Gateway Operations Guide

EMC® Secure Remote Support Gateway Release 1.02
Operations Guide
P/N 300-007-929 REV A01

EMC Corporation
Corporate Headquarters: Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com

Upload: santosh

Post on 21-Nov-2014


Copyright © 2005-2008 EMC Corporation. All rights reserved.

Published November, 2008

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to the Document/Whitepaper Library on EMC Powerlink.

Contents

Preface

Introduction
  ESRS Gateway architecture
    Gateway server agent
    Gateway to EMC communication
  Responsibilities for the ESRS Gateway components
    Customer
    EMC Global Services
  ESRS Gateway components
    Gateway server
    Policy Manager
  ESRS Gateway installation
    High-availability installation
    Deployment Utility
    Gateway Extract utility (GWExt)
    Target device management

PART 1 Pre-Installation Tasks

Chapter 1 Preparation for Standard Installation
  Overview
    Server settings summary
  .NET Framework
    Version 1.1
    Version 2.0
  Internet Information Services (IIS) deployment
    Install IIS
    Configure OS to accommodate IIS
    Configure IIS

Chapter 2 Preparation for a Non-Standard Installation
  Overview
  .NET Framework
    Version 1.1
    Version 2.0
  Internet Information Services (IIS) deployment
    Install IIS
    Configure IIS
  Post-installation configuration
    Gateway server
    Policy Manager

Chapter 3 GatewayCheck Utility
  Overview
  GatewayCheck system requirements
  Installation
  Operation
    Launching the application
    Entering customer information
    Selecting tests to be run
    Setting test configuration parameters
    Executing the test run
    Viewing test results
    Saving Test Results and exiting the application
  Required test failure resolution
  Version information

PART 2 Policy Management

Chapter 4 Policy Manager Administration
  Installation
  Startup/shutdown
  Modifying the login banner
  Creating Policy Manager user accounts
    About users
    Tomcat user authentication
    Tomcat user account planning
  LDAP authentication

Chapter 5 Policy Manager Configuration and Operation
  Setting policy
    Log in to home page
    Policy settings
    Access rights
    Access right settings
    Missing devices
    Notifications
  Answering device access requests
    About requests
    Accept/deny pending requests
  Viewing the Audit Log
    About log messages
    Audit Log

PART 3 Gateway Maintenance

Chapter 6 Server Maintenance
  Power sequences
  Time Zone settings
  Service preparation
    Gateway server
    Policy Manager server
  Policy Manager database management
    Component files
    Mode
    Backup
  Backup guidelines and procedures
    Server image backup
    Policy Manager database automated backup
  Restoration methods
    Server image backup restoration
    Installation restoration

PART 4 Appendixes

Appendix A SSL communication between the Gateway and Policy Manager
  Policy Manager configuration
    Creating an SSL certificate to use for SSL communication
    Enabling SSL on Policy Manager Tomcat server
    Enabling the Policy Manager application to use SSL for all communications
  Gateway configuration
  Disabling SSL communication
    Policy Manager configuration
    Gateway configuration

Appendix B Default Policy Values
  Actions
  Default permissions

Appendix C Troubleshooting
  Symptoms
    Service behavior
    OS and hardware failures

Index

Figures

1 Gateway architecture
2 Heartbeat communication
3 Remote notification communication
4 Remote access communication
5 Policy Management settings
6 Pending request
7 Audit log sample
8 Default SMTP Properties
9 Default SMTP Message tab
10 E-mail server specification
11 Mail drop specification
12 E-mail server test
13 Mail drop directory messages
14 Sample e-mail
15 Windows Component Wizard
16 Files Needed dialog box
17 Inetpub directory
18 Directory structure
19 My Computer > Manage
20 Computer Management > Services and Applications
21 Rename FTP site
22 FTP Site IP address selection
23 Allow anonymous connections checkbox cleared
24 IIS Manager data encryption warning
25 Messages tab
26 Inetpub path
27 Default SMTP Properties
28 Default SMTP Message Tab
29 Email server specification
30 Mail drop specification
31 Email server test
32 Mail drop directory messages
33 Sample email
34 Policy Manager disk changes
35 Permissions link
36 Editing File Upload permissions
37 Adding updated drive and path
38 Checking entry and clicking Finish
39 Updated Parameter listing
40 Main GatewayCheck application window
41 GatewayCheck customer information form
42 GatewayCheck test selection screen
43 GatewayCheck Configuration Parameters screen
44 GatewayCheck Test Results screen before test run execution
45 GatewayCheck Test Results screen at test run completion
46 GatewayCheck Test Results Logs navigation window
47 Sample GatewayCheck Test Results log file contents
48 Services listing
49 Stopping the service
50 Starting the service
51 Tomcat navigation tree
52 Users List screen
53 Edit Existing User Properties screen
54 User Actions list box
55 Create New User Properties screen
56 Commit Changes button
57 User Databases
58 Saving changes
59 Committing changes and logging out
60 Policy Manager login screen
61 Policy Manager home page
62 Policy: Settings: Global
63 Policy: Explore Device Groups
64 Policy: Celerra: Remote Application Permissions
65 Setting an access right
66 Set All Permissions
67 Access right lock
68 Locked and unlocked access rights
69 Set All Permissions Access Rights
70 Configuration: View and remove missing devices
71 Configuration tab
72 Notification form icons
73 Global group notification settings
74 Default notification email body
75 View Pending Requests and View Request Details
76 Audit Log (Global)
77 Audit log message examples
78 Symmetrix group audit logs
79 Event Viewer System and Security Log settings
80 Policy Manager database location
81 Location of Policy Manager scripts
82 Policy Manager backup directory
83 Backup folder
84 Location of apmrestore.vbs script
85 Restore prompt
86 Deployment Utility screen

Tables

1 Gateway server standard configuration requirements
2 GatewayCheck system requirements
3 GatewayCheck installed files
4 GatewayCheck test failure resolution
5 Policy settings
6 Actions (Global group default set)
7 Access right descriptions
8 Substitution parameters for notifications
9 Policy Manager database files
10 Backup/Restore scripts
11 Keystore attributes
12 Actions defined by Gateway solution
13 Gateway default permissions
14 Gateway Device default permissions
15 Celerra default permissions
16 EMC Centera default permissions
17 CLARiiON default permissions
18 Connectrix default permissions
19 ControlCenter default permissions
20 EDL default permissions
21 Invista default permissions
22 Switch-Brocade-B default permissions
23 Switch-Cisco default permissions
24 Symmetrix default permissions

Preface

As part of an effort to improve and enhance the performance and capabilities of its product line, EMC from time to time releases revisions of its hardware and software. Therefore, some functions described in this guide may not be supported by all revisions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this guide, contact your EMC representative.

Audience

This guide is a part of the EMC Secure Remote Support Gateway release 1.02 documentation set, and is intended for use by device policy administrators.

Readers of this guide are expected to be familiar with the following topics:

◆ The EMC Secure Remote Support Gateway system
◆ EMC storage products

Related documentation

Related documents include:

◆ EMC Secure Remote Support Gateway Release 1.02 Technical Description
◆ EMC Secure Remote Support Gateway Release 1.02 Site Planning Guide
◆ EMC Secure Remote Support Gateway Release 1.02 Pre-Site Checklist
◆ EMC Secure Remote Support Gateway Release 1.02 Port Requirements
◆ EMC Secure Remote Support Gateway Release Notes

Conventions used in this guide

EMC uses the following conventions for notes, cautions, warnings, and danger notices.

Note: A note presents information that is important, but not hazard-related.

CAUTION! A caution contains information essential to avoid a hazard that will or can cause minor personal or property damage if you ignore the warning.

EMC uses the following type style conventions in this guide:

Normal
In running text:
• Interface elements (for example, button names, dialog box names) outside of procedures
• Items that user selects outside of procedures
• Java classes and interface names
• Names of resources, attributes, pools, Boolean expressions, buttons, DQL statements, keywords, clauses, environment variables, filenames, functions, menu names, utilities
• Pathnames, URLs, filenames, directory names, computer names, links, groups, service keys, file systems, environment variables (for example, command line and text), notifications

Bold
• User actions (what the user clicks, presses, or selects)
• Interface elements (button names, dialog box names)
• Names of keys, commands, programs, scripts, applications, utilities, processes, notifications, system calls, services, applications, and utilities in text

Italic
• Book titles
• New terms in text
• Emphasis in text

Courier
• Prompts
• System output
• Filenames
• Pathnames
• URLs
• Syntax when shown in command line or other examples

Courier, bold
• User entry
• Options in command-line syntax

Courier italic
• Arguments in examples of command-line syntax
• Variables in examples of screen or file output
• Variables in pathnames

<> Angle brackets for parameter values (variables) supplied by user.

[] Square brackets for optional values.

| Vertical bar symbol for alternate selections. The bar means or.

... Ellipsis for nonessential information omitted from the example.

Where to get help

EMC support, product and licensing information can be obtained as follows.

Product information — For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Powerlink website (registration required) at:

http://Powerlink.EMC.com

Technical support — For technical support, go to EMC WebSupport on Powerlink. To open a case on EMC WebSupport, you must be a WebSupport customer. Information about your site configuration and the circumstances under which the problem occurred is required.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Please send your opinion of this guide to:

[email protected]

Introduction

We recommend users become familiar with the EMC Secure Remote Support Gateway Release 1.02 Site Planning Guide before reading this guide. It is important to understand requirements and configurations prior to executing any administrative tasks.

This chapter introduces the EMC Secure Remote Support (ESRS) Gateway solution. Topics include:

◆ ESRS Gateway architecture
◆ Responsibilities for the ESRS Gateway components
◆ ESRS Gateway components
◆ ESRS Gateway installation

ESRS Gateway architecture

The Gateway solution's application architecture consists of a secure, asynchronous messaging system designed to support the functions of secure encrypted file transfer, monitoring of device status, and remote execution of diagnostic activities. This distributed solution is designed to provide a scalable, fault-tolerant, and minimally intrusive extension to the customer’s system support environment. Figure 1 on page 18 provides a schematic display of the processing nodes and their interconnections.

The Gateway solution requires:

◆ A server for the Gateway software (two servers preferred for high availability)

◆ A server for the Policy Manager software

The Policy Manager software may be co-located on a non-high-availability Gateway server or on another application server (for example, a Navisphere Management station).

The customer manages administration and access to these servers and applications. The preferred configuration uses two Gateway servers to create the high-availability (HA) configuration. Each Gateway pair is capable of handling 200 devices. One Policy Manager server can support up to three fully utilized Gateway server pairs.

Figure 1 Gateway architecture

[Diagram not reproduced. Labeled regions: Customer environment, Gateway environment, Public Internet (https), EMC backend environment.]

Gateway server agent

The Gateway server agent is an HTTP handler. The agent functions as the communications broker between the Gateway-managed devices, the Policy Manager, and the EMC® Device Relationship Manager (DRM). All messages are encoded using standard XML and SOAP application protocols. Agent message types include:

◆ Device state heartbeat polling

◆ Data file transfer

◆ Remote access session initiation

◆ User authentication requests

◆ Device management synchronization

The Gateway agent acts as a proxy, carrying information to and from the Gateway-managed devices. To maximize remote support availability, EMC configures the Gateway agent to employ built-in failover to redundant EMC remote-support enterprise systems in the event that access to the primary site is unavailable. The Gateway agent can also queue session requests in the event of a temporary local network failure.

Network traffic can be configured to route from the Gateway through proxy servers to the Internet. Such configurations include support for auto-configuration, HTTP, and SOCKS proxy standards. The agent does not have its own user interface application. All agent actions are logged to a local runtime file.

Gateway to EMC communication

All communication between the customer’s site and EMC is initiated by the Gateway server agent at the customer’s site. Using industry standard Secure Sockets Layer (SSL) encryption over the Internet and EMC-signed digital certificate authentication, the Gateway creates a communication tunnel.

The Secure Remote Support Gateway uses industry-accepted bilateral authentication for the EMC servers and the Gateway Agent. Each Gateway has a unique digital certificate that is verified by EMC whenever a Gateway makes a connection attempt. The Gateway then verifies EMC's server certificate. Only when the mutual SSL authentication passes and the client and server negotiate a shared secret does the Gateway transmit messages to EMC, securing the connection against spoofing and man-in-the-middle attacks.

The Secure Remote Support Gateway uses the SSL tunnel to EMC to perform three different functions: heartbeat polling, remote notification, and remote access. Each relies on the SSL tunnel, but communication processes and protocols within the tunnel vary by function. Each is discussed in the following sections.

Heartbeat polling

The Heartbeat is a regular communication, at 30-second intervals, from the Gateway to the EMC DRM. The heartbeat contains a small datagram that identifies the Gateway server and provides the EMC Support Center with status information on the health of the EMC storage devices and the Gateway server. EMC servers receive the data in XML format and respond using SOAP (the Simple Object Access Protocol) commands. Once this response is received, the Gateway terminates the connection. Figure 2 on page 20 is an illustration of the heartbeat communication paths.

Figure 2 Heartbeat communication

Once every 15 minutes the Gateway determines if each managed device is available for service by making a socket connection to the device and verifying that the service applications are responding. The information is recorded by the Gateway. If a change in status is detected, the Gateway notifies EMC over the next heartbeat. The heartbeat is a continuous service. EMC monitors the values sent and may automatically trigger service requests if a Gateway fails to send heartbeats or if the values contained in a heartbeat exceed certain limits.
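The device check and change reporting described above, sketched as an added example (not EMC's code). The `ManagedDevice` fields, the probed port list and the heartbeat payload shape are assumptions, and a plain TCP connect stands in for verifying that the service application responds.

```python
import socket
from dataclasses import dataclass

HEARTBEAT_INTERVAL_S = 30          # heartbeat period stated in the guide
DEVICE_POLL_INTERVAL_S = 15 * 60   # device availability check period stated in the guide


@dataclass(frozen=True)
class ManagedDevice:
    serial: str    # device serial number
    ip: str        # address the Gateway uses to reach the device
    ports: tuple   # service ports to probe (assumed field, not from the guide)


def probe(ip, port, timeout=2.0):
    """Return True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


class AvailabilityMonitor:
    """Records device status on each poll and queues changes for the next heartbeat."""

    def __init__(self, devices, prober=probe):
        self.devices = list(devices)
        self.prober = prober          # injectable so the logic can be exercised offline
        self.last_status = {}         # serial -> True (up) / False (down)
        self.pending_changes = []     # status changes not yet reported

    def poll_devices(self):
        """Run once per DEVICE_POLL_INTERVAL_S."""
        for dev in self.devices:
            up = all(self.prober(dev.ip, port) for port in dev.ports)
            previous = self.last_status.get(dev.serial)
            # Assumption: the first observation is a baseline, not a change.
            if previous is not None and previous != up:
                self.pending_changes.append((dev.serial, "up" if up else "down"))
            self.last_status[dev.serial] = up

    def build_heartbeat(self, gateway_serial):
        """Run once per HEARTBEAT_INTERVAL_S; drains the queued changes."""
        payload = {
            "gateway": gateway_serial,
            "devices_total": len(self.last_status),
            "devices_up": sum(self.last_status.values()),
            "changes": list(self.pending_changes),
        }
        self.pending_changes.clear()
        return payload
```

A change detected at a 15-minute poll is reported once, in the first heartbeat built after that poll; later heartbeats carry an empty change list until the status flips again.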

Remote notification

The Gateway also serves as a conduit for EMC products to send remote notification event files to EMC. EMC hardware platforms use remote notification for several different purposes. Errors, warning conditions, health reports, configuration data, and script execution statuses may be sent to EMC. Figure 3 on page 21 is an illustration of the remote notification communication paths.

[Figure 2 labels: EMC storage array; Secure Remote Support Gateway (device monitoring); EMC web and access servers; EMCRemote, SSH socket; Gateway eMessage SOAP XML; SSL tunnel - TLS with RSA key exchange, 3DES with SHA1 encryption. GEN-000826]


Figure 3 Remote notification communication

When an alert condition occurs, the storage system generates an event message file and passes it to the ConnectEMC service (or other services) on the devices to format the files and request a transfer to EMC. ConnectEMC uploads the file to the Secure Remote Support Gateway where it is received by one of three local transport protocols: HTTPS (if a device is qualified to send files using HTTPS), FTP, or SMTP. When an event file is received from a device, the Gateway compresses the file, opens the SSL tunnel to the EMC servers, and posts the data file to EMC. At EMC, the file is decompressed and forwarded to our DRM systems.

Remote access

To establish a remote access session, the Secure Remote Support Gateway uses asynchronous messaging to ensure that all communication is initiated from the customer’s site. After being properly authenticated at EMC, a support professional makes a request to access a Gateway-managed device. The remote access session request includes a unique identifier for the user, the serial number of the target device, the remote application he or she wants to run on that device, and optionally the Service Request being used to generate the request. This request is queued at EMC until the Gateway that manages the device in question heartbeats home.

[Figure 3 labels: EMC storage array; Secure Remote Support Gateway (file monitoring); EMC web and access servers; EMC RSC XML - HTTPS/FTP/SMTP; HTTPS POST; SSL tunnel - TLS with RSA key exchange, 3DES with SHA1 encryption. GEN-000828]

In response to the Heartbeat message, the EMC DRM sends a special status in the SOAP response. This response contains the request information as well as an address and an access server session to which the Gateway would connect. The Gateway uses its local repository to determine the local IP address of the end device, checks with the Policy Manager to see if the connection is permitted, and if approved, establishes a separate SSL connection to the access servers for the specific remote access session. This secure session allows IP traffic from the EMC internal service person to be routed through the Gateway to the end device. IP socket traffic received by the access server for this session is established, wrapped in a SOAP message, and sent to the Gateway. The Gateway un-wraps the SOAP object and forwards the traffic to the IP address of the end device for which the session was established. SOAP communication flows between the Gateway and the access server through this tunnel until it is terminated or times out after a period of inactivity. Figure 4 on page 22 is an illustration of the remote access communication paths.

Figure 4 Remote access communication

As the result of an application remote access session request, the Gateway forwards traffic only to the specific ports at the IP address associated with the registered serial number of the device at time of deployment.

[Figure 4 labels: EMC storage array; Secure Remote Support Gateway; EMC web and access servers; EMCRemote, SSH, SecureCLI...; SOAP; SSL tunnel - TLS with RSA key exchange, 3DES with SHA1 encryption. GEN-000827]


Responsibilities for the ESRS Gateway components

Responsibilities for installation, configuration, operation and maintenance are distributed as described in the sections that follow.

Customer

Your network and system administrators, storage administrators, security administrators, and any other administrators as are appropriate to your solution:

◆ Prepare the site for installation. This includes:

• Gateway server hardware and operating system

• Policy Manager server hardware and operating system

• Placement of the servers in your IP network according to specifications described in the site planning guide

• Antivirus and other applicable security software

◆ Preparation and configuration of network, proxy server, and firewall

◆ File system backup and restoration

◆ Continuing maintenance including security and operating system updates

◆ Physical security of the hardware

◆ Protection of all files on the Gateway and Policy Manager servers, including the SSL certificate, if applicable

◆ Configuring, administering, and updating policy management, policies and accounts on the Policy Manager

EMC Global Services

EMC Global Services personnel:

◆ Install Gateway solution software:

• Gateway server software

• Policy Manager software

◆ Configure and deploy EMC product managed devices.

◆ Update the Gateway server and Policy Manager software.

Note: Maintenance of the operating system (updates, upgrades) on the Gateway and Policy Manager servers is a customer responsibility.


ESRS Gateway components

This section describes the components of the Secure Remote Support Gateway solution.

Gateway server

A Gateway server can be implemented in one of several configurations to meet the customer’s network and security requirements.

There are no technical restrictions on the network location of the Gateway server, other than its connectivity to the customer’s devices and Policy Manager as well as to the EMC DRM. EMC strongly recommends the use of a firewall to block network ports not required by the Gateway solution.

VMware support

Secure Remote Support Gateway is qualified to run in a VMware virtual machine. VMware support allows customers to leverage their existing VMware infrastructure to benefit from the security features of the Gateway without adding hardware. VMware VMotion functionality also allows the Policy Manager, when installed in a virtual machine, to be moved from one physical server to another with no impact to remote support.

The following are the minimum requirements for VMware support:

◆ VMware ESX 2.5.2 or later

◆ 15 GB partition

◆ 2.2 GHz virtual CPU

◆ 512 MB memory allocated

◆ SMB modules optional

◆ VMotion functionality optional

High-availability Gateway configuration

To enable maximum remote access availability, EMC recommends that the customer eliminate the single point of failure by deploying a high-availability Gateway configuration, which employs two Gateway servers.

Gateway servers in this configuration are active peers that manage the same set of devices without awareness of or contention with the other. There is no direct communication between the peer nodes. In the high-availability configuration the Policy Manager software cannot be co-located on a Gateway server and must be installed on a separate server. Gateway high-availability configurations are limited to two active nodes.

Synchronization of Gateway peers

Gateway server device management is synchronized through the EMC DRM during polling cycles so that changes to the configuration on one peer are automatically propagated to the other peer. When the customer adds, removes, or edits devices on the managed devices list for either Gateway server in a high-availability configuration, the Deployment Utility sends a message through the Gateway agent to the DRM. The EMC DRM application looks up the serial number of the peer node and creates a transaction for the device information to be relayed to the peer node upon receipt of the next polling message. When the peer Gateway server receives the device management transaction information, it updates its Gateway agent's list of managed devices. In the event that the peer Gateway server is unavailable, the DRM application queues the transaction, and synchronization occurs upon the next successful poll message received from the Gateway server.

Policy Manager

Using the Policy Manager, you control the authorization requirements for remote access connections, file transfers, service notification processes, diagnostic script executions, and other Gateway-related activities, as shown in Figure 5 on page 26. The Policy Manager allows you to set authorization permissions for target devices or groups of target devices being managed by the Gateway system, provides these permissions to the Gateway system during polling by the Gateway server, and records all requests and actions in local log files. When a request arrives at the Gateway server for remote device access, the access is controlled by the Gateway enforcing the policy from the Policy Manager.

Policy Manager permissions can be assigned in a hierarchical system, establishing policies based on model and product groups. If required, you can override group-level permissions down to the individual device level.


The Policy Manager provides three options for assigning policy manager rule permissions for every action that the Gateway agent can perform on a device or group of devices:

◆ Always Allow — You always allow the action.

◆ Never Allow — You always deny the action.

◆ Ask for Approval — You must approve the request (provide authorization).

Figure 5 Policy Management settings

When you set an authorization rule to Ask for Approval, the Policy Manager sends an email message to your designated address upon each action request, per transaction. This email message contains the action request itself and the user ID of the EMC Customer Service representative requesting permission to perform the action. You use the Policy Manager interface to accept or deny the requested action. Figure 6 on page 27 provides an example.


Figure 6 Pending request
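The remote access checks described in this chapter (serial number lookup in the local repository, the hierarchical Policy Manager rule with a device-level override, and forwarding only to the mapped ports at the registered IP address), combined in one added example that is not EMC's code. The rule precedence (device, then model, then product group), the fail-closed default, the port map and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Rule(Enum):
    ALWAYS_ALLOW = "Always Allow"
    NEVER_ALLOW = "Never Allow"
    ASK_FOR_APPROVAL = "Ask for Approval"


@dataclass(frozen=True)
class Device:
    serial: str
    ip: str
    model: str
    group: str


@dataclass(frozen=True)
class SessionRequest:
    user_id: str                           # unique identifier of the support user
    serial: str                            # serial number of the target device
    application: str                       # remote application to run
    service_request: Optional[str] = None  # optional Service Request reference


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    ip: Optional[str] = None
    ports: tuple = ()


# Constructed sample data (not from the guide).
APP_PORTS = {"SSH": (22,), "DemoApp": (8443,)}   # "DemoApp" is hypothetical
REPOSITORY = {
    "SN0001": Device("SN0001", "192.0.2.10", "ModelA", "Storage"),
    "SN0002": Device("SN0002", "192.0.2.11", "ModelA", "Storage"),
    "SN0003": Device("SN0003", "192.0.2.12", "ModelB", "Switches"),
}
POLICY = {
    ("group", "Storage", "SSH"): Rule.ASK_FOR_APPROVAL,
    ("model", "ModelA", "SSH"): Rule.ALWAYS_ALLOW,
    ("device", "SN0002", "SSH"): Rule.NEVER_ALLOW,        # device-level override
    ("group", "Switches", "DemoApp"): Rule.ASK_FOR_APPROVAL,
}


def resolve_rule(policy, device, application):
    """Most specific rule wins (assumed order: device, model, product group)."""
    scopes = (("device", device.serial), ("model", device.model), ("group", device.group))
    for scope, name in scopes:
        rule = policy.get((scope, name, application))
        if rule is not None:
            return rule
    return Rule.NEVER_ALLOW  # assumption: no matching rule means deny


def authorize(request, repository, policy, approvals, audit_log):
    """Decide one session request and record it; approvals is a set of approved requests."""
    device = repository.get(request.serial)
    ports = APP_PORTS.get(request.application)
    if device is None:
        decision = Decision(False, "serial number is not a managed device")
    elif ports is None:
        decision = Decision(False, "application has no port mapping")
    else:
        rule = resolve_rule(policy, device, request.application)
        if rule is Rule.ALWAYS_ALLOW:
            decision = Decision(True, rule.value, device.ip, ports)
        elif rule is Rule.ASK_FOR_APPROVAL and request in approvals:
            decision = Decision(True, "approved by customer", device.ip, ports)
        elif rule is Rule.ASK_FOR_APPROVAL:
            decision = Decision(False, "pending customer approval")
        else:
            decision = Decision(False, rule.value)
    # Every request is logged, allowed or not, with the requesting user ID.
    audit_log.append((request.user_id, request.serial, request.application,
                      decision.allowed, decision.reason))
    return decision


def may_forward(decision, dst_ip, dst_port):
    """Forward only to the mapped ports at the IP registered for the serial number."""
    return decision.allowed and dst_ip == decision.ip and dst_port in decision.ports
```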

As with the Gateway agent and DRM communication behavior, the Policy Manager only responds to requests from the Gateway agent. Since the Gateway agent caches the Policy Manager's permission rules at startup, the agent must poll the Policy Manager for configuration updates. In this way, the Gateway agent captures any change to the Policy Manager rule set after its next polling cycle.

The Policy Manager agent is an HTTP listener, which must be configured to receive messages on an agreed-upon port. The default port is 8090, but if necessary, you can specify a different port during your Policy Manager installation.

The Policy Manager uses the Apache Jakarta Tomcat engine and a 100% compliant local JDBC relational database to provide a secure web-based user interface for permission management.

Logging

The Policy Manager logs all remote support events. Remote access connections, diagnostic script executions, and support file transfer operations are stored in the audit log files. The Policy Manager also logs all authorization activity and policy changes. The audit log files can be viewed through the Policy Manager interface. All log files are controlled and managed by you to enable auditing of remote support connections executed by EMC. Figure 7 on page 28 provides a sample audit log.


Figure 7 Audit log sample

Device control

The Gateway solution proactively monitors, alerts, and notifies the EMC Customer Support Center when the Gateway server or any Gateway-managed device fails to communicate back to EMC regularly. EMC alerts you of potential failures or issues that may affect EMC's ability to provide timely support. As an EMC customer, you are in complete control over which devices are included in your Gateway device management system, and you can phase them in by product line. EMC provides applications to assist you in automating the addition of new devices to the Gateway management. All device management operations are logged and must be performed by authorized EMC Customer Service professionals using EMC-issued RSA SecurID Authenticators.


ESRS Gateway installation

This section provides an overview of the installation of ESRS Gateway.

High-availability installation

During your Gateway server installation, your EMC Customer Service representative assigns a system name to the servers in the Gateway peer server pair. During the installation of the primary Gateway server, which is the first server configured in the pair, the Gateway installation program automatically assigns a base system name. This system name acts as the identification handle for all of the Gateway servers installed at your site.

This is the generic syntax of a generated base system name:

ESRS_SiteID_SiteName_TimeStamp

Since you may have multiple Gateway high-availability server pairs or Single Gateway HA-ready pairs per site, your EMC Customer Service representative uses an additional string value that uniquely identifies the high-availability pairs currently being installed. This string value becomes the subsystem name. In the previous example, if you have one pair for managing only Symmetrix® devices, and one pair for managing the heterogeneous storage arrays used to support manufacturing applications, the EMC Customer Service representative may use product-based subsystem names to uniquely identify each high-availability pair:

ESRS_12345_ExampleCo_051104104649_Symm

ESRS_12345_ExampleCo_051104115309_Mfg

During the installation of the second Gateway server for recovery from a hardware failure that requires re-installation of the Gateway application, the installation program provides a drop-down list of all the subsystem names at the site. Your EMC Customer Service representative then selects the appropriate subsystem name previously assigned to a primary server. The installation program registers this information in the Gateway system's DRM database at EMC.

Deployment Utility

The Deployment Utility is a client-based application that is used to configure and manage the Gateway and identify EMC storage devices and switches. The term manage means that a device is monitored and can use the Gateway system to establish remote access connections. The Gateway agent proxies all Deployment Utility requests to the EMC DRM. The Gateway agent is the only application with which the utility communicates. The Gateway installation program automatically installs the Deployment Utility with the Gateway agent.

The Deployment Utility is a Java-based GUI application that authenticates with the Gateway agent upon startup. This secure protocol ensures that only the Deployment Utility can interface with the agent. Here is a listing of the configuration menu items available through the Deployment Utility:

◆ Base Configuration — Gateway model and serial number. The Gateway installation program automatically generates these values for you. You should change these values only upon request from EMC Customer Service.

◆ EMC DRM Configuration — EMC primary and secondary DRM addresses, proxy server configuration, and SSL options. The Gateway installation program automatically generates these values and captures them. You should change these values only upon request from EMC support personnel.

◆ Policy Manager Configuration — DNS/IP address of Policy Manager server. The Gateway installation program automatically captures these values. You should change these values only upon request from EMC support personnel.

◆ Customer Location — Your organization name, address and contact information.

◆ Manage Devices — Allows you to view the list of currently managed devices. Any additions, edits or removals of devices must be performed by an EMC Customer Service professional. One can use the Deployment Utility to manually add a single device or use the automated batch processing of Gateway Device Extract configuration files to add multiple devices at the same time.

Gateway Extract utility (GWExt)

To configure a device for management, the EMC Customer Service representative on site must know the following for each managed device: serial number, EMC site identification number, product type, and an IP address that can be used to access the device. The Gateway Device Extract utility (GWExt.exe), when run on the EMC device, automates the collection of this information and transports it to the Gateway server. EMC supplies three versions of the GWExt utility with the Gateway server installer to support Windows, Linux and Solaris clients.

Your EMC Customer Service professional copies the GWExt utility from the installation CD or the Gateway server to the managed device.

Note: The GWExt utility cannot be run on Cisco switches, Brocade-B switches, EDL, Centera, Invista CPCs, or CLARiiON service processors.

When run, the GWExt utility first requests the Gateway server IP address and EMC site identification number. It then extracts the serial number and local IP address from the target, creates a configuration file, and FTPs the file back to the Gateway server.

The configuration files, for all devices that have used the GWExt utility, reside on the Gateway server until processed through the Deployment Utility's Managed Devices option.

Target device management

Devices are added to the list of managed target devices (EMC storage products and select switches) in the Gateway system by using the Deployment Utility.

Note: Use of the Deployment Utility for device deployment, undeployment, and editing is restricted to authorized EMC Customer Service personnel. A customer is allowed to use the Deployment Utility only to view configurations.

The managed device registration process is similar whether devices are manually added or added with the Gateway Extract Utility (GWExt) which enables batch processing of configuration files. Device registration requires the input of a serial number, IP address, model (product type), and site ID number.

When attempting to manage (or unmanage) a device, EMC Global Services is prompted for their EMC-issued RSA SecurID Authenticator pass code. This information is then forwarded immediately to EMC servers for an authentication reply. No pass codes are kept on your Gateway server or in the EMC Gateway DRM database. All communications from the Deployment Utility are routed through the SSL tunnel to maximize data security.

EMC Customer Service personnel must verify with your network administrators that the IP address of the target device is accessible from the Gateway server and is not translated (NAT'd). For example, the local IP address of a device is 144.10.10.3, and is only on your internal network. Also, you are using NAT (or a NAT device) that maps the device IP (144.10.10.3) to IP 10.10.44.22 so that the device can be reached from within your DMZ. In this case, EMC must use the NAT IP address of 10.10.44.22 to reach the device, and in the Deployment Utility the IP address field must be changed to 10.10.44.22.

The final portion of the deployment process requires a validation that a device is successfully added to the configuration in the EMC DRM system. The Deployment Utility adds the matched device to the current managed device list and makes the device available for remote access. If the serial number or Party ID for a newly integrated device does not match the EMC Customer Service registered device lists for your site, the Deployment Utility catalogues the device under a UI tab labeled unresolved. This indicates that the device failed registration, and it needs to be reconciled with the serial number of the device on record with EMC Customer Service. Until full reconciliation is achieved, the device is not accessible for remote support by the Gateway. The Deployment Utility is also used to edit the IP address of a device if it has been changed.

In the event you want to unmanage a device or otherwise no longer require it to be accessible, it can be removed from the list of managed devices by an authorized EMC Customer Service representative through the device management menu within the Deployment Utility. This menu selection sends a message to the EMC DRM system to logically disassociate this serial number from your Gateway system.

Digital Certificate Management (DCM)

During the site Gateway server installation, digital certificates are registered on the server. This procedure can only be performed by EMC Customer Service professionals using EMC-issued RSA SecurID Authenticators. All certificate usage is protected by unique password encryption. Any message received by the Gateway server, whether pre- or post-registration, requires entity-validation authentication.

DCM automates Gateway digital certificate enrollment by taking advantage of EMC's existing network authentication systems, which use the RSA SecurID Authenticator and the EMC local certificate authority (CA). Working with EMC systems and data sources, DCM aids in programmatically generating and authenticating each certificate request, as well as issuing and installing each certificate on the Gateway.

The Gateway system DCM provides proof-of-identity of your Gateway server host. This digital document binds the identity of the Gateway host to a key pair that can be used to encrypt and authenticate communication back to EMC. Because of its role in creating these certificates, the EMC certificate authority is the central repository for the EMC Secure Remote Support Gateway key infrastructure.

The CA requires full authentication of a certificate requester before it issues the requested certificate to the Gateway server. Not only must the CA verify that the information contained in the certificate request be accurate, it must also verify that the EMC Customer Service professional making the request is authenticated, and that this person belongs to the EMC Customer Service group that is allowed to request a certificate for the customer site at which the Gateway certificate is to be issued.

The EMC Customer Service professional requests a certificate by first authenticating himself or herself using an EMC-issued RSA SecurID Authenticator. Once authentication is complete, the Gateway installation program locally generates all the information required for the certificate on your Gateway server. It then enters the information on the certificate request, ensures accuracy and completeness of the information, and generates a random private key password with encryption. The installation program then submits the request, and after the certificate is issued, the installation program completes the certificate installation on the Gateway server automatically.

Device access control

The Gateway solution achieves remote application access to a server process running on an EMC storage device by using a strict IP and application port-mapping process. You have complete control over which ports and IP addresses are opened on your internal firewall to allow connectivity. The remote access session connections are initiated by an EMC Customer Service request at the EMC access server and through a pull connection to the Gateway server. EMC never initiates a connection to your Gateway server or network. Your policies determine if and how a connection is established.

Device configuration access control

Once your devices are configured for Gateway solution management, it is imperative that any changes to the configuration of the managed device are carefully controlled and monitored. For example, changing the configured IP address in the Gateway system or changing the IP address of the storage device disables EMC's ability to perform remote service on that device as well as the device's call home capabilities. For this reason, the Gateway solution's Deployment Utility requires that only authorized EMC Customer Service professionals are allowed to alter the configuration of a managed device. Each device modification, as well as the user ID of the EMC Customer Service professional who performed the change, is tracked in the Policy Manager and EMC DRM audit logs.

EMC enterprise access control

Several security features are incorporated into the EMC DRM system. The Gateway infrastructure is isolated from the rest of EMC's internal networks. EMC Customer Service professionals must be logged into the EMC corporate network system to access the DRM system. Only authorized EMC personnel can access the DRM system, and only those employees that have authorization approval from EMC Customer Service can use it.

In addition, only those EMC Customer Service professionals that are approved to access your specific devices can initiate remote connection sessions with those devices.


PART 1

Pre-Installation Tasks

Prior to the installation of the ESRS Gateway software on your servers, there are tasks you must perform, as described in these chapters.

Chapter 2, “Preparation for Standard Installation”

Provides steps necessary to prepare the Gateway server when you are using the standard system ‘C:’ drive as the install drive.

Chapter 3, “Preparation for a Non-Standard Installation”

Provides steps necessary to prepare the Gateway server when you are using a non-standard system drive (other than ‘C:’) as the install drive.

Chapter 4, “GatewayCheck Utility”

Describes how to run the GatewayCheck utility to verify your systems are ready for the installation of the ESRS Gateway software.

Chapter 2: Preparation for Standard Installation

This chapter provides information to assist you in preparing the Gateway server for a standard installation on the Gateway server’s system drive ‘C:’.

Note: We define system drive as the drive where the operating system is installed.

For non-standard installations (a system drive other than ‘C:’), go to Chapter 3, “Preparation for a Non-Standard Installation.”

Topics in this chapter include:

◆ Overview

◆ Internet Information Services (IIS) deployment

Overview

The primary task in preparation of the Gateway server prior to the installation of the Gateway solution is preparing the Operating System. This includes installing the Microsoft Internet Information Services (IIS) on the system drive. Additional tasks discussed within this chapter include setting up the FTP and SMTP servers on the system drive.

If using a domain environment, EMC recommends beginning the OS installation in a workgroup, then joining a domain after the installation. You must also verify that after joining the domain all connections are active.

To prepare the required OS configuration for a standard system drive ‘C:’ Gateway installation, perform the following steps for each intended server:

Note: You must verify that Domain Policies have not inhibited the functions necessary for the Gateway to function properly. In other words, verify that services have not been removed or disabled by Domain Group Policies.

◆ Install the Windows OS and any applicable updates:

• Install Windows Server 2003 SP1 or SP2 (English only, 32-bit or 64-bit versions).

• Install and configure any device drivers required by the OS and the hardware.

• Apply any service packs and security fixes as required by your corporate policies, including antivirus software.

• Set the Windows Time Zone to the correct time zone for the Gateway server’s physical location.

Note: Having the Windows Time Zone set to a setting other than the local time zone may adversely affect remote support tool performance.

◆ Load .NET Framework versions 1.1 and 2.0. Both versions must be loaded for complete functionality. Both versions may co-exist on the same server without interfering with or overwriting each other. Instructions are included in Section ”.NET Framework” on page 41.


◆ Install, configure, and test Microsoft IIS according to the instructions in this chapter: Start with “Internet Information Services (IIS) deployment” on page 42.

◆ When the configuration is complete, run the GatewayCheck utility to verify the system configuration and connectivity to EMC target devices. Go to Chapter 4, ”GatewayCheck Utility.”


Server settings summary

Prior to having Gateway software installed, you must configure its server operating system with the settings shown in Table 1 on page 40. The procedure to establish these IIS settings is provided in “Internet Information Services (IIS) deployment” on page 42.

Table 1 Gateway server standard configuration requirements

Category                                  Variable                         Value
----------------------------------------  -------------------------------  ------------------------------
Internet Information Services (IIS)       Startup type                     Manual
                                          State                            Started

Note: The following settings describe the FTP services and directory structure required for Gateway server installation. Once the server has been installed, the FTP or SMTP service may be disabled, but not both—however, the FTP directory structure must remain in place.

Default FTP Site (a) > Properties
  FTP Site                                Description                      ESRS Gateway FTP Site
                                          IP address                       Local/Internal IP
                                          TCP port                         21
  Security Accounts                       Allow anonymous connections      No (unchecked)
  Home Directory                          Local path                       C:\inetpub\ftproot
                                          Read                             Yes (checked)
                                          Write                            Yes (checked)
                                          Log visits                       Yes (checked)
                                          User Isolation                   Yes

Default SMTP Virtual Server > Properties
                                          Description                      ESRS Gateway SMTP Site
                                          Domain                           emc.com
                                          Drop directory                   C:\inetpub\mailroot\drop
                                          E-mail message maximum size of   15 MB

Local Users and Groups > New User         Default User Group               Yes
  New User (1)                            User name                        OnAlert
                                          Password                         EMCCONNECT (case sensitive)
                                          User cannot change password      Yes (checked)
                                          Password never expires           Yes (checked)
  New User (2)                            User name                        ESRSConfig
                                          Password                         esrsconfig (case sensitive)
                                          User cannot change password      Yes (checked)
                                          Password never expires           Yes (checked)
  New directories                         C:\inetpub\ftproot\LocalUser
                                          C:\inetpub\ftproot\LocalUser\OnAlert
                                          C:\Inetpub\ftproot\LocalUser\OnAlert\incoming
                                          C:\inetpub\ftproot\LocalUser\ESRSConfig

a. These settings describe the FTP services and directory structure required for Gateway server installation. Once the server has been installed, these FTP services may be disabled—however, the FTP directory structure must remain in place on the system drive.

.NET Framework

Two versions of Microsoft .NET Framework are required for full functionality of the Gateway server and its utilities: 1.1 and 2.0. Both versions may co-exist on the same server without interfering with or overwriting each other.

Note: The .NET Framework runs as a 32-bit application.

Version 1.1

Version 1.1 is required for the GatewayCheck Utility.

◆ For 32-bit Windows Server 2003, the .NET Framework is integrated with the OS, and should be loaded and running. You can verify this by going to the Control Panel and running Add or Remove Programs and verifying that “Microsoft .NET Framework 1.1” is installed.

If you need to install the .NET Framework, use Windows Update or navigate to Microsoft .NET Framework 1.1 Service Pack 1 at the Microsoft Download Center website.

◆ For 64-bit Windows Server 2003, you must download and install the .NET Framework (minimum rev. 1.1) from the Microsoft website. Use Windows Update and select the .NET Framework 1.1 package or navigate to the Microsoft .NET Framework Version 1.1 Redistributable Package at the Microsoft Download Center website.

Version 2.0

Version 2.0 is required for the Gateway server application.

You must download and install the .NET Framework (version 2.0) from the Microsoft website. Use Windows Update and select the .NET Framework 2.0 package or navigate to the Microsoft .NET Framework Version 2.0 at the Microsoft Download Center website:

Microsoft .NET Framework 2.0 Service Pack 1 (x86)

-or-

Microsoft .NET Framework 2.0 Service Pack 1 (x64)

Internet Information Services (IIS) deployment

Install Microsoft Windows Internet Information Services (IIS) and enable FTP and SMTP services on the system drive.

Install IIS

To install IIS:

1. Open the Control Panel, and from there open Add/Remove Programs.

2. Select Add/Remove Windows Components.

3. Highlight Application Server and click Details.

4. Highlight Internet Information Services (IIS) and click Details.

5. Select the File Transfer Protocol (FTP) and SMTP Service checkboxes. (Leave the Common Files and Internet Information Services Manager checkboxes enabled, as per the default settings.)

6. Click OK to exit the Internet Information Services (IIS) setup.

7. Click OK to exit the Application Server setup.

8. Click Next at the bottom of the Add/Remove Windows Components setup page.

9. If prompted, insert the Windows Server 2003 installation CD into the CD-ROM drive, or provide the path to the i386 directory on the CD or network share drive.

Example: Enter D:\i386 if ‘D’ is the CD-ROM drive designation.

Configure OS to accommodate IIS

This section details how to configure the OS to accommodate IIS.

OnAlert user account setup

Use this procedure to set up OnAlert user accounts:

1. Right-click My Computer on the desktop, and select Manage from the pop-up menu.

2. Double-click Local Users and Groups.

3. Right-click Users and select New User from the pop-up menu.

4. Enter OnAlert in the User Name field.

5. Enter EMCCONNECT (case sensitive) in the Password field.

6. Re-enter EMCCONNECT (case sensitive) in the Confirm Password field.

7. Deselect the User must change password at next logon checkbox.

8. Select the Password Never Expires checkbox.

9. Select User cannot change password.

10. Click Create.

ESRSConfig user account setup

Use this procedure to set up ESRSConfig user accounts:

1. Right-click Users and select New User from the pop-up menu.

2. Enter ESRSConfig in the User Name field.

3. Enter esrsconfig (case sensitive) in the Password field.

4. Re-enter esrsconfig (case sensitive) in the Confirm Password field.

5. Deselect the User must change password at next logon checkbox.

6. Select the Password Never Expires checkbox.

7. Select User cannot change password.

8. Click Create, and then click Close.

9. Exit the Computer Management application.

Account folders creation

Create the folders in the following list:

IMPORTANT! The folders in the following list must be created on the same drive where IIS is installed.

C:\Inetpub\ftproot\LocalUser
C:\Inetpub\ftproot\LocalUser\OnAlert
C:\Inetpub\ftproot\LocalUser\OnAlert\incoming
C:\Inetpub\ftproot\LocalUser\ESRSConfig

Configure IIS

This section provides details on how to configure IIS.

FTP server setup

To set up the FTP server:

1. Open the Internet Information Services (IIS) Manager: Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager

2. In the left pane of the Internet Information Services (IIS) Manager window, highlight Default FTP Site.

3. Right-click Default FTP Site, select Delete from the pop-up menu, and click Yes to confirm the deletion.

4. Right-click FTP Sites and select New FTP Site from the pop-up menu.

5. Click Next at the Welcome screen.

6. Enter the description ESRS Gateway FTP, and click Next.

7. Enter the IP address being used for the FTP server. (Do not change the default TCP port 21.) Click Next.

Note: On a multihomed server, the IP address is the internal IP address that connects to the devices.

8. Select Isolate users, and click Next.

9. Browse to C:\Inetpub\ftproot, click OK, then click Next.

10. Select the Read and Write checkboxes, and click Next.

11. Click Finish.

12. In the Internet Information Services (IIS) Manager, right-click on the FTP site ESRS Gateway FTP and select Properties from the pop-up menu.

13. Click Security Accounts and deselect Allow anonymous connections.

14. At the alert, continue anyway?, click Yes.

15. Click Messages.

16. In the Welcome field, type a welcome message.

For example: Welcome to the name_of_your_FTP_server FTP server

17. In the Exit field, type an exit message.

For example: You are leaving the name_of_your_FTP_server FTP server. Goodbye!

18. Click Home Directory.

19. Enter C:\Inetpub\ftproot in the Local Path field.

20. Select the Read, Write, and Log visits checkboxes.

21. Click OK to exit.

SMTP server setup

To set up the SMTP server:

1. In the left pane of the Internet Information Services (IIS) Manager window, right-click Default SMTP Virtual Server, and select Rename from the pop-up menu.

2. Type the new SMTP virtual server name ESRS Gateway SMTP Server.

3. Double-click ESRS Gateway SMTP Server.

4. Double-click Domains.

5. On the right side of the Domains window, highlight the domain name.

6. Right-click on the domain name and select Rename from the pop-up menu.

7. Type the name emc.com, and click Done.

Configure and test e-mail

You must set the e-mail message size to 15 MB:

1. In the left pane of the Internet Information Services (IIS) Manager window, right-click Default SMTP Virtual Server and select Properties, as shown in Figure 8 on page 46.

Figure 8 Default SMTP Properties

2. Click Messages, as shown in Figure 9 on page 46.

Figure 9 Default SMTP Message tab

3. Change the Limit message size to 15000.

4. Change the Limit session size to 30000.

5. Click OK.

6. In the left pane of the Internet Information Services (IIS) Manager window, click on Domain under Default SMTP Virtual Server.

7. Right-click on emc.com and select Properties. See Figure 10 on page 47.

Figure 10 E-mail server specification

8. Point to the maildrop directory on the C: drive (C:\inetpub\mailroot\Drop), as shown in Figure 11 on page 48.

Figure 11 Mail drop specification

9. Test the e-mail server and verify that mail is in the proper directory (Figure 12 on page 49).

Note: This is Primus solution emc136619.

Figure 12 E-mail server test

Command that you enter [bold]
Response that you receive [plain]

telnet ip_address 25

220 jerry.lab.pvt.dns Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 Jan 2007 15:20:31 -0500

vrfy onalert

252 2.1.5 Cannot VRFY user, but will take message for <[email protected]>

helo

250 jerry.lab.pvt.dns Hello [192.1.7.203]

mail from:[email protected]

250 2.1.0 [email protected] OK

rcpt to:[email protected]

250 2.1.5 [email protected]

data

354 Start mail input; end with <CRLF>.<CRLF>

subject:testemailserver<CR>This is a test of the email server<CR>.<CR>

250 2.6.0 <[email protected]> Queued mail for delivery

10. Return to \\inetpub\mailroot\drop directory.

Figure 13 Mail drop directory messages

11. Right-click on one of the listed mail messages.

12. Open the mail using Notepad.

You see contents similar to that in Figure 14 on page 51.

Figure 14 Sample e-mail

13. Close and delete all e-mail from the directory.

This completes the installation and configuration of the base OS. At this point:

◆ All devices should be properly installed and functioning, including appropriate Service Pack and patches

◆ AV should be installed and configured

◆ OS hardened according to your specifications

◆ Run the GatewayCheck utility to verify the system configuration and connectivity to EMC target devices. Go to Chapter 4, ”GatewayCheck Utility.”

Chapter 3 Preparation for a Non-Standard Installation

This chapter provides information to assist you in preparing the Gateway server for a non-standard installation on a drive other than the server’s system drive ‘C:’.

Note: We define system drive as the drive where the operating system is installed.

For standard installations (default system drive ‘C:’), go to Chapter 2, ”Preparation for Standard Installation.”

Topics in this chapter include:

◆ Overview
◆ .NET Framework
◆ Post-installation configuration

Overview

The primary task in preparation of the Gateway server prior to the installation of the Gateway solution is preparing the Operating System. This includes installing the Microsoft Internet Information Services (IIS) on the same drive to be used for the OS and Gateway software. Additional tasks discussed within this chapter include setting up the FTP and SMTP servers on this drive.

If using a domain environment, EMC recommends beginning the OS installation in a workgroup, then joining a domain after the installation. You must also verify that after joining the domain all connections are active.

To prepare the required OS configuration for a non-standard system drive (non-‘C:’) Gateway installation, perform the following steps for each intended server:

◆ Install the Windows OS and any applicable updates:

• Install Windows Server 2003 SP1 or SP2 (English only, 32-bit or 64-bit versions).

Note: You must verify that Domain Policies have not inhibited the functions necessary for the Gateway to function properly. In other words, verify that services have not been removed or disabled by Domain Group Policies.

• Install and configure any device drivers required by the OS and the hardware.

• Apply any service packs and security fixes as required by your corporate policies, including antivirus software.

• Set the Windows Time Zone to the correct time zone for the Gateway server’s physical location.

Note: Having the Windows Time Zone set to a setting other than the local time zone may adversely affect remote support tool performance.

◆ Load .NET Framework versions 1.1 and 2.0. Both versions must be loaded for complete functionality. Both versions may co-exist on the same server without interfering with or overwriting each other. Instructions are included in Section ”.NET Framework” on page 56.

◆ Install, configure, and test Microsoft IIS according to the instructions in this chapter: Start with “.NET Framework” on page 56.

◆ When the configuration is complete, run the GatewayCheck utility to verify the system configuration and connectivity to EMC target devices. Go to Chapter 4, ”GatewayCheck Utility.”

.NET Framework

Two versions of Microsoft .NET Framework are required for full functionality of the Gateway server and its utilities: 1.1 and 2.0. Both versions may co-exist on the same server without interfering with or overwriting each other.

Note: The .NET Framework runs as a 32-bit application.

Version 1.1

Version 1.1 is required for the GatewayCheck Utility.

◆ For 32-bit Windows Server 2003, the .NET Framework is integrated with the OS, and should be loaded and running. You can verify this by going to the Control Panel and running Add or Remove Programs and verifying that “Microsoft .NET Framework 1.1” is installed.

If you need to install the .NET Framework, use Windows Update or navigate to Microsoft .NET Framework 1.1 Service Pack 1 at the Microsoft Download Center website.

◆ For 64-bit Windows Server 2003, you must download and install the .NET Framework (minimum rev. 1.1) from the Microsoft website. Use Windows Update and select the .NET Framework 1.1 package or navigate to the Microsoft .NET Framework Version 1.1 Redistributable Package at the Microsoft Download Center website.

Version 2.0

Version 2.0 is required for the Gateway server application.

You must download and install the .NET Framework (version 2.0) from the Microsoft website. Use Windows Update and select the .NET Framework 2.0 package or navigate to the Microsoft .NET Framework Version 2.0 at the Microsoft Download Center website:

Microsoft .NET Framework 2.0 Service Pack 1 (x86)

-or-

Microsoft .NET Framework 2.0 Service Pack 1 (x64)

Internet Information Services (IIS) deployment

This section provides details on deploying IIS.

Install IIS

To install IIS:

1. Open the Control Panel and select Add/Remove Programs.

2. On the left panel of the new window, click Add or Remove Windows Programs.

3. Select Application Server, and click Details.

4. Select Internet Information Services Manager, and click Details.

5. Select:

• FTP Service
• IIS Manager
• SMTP Services

6. Click OK.

7. Click OK.

8. Click Next.

The screen in Figure 15 on page 57 appears.

Figure 15 Windows Component Wizard

9. Point to the location of the I386 directory in the installation media, or other applicable location. If Insert disk appears, click OK.

10. Browse to location.

11. Click Open.

12. Click OK.

Note: You may need to browse again then click Open.

Figure 16 Files Needed dialog box

13. Click Finish.

14. Close the Add or Remove Programs window.

IIS installs Common Files, and FTP and SMTP services in the OS system drive.

15. Open Windows Explorer.

16. Find the inetpub directory.

17. Copy (DO NOT MOVE) the inetpub directory to the non-C: drive used for the OS installation. In the example in Figure 17 on page 59, this is drive E:.

Figure 17 Inetpub directory

18. Build a directory structure according to the format specified in the Site Planning Guide, as shown in Figure 18 on page 60.

19. Verify that mailroot and its subdirectories were included in copying the inetpub directory from the C: drive to the new drive.

Configure IIS

Configure IIS according to the directions in Chapter 2, ”Preparation for Standard Installation,” substituting the non-C: drive in the directory paths (E: in this case).

IMPORTANT! You must also keep the directory structure for the inetpub directory on the C: drive. See Figure 18 on page 60.

Figure 18 Directory structure

FTP server

To set up the FTP server:

1. Right-click My Computer, and select Manage, as shown in Figure 19 on page 60.

Figure 19 My Computer > Manage

2. Double-click Services and Applications as shown in Figure 20 on page 61.

Figure 20 Computer Management > Services and Applications

3. Double-click Internet Information Services.

4. Double-click FTP Sites.

5. Select Default FTP Sites.

6. Right-click Properties.

7. Change the description line in the Default FTP Site Properties window from Default FTP Site to ESRS Gateway as shown in Figure 21 on page 62.

Figure 21 Rename FTP site

8. Select the proper IP address (if multi-homed, this is the internal IP address) (Figure 22 on page 62).

Figure 22 FTP Site IP address selection

9. Click Security Accounts and clear the Allow anonymous connections checkbox (Figure 23 on page 62).

Figure 23 Allow anonymous connections checkbox cleared

10. Click Yes in warning message dialog box (Figure 24 on page 63).

Figure 24 IIS Manager data encryption warning

11. Click Apply.

12. Click Messages.

13. Fill in appropriate information for Messages, and click Apply (Figure 25 on page 63).

Figure 25 Messages tab

14. Under the Home Directory tab, point to the home directory structure on the non-system drive ('E:' in this case, or E:\Inetpub\ftproot\) (Figure 26 on page 64).

Figure 26 Inetpub path

15. Click OK.

16. Check both the Read and Write options.

17. Click Apply.

18. Click OK.

Configure and test email

You must set the email message size to 15 MB.

1. In the left pane of the Internet Information Services (IIS) Manager window, right-click Default SMTP Virtual Server and select Properties, as shown in Figure 27 on page 65.

Figure 27 Default SMTP Properties

2. Click Messages as shown in Figure 28 on page 65.

Figure 28 Default SMTP Message Tab

3. Change the Limit message size to 15000.

4. Change the Limit session size to 30000.

5. Click OK.

6. In the left pane of the Internet Information Services (IIS) Manager window, click on Domain under Default SMTP Virtual Server.

7. Right-click on emc.com and select Properties. See Figure 29 on page 66.

Figure 29 Email server specification

8. Point to the maildrop directory on the installation drive (in this case, E:\inetpub\mailroot\Drop), as shown in Figure 30 on page 66.

Figure 30 Mail drop specification

9. Test the email server and verify that mail is in the proper directory (Figure 31 on page 67).

Note: This is Primus solution emc136619.

Figure 31 Email server test

Command that you enter [bold]
Response that you receive [plain]

telnet ip_address 25

220 jerry.lab.pvt.dns Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 Jan 2007 15:20:31 -0500

vrfy onalert

252 2.1.5 Cannot VRFY user, but will take message for <[email protected]>

helo

250 jerry.lab.pvt.dns Hello [192.1.7.203]

mail from:[email protected]

250 2.1.0 [email protected] OK

rcpt to:[email protected]

250 2.1.5 [email protected]

data

354 Start mail input; end with <CRLF>.<CRLF>

subject:testemailserver<CR>This is a test of the email server<CR>.<CR>

250 2.6.0 <[email protected]> Queued mail for delivery

10. Return to \\inetpub\mailroot\drop directory.

Figure 32 Mail drop directory messages

11. Right-click on one of the listed mail messages.

12. Open the mail using Notepad.

You see contents similar to that in Figure 33 on page 69.

Figure 33 Sample email

13. Close and delete all email from the directory.

This completes the installation and configuration of the base OS. At this point:

◆ All devices should be properly installed and functioning, including appropriate Service Pack and patches

◆ AV should be installed and configured

◆ OS hardened according to your specifications

◆ Follow instructions in Section ”Post-installation configuration” on page 70.

◆ Run the GatewayCheck utility to verify the system configuration and connectivity to EMC target devices. Go to Chapter 4, ”GatewayCheck Utility.”

Post-installation configuration

This section provides instructions for tasks following server software installation.

Gateway server

After finishing the Gateway server software installation, complete the instructions in the following sections (from Primus emc141688).

Edit registry

When the system has been rebooted after installation:

1. Open a Command Prompt window.

2. Run the following command:

C:\Inetpub\AdminScripts> CScript.exe adsutil.vbs get /MSFTPSVC/PassivePortRange

Note: Specification of the “C:” drive may or may not be correct. It depends on the drive where IIS is installed.

You see the following output:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

PassivePortRange : (STRING) "5400-5413"

3. If you do not see the previous response, run the following command on the Gateway:

C:\Inetpub\AdminScripts> CScript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "5400-5413"

4. Now run the following command:

C:\Inetpub\AdminScripts>iisreset /restart

You see the following output:

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted

5. Using Notepad, edit the file:

<Install_Drive>:\EMC\Gateway\ESRS\Gateway Device\xgFileWatch.xml

so that the paths reflect the proper drive letter.

Note: There are multiple entries in the file. Verify and edit all paths as necessary.

See the following example for one instance of a path to edit.

Example

~
<filewatchschema
  name="ESRS Connect Home FTP"
  action="upload"
  transient="yes"
  initialaction="no"
  method="timesize"
  changenotify="none"
  missingnotify="none"
  hint="ESRSFTP"
  missingseverity="10"
  changeseverity="10"
  delay="15">
  <!-- directory: watched directory (i.e. files inside the directory are watched
       supported attributes:
       - name (mandatory): absolute or relative path
       - optional attributes of filewatchschema: may be overriden here
       - recursive (optional): subdirectores are watched recursively, when true:
         * "no" (default)
         * "yes"
       - pattern (optional): shell expression. Only matched files are watched. Default is all files
  -->
  <directory
    name="[install_drive]:\Inetpub\ftproot\LocalUser\onalert\incoming"
    pattern="*.*" recursive="no"/>
</filewatchschema>
<filewatchschema
  name="ESRS Connect Home SMTP"
  action="upload"
  transient="yes"
~
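The checks in steps 2 through 5 can also be run against captured adsutil.vbs output and a copy of xgFileWatch.xml. The Python below is an added example, not code from EMC or the Gateway software; the function names, the `<filewatch>` root element and the sample entries are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

EXPECTED_RANGE = "5400-5413"  # passive FTP port range required by the guide

# Property line printed by: CScript.exe adsutil.vbs get /MSFTPSVC/PassivePortRange
_RANGE_LINE = re.compile(r'^\s*PassivePortRange\s*:\s*\(STRING\)\s*"([^"]*)"', re.M)
_DRIVE = re.compile(r"^([A-Za-z]):[\\/]")    # C:\... or E:/...
_PLACEHOLDER = re.compile(r"^\[[^\]]+\]:")   # [install_drive]:\... left unedited


def passive_port_range(adsutil_output):
    """Return the configured range string, or None if the property line is absent."""
    match = _RANGE_LINE.search(adsutil_output)
    return match.group(1) if match else None


def audit_filewatch_paths(xml_text, install_drive):
    """List (schema name, path, problem) for watched directories that still need editing.

    Relative paths are skipped: they carry no drive letter to correct.
    """
    want = install_drive.strip().rstrip(":\\/").upper()
    findings = []
    for schema in ET.fromstring(xml_text).iter("filewatchschema"):
        for directory in schema.iter("directory"):
            path = directory.get("name", "")
            drive = _DRIVE.match(path)
            if _PLACEHOLDER.match(path):
                problem = "placeholder drive not replaced"
            elif drive and drive.group(1).upper() != want:
                problem = "on drive %s:, expected %s:" % (drive.group(1).upper(), want)
            else:
                continue
            findings.append((schema.get("name"), path, problem))
    return findings


# Constructed sample input. The banner and property line follow the output shown
# in step 2 of the guide.
SAMPLE_ADSUTIL = (
    "Microsoft (R) Windows Script Host Version 5.6\n"
    "Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.\n"
    "\n"
    'PassivePortRange : (STRING) "5400-5413"\n'
)

# Constructed sample file. The <filewatch> root element is an assumption; the first
# two schema names come from the guide's excerpt, the third entry is invented here.
SAMPLE_XML = r"""
<filewatch>
  <filewatchschema name="ESRS Connect Home FTP" action="upload" transient="yes">
    <!-- directory: watched directory -->
    <directory name="C:\Inetpub\ftproot\LocalUser\onalert\incoming"
               pattern="*.*" recursive="no"/>
  </filewatchschema>
  <filewatchschema name="ESRS Connect Home SMTP" action="upload" transient="yes">
    <directory name="E:\Inetpub\mailroot\Drop" pattern="*.*" recursive="no"/>
  </filewatchschema>
  <filewatchschema name="Sample unedited entry" action="upload">
    <directory name="[install_drive]:\Inetpub\ftproot\LocalUser\ESRSConfig" pattern="*.*"/>
    <directory name="logs\incoming" pattern="*.log"/>
  </filewatchschema>
</filewatch>
"""

if __name__ == "__main__":
    current = passive_port_range(SAMPLE_ADSUTIL)
    if current != EXPECTED_RANGE:
        print("PassivePortRange is %r; step 3 (adsutil.vbs set) is required" % current)
    for name, path, problem in audit_filewatch_paths(SAMPLE_XML, "E:"):
        print("%s: %s (%s)" % (name, path, problem))
```

An empty result from `audit_filewatch_paths` means every absolute path in the file already points at the install drive.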

Policy Manager

After the Policy Manager server software installation is complete, edit the FileUpload attributes of all Policies on the Policy Manager Global group to reflect the correct paths of the file locations on the Gateway server. We recommend that you first copy all applicable policies and then make edits to one set, leaving the original policies with the original locations. Figure 34 on page 72 shows edits that must be made to the policies.

Figure 34 Policy Manager disk changes

1. Click on the link for the permission as shown in Figure 35 on page 72.

Figure 35 Permissions link

2. A screen appears for editing the File Upload permissions. Click Next as shown in Figure 36 on page 72.

Figure 36 Editing File Upload permissions

3. The edit parameters screen appears. In the File: field, enter the correct drive and path for the directory listed in the Parameters field, and click Add as shown in Figure 37 on page 73.

Figure 37 Adding updated drive and path

4. Check the path now listed with the original. If listed correctly, click Finish, as shown in Figure 38 on page 73.

Figure 38 Checking entry and clicking Finish

5. The screen now returns to the Global group permissions. The Parameters field now shows the drive and path you entered for the associated permission, as shown in Figure 39 on page 74.

Figure 39 Updated Parameter listing

6. Repeat step 1 on page 72 through step 5 on page 73 for each File Upload action.

Chapter 4 GatewayCheck Utility

This chapter provides instructions on installing and running the GatewayCheck utility (GatewayCheck.exe), which verifies that a candidate server meets the hardware, software, and network configuration requirements for successful Gateway and Policy Manager software installation. Topics include:

◆ Overview
◆ GatewayCheck system requirements
◆ Installation
◆ Operation
◆ Required test failure resolution
◆ Version information

Overview

The EMC Secure Remote Support Gateway solution has specific requirements for the hardware, software, and network configurations of the customer-supplied Gateway and Policy Manager servers. If a Gateway or Policy Manager server does not meet one or more of the requirements (listed in Table 2 on page 77), various problems may occur both during and after Gateway software installation.

The GatewayCheck utility tests candidate Gateway and Policy Manager servers to verify that each server meets all the configuration requirements necessary for successful Gateway software installation.

When you run the GatewayCheck utility on a candidate server, the utility performs a full series of automated system requirement tests on the server. Each test verifies the server’s compliance with a specific system requirement, and GatewayCheck assigns a Passed or Failed status to each test result.

Each time you run a new series of tests, the GatewayCheck utility creates a new report file and stores all the test results in that file. You can then use the GatewayCheck application (or Notepad or WordPad) to view the report files for all the test series that you have run on a server.

Note: You must install and run this application on every Gateway and Policy Manager server, verifying that each server passes the required GatewayCheck tests before your Gateway installation date.

.NET Framework 1.1 needs to be installed and functioning for the GatewayCheck Utility to function correctly.

Some ports may fail the connectivity test. This is due to the existence of secondary connections, and does not affect the overall test result.

You will need to supply a copy of the test results to EMC Global Services before the Gateway software installation is performed.

GatewayCheck system requirements

GatewayCheck checks that your server and its environment meet requirements. These requirements are listed in Table 2 on page 77.

Table 2 GatewayCheck system requirements

Item | Requirement
Operating system | Microsoft Windows Server 2003 SP1 or later
 | Microsoft .NET Framework 1.1
Storage | 0.5 GB disk space available
Memory | 512 MB RAM (1024 MB RAM preferred)
 | Minimum single 10/100 Ethernet adapter, preferred Gigabit Ethernet adapters, optional additional NIC for data backups
Network connectivity to devices | Network connections open between server and devices
Internet access | Internet connection open on server

Page 78: Gateway Operations Guide

Installation

To install the GatewayCheck utility:

1. On the targeted Gateway or Policy Manager server, create a directory called GatewayCheck.

Note: For best results, you should create the GatewayCheck directory on the drive where you intend to install the Gateway and Policy Manager software on the server, but this is not a requirement.

2. Do one of the following:

• Follow EMC Customer Support instructions to open or download the latest version of the GatewayCheck utility from the EMC Powerlink web site (http://Powerlink.EMC.com) to a staging location or removable disk.

• Insert the Gateway software installation CD. Then use Microsoft Windows Explorer to open the following directory on the CD:

Utilities\ESRS Site Validation Tool

3. Copy the three files identified in Table 3 on page 78 to the new GatewayCheck directory on the target server.

Table 3 GatewayCheck installed files

Filename | Description
GatewayCheck.exe | Application
GatewayCheck.exe.config | Application configuration file
TextMask.dll | Custom edit control for text field validation

Page 79: Gateway Operations Guide

Operation

The GatewayCheck utility provides a suite of tests that you can run on a candidate Gateway or Policy Manager server in order to verify that the target server meets the hardware, software, and network configuration requirements for successful installation of the Gateway and Policy Manager software.

There are tests specific to Gateway servers and to Policy Manager servers.

◆ If you plan to run the Gateway and Policy Manager applications on the same server, you should run all available tests on that server.

◆ If you plan to run the Gateway and Policy Manager applications on separate servers, you should run the Gateway-related tests only on the Gateway server, and you should run the Policy Manager tests only on the Policy Manager server.

To run a series of tests using the GatewayCheck application:

1. Launch the GatewayCheck application.

2. Enter your customer site and contact information.

3. Select the tests you want to run.

4. Set the configuration parameters for each test.

5. Execute the test run.

6. View the test results.

7. Save the test results to a log file in the GatewayCheck directory.

8. Exit the GatewayCheck application.

Launching the application

To launch the GatewayCheck application:

1. Use Microsoft Windows Explorer to open the GatewayCheck directory, and then double-click the GatewayCheck.exe program file.

The EMC Secure Remote Support Gateway Installation Check window appears, displaying a blank white application screen, as shown in Figure 40 on page 80. This is the main GatewayCheck application window.

Page 80: Gateway Operations Guide

Figure 40 Main GatewayCheck application window

2. The GatewayCheck utility creates the following three directories within the GatewayCheck installation root directory:

[INSTALL_ROOT]
    LOGS
    ERROR
    TRACE

• The LOGS directory contains the report files in which GatewayCheck stores the test results for each test series that you run.

• The ERROR directory contains the GatewayCheck application’s runtime error messages.

• The TRACE directory contains the GatewayCheck application’s program execution logs.

IMPORTANT! If you encounter a problem with the GatewayCheck application, you must forward the contents of all three directories to your EMC Global Services Representatives so that they can assist you in solving the problem.

Page 81: Gateway Operations Guide

Entering customer information

You must register your customer site and contact information with the GatewayCheck application before you can select and run any tests on your server. To enter your information:

1. From the main GatewayCheck application menu, select Edit, Gateway Customer Info.

A new window appears, displaying the Customer Information form shown in Figure 41 on page 81.

Figure 41 GatewayCheck customer information form

2. Complete all text fields, as shown in Figure 41, and click OK.

The Test Selection screen appears, as shown in Figure 42 on page 82.

Page 82: Gateway Operations Guide

Selecting tests to be run

After you have entered your site and contact information in the Customer Information form, you can select the specific tests to be performed during the test run. To do this:

1. From the main application menu, select Tests > EMC Secure Remote Support Install Checks:

• If you did not yet enter your site and contact information, the utility prompts you to do so. When you click OK from the prompt, the Customer Information form appears, as shown in Figure 41 on page 81. You must enter your customer information before you can select and run any tests.

• If you have entered your customer site and contact information, a new window appears, showing the Test Selection screen with all test options selected by default, as shown in Figure 42 on page 82.

Figure 42 GatewayCheck test selection screen

2. Decide which tests you want to include in this run.

Page 83: Gateway Operations Guide

The Test Selection screen lets you select options from any of the following four test groups:

• Gateway Environment Tests — Verify that the Gateway server hardware meets the minimum requirements and verify that Microsoft Windows Server 2003 SP1 is installed on the server.

• Policy Mgr Environment Tests — Verify that the Policy Manager server hardware meets the minimum requirements and verify that Microsoft Windows Server 2003 SP1 is installed on the server.

• Network Connectivity Tests — Verify that all required network connections have been configured properly, so that communications are enabled between the Gateway server and EMC and between the Gateway and Policy Manager servers.

• System Applications Tests — Verify that the Gateway server has Microsoft IIS installed, has FTP and SMTP services enabled and configured properly, has the required directory structure in place on the installation root drive, has the required user accounts configured properly, and has the proper ports open for communication with each application installed on each of its managed devices.

Different tests are designed to run on each type of server, as follows:

• Co-Located Gateway and Policy Manager — You should run all available tests. This is the default Test Selection screen setting, as shown in Figure 42 on page 82.

Note: If you select at least one test option in each of the Gateway and Policy Manager test groups, the GatewayCheck application assumes that the Gateway and Policy Manager servers are to be co-located. (GatewayCheck only tests the server on which it is installed.)

• Gateway Only — You should run all available tests except the four tests for the Policy Manager.

• Policy Manager Only — You should run only the four tests in the Policy Mgr Environment Tests group.

3. Using the checkboxes in the Test Selection screen shown in Figure 42 on page 82, choose the tests you want to run on this server. By default, all available test options are selected.

Page 84: Gateway Operations Guide

Note: GatewayCheck runs the selected tests only after you click Run Tests on the Test Results screen. “Executing the test run” on page 88 provides instructions for running the selected tests.

4. If you want to run the Free Disk Space test from the Gateway Environment Tests group, perform the following steps:

a. Check the box next to Free Disk Space:

b. Using the scroll bar, select the correct drive letter:

c. Highlight the drive letter with your mouse:

Note: If you do not highlight the drive letter, after step 5 on page 84, you are asked to select the install drive letter even though the correct letter is showing.

5. Click Next. Then:

• If, in the Test Selection screen, you selected:

– Any test option in the Policy Mgr Environment Tests group

– The Gateway to Policy Manager Connection test option in the Network Connectivity Tests group

– The EMC Registration Authority Connect HTTPS test option in the Network Connectivity Tests group

– The EMC Secure Remote Support Connect HTTPS test option in the Network Connectivity Tests group

– The Device Application Port Connection Test option in the System Applications Tests group

The Test Configuration Parameters screen appears, as shown in Figure 43 on page 85.

Go to “Setting test configuration parameters” on page 85 for instructions on using this screen.

• If you did not select any of the previous test options, the Test Results screen appears, as shown in Figure 44 on page 88.

Page 85: Gateway Operations Guide

Go to “Executing the test run” on page 88 for instructions on using the Test Results screen to run the selected tests and view the test results.

Setting test configuration parameters

If you have selected any of the tests listed in step 5 on page 84, when you click Next on the Test Selection screen, the Test Configuration Parameters screen appears, as shown in Figure 43 on page 85.

Figure 43 GatewayCheck Configuration Parameters screen

To go back to the Test Selection screen and choose different test options, click Previous.

Page 86: Gateway Operations Guide

To set the parameters for the tests you selected, enter the information required to perform the selected tests, as follows:

Note: If you wish to change the information in any text field on this screen, you must use the Backspace key to delete the existing information and then re-enter the correct information. You cannot highlight and overwrite existing text, and you cannot click to insert new text in an existing entry.

1. In the Policy Manager area (upper-left corner of screen):

a. In the Policy Mgr IP Address field, enter the Policy Manager server’s IP address.

b. If the Policy Manager is not yet installed on this server, select No to answer the Policy Mgr currently installed: question.

c. If the Policy Manager is installed, select Yes to answer the Policy Mgr currently installed: question, and select the Check if Policy Manager is Installed on Gateway checkbox if you have installed co-located Gateway and Policy Manager servers on this machine.

2. In the Proxy Server area (upper-right corner of screen):

a. If a proxy server routes outbound Internet traffic from the Gateway server, select Yes to answer the Gateway using Proxy Server: question.

b. If they are active, complete the four proxy server information fields:

– Proxy IP Address — Proxy server IP address

– Proxy Port — Port over which proxy server communicates with Gateway server

– User Name — User name for an authorized proxy server user account

– Password — Password for previously-named proxy server user account (valid characters do not include %, &, <, and >)

Note: If the password field is not filled in, you receive a warning message. You may continue with the installation.

Page 87: Gateway Operations Guide

3. In the Device area (middle section of screen), if you are running GatewayCheck on a Gateway server in the DMZ, and you wish to ensure that the internal firewall rules allow network connections between the Gateway server and the targeted EMC devices, using the required application-specific ports, then for each device:

a. Click to select the Product Type from the scrolling list. (Symmetrix is selected by default.)

b. Click to select the Applications to be tested on the device. (Press and hold the Ctrl key and click to select multiple applications.)

c. Enter the device’s IP address.

d. Click Add to add the device to the Device List at the bottom of the screen.

To remove a device from the Device List:

a. Click the box to the left of a Device ID to select the row. (You can also press and hold the Ctrl key and click to select multiple rows.)

b. Click Remove.

4. If you have added any devices to the Device List, click Save Cfg.

GatewayCheck creates one test record for each application selected. If an application requires more than one port, GatewayCheck tests the ports for that application one at a time until either one port fails, causing the application test to fail, or all ports pass, causing the application test to pass.

5. When you have completed all available fields in the Policy Manager and Proxy Server areas, and you have added all the devices that you want to test to the Device List, click Next.

The Test Results screen appears, as shown in Figure 44 on page 88.
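The per-application port test described in step 4 can be reproduced outside the GUI, for example to recheck internal firewall rules after a change. The following is an added example, not GatewayCheck's own code: it creates one record per application, tests that application's ports one at a time, and stops at the first failure. The device address, application names, and port numbers are constructed placeholders; the real port list for each application is in the Site Planning Guide.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class ApplicationResult:
    """One test record per (device, application), as the guide describes."""
    device: str
    application: str
    passed: bool = True
    tested: list = field(default_factory=list)  # (port, ok, detail) in test order

    @property
    def status(self):
        return "Passed" if self.passed else "Failed"


def classify_error(exc):
    """Turn a socket error into a hint about where the connection was blocked."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timed out (packets probably dropped by a firewall, or device offline)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused (device reachable, but port closed or rejected by a firewall)"
    return "error: %s" % exc


def check_port(host, port, timeout=3.0):
    """Attempt a single TCP connection and return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, classify_error(exc)


def check_application(host, application, ports, timeout=3.0, probe=check_port):
    """Test ports in order; the first failure fails the whole application test."""
    if not ports:
        raise ValueError("no ports listed for application %r" % application)
    result = ApplicationResult(host, application)
    for port in ports:
        ok, detail = probe(host, port, timeout)
        result.tested.append((port, ok, detail))
        if not ok:
            result.passed = False
            break  # remaining ports for this application are not tested
    return result


def run_device_list(device_list, timeout=3.0, probe=check_port):
    """device_list: [(ip_address, {application_name: [port, ...]}), ...]"""
    results = []
    for host, applications in device_list:
        for application, ports in applications.items():
            results.append(check_application(host, application, ports, timeout, probe))
    return results


def format_report(results):
    lines = []
    for r in results:
        lines.append("%-7s %s / %s" % (r.status, r.device, r.application))
        for port, _ok, detail in r.tested:
            lines.append("        tcp/%d: %s" % (port, detail))
    return "\n".join(lines)


# Constructed device list: documentation-range address, placeholder
# application names and ports (not values from the Site Planning Guide).
DEVICE_LIST = [
    ("192.0.2.10", {"example-app-a": [5001, 5002], "example-app-b": [5003]}),
]

if __name__ == "__main__":
    print(format_report(run_device_list(DEVICE_LIST, timeout=2.0)))
```

Because testing stops at the first failed port, a Failed record says nothing about the ports listed after it; rerun the check after each firewall change until the application passes.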

Page 88: Gateway Operations Guide

Figure 44 GatewayCheck Test Results screen before test run execution

Executing the test run

Once you have selected the tests you want to run and configured the parameters for those tests if necessary, the Test Results screen appears, as shown in Figure 44 on page 88.

To go back to the Test Configuration Parameters screen shown in Figure 43 on page 85 and reset your Policy Manager, proxy server, and device information, click Previous.

Note: If you wish to change the information in any text field on the Test Configuration Parameters screen, you must use the Backspace key to delete the existing information and then re-enter the correct information. You cannot highlight and overwrite existing text, and you cannot click to insert new text in an existing entry.

Page 89: Gateway Operations Guide

To go back to the Test Selection screen shown in Figure 42 on page 82 and select a different set of tests for this run, click Previous twice – first on the Test Results screen and then on the Test Configuration Parameters screen.

To use the Test Results screen to execute the test run and view results:

1. Click Run Tests.

2. GatewayCheck runs all selected tests, one at a time. As each test runs, the name of that test appears beneath a test progress bar in the middle of the application window. As each test completes, its progress bar disappears, and the progress bar for the next test appears instead.

Note: If you have selected many devices or applications to be tested, the test run may take some time. Please be patient.

3. When the tests are complete, the basic status of each test (Passed or Failed) appears in the Summary Test Results pane, and the detailed results of each test appear in the Detailed Test Notes pane. Figure 45 on page 90 shows some sample test results.

Page 90: Gateway Operations Guide

Figure 45 GatewayCheck Test Results screen at test run completion

Viewing test results

This section describes how to view test results.

Test Results log files

When the test names and results appear in the Test Results screen as shown in Figure 45 on page 90, you can use the Test Results screen to view each test result in detail. You can also use a text editor such as Notepad to view test results from the file system.

To view the detailed results of any test:

1. Select the desired test status (Passed or Failed) in the Summary Test Results pane. The selected test is marked by an arrow in the far-left column in the pane.

2. The Detailed Test Notes pane automatically shows the detailed results for the selected test:

• The system configuration values obtained from the test

Page 91: Gateway Operations Guide

• If the test status is Failed, available information about why the test failed

For example, in Figure 45 on page 90, you can see that the Gateway Server OS version Windows 2003 test failed because the server’s operating system is Microsoft Windows 2000 Professional.

3. When you have finished reviewing the test results, click Cancel.

The Test Results window closes, but the main application window remains, as shown in Figure 41 on page 81.

From the main GatewayCheck application window, you can view detailed test results for all the tests you have performed in any GatewayCheck test run that you have executed on this server. To do this:

1. From the menu bar, select View > Gateway Test Logs.

The Test Results Logs navigation window appears, as shown in Figure 46 on page 91.

Figure 46 GatewayCheck Test Results Logs navigation window

2. In the Files of type: drop-down list box, select Log files (*.log).

Page 92: Gateway Operations Guide

The Test Results Logs window displays the log files for every GatewayCheck test series that you have completed on this server.

3. Select the log file for the test results you want to view and click Open.

The Test Results Logs window closes, and the contents of the log file that you selected appear in the main GatewayCheck application window, as shown in Figure 47 on page 92.

Figure 47 Sample GatewayCheck Test Results log file contents

4. Use the View, Find option in the main application window to search within the log file for specific text string values.

5. When you are finished viewing the log file, you can use the File, Close menu option to close the log file and leave the GatewayCheck application running.

Once you close the log file containing your test results, you can use the View, Gateway Test Logs menu option to reopen the Test Results Logs navigation window (shown in Figure 46 on page 91) to open and view the other log files that pertain to your run.

Page 93: Gateway Operations Guide

GatewayCheck application log files

Runtime error logs

To see the GatewayCheck application’s runtime error messages:

1. In the Test Results Logs navigation window, open the Error directory.

2. In the Files of type: drop-down list box, select Error files (*.err).

The Test Results Logs window displays the application’s runtime error files for every GatewayCheck test series that you have completed on this server.

3. Select the error file for your test run and click Open.

The Test Results Logs window closes, and the contents of the error file that you selected appear in the main GatewayCheck application window.

Program execution logs

To see the GatewayCheck application’s program execution logs:

1. In the Test Results Logs navigation window, open the Trace directory.

2. In the Files of type: drop-down list box, select Trace files (*.trace).

The Test Results Logs window displays the application’s program execution logs for every GatewayCheck test series that you have completed on this server.

3. Select the trace file for your test run and click Open.

The Test Results Logs window closes, and the contents of the trace file that you selected appear in the main GatewayCheck application window.

Saving Test Results and exiting the application

When you have finished viewing all of your log files in the main application window, you can do any of the following:

◆ Close the log file, using the File > Close menu option, and use the main application window to start another test run or view another file.

◆ Save the log file in the current display window to a new filename, using the File > Save As menu option to open a standard Windows Save As dialog box.

◆ Exit the application, using the File > Exit menu option or the X button in the upper-right corner of the window to close the application window.

Page 94: Gateway Operations Guide

Required test failure resolution

To successfully run the Gateway and Policy Manager software installation program, each target server must pass the tests required for its server type, as specified in Table 4 on page 94. If any required tests show a Failed status, you must resolve those failures before your Gateway installation date.

Note: If the Gateway and Policy Manager are to be co-located on a single server, the target server must pass the required tests for both server types.

Table 4 GatewayCheck test failure resolution (page 1 of 2)

Test name | Notes
Gateway Environment Tests | Required tests must pass on Gateway server
Memory | Required: At least 512 MB RAM
Free Disk Space | Required: At least 500 MB
Processor Speed | Required: Each at least 2.1 GHz total speed (one or more processors)
Operating System | Required: Windows Server 2003 SP1 or later 32-bit or 64-bit installed
Drive | Required: Designated drive available
Policy Mgr Environment Tests | Required tests must pass on Policy Manager server
Memory | Required: At least 512 MB RAM
Free Disk Space | Required: At least 1 GB
Processor Speed | Required: Each at least 750 MHz total speed (one or more processors)
Operating System | Required: Windows Server 2003 SP1 or later 32-bit or 64-bit installed
Network Connectivity Tests | Required tests must pass on Gateway server. Note: The EMC Registration Authority Connect and EMC Secure Remote Support Connect tests can be performed using either the HTTPS protocol or a simple TCP/IP connection to the EMC application servers. Required: Gateway server must pass both TCP/IP connection tests to proceed with Gateway software installation.
EMC Registration Authority Connect | Required: Gateway server can connect to EMC servers over TCP port 443.
EMC Registration Authority Connect HTTPS | HTTPS tests may fail for any of several reasons — for example, time-out and proxy configuration / authorization errors. You can test connections by using a local web browser to open the URLs provided in the detailed test results.
EMC Secure Remote Support Connect | Required: Gateway server can connect to EMC servers over TCP port 443.
EMC Secure Remote Support Connect HTTPS | HTTPS tests may fail for any of several reasons — for example, time-out and proxy configuration / authorization errors. You can test connections by using a local web browser to open the URLs provided in the detailed test results.

Page 95: Gateway Operations Guide

Table 4 GatewayCheck test failure resolution (page 2 of 2)

Test name | Notes
System Applications Tests | Required tests must pass on Gateway server
IIS Administration Service | Required: IIS installed on Gateway server
File Transfer Service | Required: FTP enabled on Gateway server and configured as specified in Site Planning Guide
Simple Mail Transport Protocol | Required: SMTP enabled on Gateway server and configured as specified in Site Planning Guide
Required Local User Accounts | Required: OnAlert and ESRSConfig user accounts created on Gateway server and configured as specified in Site Planning Guide
Required Directories and Permissions | Required: Directories created on Gateway server for use by FTP service, as specified in Site Planning Guide: C:\Inetpub\ftproot\LocalUser\OnAlert\incoming; C:\inetpub\ftproot\LocalUser\ESRSConfig
IIS and ESRS Installation Drive Check | Required: IIS and Gateway software installed on the same local drive. Note: If EMC has not yet installed the Gateway software, this test has a Failed status. However, the detailed test results state that the failure is a warning, and identify the drive on which EMC should install the Gateway software.
Device Application Port Connection Test | Required: Internal firewall rules must be updated to allow communication between the Gateway server and each of its managed devices, using the required ports for each remote support application, as specified in Site Planning Guide. Note: GatewayCheck tests the required port connections only for the devices and applications that you specify in the Test Configuration Parameters screen shown in Figure 43 on page 85. You should test the port connections for every application on every device that you want to manage through the Gateway system. Note: For devices not yet on the network, this test has a Failed status. For those devices, you should manually check the firewall rules to ensure that communication is allowed between the Gateway server and each device, using the required ports for each remote support application, as specified in Site Planning Guide.

Page 96: Gateway Operations Guide

Version information

You can use the main GatewayCheck menu shown in Figure 40 on page 80 to get version and copyright information.

To get version and copyright information for the GatewayCheck application, select About from the main application menu.


Page 97: Gateway Operations Guide

PART 2 Policy Management

The Policy Manager enforces the rules for customer-controlled Gateway site access and activity.

Chapter 5, “Policy Manager Administration”

Provides instructions for setting up Policy Manager user accounts for policy administrators.

Chapter 6, “Policy Manager Configuration and Operation”

Provides explanations and procedures for policy configuration and storage array access control.

Page 98: Gateway Operations Guide
Page 99: Gateway Operations Guide

5 Policy Manager Administration

This chapter presents the initial Policy Manager server configuration procedures, including Tomcat web server administration. Your primary activity here is user account setup:

◆ Installation, page 100

◆ Startup/shutdown, page 101

◆ Modifying the login banner, page 103

◆ Creating Policy Manager user accounts, page 104

◆ LDAP authentication, page 112

Page 100: Gateway Operations Guide


Installation

EMC Customer Service performs all installations of the Policy Manager software on a server that you provide and maintain at your site.

Note: The Policy Manager uses Apache Tomcat 5.0.x. Only Tomcat operations that are relevant to Policy Manager use are discussed here. For complete documentation on Apache Tomcat, refer to http://tomcat.apache.org

During Policy Manager installation, the EMC Customer Engineer specifies the following information:

◆ Root installation directory

◆ Port used by Policy Manager’s Tomcat web service (default: 8090)

◆ Tomcat administrator’s email address

◆ Notification email address

To change any of the previous information, you must contact EMC Customer Service.

Page 101: Gateway Operations Guide

Startup/shutdown

Upon Policy Manager server startup, its web server automatically starts as a Windows service.

You can manually start or stop the Policy Manager from the Windows Services item, as described here:

1. Open the Control Panel in Windows.

2. Open Administrative Tools.

3. Open Services.

4. Select EMC Secure Remote Service Policy Manager as shown in Figure 48 on page 101.

Figure 48 Services listing

5. Click Stop to stop the service, as shown in Figure 49 on page 102.

Page 102: Gateway Operations Guide

Figure 49 Stopping the service

6. Click Start to restart the Policy Manager service, as shown in Figure 50 on page 102.

Figure 50 Starting the service

7. Wait 10 seconds after starting the service to permit the Policy Manager to stabilize.

Page 103: Gateway Operations Guide

Modifying the login banner

You have the option to change the text that displays in the disclaimer section of the Policy Manager login screen. To change the text:

1. Browse to: [install drive]:\EMC\Policy Manager\Tomcat5\webapps\applications\apm\disclaimer

2. Using a text editor program (such as Notepad), edit the file named disclaimer.txt using any valid HTML text.

3. Save the file using the same file name (disclaimer.txt).

Page 104: Gateway Operations Guide

Creating Policy Manager user accounts

This section provides details about users and user accounts.

About users

You have the option of using your own Lightweight Directory Access Protocol (LDAP) authentication by following the procedure in “LDAP authentication” on page 112. The default authentication scheme is an Apache Tomcat file realm. This realm controls local user access to web server administration and Policy Manager application user interface pages.

Tomcat user authentication

With the Tomcat scheme, you administer the Policy Manager through a web interface.

Note: For complete documentation on Apache Tomcat, refer to http://tomcat.apache.org

To configure the Tomcat web server for use with the Policy Manager software, you must specify users at two access levels, represented by two roles, APMAdmin and APMUsers:

◆ APMAdmin — System administrators: log in to the Tomcat web server; configure server settings; add, configure, and delete user accounts; add, configure, and delete roles and user groups; log in to the Policy Manager application; set permissions for all policies, devices, and device groups defined in the Policy Manager; define, configure, and delete policies, devices, and device groups; view all Audit Log messages; and approve remote access requests.

◆ APMUsers — Policy administrators: log in to the Policy Manager application; set permissions for all policies, devices, and device groups defined in the Policy Manager; define, configure, and delete policies, devices, and device groups; view all Audit Log messages; and approve remote access requests.

Passwords for Policy Manager accounts are stored encrypted.

Page 105: Gateway Operations Guide

Tomcat user account planning

The Tomcat web server, installed as a component of the Policy Manager, is installed with predefined roles and a predefined administrator user account.

These predefined settings include:

◆ Roles: APMAdmin and APMUsers

Note: You may also see additional listed roles: admin, manager, role1, tomcat. The only groups used by the Policy Manager are APMAdmin and APMUsers.

◆ User Groups: (None)

◆ Username: admin

• Roles assigned: APMAdmin, APMUsers

• Password assigned: EMCPMAdm7n

Note: Change the admin account password immediately. ESRS solutions that still use the default password for the Tomcat web server administrative account are exposed to a targeted Denial of Service (DoS) attack. “Changing the Tomcat administrator password” on page 107 provides instructions.

Before you configure the Tomcat web server for the Policy Manager, you should record the following information for later entry into the Tomcat Web Server Administration Tool’s user interface:

◆ Full names of all new Policy Manager and Tomcat users

◆ Username and password to be assigned to each new user account

◆ Roles to be assigned to each new user account

◆ New password for default admin account
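To confirm after account setup that none of the predefined settings listed above remain in effect, the following added example (not part of the EMC guide or the Policy Manager software) audits a Tomcat user file. It assumes the file realm uses Tomcat's standard tomcat-users.xml layout and that stored passwords are either cleartext or unsalted hex digests; the sample XML is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "code username detail")

# Values stated in the guide.
PM_ROLES = {"APMAdmin", "APMUsers"}          # the only roles Policy Manager uses
UNUSED_USERS = {"both", "role1", "tomcat"}   # Tomcat defaults, not used by Policy Manager
DEFAULT_ADMIN_PASSWORD = "EMCPMAdm7n"        # password shipped with the admin account

# Assumption: if the realm stores digests, they are unsalted hex digests
# produced with one of these algorithms.
DIGEST_ALGORITHMS = ("md5", "sha1", "sha256")


def default_password_digests(password=DEFAULT_ADMIN_PASSWORD):
    """Hex digests of the shipped password, skipping algorithms disabled on this host."""
    digests = set()
    for algorithm in DIGEST_ALGORITHMS:
        try:
            digests.add(hashlib.new(algorithm, password.encode("utf-8")).hexdigest())
        except ValueError:
            continue
    return digests


def is_default_password(stored):
    """True if the stored value is the shipped password in cleartext or digest form."""
    return stored == DEFAULT_ADMIN_PASSWORD or stored.lower() in default_password_digests()


def audit_users(xml_text):
    """Return a list of Finding tuples for a tomcat-users.xml document (str or bytes)."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        # Tomcat 5 writes the "username" attribute; older files use "name".
        name = user.get("username") or user.get("name") or "(unnamed)"
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}

        if is_default_password(user.get("password", "")):
            findings.append(Finding("DEFAULT_PASSWORD", name,
                                    "still uses the shipped admin password"))
        if name in UNUSED_USERS:
            findings.append(Finding("UNUSED_ACCOUNT", name,
                                    "predefined Tomcat account not used by Policy Manager"))
        extra = sorted(roles - PM_ROLES)
        if extra:
            findings.append(Finding("UNUSED_ROLE", name,
                                    "holds roles not used by Policy Manager: " + ", ".join(extra)))
    return findings


# Constructed sample: admin still on the shipped password (stored as a SHA-1
# digest), one leftover Tomcat default account, one correctly configured user.
SAMPLE_XML = """<tomcat-users>
  <role rolename="APMAdmin"/>
  <role rolename="APMUsers"/>
  <user username="admin" password="%s" roles="APMAdmin,APMUsers"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="jsmith" password="%s" roles="APMUsers"/>
</tomcat-users>""" % (
    hashlib.sha1(DEFAULT_ADMIN_PASSWORD.encode("utf-8")).hexdigest(),
    hashlib.sha1(b"constructed-example-password").hexdigest(),
)

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_XML):
        print("%-17s %-8s %s" % finding)
```

An empty DEFAULT_PASSWORD result only rules out the storage forms checked here; if the realm stores passwords another way, confirm the change through the Tomcat Web Server Administration Tool.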

Page 106: Gateway Operations Guide

Logging into the Tomcat server

Once you have recorded the information mentioned in the previous section, you can make configuration changes to the Tomcat and Policy Manager applications.

Note: You must restart the Policy Manager service after creating a user account.

1. Open a web browser, and type the Policy Manager server’s IP address or domain name and the port number that the Tomcat web server uses (8090 or the alternate port number designated at installation):

http://domain_name_or_IP_address:port_number/admin/

for example:

http://server1.customer.com:8090/admin/

-or-

http://10.241.172.13:8090/admin/

If you open the web browser on the Policy Manager server itself, type:

http://localhost:port_number/admin/

for example:

http://localhost:8090/admin/

The Tomcat Web Server Administration Tool login page appears.

2. Type the username admin and the password EMCPMAdm7n.

The Tomcat Web Server Administration Tool home page appears, with the navigation tree in the left-hand pane and a blank dimmed screen in the right-hand pane, as shown in Figure 51 on page 107.

Page 107: Gateway Operations Guide

Figure 51 Tomcat navigation tree

Changing the Tomcat administrator password

To change the default admin password:

1. In the navigation tree, under User Definition, click Users. The Users List screen appears, as shown in Figure 52 on page 107.

Figure 52 Users List screen

Note: Three users are predefined by the Tomcat default configuration: both, role1, and tomcat. These are not used in Policy Manager.

2. In the Username column, click admin.

The Edit Existing User Properties screen appears, as shown in Figure 53 on page 108.

Page 108: Gateway Operations Guide

Figure 53 Edit Existing User Properties screen

3. Delete the default password, and carefully type the new admin user account password (that you chose earlier), and click Save.

Note: Do not use reserved UNIX or Windows characters for passwords or usernames. Username and password entries are case sensitive.

The Users List screen reappears, as shown in Figure 52 on page 107.
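A quick audit for the two risks this section raises, the default admin password and the predefined accounts that Policy Manager does not use, written as an added example (not EMC or Tomcat code). It assumes users are kept in conf/tomcat-users.xml in the standard Tomcat layout and that digested passwords are hex SHA-1, as digest="SHA" in the realm definition implies; the sample accounts are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "EMCPMAdm7n"                  # default admin password stated in this guide
USED_ROLES = {"APMAdmin", "APMUsers", "admin"}   # roles the guide says Policy Manager relies on
UNUSED_USERS = {"both", "role1", "tomcat"}       # predefined Tomcat users the guide says are unused


def sha1_hex(text):
    """Hex SHA-1, the form assumed for a realm configured with digest="SHA"."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def is_default_password(stored):
    """True if the stored value is the default password, in clear text or digested."""
    return stored == DEFAULT_PASSWORD or stored.lower() == sha1_hex(DEFAULT_PASSWORD)


def audit_users(xml_text):
    """Return a sorted list of (username, finding) for a tomcat-users.xml document."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name = user.get("username") or user.get("name") or ""
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if is_default_password(user.get("password", "")):
            findings.append((name, "still uses the default password"))
        if name in UNUSED_USERS:
            findings.append((name, "predefined Tomcat account not used by Policy Manager"))
        for role in sorted(roles - USED_ROLES):
            findings.append((name, "holds role not used by Policy Manager: " + role))
    return sorted(findings)


# Constructed sample file (hypothetical accounts), not taken from a real installation.
SAMPLE = """<tomcat-users>
  <role rolename="APMAdmin"/>
  <role rolename="APMUsers"/>
  <user username="admin" password="%s" roles="APMAdmin,APMUsers,admin"/>
  <user username="jsmith" password="%s" roles="APMUsers"/>
  <user username="tomcat" password="%s" roles="tomcat"/>
</tomcat-users>""" % (
    sha1_hex(DEFAULT_PASSWORD),
    sha1_hex("constructed-example-1"),
    sha1_hex("constructed-example-2"),
)

if __name__ == "__main__":
    for username, finding in audit_users(SAMPLE):
        print(username + ": " + finding)
```

Run it against a copy of the file after step 3; an empty result means the admin password was changed and no unused predefined account or role remains.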

Creating a Policy Manager user account

To create a new Policy Manager user account:

1. Log into the Tomcat server.

2. In the navigation tree, under User Definition, click Users.

3. From the User Actions list box, select Create New User, as shown in Figure 54 on page 108.

Figure 54 User Actions list box

Page 109: Gateway Operations Guide

The Create New User Properties screen appears, as shown in Figure 55 on page 109.

4. For the first new user account, type the Username, Password, and (optionally) the Full Name.

Note: The Username and Password entries are case-sensitive. Do not use reserved UNIX or Windows characters for passwords or usernames.

Figure 55 Create New User Properties screen

5. Scroll down until you can see the entire Role Name column in the Create New User Properties screen, and use the checkboxes to select the roles that you want to assign to the new user. For a particular user, you should select either or both of APMAdmin and APMUsers, as described in “About users” on page 104.

Note: Two roles are predefined in the Tomcat default configuration: role1 and tomcat. These are not used in Policy Manager.

You can assign both the APMAdmin and APMUsers roles to a single user, so that the user can access both the Tomcat Web Server Administration Tool and the Policy Manager application.

Note: For users with the APMAdmin role to be able to add, delete, or modify users, they must also be assigned the admin role.

6. Click Save.

Page 110: Gateway Operations Guide

The Users List screen reappears, with the user account you have just created included in the list.

7. Repeat step 3 on page 108 through step 6 on page 109 for every new user account.

8. Click Commit Changes as shown in Figure 56 on page 110.

Figure 56 Commit Changes button

9. In the left pane, select User Databases, as shown in Figure 57 on page 110.

Figure 57 User Databases

10. In the right pane, again select User Databases.

11. When the pane expands, click Save, as shown in Figure 58 on page 111.

Page 111: Gateway Operations Guide

Figure 58 Saving changes

12. Click Commit Changes as shown in Figure 59 on page 111.

Figure 59 Committing changes and logging out

13. Click Log Out.

14. Restart the Policy Manager service.

IMPORTANT! For changes to take effect, restart the Policy Manager service as described in “Startup/shutdown” on page 101.

Page 112: Gateway Operations Guide

LDAP authentication

If you want to use your current domain accounts to manage access to the Policy Manager, and so avoid using a shared account or configuring duplicate accounts in Policy Manager, you have the option to use your standard LDAP instead of the default Tomcat user list. For complete documentation on LDAP versions supported by Tomcat, refer to

http://tomcat.apache.org

Note: Customers are required to work with their own internal Security Team for LDAP configuration. Please be advised it is a very complex configuration. EMC is not responsible for the LDAP Policy Manager configuration.

Not having a shared account increases security as auditing can be used to determine who performed actions on the Policy Manager. Additionally, there are fewer chances of unauthorized access.

Configuring the Tomcat application server to use an LDAP server for user authentication is non-trivial and requires assistance from your IT department as well as some knowledge of configuring Tomcat.

Limiting the use of the Policy Manager to specific groups or individuals may require changes to your LDAP organization.

Note: Only a system administrator with a high level of knowledge about LDAP should make the changes detailed in this procedure.

To change the authentication:

1. Download JNDI version 1.2.1 to get a copy of the ldap.jar file by using the following steps:

a. Browse to the Sun Microsystems web site:

http://java.sun.com/products/jndi/downloads/index.html

b. Click associated with:

Download JNDI 1.2.1 & More

c. Open the file named ldap-1_2_4.zip

d. Extract the lib\ldap.jar file

Page 113: Gateway Operations Guide

2. Create a JNDI realm following the instructions provided in the online documentation at the Apache Tomcat website:

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

Note: Before editing the server.xml file, make copies of server.xml and tomcat-users.xml.

3. Remove the realm for authenticating users configured in tomcat-users.xml file:

a. Edit the file named:

[install_drive]:\EMC\Policy Manager\conf\server.xml

b. Delete or comment out the line:

<Realm className="org.apache.catalina.realm.MemoryRealm" debug="0" pathname="conf/tomcat-users.xml" validate="true" digest="SHA"/>

4. Save the server.xml file.

5. Restart the Policy Manager service as described in “Startup/shutdown” on page 101.
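A check for the outcome of steps 2 through 4, as an added example that is not from the guide or from EMC: it parses a server.xml and reports whether the MemoryRealm is still active and whether a JNDIRealm can resolve users and roles. The LDAP host, DNs and search filter in the sample are constructed, the LDAP group entries are assumed to be named APMAdmin and APMUsers, and the ldaps:// check is an added recommendation rather than a requirement stated in the guide.

```python
import xml.etree.ElementTree as ET

MEMORY_REALM = "org.apache.catalina.realm.MemoryRealm"
JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"


def check_realms(server_xml):
    """Return a list of problems found in the <Realm> elements of a server.xml."""
    realms = list(ET.fromstring(server_xml).iter("Realm"))
    problems = []
    # A realm inside an XML comment is not parsed, so "comment out" counts as removed.
    if any(r.get("className") == MEMORY_REALM for r in realms):
        problems.append("MemoryRealm (tomcat-users.xml) is still active")
    jndi = [r for r in realms if r.get("className") == JNDI_REALM]
    if not jndi:
        problems.append("no JNDIRealm configured")
    for realm in jndi:
        if not realm.get("connectionURL", "").startswith("ldaps://"):
            problems.append("connectionURL does not use ldaps://")
        if not (realm.get("userPattern") or (realm.get("userBase") and realm.get("userSearch"))):
            problems.append("no userPattern or userBase/userSearch to locate users")
        if not (realm.get("roleBase") and realm.get("roleName") and realm.get("roleSearch")):
            problems.append("roleBase/roleName/roleSearch incomplete: no roles will resolve")
    return problems


# Constructed "before" file: the realm line quoted in step 3 is still in place.
BEFORE = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.MemoryRealm" debug="0"
         pathname="conf/tomcat-users.xml" validate="true" digest="SHA"/>
</Engine></Service></Server>"""

# Constructed "after" file. With roleName="cn", the LDAP group entries under roleBase
# must themselves be named APMAdmin and APMUsers for Policy Manager to see those roles.
AFTER = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" debug="0"
       pathname="conf/tomcat-users.xml" validate="true" digest="SHA"/> -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.com:636"
         userPattern="uid={0},ou=people,dc=example,dc=com"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"/>
</Engine></Service></Server>"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_realms(text) or "ok")
```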

Page 114: Gateway Operations Guide

Page 115: Gateway Operations Guide

6 Policy Manager Configuration and Operation

This chapter presents the main policy management interface for the Policy Manager. Remote user access and activity is initially specified, and then managed while the Gateway is operational, for particular devices and groups of devices:

◆ Setting policy, page 116

◆ Answering device access requests, page 133

◆ Viewing the Audit Log, page 137

Page 116: Gateway Operations Guide

Setting policy

If you are unfamiliar with the Policy Manager interface, follow the tour outlined in these subsections:

◆ “Policy settings” on page 118

◆ “Access rights” on page 124

◆ “Notifications” on page 128

Log in to home page

Once your Policy Manager system administrator has assigned you a username and password, you can log into the Policy Manager application as follows:

1. Open a web browser, and type the Policy Manager server’s IP address or domain name and the port number that the Tomcat web server uses (8090 or the alternate port number designated at installation) in the URL shown here:

http://DomName_or_IPAddr:PortNumber/actions/index

for example:

http://server1.customer.com:8090/actions/index

If you open the web browser on the Policy Manager server itself, you can type:

http://localhost:port_number/actions/index

for example:

http://localhost:8090/actions/index

The Policy Manager Login screen appears as shown in Figure 60 on page 117. “Modifying the login banner” on page 103 describes how to configure the disclaimer section of this screen.

Page 117: Gateway Operations Guide

Figure 60 Policy Manager login screen

2. Type the username and password given to you by your system administrator and click Log in.

The Policy Manager home page appears, with links to the user-accessible features of the Policy Manager application, as shown in Figure 61 on page 117. Notice that the Policy Manager version number is displayed under the first heading.

Figure 61 Policy Manager home page

Page 118: Gateway Operations Guide

3. Access the main Policy Manager features by clicking on the tabs:

• Policy — Edit policy settings, as described in “Policy settings” on page 118. This is where you initially set or modify the policy settings for the Global group.

• Pending Requests — Review and edit currently active transactions, as described in “When a request is sent using the embedded web address, the policy administrator receiving the email has direct access to the Policy Manager interface to approve or deny the request.” on page 132.

• Audit Log — Review completed transactions, as described in “Viewing the Audit Log” on page 137.

• Configuration — Configure device groups (a single set of policies applies to all devices in a group), as described in “Notifications” on page 128.

Policy settings

This section describes the global policy settings, group hierarchies, and device type settings.

Global settings page

For the Global settings:

1. Log in to the Policy Manager home page, following the procedure given in “Log in to home page” on page 116.

2. Click Policy to view settings for the top-level Global group.

Figure 62 on page 119 shows the Global group page.

Page 119: Gateway Operations Guide

Figure 62 Policy: Settings: Global

There are six fields that represent the policy record for each permission. A permission is an action with defined parameters. The permission also has an access right setting that tells you whether it is allowed for that group. Table 5 on page 120 provides an explanation and example of the policy settings.

Page 120: Gateway Operations Guide

Scrolling the policy settings window shows all line-item Global action/permission records. Although a number of actions are available to the Gateway solution, only a subset is currently used in the Policy Manager (actions shown in grayed-out text are not currently used). The actions are listed in Table 6 on page 120.

Table 5 Policy settings

Action: Behavior regulated by Policy Manager. Listed in Table 6 on page 120 and Table 12 on page 176. Example: Remote Application

Permission: Specific version of an action. Example: Celerra® Remote Access Application - CelerraMgr

Parameters: Defines a general action through the use of specified limits (permission). Example: Remote Application Name: CelerraMgr

Access right: Allows or denies permission: The value of the permission. See Table 7 on page 124. Example: Always Allow [can choose from menu]

Inheritance: Shows source level of access right, at or above current level. Example: Celerra

Lock: Can lock access right for lower levels. Example: [optional]

See Tables 13 through 24 beginning on page 179

Table 6 Actions (Global group default set)

Enable a Script | Set Time | Restart Agent

Register Script | Package | Execute

Disable a Script | Alarms | Remote Application

Run Script | Events | Remote Terminal

UnSchedule a Script | Data Item Values | Enable a Timer

Schedule a Script | Emails | Remove a Timer

Stop Script | Modify Ping Update Rate | Disable a Timer

UnRegister Script | File Download | Create a Timer

Set Data Item Values | File Upload | Stop Remote Session

Page 121: Gateway Operations Guide

Group hierarchy page

The Global group is the top-level parent providing default settings.

There is a group for each device type at the level lower than Global, such as CLARiiON® and Symmetrix, with its own set of rules. Global permissions and access rights are inherited by device type groups:

Select the Explore Device Groups link at upper right of the page.

This brings up the page shown in Figure 63 on page 121. It shows the hierarchy of preset groups as well as the devices registered with the Policy Manager. Examine the structure of the groups you see.

Figure 63 Policy: Explore Device Groups

Configure policy settings

Use the following procedure to configure policy settings:

1. Log in to the Policy Manager home page following the procedure given in “Log in to home page” on page 116.

2. Navigate to the correct policy settings page by clicking the Policy tab, then the Explore Device Groups link, and then a group (name) link.

This opens the policy settings page for the selected group.

3. For each action/permission line item desired, select the desired access right in the policy settings page.

4. Click Done at the bottom of the page, and click OK on the Update this policy? dialog box.

5. Repeat step 2 on page 121 through step 4 on page 121 for other groups desired.

Page 122: Gateway Operations Guide

Group hierarchy: Preset groups

Each policy group is designated by a line item that links to further information for each group. Your Policy Manager installation includes a default set of second-level groups:

• Celerra

• EMC Centera®

• CLARiiON

• Connectrix®

• EMC ControlCenter®

• EDL

• Invista®

• Switch-Brocade-B

• Switch-Cisco

• Symmetrix

Note: You cannot alter these group names. EDM™ may also appear among the EMC products displayed, but is not supported in Gateway release 1.02.xx.

The following groups are also found under the Name column:

ESRS Gateway

ESRS_Site_ID_ …

…Gateway Device

ESRS_DEVICE_Site_ID_ …

The ESRS Gateway group represents the Gateway server, and contains policy you may want to edit as you would with the EMC product devices.

Note: The Gateway Device group should not be edited. It is used only to support internal processing of connect home operations.

From the top level, the default structure of policy settings groups reflects Device Types (EMC product families) and particular Devices:

Global [the sole top-level group]

    Device Type [group named by product name]

        Device [group named by product serial number]

To see the policy settings for a particular group, locate the group in the hierarchy and click on its name to open the corresponding policy settings page.

Page 123: Gateway Operations Guide

Device type settings page

If you select Celerra from the group hierarchy, you see policy settings for Celerra, which are also the default settings for specific Celerra devices (the next lower level).

Settings for the Celerra group are identical to those for the Global group except that there are several additional Remote Application actions. (See example in Figure 64 on page 123.) When an EMC product (in this case Celerra) registers with the Policy Manager, its policy settings are initially supplied from the default set of permissions from the device (Celerra) template.

Among other things, this permission set identifies particular applications for which EMC Customer Service needs access. For example, if EMC Customer Support needs to work on a Celerra problem, a support engineer needs to remotely access these Celerra applications:

◆ CelerraMgr

◆ Telnet

◆ CLIviaSSH

Although other applications are denied access, those specific applications are set at Always Allow.

Figure 64 Policy: Celerra: Remote Application Permissions

Device settings page

From the group hierarchy, select the group for a particular (Celerra) device. It is represented below the device type name by a serial number — for example, ML2805000499.

You now see policy settings for that device only. Some may be inherited from the Global settings, some from the Celerra settings, and some may be specific to that device.

Page 124: Gateway Operations Guide

Access rights

Policy settings are embodied in access rights. Each permission has an access right specifying whether it can be executed.

Identify default settings

The policy for each new device registering with the Policy Manager is inherited from the device type. Device type policy is preset by EMC, but can be edited.

Policy for a particular group consists of a set of permissions (action-parameter combination), each with an associated access right. For a particular permission, one of three allowed access right options is set:

◆ Always Allow

◆ Ask for Approval

◆ Never Allow

These options are fully described in Table 7 on page 124.

Table 7 Access right descriptions

Always Allow: The Agent can execute these permissions without asking for approval or sending the action information to Policy Manager (the Agent does log an entry in the Policy Manager Audit Log). To see which actions with Always Allow rights were performed on a device, refer to the device’s log file.

Ask for Approval: The Agent forwards the action and its parameters to Policy Manager for approval. When Policy Manager receives the action, it sends an email to the address specified for the device’s policy and then stores the action request in the Pending Requests queue. The action request remains shown in the Pending Requests page until it is approved or denied, or it times out. (If timed out, the action is denied and needs to be requested again, if desired, and a message is logged to the Policy Manager Audit Log.)

If approved or denied, the action request is removed from the Pending Requests page. A message regarding the approval or denial is logged to the Policy Manager Audit Log. Policy Manager sends its response (accept or deny) to the Gateway server. If the action request was approved, the device processes the action.

Never Allow: The Agent does not execute these permissions and sends information for these requests to Policy Manager only when Never Allow actions are requested from the Gateway server. To see which device-initiated actions with Never Allow rights were denied on a device, refer to the device’s log file.

Page 125: Gateway Operations Guide

Access right settings

This section describes parent/child permissions and settings.

Set access rights

Set (or reset) an access right by choosing from the list box menu provided for the particular permission, as shown in Figure 65 on page 125 for Default package permission.

Figure 65 Setting an access right

You can set all access rights for a group to a single value by using the checkbox Set All Permissions at the bottom left side of the page. For example, Set All Permissions: Never Allow can be used in emergencies to block all requests.

Figure 66 Set All Permissions

At the far right of each (unlocked) permission line item is the Lock checkbox (Figure 67 on page 125) allowing you to lock that permission. Selecting this box prevents the corresponding access right in any child group from being changed.

Figure 67 Access right lock

If an access right is locked in a parent group, then for any child group this right appears as uneditable text (no list box menu) and cannot be reset. The first three access rights listed in Figure 68 on page 125 are locked by a parent group.

Figure 68 Locked and unlocked access rights

Page 126: Gateway Operations Guide

Lock permission for child

Lock

You can force the inheritance of a permission’s access rights from a parent group or device to its child by locking the parent permission. Access rights that are locked in a parent’s policy appear as plain text, rather than a list box, in the child’s View or change the policy settings page.

To Lock Permission of Child — Navigate to the View or change the policy settings page under the Configuration tab. For each permission that you want to lock, select the Lock checkbox for the related permissions.

To Unlock a Permission — Navigate to the next parent (or higher) policy in which that permission is locked. If the parent permission has a selected Lock checkbox, clear it and click Done. If you do not find a checkbox on that permission at all, navigate to the next higher parent until you do, clear it and click Done.

Reset all permissions to match parent’s values

Reset to Parent’s Policy

You can force the policy of a child group or device to match that of its parent, by clicking the Reset to Parent’s Policy button in the child’s View or change the policy settings page.

Note: The Reset to Parent’s Policy option does not appear in any device model (Connectrix, EMC Centera, and so on) policy settings page, where its use would not be practical.

Reset all permissions to a single value

Set All Permissions

You can force the access rights for all permissions in the current policy to the same setting. In the lower left corner of a View or change the policy settings page:

1. Choose the desired access right

2. Select the Set All Permissions checkbox for a selected group

3. Click Done

Page 127: Gateway Operations Guide

Reverse Set All Permissions

This option is reversible, and useful if, for example, you need to prevent the Gateway server from performing any actions for a period of time, perhaps while that device is in maintenance mode or you are troubleshooting a problem. When the devices for that policy are ready to resume normal policy management:

1. Clear the Set All Permissions checkbox for that policy

2. Click Done

The Access Right column shows the previously defined access rights for all permissions in that policy.

Figure 69 Set All Permissions Access Rights
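The inheritance, Lock, Reset to Parent’s Policy and Set All Permissions behavior described in this section, modeled as an added example (an illustration of the rules in the text, not Policy Manager code). The class and method names are hypothetical, the rights given to the sample groups are constructed, and one point the guide does not state is treated as an assumption: Set All Permissions is modeled as the group’s own value, which children follow only where they inherit or are locked.

```python
ALWAYS, ASK, NEVER = "Always Allow", "Ask for Approval", "Never Allow"


class Group:
    """One level of the hierarchy: Global, a device type, or a device."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.rights = {}       # permission -> access right set at this level
        self.locked = set()    # permissions locked for every lower level
        self.set_all = None    # right forced by Set All Permissions, if selected

    def _locking_ancestor(self, permission):
        """Highest ancestor that locks this permission, or None."""
        found, node = None, self.parent
        while node is not None:
            if permission in node.locked:
                found = node
            node = node.parent
        return found

    def is_locked(self, permission):
        """True when the right is shown as plain text (no list box) at this level."""
        return self._locking_ancestor(permission) is not None

    def effective(self, permission):
        """Return (access right, level it comes from), as in the Inheritance column."""
        locker = self._locking_ancestor(permission)
        if locker is not None:
            return locker.effective(permission)
        if self.set_all is not None:       # assumption: applies to this group's own policy
            return self.set_all, self.name
        if permission in self.rights:
            return self.rights[permission], self.name
        if self.parent is None:
            raise KeyError(permission)
        return self.parent.effective(permission)

    def set_right(self, permission, right):
        """Change a right at this level; refused when a parent holds the lock."""
        locker = self._locking_ancestor(permission)
        if locker is not None:
            raise PermissionError("%s is locked by %s" % (permission, locker.name))
        self.rights[permission] = right

    def reset_to_parent(self):
        """Reset to Parent's Policy: drop every setting made at this level."""
        self.rights.clear()
        self.set_all = None


def build_sample():
    """Global -> Celerra -> device ML2805000499, with constructed rights."""
    top = Group("Global")
    celerra = Group("Celerra", top)
    device = Group("ML2805000499", celerra)
    top.rights = {"Remote Terminal": NEVER, "File Upload": ASK}
    top.locked.add("Remote Terminal")
    celerra.rights["Remote Application - CelerraMgr"] = ALWAYS
    return top, celerra, device


if __name__ == "__main__":
    top, celerra, device = build_sample()
    print(device.effective("Remote Application - CelerraMgr"))
    celerra.set_all = NEVER                      # emergency block for the device type
    print(device.effective("Remote Application - CelerraMgr"))
    celerra.set_all = None                       # clearing the checkbox restores the old right
    print(device.effective("Remote Application - CelerraMgr"))
```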

Missing devices

If a device is offline or not connected to the Gateway server, it may be enforcing an outdated policy. This could mean that the device is allowing actions that should be set to Never Allow or Ask for Approval, or denying actions that it should be allowing.

To determine if a device is offline to the Gateway server, use the View and remove missing devices page. Any devices shown in this page have missed their last contact (ping) with the Gateway and are now considered offline. See examples in Figure 70 on page 127.

Figure 70 Configuration: View and remove missing devices

Page 128: Gateway Operations Guide

Before removing a device from the Policy Manager, make sure that you know the true status of the device:

◆ Any devices you remove should also be undeployed by EMC Global Services.

◆ If you accidentally remove a device still in production, it will reregister when placed back online.

◆ Any devices on the missing list that have an unknown status need to be investigated. Contact EMC Global Services for assistance.

Notifications

If an access right is set to Ask for Approval, when an EMC support engineer requests a session, the Gateway server sends an action request to the Policy Manager for approval. The Policy Manager then sends an email notification to the individual or group alias specified in the notification configuration.

Setting notifications

Notifications are specified for each device group. Each notification is sent with a message based on that group’s standard form. Any permission requested for a particular group thus uses the same notification form that is sent to the same person.

The Global group notification message template is set during installation.

Note: If you make no changes to any notification settings, all email is delivered with the same message form to the same original recipient.

To change the notification format for a group (and its children):

1. Click Configuration (from any Policy Manager page).

A group hierarchy appears, similar to that in Figure 71 on page 129.

Page 129: Gateway Operations Guide

Figure 71 Configuration tab

Notice that the Global group has an envelope icon associated with it, as do the Celerra group and the Celerra devices. The icon for the Global group is colored yellow, indicating that the original contents of the notification form have been overwritten. In the case of the Global group, the form was originally blank and then filled in during the Policy Manager installation with the default notification message and recipient.

The Celerra group icon is colored white, indicating that it is inheriting the contents of its parent group (Global). The Celerra devices show icons indicating that at least one field in their forms has been overwritten. Figure 72 on page 129 shows example icons for overwritten and inherited content. Figure 71 on page 129 shows the icons in a complete list in the Configuration tab.

Figure 72 Notification form icons (yellow icon = Overwritten content; white icon = Inherited content)

2. From the hierarchy, click the name of a particular group.

Page 130: Gateway Operations Guide

The group notification form opens for editing (the form may display as blank—you may have to copy contents from the global notification if you want to use the same addresses, subject, and body text). The notification fields and settings for the Global group are shown in Figure 73 on page 130. The full default Body is shown in Figure 74 on page 131.

Figure 73 Global group notification settings

Page 131: Gateway Operations Guide

Figure 74 Default notification email body (the URL line is marked “Link to access authorization page”)

Hello,

Your current authorization policy manager rules require your approval for the following EMC support action:

Date: <$TMST>
Action: <$ACTN>
Description: <$ACTD>
Device Model:<$A_MN>
Device Serial Number:<$A_SN>
EMC Username:<$USRN>

Please click the URL link listed below to approve or deny this request.

http://000.000.000.000:8090/actions/request/show_requests

This email was automatically generated by the EMC Secure Remote Support Policy Manager in response to the following permission settings:

Model : <$A_MN>
Permission Name: <$PR_N>
Permission Description: <$PR_D>
Permission Detail Setting : <$PRDT>

Please note that details of the action request can be viewed in the Policy Manager Audit Log web pages. Please use your browser to log into the Policy Manager server to approve or deny this request.

Thank You,
EMC Customer Service

3. Fill in the notification information, then click Submit to save your settings and return to the group hierarchy window:

a. Notification information fields specify form and function for the email to be sent in an approval request.

To: Single recipient email address.

Note: Multiple email recipients require the use of an alias or group address.

From: Single sender (return) email address. Multiple recipients require use of an alias or group address.

Note: The from address may need to be a registered user of your e-mail server for the notification feature to operate correctly.

Subject: Any text. May include any substitution parameters identified in Table 8 on page 132.

Body: Any text. May include substitution parameters identified in Table 8 on page 132, or a link to server.

Page 132: Gateway Operations Guide

b. Substitution parameters are also available to automate a custom message, listed in Table 8 on page 132.

A sample notification email is the default notification email body in Figure 74 on page 131.

Default notification form

During Policy Manager installation, a default notification Body field for the Global group is created, as shown in Figure 74 on page 131.

Within this field, a line has been automatically inserted with the address of the Policy Manager access authorization page. In addition, several substitution parameters, shown in Table 8 on page 132, are used. When (manually) copied and pasted into the notification body for any other group, the contents of this field can be used as a notification form template.

When a request is sent using the embedded web address, the policy administrator receiving the email has direct access to the Policy Manager interface to approve or deny the request.

Table 8 Substitution parameters for notifications

Tag Description

<$A_MN> Gateway server model number

<$A_SN> Gateway server serial number

<$A_GN> Gateway server associated group name

<$A_GD> Gateway server associated group description

<$ACTN> Action name

<$ACTD> Action description

<$PR_N> Permission name

<$PR_D> Permission description

<$PRDT> Permission details (parameter names and values)

<$SMSG> SOAP message

<$TMST> Timestamp when action was forwarded from Gateway server

<$USRN> Username

Page 133: Gateway Operations Guide

Answering device access requests

During operation, the Policy Manager runs without manual intervention until an Ask for Approval permission is activated. These are called requests.

About requests

Under the Ask for Approval policy, when a Gateway-managed device needs approval to perform a requested action, it sends a request to the Gateway. The Gateway sends a message to the Policy Manager that it needs to get its approval (if the action is a request from the Gateway server), and then waits for the Policy Manager’s response.

When the Policy Manager receives the request, it sends an email notification, such as the message in Figure 74 on page 131, to the individual defined for that device’s policy (or device group’s policy), and then queues it for approval.

If the responsible individual does not accept the request within the period specified for that permission, the Policy Manager removes the action from the Pending Request queue and posts an entry to its Audit Log (see example message in Figure 77 on page 139). The device is sent a denied request due to time-out message. When a timeout occurs, a new request may be submitted.

Pending requests are shown in the Policy Manager’s Pending Requests tab, View all pending single or container requests for <selected> group. (A container is a grouping of requests containing multiple sub actions.) This is a list of all pending requests for a group. On this page you can accept or deny a single action request, a container of pending action requests, or all actions shown.

Accept/deny pending requests

This section provides details on how to accept or deny requests for the Ask for Approval setting. Figure 75 on page 135 shows the details for the following steps:

1. Click Pending Requests and the View all pending single or container requests for <selected> group page appears.

You can view all requests pending for all groups, for a selected group, or for a selected device.

2. From the line-item’s list box menu at right, choose Accept or Deny for any number of selected actions, or all actions shown.

3. Click Submit to apply all changes made to this page.

The Policy Manager notifies the Gateway server of all accepted or denied actions. The Gateway server then performs the accepted actions.

View request details

View details, and accept or deny pending request

You can view more information for a single permission before accepting or denying it. You cannot view more information on a container, which can contain multiple permissions. Click the name of the permission from the Name column in the View Pending Requests page, as shown in Figure 75 on page 135.


Figure 75 View Pending Requests and View Request Details

The View Request Details page appears showing further details about the action, including the time the action request was received by the Gateway server. This detail page is shown in Figure 75 on page 135.

Acceptance repetition time-out

If you Accept the action in the View Request Details page, another page appears in which you can specify the length of time for which the related Gateway server continues to Accept this action (for the specified permission). This is useful if you anticipate that the same permission may be sent to the Gateway server repeatedly for a period of time, and you want the device to continue to execute the action without requesting permission from the Policy Manager and approval from you.


Pending time-out

When a request is made for a permission with an access right set to Ask for Approval, if an email reply is not received within the time-out period, the request expires. The Pending Time-out setting is an action parameter (permissions of the same action have the same Pending Time-out). As part of the action configuration, you can specify a length of time (minutes) for a permission request to be granted.

Note: Changing the setting at a device level changes the global policy setting for all devices. Use with caution.

To change the time-out setting:

1. Click Policy.

2. Click the name of the desired action. The View or change details for <name> action page appears.

3. Type the desired value into Pending Time-out field.

4. Click Submit to record new setting and return to settings page.

When a device sends a request to the Policy Manager, the user specified for the policy has a limited amount of time to permit the Gateway server to perform the action. This amount of time is defined as the Pending Time-out period.

Note: Recognize that if EMC is attempting a remote connection and you have your remote access settings set to Ask for Approval, but no one responds to the email within the time-out period (five minutes by default), the request is denied. This may prevent service on your devices from occurring within a reasonable time.


Viewing the Audit Log

The Audit Log displays the activity generated by the Policy Manager and the Gateway server during a 365-day log rollover period. Through the Policy Manager you can view global log entries (up to 1000 lines) or only those entries for selected groups or a selected device.

About log messages

Logs contain user interaction activity records for the Gateway server and Policy Manager.

The View audit log entries for Global group page shows audit log entries generated during the current rollover period. Logs from previous rollover periods (and logs larger than 1000 lines) are viewable within the file system using a text editor such as Notepad.

Audit log entries are stored on the server running the Policy Manager, by default under the apm/audit directory. Each day a file is created and all audit log messages generated by the Policy Manager for that day are saved to the file. By default, the daily files are named using the following syntax:

ESRS_Audit_yyyy_mm_dd.txt

where yyyy is the current four-digit year, mm is the current month, and dd is the current day.

Note: There are no limits on how large these files can grow or how many files are stored on disk, so make sure to keep track of disk use and space, and archive the files as needed.

Failure to maintain sufficient free disk space will result in the Policy Manager failing to function and corruption of the Policy Manager Database.


Audit Log

To view the Audit Log, click the Audit Log tab. The View audit log entries for Global group page appears, as shown in Figure 76 on page 138.

Figure 76 Audit Log (Global)

Parameters recorded

Logs record these types of parameters for log display:

◆ Group Name: The relevant policy level

◆ Username: The user prompting policy response

◆ Service Request: The corresponding EMC database device record, if any

◆ Date Message Posted: Time stamp

◆ Message: Description of policy management action performed:

• Type of action taken (nonbold text)

• Parameters of action (bold text)

Message examples are shown in Figure 77 on page 139.


Figure 77 Audit log message examples

Log scope examples

To see Audit Logs for only certain groups, you can select logs for:

◆ any group -and-

◆ group (only) -or- group + all child groups

Activity of one device type

To see a log of, for example, Symmetrix-related activity, you look at Symmetrix-level activity as well as the activity for specific devices:

Note: Callhome activities are only shown on the Gateway instance of the Policy Manager.

1. From any Audit Log view, click Explore Device Groups.

You see the group hierarchy.

2. Click Symmetrix.

This takes you to an audit log view, but now only entries for groups named Symmetrix and groups with a Symmetrix serial number are shown. See the upper left of two screens in Figure 78 on page 141.

3. From the Audit Log: Symmetrix view, click Show audit log entries for the selected group only.

Audit log message examples (from Figure 77 on page 139):

Processed request for device APM00062405681-2 to deny pending action: Action: Remote Application; Permission: ESRS Celerra Remote Access Application - CLIviaSSH; Parameters [Remote Application Name = CLIviaSSH]

Device APM00062405681-2 successfully processed Action: Stop Remote Session: interfacename=CLIviaSSH;

Device APM00062405681-2 did not process Action: Remote Application: Remote Application Name=Telnet; Permission was denied.

Device APM00062405681-2 successfully processed Action: Remote Application: Remote Application Name=CLIviaSSH;

Processed request for device APM00062405681-2 to accept pending action: Action: Remote Application; Permission: ESRS Celerra Remote Access Application - CLIviaSSH; Parameters [Remote Application Name = CLIviaSSH]


You see that the Group Name column on the left now shows only Symmetrix entries, while the link you selected has toggled to Show all audit log entries for the selected group and subgroups. (Click that link if you want to return to the all-Symmetrix view.) See the lower right of two screens in Figure 78 on page 141.

Specific device-only activity

To see a log of only specific device activity, you need to return to the group hierarchy:

1. From any Audit Log view, click Explore Device Groups.

2. Click any serial number.


Note: If you leave the audit log to enter another tab such as Policy or Configuration and later return to the audit log tab, you see the previous log view.

Figure 78 Symmetrix group audit logs


Sources

Activities from the following sources are recorded in the audit log:

Gateway:

◆ Gateway registers with the Policy Manager,

◆ Gateway sends a request to perform an action with a permission access right of for example.

◆ Gateway performs an action defined for a permission access right of Always. The message sent to the Policy Manager Audit Log includes the name of the user who performed the action, the action performed, and the success or failure of executing the action.

◆ Gateway denies an action defined for a permission access right of Never Allow. The message sent to the Policy Manager audit log includes username of the person who attempted the action, information about the rejected action (specific to the type of action), and the policy permission that caused the action to be rejected.

◆ Gateway sends a Remote Session Disconnect message.

Policy Manager:

All activity.


PART 3

This section describes necessary and recommended customer site operations for EMC Secure Remote Support Gateway:

Chapter 7, “Server Maintenance”

Gateway and Policy Manager server backup and other maintenance setup procedures are described here.

Gateway Maintenance

Chapter 7

EMC advises that you take advantage of the best practice of backing up data on the Gateway and Policy Manager servers. It is your responsibility to perform backups and ensure that the servers can be restored through the use of the backup data. Either image backup or data file backup is satisfactory. Topics in this chapter include:

◆ Power sequences

◆ Time Zone settings

◆ Service preparation

◆ Policy Manager database management

◆ Backup guidelines and procedures

◆ Restoration methods

Server Maintenance


Power sequences

EMC's customers routinely perform maintenance tasks that include powering down and powering up their data centers based on scheduled timeframes. While these powerdown/powerup sequences are defined by the customers' internal processes, the presence of the EMC Secure Remote Support Gateway in customer environments can affect the sequence in which powerdown/powerup actions are carried out.

IMPORTANT! Improper shutdown procedures generate service requests. Be sure to notify your EMC Customer Engineer of any shutdown plans to avoid unnecessary service calls.

Typically, the order in which powerdown sequences take place is as follows:

1. Hosts—so that the data has a chance to destage to disk and be captured.

2. Arrays—to allow destaging time for any pending writes to get to the disks for storage last.

3. Networking devices—after all data has been transported to the arrays

4. Gateway and Policy Manager servers.

IMPORTANT! EMC recommends that the EMC Secure Remote Support Gateway server(s) and Policy Manager servers be the last devices powered down and the first devices powered up after maintenance is complete, to allow support level access to the EMC end devices at all stages in the power up/down sequence.


Time Zone settings

The Windows Time Zone must be set to the correct time zone for the location of Gateway and Policy Manager servers.

Having the Windows Time Zone set to a setting other than the local time zone may adversely affect remote support tool performance.

Note: When changing the time zone on existing server installations, you must reboot the Gateway server after changing the setting.


Service preparation

This section describes steps that need to be taken prior to performing maintenance procedures on the Gateway and Policy Manager servers.

Gateway server

Follow the procedures in this section before performing maintenance on the Gateway server.

Logging preparation

Overwrite Events turned on

To prevent the Event Viewer log from locking and failing to record:

◆ Starting/stopping services

◆ Logging in

◆ Installing/uninstalling applications

in the Windows Event Viewer, set the Event Viewer log to overwrite as needed, for both system logs and security logs, as shown in Figure 79 on page 149:

1. Select Start > Settings > Control Panel > Administrative Tools > Event Viewer.

2. Right-click on System Log and then select Properties.

3. Select option Overwrite events as needed, and click OK under the tab General.

4. Repeat Step 2 and Step 3 to set properties for Security Logs.

Note: You or your system administrator may decide, instead or in addition, that other adjustments should be made; for example, the maximum log size should be increased if overwriting is not allowed by corporate policy.

IMPORTANT! If the Gateway disk becomes full, the Gateway server will fail to function properly for callhome messages, and possibly for support connections. If the problem is severe enough, the server OS ceases to function.

It is the customer’s responsibility to monitor and manage disk utilization on both the Gateway and Policy Manager servers.

Figure 79 Event Viewer System and Security Log settings

Policy Manager server

Follow the procedures in this section before performing maintenance on the Policy Manager server.

Backup preparation

Windows Task Scheduler turned on

For automated daily backups of the Policy Manager database to occur, the Windows Task Scheduler must be running and unrestricted, allowing new tasks to be added.

Your company’s IT security policies determine if this has been set up on your server at the time the Policy Manager was installed by EMC.

Disk space for log files

Your Policy Manager server should be set up with a minimum of 1 GB available disk space. Monitor your log file usage and plan your archiving policy accordingly.

IMPORTANT! If the system runs out of disk space for log files, the Policy Manager database will become corrupted and will need to be reinstalled.


To maintain flat audit logs and conserve disk space, compress audit logs and copy them to a repository. Audit logs typically compress by greater than 85%.
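One way to carry out the compress-and-copy step on the daily ESRS_Audit_yyyy_mm_dd.txt files described under "About log messages", as an added example that is not part of the guide or of EMC's scripts. The function names, the 30-day retention value, the ZIP format and the directory paths are assumptions, and the sample files are constructed.

```powershell
# Added example (not EMC code). Assumed: function names, 30-day retention,
# ZIP as archive format, and that both paths are on local drives.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MinimumFreeSpace {
    # The guide asks for at least 1 GB of available disk space on the Policy Manager server.
    param([Parameter(Mandatory)][string]$Path, [long]$MinimumBytes = 1GB)
    $root = [IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    (New-Object IO.DriveInfo $root).AvailableFreeSpace -ge $MinimumBytes
}

function Compress-EsrsAuditLog {
    param(
        [Parameter(Mandatory)][string]$AuditDir,
        [Parameter(Mandatory)][string]$Repository,
        [int]$KeepDays = 30,
        [datetime]$Today = (Get-Date).Date
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $style   = [Globalization.DateTimeStyles]::None
    foreach ($file in Get-ChildItem -LiteralPath $AuditDir -File -Filter 'ESRS_Audit_*.txt') {
        # Take the date from the documented file name; skip names that do not parse.
        $stamp   = $file.BaseName -replace '^ESRS_Audit_', ''
        $logDate = [datetime]::MinValue
        if (-not [datetime]::TryParseExact($stamp, 'yyyy_MM_dd', $culture, $style, [ref]$logDate)) { continue }

        # Leave recent files alone: today's file is still being written.
        if (($Today - $logDate).Days -lt $KeepDays) { continue }

        # Hash first, so the archived copy can be checked against this value later.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $zip  = Join-Path $Repository ($file.BaseName + '.zip')
        Compress-Archive -LiteralPath $file.FullName -DestinationPath $zip -Force

        # Remove the original only after the archive is confirmed to hold the whole file.
        $archive = [IO.Compression.ZipFile]::OpenRead($zip)
        try {
            $ok = ($archive.Entries.Count -eq 1) -and ($archive.Entries[0].Length -eq $file.Length)
        } finally {
            $archive.Dispose()
        }
        if (-not $ok) {
            Write-Warning "Archive check failed, keeping $($file.Name)"
            continue
        }
        Remove-Item -LiteralPath $file.FullName
        [pscustomobject]@{ Log = $file.Name; Sha256 = $hash; Archive = $zip }
    }
}

# Constructed demo data in a temporary directory (not real audit logs).
$demo  = Join-Path ([IO.Path]::GetTempPath()) ('esrs-audit-demo-' + [guid]::NewGuid())
$audit = New-Item -ItemType Directory -Path (Join-Path $demo 'audit')
$repo  = New-Item -ItemType Directory -Path (Join-Path $demo 'repository')
foreach ($name in 'ESRS_Audit_2008_03_07.txt', 'ESRS_Audit_2008_11_20.txt', 'notes.txt') {
    Set-Content -LiteralPath (Join-Path $audit.FullName $name) -Value ('Constructed audit line. ' * 200)
}

Test-MinimumFreeSpace -Path $audit.FullName
Compress-EsrsAuditLog -AuditDir $audit.FullName -Repository $repo.FullName -Today ([datetime]'2008-11-21')
Remove-Item -LiteralPath $demo -Recurse -Force
```

Keeping the SHA-256 values with the repository lets you confirm later that an archived audit log has not changed since it was moved.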


Policy Manager database management

The Policy Manager database is located at:

[install_drive]:\EMC\Policy Manager\hsqldb

Figure 80 on page 151 shows an example database location.

Figure 80 Policy Manager database location

It is configured to run in in-process (standalone) mode.

For example, in a default installation the database is located in the following directory:

C:\EMC\Policy Manager\hsqldb\apm

Component files

The data for each database consists of five files in the same directory apm. The endings are *.properties, *.script, *.data, *.backup, and *.log. All these files are essential and thus should never be deleted or allowed to get corrupted.

These files are identified in Table 9 on page 151.

Table 9 Policy Manager database files

File              Description
apm.backup        Zipped backup of the last known consistent state of the data file
apm.data          Data for cached tables
apm.log           Recent changes within the database
apm.properties    General settings for the database
apm.script        Definition of tables and other database objects, plus data for noncached tables


Mode

The default mode for the hsqldb is the In_Process mode (Standalone Mode).

Backup

The five component files of the database are backed up together. There are three scripts in hsqldb\lib:

◆ apmbackup.vbs

◆ apmrestore.vbs

◆ schbackup.bat

Descriptions of the scripts are given in Table 10 on page 152.

Table 10 Backup/Restore scripts

File Description

apmbackup.vbs Backs up the [install_drive]:\EMC\Policy Manager\hsqldb\apm folder. This must be installed in [install_drive]:\EMC\Policy Manager\hsqldb\lib. This script runs every day at 5:00 A.M., copying the apm folder to [install_drive]:\EMC\Policy Manager\hsqldb\backup. It maintains 31 days history of the apm database.

apmrestore.vbs Simple GUI script to help restore the desired backup image to [install_drive]:\EMC\Policy Manager\hsqldb\apm. This script must be installed in [install_drive]:\EMC\Policy Manager\hsqldb\lib. You must stop the Policy Manager service before you do a database restore. The original [install_drive]:\EMC\Policy Manager\hsqldb\apm is moved to [install_drive]:\EMC\Policy Manager\hsqldb\apm_dateoftherestore.

schbackup.bat Batch file to add the schedule command apmbackup.vbs to run every day at 5:00 A.M.


A view of the hsqldb\lib directory is shown in Figure 81 on page 153.

Figure 81 Location of Policy Manager scripts

Numbered directories and an index are accumulated in the backup directory. The directory numbering starts at 0 the day after Gateway is installed. An example is shown in Figure 82 on page 154. After 31 backups have occurred (0-30) the directories are reused and the previous backup in each directory is overwritten.


Figure 82 Policy Manager backup directory


Backup guidelines and procedures

You need to prepare backup procedures to protect Gateway servers and Policy Manager servers in case of hardware failure, software failure, or data corruption.

Specific procedures depend on your:

◆ Gateway site architecture

◆ Backup software

◆ Existing procedures

and possibly other conditions. Consult your system and network administrators.

Backup

1. Gateway or Policy Manager server image: see “Server image backup” on page 155 for recommended Gateway and Policy Manager server backup guidelines.

2. Policy Manager database: see “Policy Manager database automated backup” on page 156 for the recommended Policy Manager database backup procedure.

Restoration

3. Gateway or Policy Manager server: see “Restoration methods” on page 158 for recommended guidelines on restoring your server from image backup and, if applicable, the Policy Manager database.

Server image backup

Image backup is the preferred method for backing up a Gateway or Policy Manager server and data.

Initial setup

At installation time:

For each Gateway and Policy Manager server:

1. Perform all needed installation stages—hardening, Gateway software installation, configuration, deployment—first.

2. Using your company’s approved procedure, create an image of the drive containing the installation root directory.

Additionally, for each Policy Manager server:


Set up the Policy Manager database for daily (or other periodic) automated database backup: If your EMC Customer Engineer has not done so already, perform the procedure outlined in “Policy Manager database automated backup” on page 156.

Note that the Policy Manager database includes Audit Log files as well as configuration settings.

Regular maintenance

For the Policy Manager server:

Database backup should occur automatically if automation has been set up, described in “Policy Manager database automated backup” on page 156.

Optionally, for each Gateway and Policy Manager server:

To provide a more complete configuration and data match to your server, periodically create a new drive image.

Policy Manager database automated backup

If on the Pre-Site Checklist you had indicated that you wanted to set up Gateway’s automated Policy Manager database backup, this feature is ready to use.

Whether or not you have preset the automated backup, you may examine and possibly customize the script provided with your Policy Manager and activate it with the Windows Task Scheduler.

To configure and activate your backup tasks:

1. Check whether a backup task is already scheduled: in Windows, open Start > Settings > Control Panel > Scheduled Tasks.

a. If the automated backup has been activated by your EMC Customer Engineer, you find the scheduled task Policy Manager Database Backup listed. In this case your backup has been configured and activated—you are done.

b. However, if you are unsure of the location of the backup path, or if you want to change that path, you can also perform step 2 and then exit.

c. If there is no existing backup task, you first edit the backup script to specify the backup path, and then schedule the backup task—continue with the next step.


2. Edit the backup script:

Note: Unless you edit the script file to provide a pathname, the backup is created in the root directory of the Policy Manager application.

a. Decide where you want to put your backup files—preferably, on a different server or network share to ensure against complete loss of the server. Identify the absolute pathname or the pathname relative to the database location (inside [install_drive]:\EMC\Policy Manager\hsqldb\apm).

b. Navigate to:

[install_drive]:\EMC\Policy Manager\hsqldb\lib\

c. Make a backup copy of apmbackup.vbs.

d. Right-click on apmbackup.vbs, select Open with, and select Notepad.

Note: There are three instances of the text backup in this script file, indicating (by default) the relative location of the backup directory.

e. Substitute the pathname string inside quotes (default: ...\backup) with your preferred path for creating a backup directory. Recheck your edits before saving and closing this file.

3. Specify and schedule the backup task:

a. From the Scheduled Tasks window in step 1, double-click Add Scheduled Task to open the task creation wizard.

b. In the next window, select the script (task) to run by choosing Browse and navigating to:

[install_drive]:\EMC\Policy Manager\hsqldb\lib

to see the scripts available, and select apmbackup.vbs

c. Select Daily, and click Next.

d. Specify the activation time of day, frequency, and start date, and click Next.

e. Type the domain, \, and username, and type and confirm the password, and click Next. Click Confirm on the next window.


Restoration methods

Restoration procedures differ based on the method of backup you are using.

Note: The Policy Manager service must be stopped before performing a restoration.

Server image backup restoration

For a Gateway or Policy Manager server:

Restore the disk drive by copying a backup image to that drive (use the most recent backup prior to the incident causing the problem).

Additionally, for a Policy Manager server:

Policy Manager database files are stored for up to 30 days. After 30 days, the most recent backup file overwrites the oldest backup file. Backup images are numbered 0 through 30, and are created by the automated Policy Manager backup script starting on the day after the Policy Manager install is completed.

For example, as shown in Figure 83 on page 159, the Policy Manager was installed on 3/06/08. The first backup was made to folder 0 on 3/07/08. On each successive day a new folder was created and the backup was written to that directory (the backup for 3/08/08 was written to folder 1; the backup for 3/09/08 was written to folder 2, and so on). The 31st backup occurred on 4/05/08 and was written to folder 30. On 4/06/08 the backup was written to folder 0, replacing the original backup files that were written on 3/07/08. The date on the folder did not change, but the date on the backup files inside the folder did. (This backup process occurs every morning at 5 a.m. and is handled by the Windows Scheduler Application.) (In earlier versions of the Policy Manager, this occurred at 3 a.m.)

Choose to restore the Policy Manager database with files that are more recent than those on the drive image but prior to the incident causing you to perform a restoration.


Figure 83 Backup folder

To restore a backup image:

1. Stop the Policy Manager service (Section “Startup/shutdown” on page 101).

2. Navigate to

[install_drive]:\EMC\Policy Manager\hsqldb\lib

as shown in Figure 84 on page 160.

3. Double-click the script named apmrestore.vbs.


Figure 84 Location of apmrestore.vbs script

4. You are prompted about which backup image you want to restore, similar to that shown in Figure 85 on page 161. To restore the Policy Manager database, you must have located the backup for the date from which you wish to restore. This is done by looking through the directories of the backups to locate the file with the proper date. Make note of the folder name (0 through 30).

Note that the date listed for each folder is the date the folder was created, and not necessarily the date the actual backup files were written.


Figure 85 Restore prompt

5. Type the proper backup folder number and click OK.

6. You are now prompted with a confirmation. Click OK.

The script completes the restoration.

7. Restart the Policy Manager service (Section “Startup/shutdown” on page 101).

Note: Audits occurring after the restore date are not displayed in the audit history of the Policy Manager web interface. Any new audits are appended to the database as they occur. Even though the audits are not displayed in the web interface, they are viewable through the file system, located in the <install_drive>:\EMC\Policy Manager\Audit directory.
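Because the date shown on a numbered backup folder is its creation date and not the date of the files inside it, the following added example (not part of the guide and not EMC's apmrestore.vbs) lists each folder with the newest write time of its apm.* files and picks the latest complete backup written before an incident. The function names are assumptions, as is the layout of the apm.* files directly or in a subfolder of each numbered folder; the sample directory tree is constructed.

```powershell
# Added example (not EMC code). Assumed: function names, and that each numbered
# folder holds a copy of the apm.* database files, directly or in a subfolder.
$ApmEndings = '.properties', '.script', '.data', '.backup', '.log'

function Get-ApmBackupInventory {
    param([Parameter(Mandatory)][string]$BackupRoot)
    Get-ChildItem -LiteralPath $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object {
            $dir     = $_
            $files   = @(Get-ChildItem -LiteralPath $dir.FullName -File -Recurse |
                         Where-Object { $_.BaseName -eq 'apm' })
            $present = @($files | ForEach-Object { $_.Extension })
            $missing = @($ApmEndings | Where-Object { $present -notcontains $_ })
            # The newest file time, not the folder date, shows when this slot was last written.
            $newest  = $files | Sort-Object LastWriteTime | Select-Object -Last 1
            [pscustomobject]@{
                Folder        = [int]$dir.Name
                FolderCreated = $dir.CreationTime
                FilesWritten  = if ($newest) { $newest.LastWriteTime } else { $null }
                Missing       = $missing -join ', '
            }
        }
}

function Select-ApmRestoreFolder {
    # Latest backup that has all five component files and predates the incident.
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][datetime]$IncidentTime
    )
    Get-ApmBackupInventory -BackupRoot $BackupRoot |
        Where-Object { $_.FilesWritten -and $_.FilesWritten -lt $IncidentTime -and -not $_.Missing } |
        Sort-Object FilesWritten |
        Select-Object -Last 1
}

# Constructed demo tree: folder 0 has been reused (files newer than the folder),
# folder 2 is incomplete (apm.log missing).
$root   = New-Item -ItemType Directory -Path (Join-Path ([IO.Path]::GetTempPath()) ('apm-backup-demo-' + [guid]::NewGuid()))
$sample = [ordered]@{ '0' = '2008-04-06 05:00'; '1' = '2008-03-08 05:00'; '2' = '2008-03-09 05:00' }
foreach ($n in $sample.Keys) {
    $dir     = New-Item -ItemType Directory -Path (Join-Path $root.FullName $n)
    $endings = if ($n -eq '2') { $ApmEndings[0..3] } else { $ApmEndings }
    foreach ($e in $endings) {
        $f = New-Item -ItemType File -Path (Join-Path $dir.FullName "apm$e")
        $f.LastWriteTime = [datetime]$sample[$n]
    }
    $dir.CreationTime = ([datetime]'2008-03-07 05:00').AddDays([int]$n)
}

Get-ApmBackupInventory -BackupRoot $root.FullName | Format-Table -AutoSize
Select-ApmRestoreFolder -BackupRoot $root.FullName -IncidentTime ([datetime]'2008-04-06 12:00')
Remove-Item -LiteralPath $root.FullName -Recurse -Force
```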


Installation restoration

This section provides details on installation restoration.

IMPORTANT! If you need to restore a Policy Manager, start with a clean installation only if you have a recent database backup on a separate drive. Reinstall only the same software release version as that of the database backup.

For a Gateway or Policy Manager server:

With the assistance of your EMC Customer Engineer or the EMC Customer Service help desk, reinstall the server software.

Additionally, for a Policy Manager server:

Restore Policy Manager database files from a database backup located on a separate drive by using apmrestore.vbs as shown in step 1 on page 159 through step 6 on page 161 in the previous section.

IMPORTANT! If the Gateway disk becomes full, the Gateway server will fail to function properly for callhome messages, and possibly for support connections. If the problem is severe enough, the server OS ceases to function.

It is the customer’s responsibility to monitor and manage disk utilization on both the Gateway and Policy Manager servers.

PART 4

This section provides detailed site maintenance reference information.

Appendix A, “SSL communication between the Gateway and Policy Manager”

This appendix provides instructions on how to configure the communication path between the Gateway and Policy Manager to use an SSL certificate.

Appendix B, “Default Policy Values”

This appendix provides details about the Policy Manager GUI.

Appendix C, “Troubleshooting”

This appendix provides details about troubleshooting and repairing Policy Manager issues.

Appendixes

Appendix A

This appendix contains information to enable SSL communication between the ESRS Gateway and the Policy Manager. The steps in this section are to be performed by an EMC Customer Engineer.

Topics include:

◆ Policy Manager configuration

◆ Gateway configuration

◆ Disabling SSL communication

SSL communication between the Gateway and Policy Manager

Policy Manager configuration

This section describes the steps for making changes to Policy Manager configuration to support SSL communication.

Creating an SSL certificate to use for SSL communication

Refer to your security provider for SSL certificates. For additional information regarding creation of SSL certificates (an Identity Keystore File) for Tomcat, refer to:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Enabling SSL on Policy Manager Tomcat server

Use the following procedure for enabling SSL on Policy Manager Tomcat server:

1. Copy the Identity Keystore File (PMIdentityStore.jks) created in previous section to the <install_root>\EMC\Policy Manager\Tomcat5\bin directory.

2. Locate the <install_root>\EMC\Policy Manager\Tomcat5\conf\server.xml file.

3. Make a copy of the server.xml file. Open the server.xml file using a text editor such as Notepad.

4. Locate the <Connector> element inside the <Service name="Tomcat-Standalone"> element with the Connector port="8090" value and verify that the value for the redirectPort attribute is 8443, as shown in bold text.

<Service name="Tomcat-Standalone">
......
<Connector port="8090"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    debug="0" connectionTimeout="20000"
    disableUploadTimeout="true"/>
......
</Service>


5. Locate and delete all the text between and including the <!-- SSL and --> tags in the section inside the <Service name="Tomcat-Standalone"> element as shown in bold text.

<Service name="Tomcat-Standalone">
    ......
    ......
    <!-- SSL
    <Connector port="8443"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" connectionTimeout="20000"
        scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="c:/apm/.keystore" keystorePass="password"/>
    -->
</Service>

6. Add a new <Connector> element inside the <Service name="Tomcat-Standalone"> element as shown in bold text (you can copy and paste text from the text box to the file).

<Service name="Tomcat-Standalone">
    ......
    ......
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" connectionTimeout="20000"
        scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" keystorePass="PMStorePass1234"
        keystoreFile="C:/EMC/Policy Manager/Tomcat5/bin/PMIdentityStore.jks"/>
    ......
    ......
</Service>

Page 168: Gateway Operations Guide

Table 11 on page 168 lists the values and definitions for keystore.

7. Save the file with the updated configuration.

Table 11 Keystore attributes

Attribute | Description
keystoreFile | Add this attribute if the keystore file you created is not in the default location Tomcat uses (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
keystorePass | Add this element if you used a keystore (and Certificate) password other than the default keystore password (changeit).
keystoreType | Add this element if using a keystore type other than JKS.
keyAlias | Add this element if you have more than one key in the KeyStore. If the element is not present, the first key read in the KeyStore is used.

Page 169: Gateway Operations Guide

Enabling the Policy Manager application to use SSL for all communications

Use the following procedure for enabling the Policy Manager to use SSL for all communications:

1. Locate the <install_root>\EMC\Policy Manager\Tomcat5\webapps\applications\apm\WEB-INF\web.xml file.

2. Create a copy of the web.xml file and rename it web.xml.bak.

3. Replace the web.xml file with the file attached to this document (see pane at bottom of window), or manually edit the existing file as shown in the following steps.

4. Open web.xml file using a text editor such as Notepad.

5. Find the <security-constraint> with any web-resource-name and modify a portion of it to include the <user-data-constraint> element as shown in bold text.

<web-app>
    ......
    ......
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>anything</web-resource-name>
            ......
        </web-resource-collection>
        ......
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        ......
    </security-constraint>
    ......
</web-app>

Page 170: Gateway Operations Guide

6. Also add a new <security-constraint> element inside the <web-app> element as shown in the bold text.

<web-app>
    ......
    ......
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Message Servlet</web-resource-name>
            <url-pattern>/message</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>

7. Save the file with the updated configuration.

8. Restart the Policy Manager service.

Page 171: Gateway Operations Guide

Gateway configuration

This section describes the steps for making changes to Gateway configuration to support SSL communication:

1. Locate the <install_root>\EMC\EMC\Gateway\xgAPMProxy.xml file.

2. Create a copy of the xgAPMProxy.xml file and rename it xgAPMProxy.xml.bak.

3. Open the xgAPMProxy.xml file using a text editor such as Notepad.

4. Add the following <Encryption> element inside the <APMProxyConfig> element as shown in bold text.

<APMProxyConfig>
    ......
    ......
    <Encryption>
        <Bits>128</Bits>
        <Validate>false</Validate>
    </Encryption>
</APMProxyConfig>

Note: The value of the Bits element denotes the strength (in bits) of the SSL certificate used in the Policy Manager.

5. Change the value of the <Port> element from the default value of 8090 to 8443 (or to the value which is chosen for SSL port) as shown in bold text.

<APMProxyConfig>
    ......
    ......
    <Port>8443</Port>
</APMProxyConfig>

6. Save the file with the updated configuration and restart the Gateway service.

7. Launch the EMC Secure Remote Support Deployment Utility from Start > Programs > ESRS > Deployment Utility.

8. Connect to the Gateway for which the configuration is modified.

Page 172: Gateway Operations Guide

9. In the left pane on the Deployment Utility (Figure 86 on page 172), click on the Policy Manager link.

10. In the right pane of the deployment utility, verify that a green check displays below the Host name field along with the following text:

The Agent is currently connected to this Policy Manager.

11. If a red cross displays in the right pane, update the following fields with the specified values to reset the cache:

• Port = 8443 (or the value specified for SSL port in server.xml)

• Enable SSL = Checked

• Strength = 128 bits (or the strength of SSL used)

Figure 86 Deployment Utility screen

12. Click Deploy on the top level menu to update the changes to the Gateway.

Page 173: Gateway Operations Guide

Disabling SSL communication

This section describes how to disable SSL communication on the Policy Manager and Gateway.

Policy Manager configuration

To configure the Policy Manager:

1. Locate the <install_root>\EMC\Policy Manager\Tomcat5\webapps\applications\apm\WEB-INF\web.xml file.

2. Create a copy of the web.xml file and rename it web.xml.bak.

3. Open the web.xml file using a text editor such as Notepad.

4. Find <security-constraint> and modify the portion of it that includes the <transport-guarantee> element, as shown in bold text. Use SSL-ENABLE-NONE to disable communications, and CONFIDENTIAL to enable communications:

<web-app>
    ......
    ......
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Message Servlet</web-resource-name>
            <url-pattern>/message</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>SSL_ENABLE-NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>

5. Save the file with the updated configuration.

6. Restart the Policy Manager service.

Gateway configuration

To configure the Gateway:

1. Locate the <install_root>\EMC\EMC\Gateway\xgAPMProxy.xml file.

2. Create a copy of the xgAPMProxy.xml file and rename it xgAPMProxy.xml.bak.

Page 174: Gateway Operations Guide

3. Open the xgAPMProxy.xml file using a text editor such as Notepad.

4. Find <Encryption> and modify the portion of it that includes the <Bits> element, as shown in bold text. Use PM_BITS to disable communications, and 128 to enable communications.

<APMProxyConfig>
    ......
    ......
    <Encryption>
        <Bits>PM_BITS</Bits>
        <Validate>false</Validate>
    </Encryption>
</APMProxyConfig>

5. Save the file with the updated configuration and restart the Gateway service.
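The following audit is an added example, not part of the EMC guide or EMC tooling: it parses the three files edited in the enable and disable procedures above (server.xml, web.xml, xgAPMProxy.xml) and reports settings that leave SSL off, mismatched between Gateway and Policy Manager, or protected by a password printed in documentation. The sample files are constructed and reduced to the elements the guide shows; treating the first <Port> element in xgAPMProxy.xml as the Policy Manager port, and the /apm/* pattern, are assumptions.

```python
import xml.etree.ElementTree as ET

# Passwords printed in documentation: Tomcat's default and the guide's samples.
DOCUMENTED_PASSWORDS = {"changeit", "password", "PMStorePass1234"}


def _named(root, name):
    """Elements with this local tag name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _text(elements):
    return [(e.text or "").strip() for e in elements]


def audit_server_xml(xml_text):
    """Return (ssl_port, findings) for the Policy Manager server.xml."""
    connectors = _named(ET.fromstring(xml_text), "Connector")
    ssl = [c for c in connectors if c.get("scheme") == "https"]
    if not ssl:
        # The parser drops comments, so a connector left in <!-- SSL ... --> is absent.
        return None, ["server.xml: no active https <Connector>"]
    conn, findings = ssl[0], []
    port = conn.get("port")
    if conn.get("secure") != "true":
        findings.append(f'server.xml: connector {port} lacks secure="true"')
    if not conn.get("keystoreFile"):
        findings.append(f"server.xml: connector {port} has no keystoreFile")
    if conn.get("keystorePass", "changeit") in DOCUMENTED_PASSWORDS:
        findings.append(f"server.xml: connector {port} keystorePass is a documented value")
    for other in connectors:
        redirect = other.get("redirectPort")
        if other is not conn and redirect and redirect != port:
            findings.append(f"server.xml: connector {other.get('port')} redirects to {redirect}, not {port}")
    return port, findings


def audit_web_xml(xml_text):
    """Every constraint must be CONFIDENTIAL and /message must be covered."""
    findings, protected = [], set()
    for sc in _named(ET.fromstring(xml_text), "security-constraint"):
        name = (_text(_named(sc, "web-resource-name")) or ["?"])[0]
        guarantee = _text(_named(sc, "transport-guarantee"))
        if guarantee == ["CONFIDENTIAL"]:
            protected.update(_text(_named(sc, "url-pattern")))
        else:
            shown = guarantee[0] if guarantee else "missing"
            findings.append(f"web.xml: constraint '{name}' transport-guarantee is {shown}")
    if not protected & {"/message", "/*"}:
        findings.append("web.xml: /message is not under a CONFIDENTIAL constraint")
    return findings


def audit_proxy_xml(xml_text, ssl_port):
    """Gateway side: <Bits> must be numeric and <Port> must match the SSL port."""
    root = ET.fromstring(xml_text)
    port = (_text(_named(root, "Port")) or [""])[0]  # assumption: first <Port>
    bits = (_text(_named(root, "Bits")) or [""])[0]
    findings = []
    if not bits.isdigit():
        findings.append(f"xgAPMProxy.xml: <Bits> is '{bits or 'missing'}', SSL is not enabled")
    if ssl_port and port != ssl_port:
        findings.append(f"xgAPMProxy.xml: <Port> is {port or 'missing'}, Policy Manager SSL port is {ssl_port}")
    return findings


def audit(server_xml, web_xml, proxy_xml):
    ssl_port, findings = audit_server_xml(server_xml)
    return findings + audit_web_xml(web_xml) + audit_proxy_xml(proxy_xml, ssl_port)


# Constructed sample files, reduced to the elements shown in the guide.
SAMPLE_SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
             keystorePass="PMStorePass1234"
             keystoreFile="C:/EMC/Policy Manager/Tomcat5/bin/PMIdentityStore.jks"/>
</Service></Server>"""

SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>anything</web-resource-name>
      <url-pattern>/apm/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Message Servlet</web-resource-name>
      <url-pattern>/message</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>SSL_ENABLE-NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

SAMPLE_PROXY_XML = """<APMProxyConfig><Port>8090</Port>
  <Encryption><Bits>128</Bits><Validate>false</Validate></Encryption>
</APMProxyConfig>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML, SAMPLE_WEB_XML, SAMPLE_PROXY_XML):
        print(finding)
```

Run it against copies of the live files after each change; an empty result means the Gateway port, the Tomcat SSL connector and the web.xml constraints agree.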

Page 175: Gateway Operations Guide

B Default Policy Values

This reference provides additional details on the Policy Manager default policy values:

◆ Actions, page 176
◆ Default permissions, page 178

Page 176: Gateway Operations Guide

Actions

Table 12 on page 176 provides descriptions for the available Actions used in the Gateway solution.

Although a number of Actions are defined by the Gateway solution, only a subset are currently used. You see all Actions defined for a particular Group when you examine that Group’s policy settings. (For example, see Figure 62 on page 119.)

In Table 12 on page 176 through Table 24 on page 191, Actions and Permissions defined, but not currently used, are shown dimmed.

IMPORTANT! Change only the Access Rights for group or device Remote Application actions.

Do not edit the Global Permissions in any way without assistance from EMC Customer Service; you may experience unexpected behavior.

Table 12 Actions defined by Gateway solution (page 1 of 2)

Action | Used by | Description
Register Script | Gateway Device only | Determines whether or not the Agent can register a script on the device as requested, or needs to receive approval for the permission first. Permission parameters: name of the script to register.
Run Script | Gateway Device only | Determines whether or not the Agent can run a script, or needs to receive approval for the permission first. Permission parameters: name of the script to run.
Schedule a Script | Gateway Device only | Determines whether or not the Agent can schedule a script for operation on the device as requested, or needs to receive approval for the permission first. This action has no specific parameters.
Set Data Item Values | All except Gateway Device | Controls whether or not the Agent can write values to its data items as requested, or needs to receive approval for the permission first. This action has no specific parameters.

Page 177: Gateway Operations Guide

Table 12 Actions defined by Gateway solution (page 2 of 2)

Action | Used by | Description
Package | Gateway Device only (Can be modified) | Determines whether or not the Agent accepts a package, or needs to receive approval for the permission first. Permission parameters: Name and version number of the package to execute on the device. All contents of a package are included in the permission. (Packages are handled differently than other permissions; check with EMC Customer Service.)
Data Item Values | All except Gateway Device | Determines whether or not the Agent can send data item values, or needs to receive approval for the permission first. (This does not affect data item values sent as the result of a Write Data Item action, configured in a logic schema.) For this release, only one permission can be set for all data items, meaning all data items are included in the action.
File Download | Gateway Device only (Can be modified) | Determines whether or not the Agent can accept files downloaded to it from the DRM, or needs to receive approval for the permission first. Permission parameters: Fully-qualified path of the file(s) to download to the device. The name(s) of the file(s) and path(s) may be explicit (for example, “c:\error.log”) or include wildcards (for example, “c:\*.log” or “c:\*.*”).
File Upload | Gateway Device only | Determines whether or not the Agent can upload files to the DRM (whether a DRM-based request or Agent-initiated process), or needs to receive approval for the permission first. Permission parameters: Fully-qualified path of the file(s) to upload to the DRM. The pathname on the device can be explicit or relative (which the Agent interprets to be the root of the Agent installation). File names can be explicit (for example, “error.log”) or include wildcards (for example, “*.log” or “*.*”). Gateway defines File Upload permissions for connect home device configuration, FTP, and SMTP.
Restart Agent | Gateway Device only (Can be modified) | Determines whether or not the Agent can restart itself as requested, or needs to receive approval for the permission first. This action has no specific parameters.
Remote Application | A different set of instances is used by each device model | Determines whether the Agent can start a remote application session as requested, or needs to receive approval for the permission first. Although applications are in general denied access, permissions for specific applications are set at “Always Allow.” Permission Parameters: name of the remote application interface.

Page 178: Gateway Operations Guide

Default permissions

The following tables identify the permission and access right settings provided with the default Policy Manager installation:

◆ Table 13 on page 179 provides descriptions for the available permissions for the Gateway group, as well as the default access right values.

◆ Table 14 on page 180 provides descriptions for the available permissions for the Gateway Device server group, as well as the default access right values.

◆ Tables 18 through 23, page 185 through page 190, provide descriptions for the available permissions for the various EMC models or device types supported, as well as the default access right values.

When a new device registers with the Gateway for the Policy Manager, it copies the default settings for its particular device type.

IMPORTANT! Change only the Access Rights for group or device Remote Application actions.

Do not edit the Global Permissions in any way without assistance from EMC Customer Service; you may experience unexpected behavior.

Page 179: Gateway Operations Guide

Table 13 Gateway default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Remote Application | Default application permission | Remote Application Name : * | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow

Page 180: Gateway Operations Guide

Table 14 Gateway Device default permissions (page 1 of 2)

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
Run Script | ESRS GW Network Information | Script Name : ESRS GW Diags - Network Information | Always Allow
Run Script | EMC ESRS ConnectHome Directory File Count | Script Name : ESRS GW Diags - Get File Counts | Always Allow
Run Script | ESRS Gateway Diags - Device Certificate Manager | Script Name : ESRS GW Diags - DCM Log | Always Allow
Run Script | ESRS GW Diags - Get Configuration Files | Script Name : ESRS GW Diags - Get Configuration Files | Always Allow
Run Script | ESRS Gateway Diags - FTP Log | Script Name : ESRS GW Diags - FTP Log | Always Allow
Run Script | ESRS Gateway - Obtain Operating System Information | Script Name : ESRS GW Diags - Operating System | Always Allow
Run Script | ESRS Gateway Diags Services Info | Script Name : ESRS GW Diags - Services Info | Always Allow
Run Script | ESRS Gateway Diags SMTP Mail service log file | Script Name : ESRS GW Diags - SMTP Log | Always Allow
Run Script | ESRS Gateway Scripts Execution Log File | Script Name : ESRS GW Diags - Scripts Log | Always Allow
Run Script | ESRS Gateway Diagnostics WatchDog Log | Script Name : ESRS GW Diags - WatchDog Log | Always Allow
Run Script | ESRS Gateway Diagnostics GW Agent Log File | Script Name : ESRS GW Diags - Gateway Log File | Always Allow
Run Script | ESRS Gateway Diags - Collect Windows Event Log | Script Name : ESRS GW Diags - Events Log | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow

Page 181: Gateway Operations Guide

Table 14 Gateway Device default permissions (page 2 of 2)

Action | Permission | Parameters | Access Right
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow

Page 182: Gateway Operations Guide

Table 15 Celerra default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Celerra Remote Access Application - CelerraMgr | Remote Application Name: CelerraMgr | Always Allow
Remote Application | EMC Celerra Remote Access Application - Telnet | Remote Application Name: Telnet | Always Allow
Remote Application | EMC Celerra Remote Access Application - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow

Page 183: Gateway Operations Guide

Table 16 EMC Centera default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File: C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File: C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Centera Remote App - Control Center | Remote Application Name: CtrlCenter | Always Allow
Remote Application | EMC Centera Remote App - CLI via SSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Application | EMC Centera Remote App - Centera Viewer | Remote Application Name: CV | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow

Page 184: Gateway Operations Guide

Table 17 CLARiiON default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC CLARiiON Remote App - Navisphere Mgr / NaviSecureCLI | Remote Application Name: NaviMgr/NaviSecureCLI | Always Allow
Remote Application | EMC CLARiiON Remote App - RemoteDiagAgent | Remote Application Name: RemoteDiagAgent | Always Allow
Remote Application | EMC CLARiiON Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow
Remote Application | EMC CLARiiON Remote App - KTCONS | Remote Application Name: KTCONS | Always Allow
Remote Application | EMC CLARiiON Remote App - Navi Command Line | Remote Application Name: NaviCLI | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow

Page 185: Gateway Operations Guide

Table 18 Connectrix default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Connectrix Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow


Page 186: Gateway Operations Guide


Table 19 ControlCenter default permissions

| Action | Permission | Parameters | Access Right |
|---|---|---|---|
| Enable a Script | Default enable a script permission | Script name : * | Never Allow |
| Register Script | Default register script permission | Script Name : * | Always Allow |
| Disable a Script | Default disable a script permission | Script name : * | Always Allow |
| Run Script | Default run script permission | Script Name : * | Always Allow |
| UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow |
| Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow |
| Stop Script | Default stop script permission | Script Name : * | Always Allow |
| UnRegister Script | Default unregister script permission | Script Name : * | Always Allow |
| Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Set Time | Default set time permission | Time : * | Always Allow |
| Alarms | Permission for All Alarms | Alarm Name : * | Never Allow |
| Events | Permission for All Events | Event Name : * | Never Allow |
| Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Emails | Permission for All Emails | Email to : * | Never Allow |
| Package | Default package permission | Name : * Version : * | Ask for Approval |
| Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow |
| File Download | Default file download permission | File: * | Ask for Approval |
| File Upload | ESRS Connect Home File Upload - Device Config | File: C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow |
| File Upload | Default file upload permission | File : * | Always Allow |
| File Upload | ESRS Connect Home File Upload - FTP | File: C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow |
| File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow |
| Restart Agent | Default restart permission | Hard restart : * | Always Allow |
| Execute | Default execute permission | Application : * | Ask for Approval |
| Enable a Timer | Default enable timer permission | Timer name : * | Never Allow |
| Remove a Timer | Default remove timer permission | Timer name : * | Never Allow |
| Disable a Timer | Default disable timer permission | Timer name : * | Never Allow |
| Create a Timer | Default create timer permission | Timer name : * | Never Allow |
| Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval |
| Remote Application | Default application permission | Remote Application Name: DEFAULT | Never Allow |
| Remote Application | ESRS Control Center Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow |
| Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow |


Page 187: Gateway Operations Guide


Table 20 EDL default permissions

| Action | Permission | Parameters | Access Right |
|---|---|---|---|
| Enable a Script | Default enable a script permission | Script name : * | Never Allow |
| Register Script | Default register script permission | Script Name : * | Always Allow |
| Disable a Script | Default disable a script permission | Script name : * | Always Allow |
| Run Script | Default run script permission | Script Name : * | Always Allow |
| UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow |
| Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow |
| Stop Script | Default stop script permission | Script Name : * | Always Allow |
| UnRegister Script | Default unregister script permission | Script Name : * | Always Allow |
| Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Set Time | Default set time permission | Time : * | Always Allow |
| Alarms | Permission for All Alarms | Alarm Name : * | Never Allow |
| Events | Permission for All Events | Event Name : * | Never Allow |
| Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Emails | Permission for All Emails | Email to : * | Never Allow |
| Package | Default package permission | Name : * Version : * | Ask for Approval |
| Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow |
| File Download | Default file download permission | File : * | Ask for Approval |
| File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow |
| File Upload | Default file upload permission | File : * | Always Allow |
| File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow |
| File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow |
| Restart Agent | Default restart permission | Hard restart : * | Always Allow |
| Execute | Default execute permission | Application : * | Ask for Approval |
| Enable a Timer | Default enable timer permission | Timer name : * | Never Allow |
| Remove a Timer | Default remove timer permission | Timer name : * | Never Allow |
| Disable a Timer | Default disable timer permission | Timer name : * | Never Allow |
| Create a Timer | Default create timer permission | Timer name : * | Never Allow |
| Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval |
| Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow |
| Remote Application | EDL Remote App - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow |
| Remote Application | EDL Remote App - EDL Management Console | Remote Application Name: EDL Management Console | Always Allow |
| Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow |
| Stop Remote Session | Default permission | interface Name : * | Ask for Approval |


Page 188: Gateway Operations Guide


Table 21 Invista default permissions

| Action | Permission | Parameters | Access Right |
|---|---|---|---|
| Enable a Script | Default enable a script permission | Script name : * | Never Allow |
| Register Script | Default register script permission | Script Name : * | Always Allow |
| Disable a Script | Default disable a script permission | Script name : * | Always Allow |
| Run Script | Default run script permission | Script Name : * | Always Allow |
| UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow |
| Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow |
| Stop Script | Default stop script permission | Script Name : * | Always Allow |
| UnRegister Script | Default unregister script permission | Script Name : * | Always Allow |
| Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Set Time | Default set time permission | Time : * | Always Allow |
| Alarms | Permission for All Alarms | Alarm Name : * | Never Allow |
| Events | Permission for All Events | Event Name : * | Never Allow |
| Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Emails | Permission for All Emails | Email to : * | Never Allow |
| Package | Default package permission | Name : * Version : * | Ask for Approval |
| Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow |
| File Download | Default file download permission | File : * | Ask for Approval |
| File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow |
| File Upload | Default file upload permission | File : * | Always Allow |
| File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow |
| File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow |
| Restart Agent | Default restart permission | Hard restart : * | Always Allow |
| Execute | Default execute permission | Application : * | Ask for Approval |
| Enable a Timer | Default enable timer permission | Timer name : * | Never Allow |
| Remove a Timer | Default remove timer permission | Timer name : * | Never Allow |
| Disable a Timer | Default disable timer permission | Timer name : * | Never Allow |
| Create a Timer | Default create timer permission | Timer name : * | Never Allow |
| Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval |
| Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow |
| Remote Application | ESRS Invista Remote App - Element Manager | Remote Application Name: Element Manager | Always Allow |
| Remote Application | ESRS Invista Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow |
| Remote Application | ESRS Invista Remote App - Invista CLI | Remote Application Name: Invista CLI | Always Allow |
| Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow |
| Stop Remote Session | Default permission | interface Name : * | Ask for Approval |


Page 189: Gateway Operations Guide


Table 22 Switch-Brocade-B default permissions

| Action | Permission | Parameters | Access Right |
|---|---|---|---|
| Enable a Script | Default enable a script permission | Script name : * | Never Allow |
| Register Script | Default register script permission | Script Name : * | Always Allow |
| Disable a Script | Default disable a script permission | Script name : * | Always Allow |
| Run Script | Default run script permission | Script Name : * | Always Allow |
| UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow |
| Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow |
| Stop Script | Default stop script permission | Script Name : * | Always Allow |
| UnRegister Script | Default unregister script permission | Script Name : * | Always Allow |
| Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Set Time | Default set time permission | Time : * | Always Allow |
| Alarms | Permission for All Alarms | Alarm Name : * | Never Allow |
| Events | Permission for All Events | Event Name : * | Never Allow |
| Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Emails | Permission for All Emails | Email to : * | Never Allow |
| Package | Default package permission | Name : * Version : * | Ask for Approval |
| Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow |
| File Download | Default file download permission | File : * | Ask for Approval |
| File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow |
| File Upload | Default file upload permission | File : * | Always Allow |
| File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow |
| File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow |
| Restart Agent | Default restart permission | Hard restart : * | Always Allow |
| Execute | Default execute permission | Application : * | Ask for Approval |
| Enable a Timer | Default enable timer permission | Timer name : * | Never Allow |
| Remove a Timer | Default remove timer permission | Timer name : * | Never Allow |
| Disable a Timer | Default disable timer permission | Timer name : * | Never Allow |
| Create a Timer | Default create timer permission | Timer name : * | Never Allow |
| Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval |
| Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow |
| Remote Application | ESRS Switch-Brocade-B Remote App - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow |
| Remote Application | ESRS Switch-Brocade-B Remote App - Web Tools | Remote Application Name: Web-Tools | Always Allow |
| Remote Application | ESRS Switch-Brocade-B Remote App - telnet | Remote Application Name: Telnet | Always Allow |
| Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow |
| Stop Remote Session | Default permission | interface Name : * | Ask for Approval |


Page 190: Gateway Operations Guide


Table 23 Switch-Cisco default permissions

| Action | Permission | Parameters | Access Right |
|---|---|---|---|
| Enable a Script | Default enable a script permission | Script name : * | Never Allow |
| Register Script | Default register script permission | Script Name : * | Always Allow |
| Disable a Script | Default disable a script permission | Script name : * | Always Allow |
| Run Script | Default run script permission | Script Name : * | Always Allow |
| UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow |
| Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow |
| Stop Script | Default stop script permission | Script Name : * | Always Allow |
| UnRegister Script | Default unregister script permission | Script Name : * | Always Allow |
| Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Set Time | Default set time permission | Time : * | Always Allow |
| Alarms | Permission for All Alarms | Alarm Name : * | Never Allow |
| Events | Permission for All Events | Event Name : * | Never Allow |
| Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Emails | Permission for All Emails | Email to : * | Never Allow |
| Package | Default package permission | Name : * Version : * | Ask for Approval |
| Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow |
| File Download | Default file download permission | File : * | Ask for Approval |
| File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow |
| File Upload | Default file upload permission | File : * | Always Allow |
| File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow |
| File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow |
| Restart Agent | Default restart permission | Hard restart : * | Always Allow |
| Execute | Default execute permission | Application : * | Ask for Approval |
| Enable a Timer | Default enable timer permission | Timer name : * | Never Allow |
| Remove a Timer | Default remove timer permission | Timer name : * | Never Allow |
| Disable a Timer | Default disable timer permission | Timer name : * | Never Allow |
| Create a Timer | Default create timer permission | Timer name : * | Never Allow |
| Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval |
| Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow |
| Remote Application | ESRS Switch-Cisco Remote App - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow |
| Remote Application | ESRS Switch-Cisco Remote App - Web Tools | Remote Application Name: Web-Tools | Always Allow |
| Remote Application | ESRS Switch-Cisco Remote App - telnet | Remote Application Name: Telnet | Always Allow |
| Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow |
| Stop Remote Session | Default permission | interface Name : * | Ask for Approval |


Page 191: Gateway Operations Guide


Table 24 Symmetrix default permissions

| Action | Permission | Parameters | Access Right |
|---|---|---|---|
| Enable a Script | Default enable a script permission | Script name : * | Never Allow |
| Register Script | Default register script permission | Script Name : * | Always Allow |
| Disable a Script | Default disable a script permission | Script name : * | Always Allow |
| Run Script | Default run script permission | Script Name : * | Always Allow |
| UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow |
| Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow |
| Stop Script | Default stop script permission | Script Name : * | Always Allow |
| UnRegister Script | Default unregister script permission | Script Name : * | Always Allow |
| Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Set Time | Default set time permission | Time : * | Always Allow |
| Alarms | Permission for All Alarms | Alarm Name : * | Never Allow |
| Events | Permission for All Events | Event Name : * | Never Allow |
| Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow |
| Emails | Permission for All Emails | Email to : * | Never Allow |
| Package | Default package permission | Name : * Version : * | Ask for Approval |
| Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow |
| File Download | Default file download permission | File : * | Ask for Approval |
| File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow |
| File Upload | Default file upload permission | File : * | Always Allow |
| File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow |
| File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow |
| Restart Agent | Default restart permission | Hard restart : * | Always Allow |
| Execute | Default execute permission | Application : * | Ask for Approval |
| Enable a Timer | Default enable timer permission | Timer name : * | Never Allow |
| Remove a Timer | Default remove timer permission | Timer name : * | Never Allow |
| Disable a Timer | Default disable timer permission | Timer name : * | Never Allow |
| Create a Timer | Default create timer permission | Timer name : * | Never Allow |
| Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval |
| Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow |
| Remote Application | EMC Symmetrix Remote Access App - SWUCH | Remote Application Name: SWUCH | Always Allow |
| Remote Application | EMC Symmetrix Remote Access App - EMCRemote | Remote Application Name: EMCRemote | Always Allow |
| Remote Application | EMC Symmetrix Remote Access App - Remote Browser | Remote Application Name: Remote Browser | Always Allow |
| Remote Application | EMC Symmetrix Remote Access App - SGDB | Remote Application Name: SGDB | Always Allow |
| Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow |


Page 193: Gateway Operations Guide

Troubleshooting

You are responsible for backing up Gateway and Policy Manager server data. In the event of any data loss, this ensures that the server can be restored with minimal reconstruction. Either image backup, full file system backup, or application directory backup is satisfactory:

◆ Symptoms, page 194

Page 194: Gateway Operations Guide


Symptoms

Use the symptoms of a problem to narrow down the troubleshooting procedures.

Service behavior

This section describes symptoms related to Gateway or Policy Manager service behavior.

Service malfunction

If the Gateway or Policy Manager service appears to malfunction, first try to reboot and restart the services.

Service does not start up

If the Gateway or Policy Manager service is down and cannot be started manually from the Services window, the likely cause is one of the following:

◆ Missing (inadvertently deleted or moved) files:

1. Examine the server log file to confirm missing-file errors.

2. Attempt restoration from an image backup, or possibly a reinstallation if an image backup is not available. See “Restoration methods” on page 158.

◆ Virus damage (corrupted files):

1. Run a virus checker program to confirm the presence of a virus and, if one is found, attempt a repair with the virus checker.

2. If virus repair is not possible, you may be able to attempt a reinstallation, as described in “Restoration methods” on page 158.

OS and hardware failures

If the server failure is clearly occurring at a more basic level than the Gateway or Policy Manager service, you may want to perform a reinstallation, as described in “Restoration methods” on page 158.
