Hardware Guide
60 Series
RSA enVision 4.0 Hardware Guide 60 Series Copyright 1996 - 2009 RSA Security Inc. enVision, Enterprise Dashboard, and Internet Protocol Database (IPDB) are trademarks of RSA Security Inc. LogSmart is a registered trademark of RSA Security Inc. All other trademarks, service marks, registered trademarks, registered service marks mentioned in this document are the property of their respective owners. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of RSA Security Inc. RSA Security Inc. 200 Lowder Brook Drive, Suite 2000 Westwood, MA 02090 U.S.A. 781.375.9000
Contents
1. Introduction
Site Deployment
Preface
This guide contains information on setting up your RSA enVision appliance hardware. Use this guide in conjunction with the Configuration Guide.
Audience
The Hardware Guide is for system administrators who need to set up RSA enVision appliances for an enVision site.
Documentation Set
The enVision documentation set consists of the following:
Documentation          Description
Hardware Guide         Instructions on setting up your RSA enVision appliances. Intended audience is the system administrator.
Configuration Guide    Instructions on configuring your RSA enVision site. Intended audience is the system administrator.
Migration Guide        Instructions on migrating your data from a previous version of enVision to the current version.
Online Help            Comprehensive online guide to setting up enVision processing options and using enVision analysis tools.
Go to https://knowledge.rsasecurity.com and log into RSA SecurCare Online to download all product documentation.
Conventions
This guide uses the following conventions:
Item: Literals (exact values that the user must type)
Formatting: Bold font. Example: Type New Report.
Item: Variables (adjustable values that the user must type)
Formatting: Bold, italicized font. Example: Type user-name.
Item: Fields, buttons, menu items, and so forth
Formatting: Bold font. (Note: Screen names are not bold.) Example: Type New Report in the Description field on the Report Setup window.
Formatting: Bold font. Example: Press Enter.
Contact RSA
Contact RSA at:
200 Lowder Brook Drive
Suite 2000
Westwood, MA 02090 U.S.A.
Telephone: 781.375.9000
Fax: 781.375.9100
World Wide Web: http://www.rsa.com
Sales
You can purchase enVision directly from RSA's dedicated team of sales professionals or through RSA's North American and international resellers. Call RSA at 781.375.9000.
1. Introduction
RSA enVision is a feature-rich compliance and security application. It allows you to capture and analyze log information automatically from your network, security, application, operating and storage environments.
The enVision LogSmart Internet Protocol Database (IPDB) provides the only architecture proven to collect and protect all the data automatically, from any network device, without filtering or agents. It gives you an accurate picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance.
enVision is tightly coupled with its underlying appliance operating system and hardware, and together they comprise a highly scalable platform that provides guaranteed levels of performance.
enVision is made up of three components:
Application: supports interactive users and runs the suite of analysis tools
Collector: captures incoming events
Database: manages access and retrieval of captured events
Site Deployment
enVision is deployed on a site basis. The enVision components are deployed based on the type of site you have. The two types of sites are:
Single appliance site. The ES series appliances are designed to operate in a stand-alone, nondistributed mode. They have all three enVision components (Application, Collector, and Database) installed on one appliance. The single appliance is a site. Some single appliance sites have an external storage system. See Chapter 3 Single Appliance Site Hardware, for information on a single appliance site.
Multiple appliance site. The LS series appliances are designed to operate in a distributed installation. Each enVision component (Application, Collector, and Database) is on its own appliance. The appliances together form a site. Distributed multiple appliance sites allow multiple installations of any of the three appliance types to be deployed to manage the variety of network infrastructures found in production environments. All multiple appliance sites have external storage systems. See Chapter 4 Multiple Appliance Site Hardware for information on a multiple appliance site. See Chapter 5 Remote Collector Site for information on connecting a Remote Collector site with a multiple appliance site.
2. Hardware Layout
The hardware layouts of the ES and LS series appliance hardware types are the same. This chapter describes the layout of the following:
Front panel
Hard-drive indicators
Back panel
Power indicators
The internal specifications of the ES and LS series appliance hardware differ. See Appendix A Hardware Specifications for information on the hardware specifications.
Front Panel
Here is the front panel of the RSA enVision appliance:
Item    Icon    Description
Lights when the system power is on. The power button has been disabled for security purposes.
Use to troubleshoot software and device driver errors when using certain operating systems. Use this button only if directed to do so by qualified support personnel or by the operating system's documentation.
Use to locate a particular system within a rack. When you push one of these buttons, the LCD panel on the front and the blue system status indicator on the back blink, so that you can easily locate the back of the appliance in a rack. The LCD panel and system status indicator blink until you push one of the buttons again.
Provides system ID, status information, and system error messages. The LCD lights during normal system operation. Both the systems management software and the identification buttons located on the front and back of the system can cause the LCD to flash blue to identify a particular system. The LCD lights amber when the system needs attention, and the LCD panel displays an error code followed by descriptive text. Note: If the system is connected to AC power and an error has been detected, the LCD lights amber regardless of whether the system has been powered on.
Video connector
Hard-Drive Indicators
The hard-drive carriers have two indicators:
Drive-activity indicator
Drive-status indicator
In RAID configurations, the drive-status indicator lights display different patterns as drive events occur in the system. The drive indicator patterns for RAID hard drives are as follows:
Condition: Drive-Status Indicator Pattern
Identify drive/preparing for removal: Blinks green two times per second
Drive ready for insertion or removal: Off
Drive predicted failure: Blinks green, amber, and off
Drive failed: Blinks amber four times per second
Drive rebuilding: Blinks green slowly
Drive online: Steady green
Rebuild aborted: Blinks green three seconds, amber three seconds, and off six seconds
Back Panel
Here is the back panel of the RSA enVision appliance:
Item    Description
1       Network interface card
2       Power supplies (2)
3       System identification button
4       System status indicator
5       System status indicator connector
6       Network interface connectors
7       USB connectors (2)
8       Video connector
9       Serial connector
10      Remote access controller
Power Indicators
The power button on the front panel controls the power input to the system power supplies. The power indicator lights green when the system is on. The indicators on the redundant power supplies show whether power is present or whether a power fault has occurred. Here are the redundant power supply indicators:
Indicator    Function
1            Power supply status. Green indicates that the power supply is operational.
2            Power supply fault. Amber indicates a problem with the power supply.
3            AC line status. Green indicates that a valid AC source is connected to the power supply.
There are different models within each of these types. The appliance model you use depends on your needs. See Chapter 2 Single Appliance Site in the Configuration Guide for information on configuring enVision on single appliance sites.
If your ES appliance has external storage, connect the storage system to the ES appliance.
5. Connect each of the power cords to a different power circuit for increased reliability and availability.
6. Power on the storage appliance, if applicable. Wait 5 minutes before powering on the servers.
7. Power on the ES appliance.
8. Complete the enVision site configuration, using the enVision Configuration Wizard. See Chapter 2 Single Appliance Site in the Configuration Guide for complete information.
Ignore any warning messages you may receive about IP conflicts when you are making the physical connections to the LAN. Connect each of the rack power cords to a different power circuit for increased reliability and availability. Power on the storage system (refer to the storage system documentation for instructions). Wait five minutes before powering on the servers. Power on the network switch and LS appliances.
5 6
Task 8
Activity: The LS Typing Wizard starts automatically on the appliances. Assign the LS appliance type to each appliance in the site, as follows:
a. Connect to the appliance.
b. Select the LS check box.
c. Select the LS type for the appliance. The options are:
   AS1 (Application Server)
   AS2 (Application Server)
   AS3 (Application Server)
   DS1 (Database Server)
   RC (Remote Collector)
   LC1 (Local Collector)
   LC2 (Local Collector)
   LC3 (Local Collector)
d. Click Next. The wizard displays the Review Page window.
e. Verify that the information is correct. Click Finish. If the Review page is not correct, click Cancel. If you click Cancel at any time while using the wizard, you must restart the wizard to type the appliance. To restart the wizard, double-click the lsconfigurationwizard.exe file in the c:\windows\installations directory.
f. Apply the appropriate labels for the appliance type to the front and back of the appliance to identify it.
Complete the enVision site configuration, using the enVision Configuration Wizard. See Chapter 3 Multiple Appliance Site in the Configuration Guide for complete information.
4. Multiple Appliance Site Hardware The following diagram is an example of a multiple appliance site with one Database Server (D-SRV), two Application Servers (A-SRV), and three Local Collectors (LC), delivered pre-cabled in its rack.
4. Connect the rack power cords to different power circuits for increased reliability and availability.
5. Power on the network switch and RC appliance.
6. Complete the enVision site configuration, using the enVision Configuration Wizard. See Chapter 4 Remote Collector Site in the Configuration Guide for complete information.
ES Appliance Specifications
The models of the ES appliance are as follows:
Model: 560-ES, 1060-ES, 2560-ES, 5060-ES, 7560-ES
Sustained Performance Per Appliance (Events Per Second): Up to 500 EPS, Up to 1,000 EPS, Up to 2,500 EPS, Up to 5,000 EPS, Up to 7,500 EPS
Recommended Maximum Devices per Appliance: Up to 100, Up to 200, Up to 400, Up to 750, Up to 1,250
Maximum Simultaneous Users: Up to 6, Up to 8, Up to 10, Up to 12, Up to 14
Maximum Simultaneous Users (Event Explorer): Up to 2, Up to 3, Up to 4, Up to 5
Base Storage*: Internal 300 GB, Internal 300 GB, Internal 300 GB, External 2.5 TB, External 2.5 TB
Data Protection:
Hardware-accelerated RAID1 controller with auto-rebuild and battery-backed 256MB on-controller cache
Hardware-accelerated RAID5 controller with auto-rebuild, and battery-backed 256MB on-controller cache
Appliance Power Options:
Operating Environment: Security-hardened, embedded operating system featuring real-time data encryption to protect sensitive event data
Application Software: RSA enVision with two-phase Real-Time Data Compression (RTDC)
Regulatory Approvals: UL 1950, CSA22.2 no 950, EN 60950, FCC Part 15 - Class A, ICES-003 EN55024:1998, EIN55022:1998, EN50082-1, VCCI V-3/2000.4, AS/NZS 3548
Hardware Warranty: 90-day hardware warranty, during which time RSA will remedy, replace, or provide a refund
Software Warranty: 90-day access to technical support for application setup assistance and bug fixes
*Base storage of 300 GB is raw storage. Data storage for events is 220 GB, once you take out formatting, OS partition, and temp nugget partition.
LS Appliance Specifications
The four models of collection (LC and RC) appliances are: NIE-RC01-LS, NIE-RC02-LS, NIE-LC05-LS, and NIE-LC10-LS. The model of application appliance (A-SRV) is NIE-A-SRV. The model of database appliance (D-SRV) is NIE-D-SRV.
Model: RC1, RC2, LC5, LC10, A-SRV, D-SRV
Description: Remote Collector 1,000 EPS; Remote Collector 2,000 EPS; Local Collector 5,000 EPS; Local Collector 10,000 EPS; enVision Application Server; LogSmart Database Server
Sustained Performance Per Appliance (Events Per Second): Up to 1,000 EPS; Up to 2,000 EPS; Up to 5,000 EPS; Up to 10,000 EPS; NA; Up to 30,000 EPS (from Collectors)
Maximum Devices Possible, Maximum Simultaneous Users, Maximum Simultaneous Users (Event Explorer): 512, 512, 1,500, 2,048, NA, NA, NA, NA, NA, Up to 16, NA, NA, NA, NA, Up to 15, NA
Operating Environment: Security-hardened, embedded operating system featuring real-time data encryption to protect sensitive event data
Base Storage: 3500 GB with NAS-3500
Data Protection: Hardware-accelerated RAID5 controller with auto-rebuild and battery-backed 4GB on-controller cache
Application Software: enVision with two-phase Real-Time Data Compression (RTDC)
Regulatory Approvals: UL 1950, CSA22.2 no 950, EN 60950, FCC Part 15 - Class A, ICES-003 EN55024:1998, EIN55022:1998, EN50082-1, VCCI V-3/2000.4, AS/NZS 3548
Hardware Warranty: 90-day hardware warranty, during which time RSA will remedy, replace, or provide a refund
Software Warranty: 90-day access to technical support for application setup assistance and bug fixes
* Current licensing of the 60 series LS Data Server restricts the number of devices that can be monitored by an LS Site to 3072. This may be lower than the cumulative device count license if the site has more than one 60 Series Local Collector. Pending resolution of this licensing issue, updated license keys will be issued. Updated license keys will be issued for all 60 series Data Servers at no additional cost to allow for the management of the full device count of up to three Local Collectors per Data Server.
Two Power cables 2697 Btu per hour maximum CR 2032 3.0 V lithium-ion coin cell 4.1 V lithium-ion
Dimensions
3.4 in (8.656 cm)
17.6 in (44.7 cm)
29.79 in (75.68 cm)
59 lb (26.76 kg)
Temperature
Operating: 10 to 35 °C (50 to 95 °F) with a maximum temperature gradation of 10 °C per hour
Storage: -40 to 65 °C (-40 to 149 °F) with a maximum temperature gradation of 20 °C per hour
Relative Humidity
Operating: 20% to 80% (noncondensing) with a maximum humidity gradation of 10% per hour
Storage: 5% to 95% (noncondensing) with a maximum humidity gradation of 10% per hour
Maximum Vibration
Operating: 0.25 G at 3200 Hz for 15 min
Storage: 0.5 G at 3200 Hz for 15 min
Maximum Shock
Operating: One shock pulse in the positive z axis (one pulse on each side of the system) of 41 G for up to 2 ms
Storage: Six consecutively executed shock pulses in the positive and negative x, y, and z axes (one pulse on each side of the system) of 71 G for up to 2 ms
Altitude
Operating: -16 to 3048 m (-50 to 10,000 ft)
Storage: -16 to 10,600 m (-50 to 35,000 ft)
ES Storage Array
The ES single appliance site with external storage uses the EMC CLARiiON storage array. See the EMC CLARiiON documentation for complete information on the storage array. This section contains specification information.
Storage connection: iSCSI
Dimensions
Height: 3.5 in (8.89 cm)
Width: 17.5 in (44.45 cm)
Depth: 20 in (50.8 cm)
Gross Weight: 57 lb (25.86 kg)
Operating Environment
Temperature:
Temperature gradient:
Relative humidity:
Altitude: 8,000 ft (2438.4 m) at 104 °F (40 °C) maximum; 10,000 ft (3048 m) at 98.6 °F (37 °C) maximum
Power
Power supplies per Array:
Frequency:
AC voltage:
Power factor:
Power consumption:
Heat dissipation:
Protection: 12 A, internally fused (each supply)
AC circuits: Redundant, external AC circuits
Inlet type: Dual inlet, rack-mount: IE320-C14 appliance coupler
LS Storage Array
The LS multiple appliance site uses the NAS 3500 (NS22) storage array. See the EMC Celerra documentation for complete information on the storage array. This section contains specification information.
Temperature gradient
100-240 VAC +10%, single phase
47-63 Hz, full auto-ranging
14 A maximum at 100 V (configured with 15 disks)
7.5 A maximum at 200 V (configured with 15 disks)
1,229 VA (1,168 W) maximum (configured with 15 disks)
59A peak (configured with 15 disks) at any line voltage
0.98 minimum at full load, 100 VAC
3,422 KJ per hour (3,236 Btu per hour) estimate configured with 15 disks
116A peak estimate for line cycle per power supply @ 240 VAC
65A peak estimate for line cycle per power supply @ 120 VAC
10A internal fuse (non-serviceable)
IEC320-C14 appliance coupler
30 ms minimum at full load
60% maximum, 40% minimum between power supplies
In-rush current
Network Switch
The multiple-appliance site uses a network switch. See the vendor documentation for complete information on the network switch. This section contains the requirements for the network switch.
Dimensions
Height: 1.73 in (4.4 cm)
Width: 17.24 in (43.8 cm)
Depth: 7.24 in (18.4 cm)
Gross Weight: 7.94 lb (3.60 kg)
Operating Environment
Operating Temperature: 0 to 40 °C (32 to 104 °F)
Operating Humidity: 5% to 8%
AC Power
Line voltage: 220/110V AC 50/60 Hz
Rack
See the vendor documentation for complete information on the rack. This section contains the requirements for a rack.
Dimensions
Height: 75.0 in (190.8 cm)
Width: 24.0 in (61.1 cm)
Depth: 36.0 in (91.6 cm)
Gross Weight (empty): 300 lb (136 kg)
AC Power
Operating Voltage/Frequency:
Power Cord Connector:
Service Type:
WARNING: Electronic components are sensitive to damage from Electrostatic Discharge (ESD). Observe appropriate precautions at all times when handling the RSA enVision appliance and EMC Celerra or its subcomponents.
CAUTION: Do not attempt to connect an Ethernet cable, regular or cross-over, between the EMC Celerra and the RSA enVision appliance. Connect the EMC Celerra through a GigE switch, the same as any other networked device.
CAUTION: When installing disk shelves and a storage system into a movable cabinet or rack, install from the bottom up for best stability.
WARNING: To reduce the risk of personal injury or equipment damage, allow internal components time to cool before touching them and ensure that the equipment is properly supported or braced when installing options.
WARNING: This equipment is designed for connection to a grounded outlet. The grounding type plug is an important safety feature. To avoid the risk of electrical shock or damage to the equipment, do not disable this feature.
WARNING: This equipment has one or more replaceable batteries. There is danger of explosion if the battery is incorrectly replaced. During the hardware warranty period the batteries can only be replaced by RSA. Dispose of used batteries according to the manufacturer's instructions.
WARNING: If your storage system or disk shelf has more than one power supply cord, disconnect all power supply cords before servicing to reduce the risk of electrical shock.
To prevent this problem from occurring, do one of the following:
Keep the units plugged in at all times. This option has the following advantages:
   The units are always ready to be used to replace failed units.
   You can periodically (for example, once a month) power up the unit and verify that it initializes without a problem and that it is in prime status to replace any failed unit.
Forty-eight hours before a new installation, plug the unit into the power without powering up the appliance, to ensure the RAID battery is fully charged.
The audience for this appendix is anyone who specifies storage requirements for RSA enVision log storage, and engineers performing installation and configuration of servers.
You must connect NAS to the enVision storage network switch and configure NAS before configuring enVision.
NAS Requirements
For each multiple appliance site, the minimum requirements for NAS hardware to function as enVision storage are:
Minimum number of active Data Movers: 1 (dedicated to enVision storage).
Recommended number of failover Data Movers: 1.
Minimum of 15 FC HDDs: 15 for 3,000 devices, 30 for 6,000 devices.
Note: The I/O workload generated by enVision consists of simultaneous reads and writes. For the most part, the reads are random. Because of the random nature of the workload, you should use Fibre Channel drives. The workload is not suitable for ATA drives.
One dedicated 1GB network interface for each Data Mover.
Network Configuration
To set up the appropriate network connections between enVision and the NAS:
1. Connect the primary Data Mover to the storage network switch.
2. If you are using a failover Data Mover, connect it to the storage network switch. RSA recommends this connection to increase data availability.
3. Set up the network connections to the enVision appliance according to the enVision documentation. The following diagram shows how to connect the enVision appliance to the customer LAN and storage network switch:
NAS Configuration
To configure network attached storage, you set up a CIFS Server, local users, and file systems/CIFS shares combinations.
CIFS Server
Use the following parameters to create the CIFS server:
IP address: 10.203.2.101 (Must be connected to the private switch)
Subnet: 255.255.255.0
DNS Server: 10.203.2.11 (D-SRV IP address)
CIFS Server authentication: Local users
NTP Server: 10.203.2.11 (D-SRV IP address)
Note: You must have time synchronization between NAS and the RSA enVision appliances. This time synchronization is essential for CIFS.
Local Users
You need local user authentication to ensure that the RSA enVision local collectors can authenticate through to NAS when the Windows domain controller is not available; otherwise data collection may be interrupted.
Username      Password
NIC_System    n!0A6y_7tbE9z3
Master        themaster01
NIC_sshd      1937Partanna1985
NIC_sftp      1937Partanna1985
File Systems/CIFS Shares Combinations
The minimum requirement for enVision is the vol0 and vol1 file systems/CIFS shares combinations (for enVision D-SRV and LC1 respectively). If you use additional Local Collectors, you must create the vol2 and vol3 file systems/CIFS shares combinations. The following table contains an example of the file systems/CIFS shares combinations you must set up if you use additional Local Collectors.
File system name    CIFS share name
vol0                vol0
vol1                vol1
vol2                vol2
vol3                vol3
For RSA enVision 3.5.0 and later, the number of files created has been significantly reduced and only a single file system is needed for all three Local Collectors. Note: For RSA enVision 3.5.0 and later, a maximum of 10,240 files per day per Local Collector are created.
Enhanced Availability
Within enVision, you can configure Enhanced Availability (EA) for the Local Collector appliances. For EA, data storage continues to use the CIFS protocol. In addition, you must fulfill an iSCSI LUN storage requirement.
Note: EA is supported in RSA enVision 3.5.0 and later.
Complete the following tasks to configure NAS to support iSCSI for the enVision EA system. (See the NAS documentation for detailed instructions.)
1. Configure the iSCSI service to run over the same IP address as CIFS.
2. Configure NAS to have one iSCSI volume of 1024 MB.
3. Configure the iSCSI volume to have one target, at LUN 0.
4. Configure the iSCSI service to support discovery on port 3260.
5. Configure the iSCSI service to support multiple logins.
6. Add the following IQN names to allow them access to the iSCSI LUN 0:
   iqn.2006-01.nic.niceacluster:CA1.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA2.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA3.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA4.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA5.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA6.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA7.niceacluster.nic
   iqn.2006-01.nic.niceacluster:CA8.niceacluster.nic
   iqn.2006-01.nic.niceacluster:DS1.niceacluster.nic
   iqn.2006-01.nic.niceacluster:DS2.niceacluster.nic
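One way to check a NAS against the six Enhanced Availability tasks above, written as an added example that is not part of the RSA guide: it compares the configured iSCSI settings and the initiator access list with the documented values and reports initiators that should not have access to LUN 0. The settings dictionary keys, the one-IQN-per-line export format, the sample data and the case-insensitive name comparison are assumptions made for this example.

```python
import re

# Requirements taken from the Enhanced Availability task list on this page.
REQUIRED_SETTINGS = {
    "portal_ip": "10.203.2.101",  # iSCSI runs over the same IP address as CIFS
    "port": 3260,                 # discovery port
    "lun": 0,                     # one target, at LUN 0
    "volume_mb": 1024,            # one iSCSI volume of 1024 MB
    "multiple_logins": True,      # multiple logins supported
}
IQN_AUTHORITY = "iqn.2006-01.nic.niceacluster"
NODE_DOMAIN = "niceacluster.nic"
NODES = [f"CA{n}" for n in range(1, 9)] + ["DS1", "DS2"]

# iqn.<yyyy-mm>.<reversed domain>[:<unique string>], applied to lowercased names.
IQN_RE = re.compile(r"^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9][a-z0-9.-]*(:\S+)?$")


def expected_initiators():
    """The ten IQNs the guide lists, lowercased for comparison (assumption)."""
    return {f"{IQN_AUTHORITY}:{node}.{NODE_DOMAIN}".lower() for node in NODES}


def parse_acl(text):
    """Hypothetical export format: one initiator per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def audit(settings, acl_text):
    """Compare settings and initiator ACL with the documented requirements."""
    expected = expected_initiators()
    seen, malformed = set(), []
    for entry in parse_acl(acl_text):
        name = entry.lower()
        if IQN_RE.match(name):
            seen.add(name)
        else:
            malformed.append(entry)
    mismatches = {
        key: (want, settings.get(key))
        for key, want in REQUIRED_SETTINGS.items()
        if settings.get(key) != want
    }
    return {
        "setting_mismatches": mismatches,    # key -> (required, configured)
        "missing": sorted(expected - seen),  # cluster nodes that cannot log in
        "unexpected": sorted(seen - expected),  # hosts with access they should not have
        "malformed": malformed,              # entries that are not valid IQNs
    }


# Constructed sample: wrong volume size, DS2 missing, one foreign initiator,
# one entry with a bad date field.
SAMPLE_SETTINGS = {"portal_ip": "10.203.2.101", "port": 3260, "lun": 0,
                   "volume_mb": 2048, "multiple_logins": True}
SAMPLE_ACL = "\n".join(
    [f"{IQN_AUTHORITY}:{n}.{NODE_DOMAIN}" for n in NODES if n != "DS2"]
    + ["iqn.1991-05.com.microsoft:workstation7  # host outside the EA cluster",
       "iqn.2006-1.nic.niceacluster:CA9.niceacluster.nic  # malformed date field"]
)

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_SETTINGS, SAMPLE_ACL).items():
        print(f"{finding}: {detail}")
```

An empty result in all four fields means the access list is exactly the ten documented initiators and the settings match the task list.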
Hardware Requirements
The minimum requirements for NetApp FAS to function as an enVision log storage location, in an enVision multiple appliance site, are as follows:
Hardware: Minimum Requirements (for each enVision multiple appliance site)
NetApp FAS
   Minimum NetApp Filer: 1 active NetApp FAS270 or equivalent (dedicated to enVision storage).
   Recommended: 1 failover NetApp FAS270 or equivalent.
   One dedicated 1GB network interface for each NetApp Filer.
   Disk drive requirements for each NetApp Filer:
      o Minimum of 15 FC drives (number and capacity of drives can be increased per customer data retention requirements).
      o RAID DP.
Network Switch
   Layer 2 GbE network switch:
      o 1 GbE port for each enVision appliance.
      o 1 GbE port for each NetApp Filer.
These minimum hardware requirements have been certified for RSA enVision data storage up to 30,000 EPS.
Setup Requirements
Here are the setup requirements for the NetApp FAS:
NetApp Filer IP address: 10.203.2.101.
Time: Time synchronization between the NetApp Filer and enVision appliances is required for CIFS.
CIFS: The following CIFS Shares must be created on the NetApp Filer, each on a separate file system, one for each enVision collector:
   vol0 (used for Common Storage Directory, CSD)
   vol1 (used for enVision Local Collector 1)
   vol2 (used for enVision Local Collector 2)
   vol3 (used for enVision Local Collector 3)
To connect the enVision appliances to the NetApp FAS:
1. Connect network cables from the enVision appliances to the switch and from the storage array to the switch.
2. Connect the network connection from the enVision appliance through the network interface named SWITCH.
Appendix C. Customer-Provided Storage
The IP addresses on the SWITCH network interface are based on the appliance type.
Appliance    IP Address
D-SRV        10.203.2.11
A-SRV1       10.203.2.21
A-SRV2       10.203.2.22
LC1          10.203.2.31
LC2          10.203.2.32
LC3          10.203.2.33
Local User Authentication Using Existing enVision Users
The enVision appliance ships with four users that enVision needs to run:
Master
NIC_System user
NIC_sshd
NIC_sftp
If you create these users on the NetApp FAS with the same password as stored in the enVision systems, Windows ensures that the local user has the rights to storage. If the password changes on the enVision appliances, you must reset the password on the NetApp FAS. RSA recommends this authentication method.
To authenticate the NetApp FAS to the enVision appliance using existing enVision users:
1. Add the following four existing users to the EMC Celerra NS22 CIFS server:
   Username      Password
   Master        themaster01
   NIC_System    n!0A6y_7tbE9z3
   NIC_sshd      1937Partanna1985
   NIC_sftp      1937Partanna1985
2. Ensure that these four users have full control to the appropriate CIFS share.
NetApp Multistore Authentication NetApp Multistore allows a single NetApp appliance to authenticate and share multiple domains. Multistore allows the creation of separate private logical partitions in the filer network and storage resource. Each virtual storage partition maintains absolute separation from every other storage partition. This separation allows multiple domains to exist on a single NetApp Filer. Call your NetApp sales representative for details on using the NetApp Multistore product.
Authentication By Adding the NetApp FAS to the RSA enVision Windows Domain
You can authenticate the NetApp FAS to the enVision appliance by adding the NetApp FAS to the enVision Windows Domain. RSA does not recommend this method because you may experience unknown side effects when you add the NetApp into the enVision Windows domain.
Warning: Unknown side effects may occur if you use this method.
The domain must first exist before you can add the NetApp FAS to the enVision Windows Domain.
To authenticate the NetApp FAS to the enVision appliance by adding the NetApp FAS to the enVision Windows domain:
1. Set IiWaitForCelerraConfiguration=YES in the lsconfigurationwizard.cfg file.
2. Run the lsconfigurationwizard.exe enVision configuration wizard. The wizard:
   Creates the Windows domain
   Restarts the appliances
   Displays the message: The Celerra configuration flag has been set. Configure your Celerra device now and then click OK to proceed.
3. Use the NetApp FAS Control Station to add the previously created CIFS Server to the enVision Windows domain.
4. Complete the enVision configuration wizard.
5. Reconfigure the enVision NIC Packager and NIC Collector services so that they operate with the network attached storage. By default, the NIC Packager Service is run by a local user account which you must reconfigure to be run by a domain user account. Perform the following steps on each Local Collector (LC) appliance:
   a. In the Start menu select Run, type services.msc and click OK.
   b. Complete the following for the NIC Packager Service:
      i. Right-click on NIC Packager Service and select Properties.
      ii. In the NIC Packager Properties window, click the Log On tab.
      iii. Under the This Account parameter, replace .\NIC_System with enVision Windows domain name\NIC_System. For example, if testemc.nic is the Windows domain name of the enVision appliances, you would enter testemc.nic\NIC_System.
      iv. Type n!0A6y_7tbE9z3 in the Password and Confirm password fields. Click OK.
      v. Stop and start the NIC Packager Service.
6.
   c. Complete the following for the NIC Collector Service:
      i. Right-click on NIC Collector Service and select Properties.
      ii. In the NIC Collector Properties window, click the Log On tab.
      iii. Under the This Account parameter, replace .\NIC_System with enVision Windows domain name\NIC_System. For example, if testemc.nic is the Windows domain name of the enVision appliances, you would enter testemc.nic\NIC_System.
      iv. Type n!0A6y_7tbE9z3 in the Password and Confirm password fields. Click OK.
      v. Stop and start the NIC Collector Service.
Your filer does not have WINS configured and is visible only to clients on the same subnet.
Do you want to make the system visible through WINS? [n]: n
This filer is currently configured as an NTFS-only filer
Would you like to reconfigure this filer to be a multiprotocol filer? [n]: n
The default name for this CIFS server is NIAPPSTOR.
Would you like to change this name? [n]: n

10. Data ONTAP CIFS services support four styles of user authentication. Type the style number from the list below that best suits your situation. (In this example, the user chose 1.)

    (1) Active Directory domain authentication (Active Directory domains only)
    (2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
    (3) Windows Workgroup authentication using the filer's local user accounts
    (4) /etc/passwd and/or NIS/LDAP authentication
    Selection (1-4)? [1]: 1

11. Type the responses shown in bold to the following series of prompts. (Type ? for help at any prompt and Ctrl-C to exit without saving changes.)

    Do you want to configure the filer's DNS resolver service? [y]: y

    Note: To operate correctly within an Active Directory-based Windows domain, CIFS must use the DNS resolver service. That service is currently not configured on the filer. You must either configure DNS resolver services or choose a different authentication style.

    What is the filer's DNS domain name? [ENVISION.nic]: unique NIC domain name
    What are the IPv4 address(es) of your authoritative DNS name server(s)?: 10.203.2.50
    Would you like to specify additional DNS name servers? [n]: n
    What is the name of the Active Directory domain? [ENVISION.NIC]: unique domain name

12. Press Enter to accept the default, which is your unique domain.

    Note: To create an Active Directory machine account for the filer, you must supply the name and password of a Windows account with sufficient privileges to add computers to the ENVISION.NIC domain.

13. Type the responses shown in bold text in response to the following series of prompts. (Type ? for help at any prompt and Ctrl-C to exit without saving changes.)

    Enter the name of the Windows user [Administrator@ENVISION.NIC]: master
    Password for master: your unique master username password
    The system displays:

    CIFS - Logged in as master@ENVISION.NIC.
    The user that you specified has permission to create the filer's machine account in several (x) containers.

14. Choose where you would like this account to be created.

    (1) CN=computers
    (2) OU=Domain Controllers
    (3) None of the above
    Selection (1-3)? [1]: 1

    The system displays the following message:

    CIFS - Starting SMB protocol...
    Welcome to the ENVISION.NIC (ENVISION) Active Directory(R) domain.
    CIFS local server is running.

15. At the NIappStor prompt, press Ctrl-D.
New passwords must:
- Not contain more than two consecutive characters of the user's account name or parts of the user's full name.
- Be at least ten characters in length.
- Contain at least one uppercase letter.
- Contain at least one number.
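The four rules above can be checked before a password is set on every appliance. The following is an added example, not part of the guide or of enVision: the function name Test-NewPasswordRules, the sample account and the candidate passwords are constructed, and reading "parts of the full name" as the tokens between spaces and punctuation is an assumption.

```powershell
# Added example (not from the guide): check a candidate password against the four rules above.
function Test-NewPasswordRules {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$AccountName,
        [string]$FullName = ''
    )
    $failures = @()
    if ($Password.Length -lt 10)      { $failures += 'shorter than ten characters' }
    if ($Password -cnotmatch '[A-Z]') { $failures += 'no uppercase letter' }
    if ($Password -notmatch '[0-9]')  { $failures += 'no number' }

    # Assumption: "parts" of the full name are the tokens between spaces and punctuation.
    $sources = @($AccountName) + @($FullName -split '[\s,._-]+')
    $lower   = $Password.ToLowerInvariant()
    foreach ($src in $sources) {
        $s = $src.ToLowerInvariant()
        # Slide a three-character window over the name; a hit means more than
        # two consecutive characters of the name appear in the password.
        for ($i = 0; $i -le $s.Length - 3; $i++) {
            $run = $s.Substring($i, 3)
            if ($lower.Contains($run)) {
                $failures += "contains '$run' from the account name or full name"
                break
            }
        }
    }
    # The same run can come from both the account name and the full name; report it once.
    $failures = @($failures | Select-Object -Unique)
    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

# Constructed sample account and candidate passwords
foreach ($candidate in 'Smithy2009AB', 'qv7mlp2xrt', 'Qv7mLp2xRt') {
    $r = Test-NewPasswordRules -Password $candidate -AccountName 'jsmith' -FullName 'Jane Smith'
    '{0,-14} compliant={1} {2}' -f $candidate, $r.Compliant, ($r.Failures -join '; ')
}
```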
Log in to all D-SRVs and stop the packager service:
   a. Click Start > Run.
   b. Type services.msc and click OK. The system displays the Services (Local) window.
   c. Stop the service named NIC Packager.
Appendix D. Changing Passwords on RSA enVision Appliances

3. From the D-SRV, press [Ctrl] [Alt] [Del]. The system displays the Windows Security screen.
4. Click Change Password. The system displays the Change Password window.
5. Complete this window according to the following table and click OK.

| In this field | Enter | Description |
|---|---|---|
| Username: | username | Username that you want to change. |
| Log on to: | CIFS-server-IP-address | CIFS server IP address (for example, 10.203.2.101). |
| New Password: | password | Password you used for the user in the steps for changing the password on the LS site. |
| | password | Re-enter the new password to confirm it. |

After the system changes the password, it displays a confirmation indicating you have successfully changed the password.

6. Click Cancel to exit the Windows Security window.
7. Repeat Steps 3 through 6 for each additional user's password that you want to change.
8. Start the Packager Service on all D-SRVs.
9. Start the Packager and the Collector services on all collectors.
10. Log in to the collector.
11. Click Start > Run, type \\10.203.2.101 and click OK. The system displays a window that shows the NAS storage mount points (vol0, vol1, vol2, vol3).
12. Double-click on vol0.
13. In the right pane, right-click and select New > Text Document. This verifies that the collector has the correct privileges to read and write data to the NAS.
14. Delete the newly created text document and close the window.
15. Repeat steps 11 through 14 for vol1, vol2, and vol3.
16. Log out of the collector.
17. Repeat steps 10 through 16 for all collectors in the site.
18. Log in to the A-SRV.
19. Click Start > Run, type \\10.203.2.101 and click OK. The system displays a window that shows the NAS storage mount points (vol0, vol1, vol2, vol3).
20. Double-click on vol0.
21. In the right pane, right-click and select New > Text Document. This verifies that the collector has the correct privileges to read and write data to the NAS.
22. Delete the newly created text document and close the window.
23. Repeat steps 19 through 22 for vol1, vol2, and vol3.
24. Log out of the A-SRV.
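The create-and-delete check in steps 10 through 24 can also be run as a script on each collector and on the A-SRV, under the same account you would log in with. This is an added example, not part of the guide or of enVision; the function name Test-NasVolumeWrite and the probe file name are hypothetical, and it assumes PowerShell is available on the appliance.

```powershell
# Added example (not from the guide): scripted form of the per-volume write check.
function Test-NasVolumeWrite {
    param(
        [string]$Server = '10.203.2.101',                     # CIFS server address used in the steps above
        [string[]]$Volumes = @('vol0', 'vol1', 'vol2', 'vol3')
    )
    foreach ($vol in $Volumes) {
        $share = "\\$Server\$vol"
        # Unique probe name so parallel runs from several appliances never collide.
        $name  = 'writetest-{0}-{1}.txt' -f $env:COMPUTERNAME, [guid]::NewGuid().ToString('N')
        $probe = Join-Path $share $name
        $result = [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Share = $share
            Write = $false; Read = $false; Delete = $false; Error = $null
        }
        try {
            # Create the file (step 13/21), read it back, then delete it (step 14/22).
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            $result.Write  = $true
            $result.Read   = [bool]((Get-Content -LiteralPath $probe -ErrorAction Stop) -eq 'probe')
            Remove-Item -LiteralPath $probe -ErrorAction Stop
            $result.Delete = -not (Test-Path -LiteralPath $probe)
        } catch {
            # Access denied, a bad credential after the password change, or an
            # unreachable share all land here with the system's own message.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

Test-NasVolumeWrite | Format-Table -AutoSize
```

A row with Write, Read or Delete set to False identifies the appliance and volume where the changed password or the share permissions still need attention.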