresses from Allow/Deny lists 414

metadata query engine index 318

networks 275

objects 363–364

RADIUS servers 431

service plans 216–??

service schedules 397–398

SNMP managers 449

SSL server certificates 403, 412

syslog servers 443

time periods from service schedules 397

user accounts 72

Deletion Allowed 328

Deletion Prohibited 328

Deny lists

adding IP addresses 413–414

deleting IP addresses 414

handling of 414–415

valid entries 414

descriptions

data migrations 190, 379, 381, 383, 385–386

default tenant 297, 298

HCP tenants 285, 292

networks 248

user accounts 70

detecting

capacity imbalances 367

content verification service violations 346–347

invalid metadata 349–350

protection service violations 340–341

scavenging service violations 349

devices, storage 105–106

diagnostics

dig 485–486

fchbainfo 488–489

ping 483–484

route 486–487

running 482–483

showmount 487

traceroute 484–485

dig 485–486

directories

.lost+found 350

data 12

ensuring valid metadata for 350

exported shares 134

fcfs_data 13

fcfs_metadata 13

metadata 12

rest 11

storing 3

disabled user accounts 52

disabling

Active Directory support 419

custom metadata indexing by metadata query engine 317

hash value regeneration 348

metadata query API 317

metadata query engine indexing 313, 317

ping 400

Search Console 325

SSH login to nodes 400

user accounts 71

user accounts automatically 77

disallowing

See disabling

disks

See logical volumes

displaying zone definitions for network domains 265–266

disposition service

about 27, 333, 362

processing 362

scheduling 388–398

DNS

Active Directory 423

advantages 586–587

configuration for service by remote systems 593–595

configuring secondary zones in Unix 591–592

configuring secondary zones in Windows 589–590

configuring stub zones in Unix 591–592

configuring stub zones in Windows 590–591

domains 402

downstream servers 233

HCP domain names 589

HDDS search facility 319

hidden master 233–234

name servers 585, 588

network domains 232–233

network settings 233–235

notify 234

refresh rate 234–235

reverse lookup zone for Active Directory 617–620

secondary zones 588–589

stub zones 588–589

troubleshooting 483, 485

upstream servers 233

verifying secondary zone configuration 593

verifying stub zone configuration 593

zone definitions for network domains 265–??

zone definitions for networks with hidden master or notify 234

zone definitions for network domains ??–266

documentation, viewing 43

domain name system

See DNS

domains

about 400–401

adding SSL server certificates to 409–412

creating 408

deleting 401, 412

DNS 402

initial 402

names 401–402

for networks 232–233, 401

sorting list of 407

SSL server certificates for 402–404

zone definitions 265–266

Domains and Certificates page

about 407–408

adding certificates to domains 409–412

alerts 530–531

creating domains 408

deleting certificates 412

deleting domains 412

downloading

certificate signing requests 411

HCP documentation 43

HCP-MIB.txt file 450

internal logs ??–490, ??–493

downstream DNS servers 233

DPL

about 23

detecting violations 340–341

objects in external storage 150–151

protection sets 339

repairing violations 341–343

storage used 340

DPL settings in service plans ??–199, 336–339

drives

See logical volumes

Duplicate Elimination page 361–362

duplicate elimination service

about 27, 333, 358–359

with compression 355

external storage 360

logical volume failure 341

processing 359–361

reclaimed space in Storage Volume graph 87

scheduling 388–398

with shredding 353–354

statistics 361–362

dynamic

statistics 472–473

E

economy storage component 119

economy storage pool ??–139, 175

buckets 177–178

creating 175–??

modifying 176–177

economy storage pools 138–??

editing

See changing; configuring; modifying

effective permissions 431–432

email message template

See also email notification

about 453–454

default 456

modifying 454

variables 455

email notification

about 450–451

email server 452–453

enabling 452

message template 453–456

recipients 456–458

Email page 451–458

email recipients 456–458

See also email notification

email server

specifying 452–453

testing connection to 453

empty namespaces, deleting 365

empty networks 238

enabling

custom metadata indexing by metadata query engine 317

email notification 452

hash value regeneration 348

Hitachi Device Manager connection 478–479

metadata query API 317

metadata query engine indexing 313, 317

ping 400

Search Console 325

SNMP 446–447

SSH login to nodes 400

syslog logging 442

user accounts 71

encryption

data at rest 25

objects in external storage 152–??

ensuring HCP recovery 48

enterprise mode 26

ETags 346

events

See also log messages; system log

correlated with resource usage 468

initiators 438, 439

security 441, 445

severity 438–439

viewing all 437

viewing for nodes 108–109

viewing major 84

viewing security 437–438

viewing service 392

exclusion criteria, compression service 357–358

expiration date 220

expired objects, deleting automatically 362–363

expired passwords 77

exported shares 146

See also external storage; external storage volumes

about 134–135

backing up 148

restoring 149

reusing 148

unavailable 147

exporting SSL certificates for communication between HCP and Active Directory 606–607

extended storage 219

about 13, 115

backing up 116

extended storage components

NFS 14

external storage

See also external storage pools; external storage volumes; storage tiering service

about 29–30

compression 152–??

content verification service 345

directory configuration 134

disk failures 148–??

duplicate elimination service 360

encryption 152–??

exported shares 146

moving objects to ??–152, 372–??

objects in 150–??

shredding service 351

troubleshooting 149, 483, 487

usage considerations 146–149

External Storage page

renaming external storage pools ??–200

external storage pools

See also external storage; external storage volumes

renaming ??–200

external storage volumes

See also exported shares; external storage; external storage pools

about 94, ??–146

deleting 148


migration service 187, 376

mount options 147

moving 147

remounting 184–??

zero-copy failover 577

external volumes 14

F

failover, zero copy 577–580

fans

CB 320 server chassis 92–??, 98–??, 98–102

IPMI information 106

fcfs_data directory 13

fcfs_metadata directory 13

fchbainfo 488–489

features enabled per tenant 282–283

Fibre Channel switches 18

file system status, nodes 108

files

.__hcp_uuid__ 147–148

hosts 37–39

objects stored for 2

filtering

Active Directory group list 75

group account list 73–74

network list 244, 246–??

tenant list 280

user account list 68

Firefox, configuring for single sign-on 625

fixed content 2

forcing password changes 70, 77

front-end network

See also networks

about 15

usage 225–227, 462–463

virtual networking 224

Front-end Network graph 462–463

fully defined networks 238

G

Garbage Collection page 366

garbage collection service

about 27, 333

configuring 366

processing 363–366

scheduling 388–398

service schedules 392

general node 92–99, 99

generating

certificate signing requests 409–410

chargeback reports 471–472

self-signed SSL server certificates 409

giving permissions to Active Directory groups 610–614

graphs

Back-end Network 462–463

CPU IO Wait 460–461

CPU Usage 460–461

Front-end Network 462–463

LUN Read/Write 461–462

LUN Utilization 461, 461–462

Memory Swap 462

Objects 85

resource usage, about 460–463

resource usage, managing 463–467

Storage Volume 86–87

group accounts

about 52, 53

creating 74–75

deleting 76

initial for HCP tenants 289, 294

list 73–74

managing 45

modifying 75–76

names 74

names with deleted Active Directory groups 76

resetting tenant-level with security role 303–304

Groups page 72–76

about 73–74

creating group accounts 74–75

deleting group accounts 76

modifying group accounts 75–76

groups, Active Directory

creating 607–610

creating HCP group accounts from 74–75

giving permissions to 610–614

H

hard quotas

about 287

display of 279, 284

setting 293

hardware

blade-server chassis 92–??, 98–??, 98–102

component list 102

core 103–105

managing 47

node list 92–98

overview 15–19

status on Overview page 81

status on Storage Node page 102–108

types reported for nodes 103–104


Hardware page

about 92–102

alerts 515–518

hash algorithms

See cryptographic hash algorithms

hash values

See cryptographic hash values

HCP

See also RAIN systems; repository; SAIN systems; VM systems

about 1–2

administrator responsibilities 44–49

alerts 81–83

back-end network 15

balancing unused storage capacity 367–368

compliance 25–26

configuring 46–47

continuous viability 81

DNS name 38

documentation 43

domain names 589

ensuring recovery 48

file system 12–13

front-end network 15

hardware 15–19

internal logs 489–490

monitoring 46, 80–87

network connections 15

read-only 83

restarting 87, 89

scalability 14

securing SNMP access to 446–447

serial number 40

service by remote systems 24–25, 593–595

services 332–333

shutting down 87–88

software 14

startup, logging in during 41

status on Overview page 81

storage capacity 86–87

subdomains 585, 588–589

system log 436

system time 80, 423

system-level data access permission mask 431

used storage 86–87

version 40

in VMware environment 2

HCP 300 2

See also HCP; RAIN systems

HCP 500 2

See also HCP; SAIN systems

HCP Data Migrator 10–11

Hardware page

networks 240

HCP Default Schedule 388, 392

HCP group accounts

See group accounts

HCP management API

about 35–36

chargeback reports 471

controlling access to 415–416

roles 55

security 415–416

system-level access to tenant-level activities 55–56

HCP metadata query API

See metadata query API

HCP namespaces

See also namespaces

about 4–5

chargeback reports 469

owners 5

statistics in chargeback reports 473–476

versioning 330

HCP nodes

See nodes

HCP S Series Node 99–100, 153–163

buckets and accounts 159–162

creating storage component 154–156

modifying 156–159

need to know 153–154

pausing and deleting 162–163

HCP system serial number 219

HCP tenants

See also tenants

associating service plans with 296

authentication methods 288–289, 293

chargeback reports 468

contact information 290, 294–295

creating 284–296

data access network 286

deleting 305

description 285, 292

enabling search 296

enabling service plan selection 296

hard quota 279, 284, 287, 293

management network 285–286

names 285, 292

namespace quotas 283, 287–288, 293

networks 292–293

renaming 300

replication 290, 296

resetting security 303–304

retention mode selection 290, 296

search 291

service plans 282, 291


soft quota 287, 293

statistics in chargeback reports 473–476

tags 290, 295–296

versioning support 291, 296

HCP user accounts

See user accounts, HCP

HCP-DM

See HCP Data Migrator

HCP-FS 12–13

HCP-MIB.txt file 449–450

HCP-VM 2

See also HCP; VM systems

HDDS

See HDDS search facility

HDDS search facility

See also Search Console

about 9, 318–319

availability 323

configuring 322

configuring HDDS for 319–321

HDDS server 321

index 319

indexing metadata-only objects 203, 374

namespace mappings 319–320

statistics user account 321

testing connection to HDDS 322

user account mappings 320–321

HDvM

See Hitachi Device Manager

HDvM page 478–479

hidden master 233–234

Hitachi Content Platform

See HCP

Hitachi Device Manager

about 36

connecting to 478–479

Hi-Track 36

hold, retention 26, 328

hostname mappings 37–??, 38–39

hosts file 37–39

hotfix version numbers 40

HS3 API

about 6–7

object representation 11–12, 12

slow response time 346

HTTP protocol

See also RESTful HTTP object representation

about 6–7

object representation in default namespace 12–13

object representation in HCP namespaces 11

I

Idle Timeout page 35, 78

inactive user accounts 77

index volumes 93

indexed objects, number of 85

indexes

See also HDDS search facility; indexing; metadata query engine

copies for metadata query engine 313

deleting for metadata query engine 318

HDDS search facility 319

maximum size for metadata query engine 314–315, 317

metadata query engine 312–316

number of indexed objects 85

indexing

See also HDDS search facility; indexes; metadata query engine

about 10

custom metadata 329–??, 329

custom metadata with metadata query engine 314

enabling/disabling for metadata query engine 313, 317

metadata-only objects 203, 374

policy 329

ingested volume 86

initial

domain 402

security accounts for HCP tenants 289, 294

SSL server certificate 403

user account, System Management Console 66

Initial Unspecified 328

inodes 108

installing

SSL server certificates created outside HCP 409, 411–412

SSL server certificates returned for CSRs 411

insufficient storage capacity 81–82

integrity, data 20–22

internal logs

about 489–490

adding comments to 490, 490–491

downloading 490, ??–490, ??–493

Internal Logs page 490–493

internal storage architecture 16

Internet Explorer, configuring for single sign-on 624–625

IP addresses

in Allow/Deny lists 414

assigning to nodes 252–255


changing for nodes ??–255

nodes 104

SNMP managers 448–449

syslog servers 443

IP modes

about 225

network properties 229–??, 262–??

networks

choosing an IP mode for a network 239

IPMI information

about 106–107

blade-server chassis 92–??, 98–??, 98–102

irreparable objects

content verification service 347–348

migration service 191, 195, 379

protection service 343

scavenging service 350

L

linear scalability 14

link aggregation 31

load average, nodes 105

local authentication 64–65

local storage volumes 14

log messages

See also system log

descriptions 535–572

details 439

importance 450–451

for major events 84

managing list of 440

for nodes 108–109

sending through email 450–451

sending through SNMP 445

sending through syslog 440–441

for services 392

severity 438–439

types 450–451

understanding 438–439

viewing 436

viewing all on Resources page 468

viewing all on System Events page 437

viewing security 437–438

logging

See also log messages; system log

configuring for SNMP 444–447

configuring for syslog 441–443

shredded objects 352, 353

testing SNMP manager connections 449

testing syslog server connections 443–444

logging in

HCP nodes 20

System Management Console 39–41

logging out of System Management Console 44

logical mappings between storage and nodes 576–577

logical volumes

See also storage

about 14

capacity 103

failover and failback 577

failure 344

IDs 93–94

local 14

mappings 576–577

metadata query engine index 314–315

NFS 14

operating system 97, 103

removed 98

resource graphs 461–462

SAIN system servers with internal storage 97, 103

spindown during failover/failback 577

spindown storage 94

status 93–98

types 93–94

usage 103

login settings

about 76–78

changing 78

logo

changing 307

specifications 306

logs

See internal logs; system log

low storage capacity 81–82

LUN Read/Write graph 461–462

LUN Utilization graph 461, 461–462

LUNs

See logical volumes

M

Mac OS X hosts file 38

maintaining capacity balance 368

major events 84

management API

See HCP management API

Management API page 415–416

management information base

See MIBs

managing

See also controlling

data migrations 386–387

group account list 73–74

group accounts 45


hardware 47

metadata query engine 316

network list 243–244

network security 400

node list on Nodes page 245–247

repository 19–32

repository access 48

system log message list 440

tenant list 279–280

tenants 48

user account list 67–68

user accounts 45

mappings

hostname 37–39

between storage and nodes 576–577

maximum

size for metadata query engine index 314–315, 317

transmission unit 227, 249

memory

statistics for nodes 104–105

usage 462

Memory Swap graph 462

merging duplicate objects 358–361

message for Console login pages 78

metadata

about 3

ACLs 3

custom 3

deleting abandoned 365

detecting invalid 349–350

hold setting 328

index setting 329

merged objects 359–360

primary 204–??, 334–335

retention setting 328

secondary 205, 335

shred setting 329

storage 334–335

system 3

metadata directory 12

metadata query API

about 8–9

enabling/disabling 317

roles 55

system-level access to HCP namespaces 56

metadata query engine

about 9, 312–316

availability 323

configuring 317

deleting index 318

enabling/disabling custom metadata indexing 317

enabling/disabling indexing 313, 317

index 312–316

index-enabled logical volumes 314–315

indexing custom metadata 314

indexing policy 329–??, 329

Metadata Query Engine Console 9

metadata-only objects

about 30

creating ??–203, 372–374

metafiles 12

See also metadata

MIBs

HCP 449–450

supported standard 582–583

walking 583

Migration page

Configuration panel 188–??, 380–383

displaying 379–380

Management panel 386–387

Overview panel 383–386

Migration Report 190–191, 379, 384

migration service

See also data migrations

about ??–187, 333, 376–377

external storage volumes 187, 376

irreparable objects 191, 195, 379

performance level 190, 381, 383, 386–387

precedence 334

status 384

minimum length for passwords 77

modifying

See also changing; configuring

data migration descriptions 385–386

email recipients 458

group accounts 75–76

network aliases 273–274

networks 259–??, 270–??

RADIUS servers 430

service plans 212–??

service schedules 394–395

systemwide permission mask 432–434

tenants 300–302

time periods in service schedules 396

user accounts 70–71

monitor role 54

monitoring

See also resource monitoring

data migrations 384–385

HCP 46

HCP on Overview page 80–87

individual nodes 102–111

nodes 92–98

mount options for external storage volumes 147


Mozilla Firefox, configuring for single sign-on 625

MQE

See metadata query engine

MTU 227, 249

multipathing 22, 576

N

name servers 585, 588

names

common for SSL server certificates 405–406

default namespace 297

default tenant 297

distinguished for SSL server certificates 408

domains 401–402

group accounts 74

group accounts with deleted Active Directory groups 76

HCP tenants 285, 292

networks 248

user accounts, HCP 69

namespace access protocols 6–7

Namespace Browser 7–8

namespace quotas

about 287–288

available namespaces for tenant 283

display of 283

specifying 293

namespaces

See also default namespace; HCP namespaces

about 4–5

data access methods 6–10

data access permission masks 431

default 4–5

deleting empty 365

disposition service 362

effective permissions 431–432

HCP 4–5

mappings for HDDS search facility 319–320

number available for allocation 293

service plans 207

system-level access to 56

NDMP protocol 7

network alias

creating 258–259

network aliases

See also networks

about 236–237

creating 258–259

modifying 273–274

network bandwidth usage optimization 31–32

network interface cards 107–108

network per storage component ??–100, 120, 122–??, 122, 124, 127–??, 127, 128, 130, 154, 156, ??–157, ??–239, 376–??

Virtual network management 239

Network Security page 400

network security, managing 400

Network View panel

Create Network wizard 247–252

networking, HCP connections 15

networks

See also back-end network; front-end network; network aliases

[hcp_backend] 224

[hcp_system] 224

about 224

Active Directory authentication 288

aliases

creating 258–259

assigning node IP addresses 252–255

changing domain or IP addresses 269

changing for tenants 300–301

changing node IP addresses ??–255

creating 247–252, ??–252

degraded 238

deleting 275

DNS settings 233–235

domains 232–233, 401

empty 238

filtering list of 244, 246–??

fully defined 238

hidden master 233–234

interfaces 231

IP modes 239

about 225

list 242–??

modifying 259–??, 270–??

MTU 227, 249

names 248

new nodes 240

paging through list of 243

partial 238

properties 227–230

IP modes 229–??, 262–??

IPv4 subnet 229, 262

support for IPv4 addresses 229, 262

support for IPv6 addresses 229–230, 262–263

RADIUS authentication 288

resetting 274

selecting for tenants 292–293

sorting list of 243

states 237–238


subnets 229–230, 262–??

IPv4 229, 262

IPv6 229–230, 262–263

tagged 230–232

tenant data access 286

tenant management 285–286

troubleshooting 484, 485, 486

untagged 230–231

usage 225–227

zone definitions for domains, displaying 265–266

Networks page 242–??

about 240–??, 240–241

alerts ??–523

creating networks 247–??

deleting networks and network aliases 275

displaying 241

modifying network aliases 273–274

modifying networks 270–??

network list ??–244

Network View panel creating network aliases 258–259

resetting networks 274

networksnotify 234

NFS

logical volumes 14

NFS protocol

about 6–7

object representation 12–13

NFS storage components

exported shares 134–135

NFS volumes

disk failures ??–149, ??–184

NICs 107–108

Node View panel

changing IP addresses ??–255

nodes

See also storage nodes

about 13–??

adding before data migration 187, 376

assigning IP addresses 252–255

balancing storage availability 367–368

changing IP addresses ??–255

CPUs 105

events 108–109

file system status 108

hardware 103–104

IDs 92, 104

IP addresses 104

IP addresses for networks 229

IPMI sensors 106–107

IPv4 addresses for networks 229, 262

IPv6 addresses for networks 230


list 92–98, 98–??, 98–??

list on Nodes page 245–247

load average 105

logging into 20

logical volumes 93–98, 103

memory 104

monitoring 92–98

monitoring individually 102–111

network IP addresses for new 240

NICs 107–108

number of 92–??

paging through list of on Nodes page 245–246

peer 576–577

primary IPv6 addresses for networks 263

protection sets 23, 339–340

removal 344

restarting 109–110, 111

retiring ??–190, ??–193, 376–381, 383–387

secondary IPv6 addresses for networks 263

security 400

shutdown 344

shutting down 109–110

sorting list of on Nodes page 246–247

startup time 104

status 92–93, 98–??, 104

storage ??–14

storage capacity 104

storage devices 105–106

unavailable 93, 98–??, 104

used storage 98, 104

Nodes page

about ??–245

changing IP addresses 252–??

node list 245–247

notify setting for networks 234

O

objects

about 2–3

appendable 3

compressed in external storage 152–??

cryptographic hash values 344–345

deleting 363–364

deleting abandoned data and metadata 365

deleting expired automatically 362–363

duplicate elimination 358–361

encrypted in external storage 152–??

ensuring valid metadata 349–350

in external storage 150–??

hold setting 328

index setting 329

integrity alerts 82


irreparable 343, 350

making metadata-only ??–203, 372–374

merging duplicates 358–361

metadata creation 334–335

metadata-only 30

moving to external storage ??–151, 372–??

number of in repository 85

number of indexed in repository 85

number of indexed per tenant 283

number of per tenant 283

pruning old versions 330

representation with HS3 API 11–12, 12

representation with non-RESTful HTTP, WebDAV, CIFS, and NFS protocols 12–13

representation with RESTful HTTP API 11

retention setting 328

shred setting 329

shredding 350–354

storage ??–14

storing copies of 340

unavailable 343

unindexable 316

versioning 3

Objects graph 85

operating system logical volume 97, 103

optimization

network bandwidth usage 31–32

storage usage 27–30

Overview page

about 80

alerts 81–83, 496–514

Major Events section 84

Objects graph 85

Services section 83–84

Storage Volume graph 86–87

P

paging

group account list 73

network list 243

node list on Nodes page 245–246

tenant list 279

user account list 68

partial networks 238

passwords

about 43–44, 69–70

Active Directory authenticated users 66

changing your own 40, 43–44

expiration 77

forcing changes 70, 77

locally authenticated users 64–65

minimum length 77

RADIUS-authenticated users 65

resetting for tenant-level security accounts 303–304

paths between nodes and storage 576

pausing data migrations 387

peer nodes 576–577

permission masks

See data access

permissions

about 53

Active Directory users 34

data access 21–22

in data access permission masks 433–434

giving to Active Directory groups 610–614

granted by system-level roles 56–59, ??–59

granted by tenant-level roles 60–64

Permissions page 432–434

physical paths between nodes and storage 576

ping

enabling/disabling 400

running diagnostics 483–484

point-in-time statistics 472

policies

about 327

custom metadata XML checking 330

indexing 329

retention 20–21, 328

shredding 21, 329

versioning 330

ports, bonded 107–108

power supplies

CB 320 server chassis 92–??, 98–??, 98–102

IPMI information 106

powering on SAIN systems 88

precedence

services 334

servicing read requests 206, ??–206

precedence of services

See also preempted services

predefined user account 66

preempted services 391, 393

See also precedence of services

prerequisites for configuring support for HCP in Active Directory 598–599

primary mappings 576–577

primary metadata

about 204–??, 334–335

for shredded objects 351

primary storage

about 13, 115

privileged delete 26

privileged permission 434

processors, IPMI information 106

product branding, changing 305–307


product name, changing 307

protection service

about 23, 332, 336–340

detecting violations 340–341

irreparable objects 343

precedence 334

repairing violations 341–343

scheduling 388–398

triggers 344

unavailable objects 343

protection sets 23, 339–340

protocol optimization ??–308

cloud protocols 309–310

default setting 309

protocols

See namespace access protocols

providers of SSL server certificates 627–628

pruning old versions of objects 330

See also versioning

purge permission 433

Q

query API

See metadata query API

quotas

See hard quotas; namespace quotas; soft quotas

quote number 219

R

RADIUS authentication

about 65

tenant networks 288

RADIUS page 427–428

RADIUS servers

about 427–428

adding 428–429

deleting 431

modifying 430

reordering 430

testing connections to 429–430

RAIN systems

See also HCP

about 2

architecture 16

retiring nodes ??–190, ??–193, 376–381, 383–387

read from replica 24

read permission 433

read-only state 83

reads

combined data and custom metadata 31–32

compressed 31, 474–475

precedence of servicing 206, ??–206

recipients, email 456–458

See also email notification

recognized Active Directory user accounts 34, 420

recovery, ensuring 48

refresh rate for DNS 234–235

refreshing System Management Console pages 42

regulatory compliance 25–26

rehydration

about 203–204

metadata-only objects 372

remote authentication

about 64

Active Directory 65–66

RADIUS 65

remounting external storage volumes 184–??

removing

See deleting

renaming

external storage pools ??–200

HCP tenants 300

reordering RADIUS servers 430

repairing

capacity imbalances 367–368

content verification service violations 347

invalid metadata 349–350

protection service violations 341–343

scavenging service violations 350

replica, object repair from 342, 347

replication

changes to selected network 269

changing namespace quotas during failover 288

HCP tenants 290

metadata-only objects 202–203, 373–374

network aliases 236–237

service by remote systems 24–25, 593–595

service plans 207

tenant eligibility for 282, 296

replication service 24, 333

reports, chargeback 468–477

repository

See also HCP; namespaces

encryption 25

growth of 14

management 19–32

managing access to 48

number of indexed objects in 85

number of objects in 85

reserved words, HCP tenant names 292


resetting

branding 307

HCP tenant security 303–304

networks 274

resource monitoring

See also resource usage graphs

about 459

resource usage graphs, about 460–463

resource usage graphs, managing 463–467

resource usage graphs

Back-end Network 462–463

CPU IO Wait 460–461

CPU Usage 460–461

Front-end Network 462–463

LUN Read/Write 461–462

LUN Utilization 461, 461–462

Memory Swap 462

scrolling 467

setting scope 464

specifying time periods 466

switching 464

viewing details for points in time 465

zooming 464–465

Resources page

See also resource usage graphs

about 459

displaying 459

log messages 468

resource graphs, about 460–463

resource graphs, managing 463–467

responsibilities, HCP administrator 44–49

rest directory 11

restarting

HCP 87, 89

nodes 109–110, 111

RESTful HTTP object representation

See also HTTP protocol

restoring

default email message template 456

shared directories 149

resuming data migrations 387

retention

classes 25, 328

hold 26, 328

periods 20–21

policy 20–21, 328

settings 20–21, 328

retention mode

about 26

default namespace 297, 299

selection 282, 290, 296

retiring

nodes ??–190, ??–193, 376–381, 383–387

storage arrays 376–378, 381–387


reusing exported shares 148

reverse lookup zone for Active Directory 617–620

reviewing previous data migrations 385–386

roles

about 53

Active Directory users 53

administrator 54

changing for group accounts 75–76

changing for user accounts 71

compliance 54

metadata query API 55

monitor 54

search 55

Search Console 55

security 54

service 54

system-level permissions granted by 56–59, ??–59

tenant-level permissions granted by 60–64

route 486–487

rules for service plans 210–??

running diagnostics 482–483

See also diagnostics

running storage 28, 93

S

SAIN systems

See also HCP

about 2

architecture 17–18

Fibre Channel switches 18

multipathing 22

powering on 88

retiring storage arrays 376–378, 381–387

spindown storage 94

zero-copy failover 22–23, 575–580

SAR 460, 466

scalability 14

scavenging service

about 20, 332

detecting violations 349

precedence 334

repairing violations 350

scheduling 388–398

Schedule page 389–392

scheduling services

See service schedules

scope of resource usage graphs, setting 464

scrolling resource usage graphs 467

search

default namespace 297–298

enabling for default namespace 300


enabling for HCP tenants 296

HCP tenants 282, 291

Search Console

See also search facilities

about 9–10

controlling access to 417–418

enabling/disabling 325

login page message 78

roles 55

security 417–418

system-level access to HCP namespaces 56

search facilities

See also HDDS search facility; metadata query engine; Search Console

about 9–10

availability 323–??

HDDS search facility, about 318–321

HDDS search facility, configuring 322

indexes 10

indexing status 324–??

metadata query engine, about 312–316

metadata query engine, configuring 317

search indexes

See indexes

Search page

about 312

configuring HDDS search facility 322

configuring metadata query engine 317

enabling/disabling Search Console 325

search permission 434

search role 55

Search Security page 417–418

secondary metadata

about 205, 335

shredding 350

secondary zones

about 588–589

configuring for service by remote systems 593–595

configuring in Unix 591–592

configuring in Windows 589–590

verifying configuration 593

secure deletion 350

Secure Sockets Layer 20

See also SSL server certificates

securing

HCP communication with Active Directory 421, 600–607

SNMP access to HCP 446–447

security

data 20–22

data access permission masks 431–432

events 441, 445

HCP access through SNMP 446–447

HCP management API 415–416

network 400

resetting for HCP tenants 303–304

role 54

Search Console access 417–418

SSL server certificates 402–403

System Management Console access 412–413

user account 66

self-signed SSL server certificates

about 403

generating 409

serial number 40

server certificates

See SSL server certificates

service by remote systems 24–25, 593–595

service plans

about 210–??

associating with default namespace 300

associating with HCP tenants 296

creating 210–??

data protection strategy ??–199, ??–339

data protection strategy, about 336–??

Default 206–??

for default namespace 298

deleting 216–??

enabling HCP tenant selection 296

for HCP tenants 291

modifying 212–??

for namespaces 207

read requests 206, ??–206

replication 207

for tenants 207

service principal names for Active Directory support 422–423

service role 54

service schedules

See also time periods in service schedules

about 335–336, 388

considerations 392–393

creating 393–394

deleting 397–398

displaying 391

garbage collection service 392

modifying 394–395

setting active 397

services

See also capacity balancing service; compression service; content verification service; disposition service; duplicate elimination service; garbage collection service; migration service; protection service; replication service; scavenging service; shredding service; storage tiering service

about 331–332

capacity balancing 28, 367–368

compression 27, 354–358

content verification 20, 344–349

current status 83–84

disposition 27, 362–363

duplicate elimination 27, 358–362

garbage collection 27, 363–366

log messages about 392

migration 376–387

precedence 334

preempted 391, 393

protection 23, ??–344

protection service 336–??

replication 24

scavenging 20, 349–350

scheduled 335–336, 388–389

scheduling 335–336, 388–398

shredding 350–354

on spindown storage 389

status values 83–84

storage tiering 196–??, 210–??, 368–??

types 332–333

sessions

System Management Console 35

timeout 78

setting scope of resource usage graphs 464

severity, events 438–439

shared volumes 94

shares, exported

See exported shares

shortcut keys 41

showmount 487

shredding

See also deleting; shredding service

about 350

logging shredded objects 352, 353

objects in external storage 151

policy 21, 329

rate 353

statistics 352–353

Shredding page 352–353

shredding service

See also shredding

about 332, 350–351

changing rate of 353

with duplicate elimination 353–354

external storage 351


processing 351

triggers 354

shutting down

HCP 87–88

nodes 109–110

single instancing

See duplicate elimination service

single sign-on

about 35, 65, 420

configuring Firefox for 625

configuring Internet Explorer for 624–625

locations, Active Directory 422–423

slave zones

See secondary zones

SMTP protocol 7

SMTP server for email notification 452–453

SNMP

about 444–445

changing system settings 446, 450

configuring 446–449

enabling 446–447

events initiated through 438

IP addresses for notification 448–449

logging 444–447

securing HCP access through 446–447

testing manager connections 449

walking the MIB 583

SNMP page 446–449

snmpwalk command 583

soft quotas

about 287

setting 293

sorting

domain list 407

group account list 73

network list 243

node list on Nodes page 246–247

tenant list 279

user account list 68

specifying time periods for resource usage graphs 466

spindown storage

See also storage tiering service

about 28–29

failover/failback 577

logical volumes 94

services on 389

usage statistics 375–??

spindown volumes 94

SPNEGO 64

SPNs for Active Directory support 422–423

SSH login to nodes, enabling/disabling 400


SSL certificates for communication between HCP and Active Directory

about 421

creating 600–606

exporting 606–607

SSL server certificates

about 402–403

adding to domains 403–404, 409–412

common names 405–406

created outside HCP, about 405

created outside HCP, installing 409, 411–412

deleting 403, 412

distinguished names 408

initial 403

installing for CSRs 411

lists of for domains 407–408

providers 627–628

returned from certificate authorities 404

selection for use 406–407

self-signed, about 403

self-signed, generating 409

states 406

subject alternative names 406

SSL, about 20

See also SSL server certificates

standard MIBs, supported 582–583

See also MIBs

standby mappings 576–577

starter accounts

HCP tenants 289, 294

System Management Console 66

startup time, nodes 104

statistics

in chargeback reports 473–476

collection for chargeback reports 472–473

compression 355–356

duplicate elimination 361–362

dynamic 472–473

point in time 472

shredding 352–353

status in chargeback reports 476

user account for HDDS search facility 321

status

back-end switches 102

logical volumes 93–98

nodes 92–93, 98–??, 104

services 83–84

storage capacity 81–82

swappable memory 105

storage

See also external storage; logical volumes

adding before data migrations 187, 376–377

available 278

available per tenant 284

balancing available capacity 367–368

capacity by logical volume 103

capacity by node 104

capacity low 81–82

devices per node 105–106

external 29–30

logical volume usage 103

object based 2–3

objects 340

protection sets 339

requirements for data migrations on SAIN systems 377–378

running 93

setup for zero-copy failover 576–577

spindown 28–29, 94

system capacity 86–87

usage by node 98

usage by tenant 279

usage optimization 27–30

used 278

used per tenant 284

storage administration

about 113–??

storage arrays, retiring 376–378, 381–387

storage license 218–221

exceeded license 220

expired 220

serial number 220

upload license 220–221

Storage Node page

about ??–99, 102–??

alerts 102–103, 518–520

Hardware Status section 102–108

Logical Volume section 103

Node Events section 108–109

storage nodes ??–14

See also nodes

storage pools

about 137

Storage Tiering page 375–??

storage tiering service

See also spindown storage

about 196–??, 210–??, 333, 368–369

making objects metadata-only ??–203, 372–374

processing 374–375

scheduling 388–398

service plans 210–??

statistics 375–??

tiering to extended storage ??–152

tiering to external storage 150–??, 372–??

storage types

primary and extended storage 13, 115

Storage Volume graph 86–87

stub zones

about 588–589

configuring for service by remote systems 593–595

configuring in Unix 591–592

configuring in Windows 590–591

verifying configuration 593

subdomains 585, 587

subject alternative names for SSL server certificates 406

submitting changes in the System Management Console 42–43

subnets for networks 229–230, 262–??

IPv4 229, 262

IPv6 229–230, 262–263

supported standard MIBs 582–583

swappable memory status 105

switch status 101–102

switching resource usage graphs 464

symbolic links 3

syslog logging

about 440

diagnostic results 483

enabling 441–443

Syslog page 441–443

syslog servers

configuring logging to 441–443

logging shredded objects to 352, 353

testing connections to 443–444

system

See HCP

System Activity Reporter 460, 466

System Events page

All Events panel 437

Security Events panel 437–438

system log

See also log messages

about 436–437

major events 84

message list, complete on Resources page 468

message list, complete on System Events page 437

message list, security on System Events page 437–438

message list, service on Schedule page 392

node events 108–109

service runs 332

viewing 437–438

System Management Console

See also Console pages

about 34–35

access 34

controlling access to 412–413

hostname mappings 37–39

logging in 39–41

logging out 44

login page message 78

permissions granted by roles 56–59, ??–59

refreshing pages 42

security 412–413

session timeout 78

sessions 35

submitting changes 42–43

URLs 37

using 41–42

zero-copy failover information 577–578

system metadata 3

See also metadata

system settings, changing through SNMP 446, 450

system-level access

HCP tenants 55–56

namespaces 56

Tenant Management Console 302–303

tenants 281

systemwide permission mask

See also data access

about 431

setting 432–434

T

tagged networks

See also networks

about 230–232

creating 249

tags

about 290

specifying 295–296

temperatures, IPMI information 106

template, email message 453–456

Tenant Management Console

about 33

access to for default tenant 55

accessing from System Management Console 55–56, 281, 302–303

permissions granted by roles 60–64

tenant networks 288

tenants

See also default tenant; HCP tenants

about 5–6

administration 55–56

available storage 284

changing networks 300–301

creating 284

data access permission masks 431

default 5

effective permissions 431

features enabled 282–283

filtering list of 280

list 278–280

managing 48

modifying 300–302

paging through list of 279

service plans 207

sorting list of 279

storage used 284

system-level access to 55–56, 285, 302–303

URLs 281

Tenants page

about 278

alerts 278, 526–530

Create Tenant panel 292–296

Overview panel 280–283

Settings panel 300–302

tenant list 278–280

testing

connection to email server 453

connection to HDDS 322

connections to RADIUS servers 429–430

connections to SNMP managers 449

connections to syslog servers 443–444

text for Console login pages 78

tiering

See storage tiering service

time periods in service schedules

See also service schedules

about 388, 391

adding 395–396

considerations 392–393

deleting 397

modifying 396

mousing over 390

time servers, external 80, 483

total storage capacity

nodes 104

system 86

traceroute 484–485

transaction log

about 364–365

setting deletion-record keep time 366

triggers

protection service 344

shredding service 354

troubleshooting

about 49

adding comments to internal logs 490–491

dig 485–486

downloading internal logs ??–493

external storage 149

fchbainfo 488–489

ping 483–484

route 486–487

running diagnostics 482–483

showmount 487

traceroute 484–485

U

unavailable

nodes 93, 98–??, 104

objects, content verification service 347–348

objects, protection service 343

switches 101–102

understanding log messages 438–439

unindexable objects 316

Unix

configuring secondary zones 591–592

configuring stub zones 591–592

hosts file 38

untagged networks

See also networks

about 230–231

creating 248

upgraded HCP systems, metadata query engine indexing 313

uploading

See adding

upstream DNS servers 233

URLs

System Management Console 37

Tenant Management Console 281

used storage capacity

nodes 98, 104

system 86–87

tenants 284

user accounts, Active Directory

creating 614–617

logging in 39–40

permissions 34

recognized 34, 420

username changes 42

user accounts, HCP

about 52, 67

creating 68–70

deleting 72

disabled 52

disabling automatically 77

enabling or disabling 71

inactive 77

initial for HCP tenants 289, 294

initial for System Management Console 66

list 67–68

managing 45

mappings for HDDS search facility 320–321

modifying 70–71

resetting passwords for tenant-level security accounts 303–304

security 66

user ID 71

usernames 69

user accounts, HDDS for statistics 321

user authentication

about 64

Active Directory 65–66, 420

HCP tenants 288–289, 293

local 64–65

RADIUS 65

user-defined networks

See networks

usernames 69

Users page

about 67–68

creating user accounts 68–70

deleting user accounts 72

modifying user accounts 70–71

using

System Management Console 41–42

V

variables, email message template 455

vendors, SSL server certificates 628

verifying secondary zone configuration 593

verifying stub zone configuration 593

Verizon Cloud 116

version pruning 330

See also versioning

version, HCP 40

versioning

about 3

HCP tenant support for 283, 291, 296

policy 330

pruning 27

viewing

compression statistics 355–356

details on resource usage graphs 465

duplicate elimination statistics 361–362

HCP documentation 43

HCP-MIB.txt file 450

shredding statistics 352–353

system log 437–438

virtual networking

See also networks

about 22, 223–224

considerations 239–240

VLAN IDs

about 230–232

valid values 249

VM systems

See also HCP

about 2

architecture 18–19

voltages, IPMI information 107

volumes

See logical volumes

W

walking the MIB 583

WebDAV protocol

about 6–7

object representation 12–13

Windows

configuring secondary zones 589–590

configuring stub zones 590–591

hosts file 37

Windows Internet Explorer, configuring for single sign-on 624–625

Windows workgroups

about 419

configuring support for 418–419, 426

workgroups, configuring support for 418–419, 426

WORM 2, 20

write permission 433

writes

combined data and custom metadata 31–32

compressed 31, 474–475

X

XML checking policy for custom metadata 330

Z

zero-copy failover

about 22–23

external storage volumes 577

failover/failback behavior 577–580

storage setup 576–577

troubleshooting 488

zones, DNS

about 587

definitions for network domains, displaying 265–266

definitions for networks with hidden master or notify 234

zooming resource usage graphs 464–465

Administering HCP

Hitachi Data Systems

Corporate Headquarters

2845 Lafayette Street

Santa Clara, California 95050-2627

U.S.A.

www.hds.com

Regional Contact Information

Americas

+1 408 970 1000 [email protected]

Europe, Middle East, and Africa

+44 (0) 1753 618000 [email protected]

Asia Pacific

+852 3189 7900 [email protected]

MK-95ARC011-21
