Lesson 1: Manage and Administer - Getting Started with Storage Foundation Manager (S...

Page 1 of 5

LESSON 1: MANAGE AND ADMINISTER - GETTING STARTED WITH STORAGE FOUNDATION MANAGER (SFM)
PRINT DOCUMENT

Lesson 1 Getting Started with Storage Foundation Manager

Welcome to Lesson 1, Getting Started with Storage Foundation Manager.
Lesson topics and objectives
In this lesson, we'll take a look at Storage Foundation Manager or as some may call it, Storage Foundation Management Server. We'll
talk about installing the Storage Foundation Management Server, how to manage hosts related to the Storage Foundation
Management Server, and administering users in the central management server as a part of SFM.
Storage Foundation Manager overview
Storage Foundation Management Server is going to be the main graphical user interface for this product going forward.
Challenges in storage management
VEA, Veritas Enterprise Administrator, the Java-based GUI is still currently available for Storage Foundation 5.1, but it is no longer
installed as part of the recommended package set when you install the product. You have to download it separately. Storage
Foundation Manager right now is available for Storage Foundation 5.1 at no additional cost and no additional license. It is also
downloadable from our public website as an archive, and it can run on a Windows box or a Unix box. It can manage hosts running
Storage Foundation 4.0 or later, and it can manage hosts running 4.0 or later in multiple operating system environments. So
questions that you see on your slide here can hopefully be answered through the use of Storage Foundation Manager. Storage
Foundation Manager allows you to dynamically run tasks on any of those managed hosts connected to SAN Volume Manager based
storage.
Symantec solutions for storage
It also supports secure connections between those managed hosts and the Storage Foundation Management Server system. So it
gives you end-to-end visibility, centralized monitoring, heterogeneous reporting on the various storage farms and the other OSs, and
you can also access DMP pass-through it, and you can also thin provision storage and reclaim that thin provision storage if your
arrays that you manage support thin reclaim. Other Symantec solutions for storage include Command Central Storage, and of course,
the Storage Foundation Enterprise license, which involves things like dynamic multi-pathing, disk group split, join, and move, copy,
snapshotting, and stuff that we've already talked about. So here, we now have a much greater and more powerful reporting tool with
Storage Foundation Manager through a web browser based interface that can be used on secure connections or non-secure
connections.
Storage Foundation Manager benefits
Storage Foundation Manager benefits relatively three different areas. Reporting, which we just mentioned. Risk mitigation, so that if
you are on a secure connection and you have a server availability issue or a storage availability issue, you can manage and get
around or work around or fix that storage from one central point where the Storage Foundation Management Server is running. And
finally, automation, so you can automate day-to-day tasks, you can schedule tasks, and you can be very much more efficient about
how your storage is claimed and reclaimed. Let's talk about each one of these areas in more detail.
Reporting
So here we have a slide depicting some of the reporting screen shots and commands and items that you can report on in your
storage environment. All of these are accessible and reportable through Storage Foundation Manager. Your Storage Foundation
Management Server system where you install SFM does not have to be directly attached or locally attached to your storage. It's the
managed hosts for an icon you see in the slide, those managed hosts or other systems running Volume Manager and file system or
Storage Foundation, those have to be connected somehow to your SAN storage. But you can manage and operate on the SAN
storage through Storage Foundation Manager connections to those managed hosts.
Risk mitigation
We offer updated and effective risk mitigation in the form of things like license deployment reporting. If you remember from earlier
lessons, one of the new features in Storage Foundation 5.1 is keyless licensing. This is a good way -- if you do use keyless licensing,
this is a good way to track which systems have the keyless license and when that keyless license is going to expire and going to
nagware mode. It also offers you the opportunity to run what's called a health check on the system with respect to Volume Manager
and file system and some of our other products. This is very similar to the VIAS or Veritas Installation Assessment Service that I
talked about in the earlier lessons, and it can actually link you to that site, and run the check directly from that site, but it also
provides additional reporting capabilities through Storage Foundation Manager. Now these two things are designated as add-ons,
which means they are not typically installed by default with the Storage Foundation Manager archive, but they are available as

http://symantecpartners.vportal.net/media/symantecpartners/media/_generated/transcripts/t... 8/23/2011

Lesson 1: Manage and Administer - Getting Started with Storage Foundation Manager (S... Page 2 of 5

separate fully free and unlicensed add-on packages that you can add once you have Storage Foundation Manager 2.0 or later running
on your system. The latest current version of Storage Foundation Manager at the time of this recording is Storage Foundation
Manager 2.1, but we also support 2.0 along with those same storage foundation target managed hosts versions of Storage
Foundation 4.0 and later.
Automation
We can also automate many more tasks now from the same Storage Foundation Manager web browser environment. We can do
volume migration. We can do snapshots mirroring, DMP state management, disabling, enabling paths for DMP. And you can be using
multiple different OS versions as long as you have Storage Foundation 4.0 or later, and the storage is being used under volume
manager and file system, then you can manage any of these hosts report and automate anything on those hosts related to Storage
Foundation. You can even get storage reclamation reports of how much storage has been provisioned, how much storage has been
reclaimed if your array supports those technologies.
Storage Foundation Manager architecture
Here is a look at the architecture of Storage Foundation Manager. Now, if you notice, the three components on the top of the slide do
not have to be directly or locally attached to any storage at all. Only the managed hosts at the bottom part of your slide need to be
connected to the storage, and notice that you can view and manage 4.x managed hosts as well as 5.x managed hosts. The central
management server, the CMS, at the top of your slide is where you need to install the Storage Foundation Manager archive. You are
also going to have to install agents on each of the managed hosts that SFM wants to manage. On the central management web
console, you really don't need to install much of anything because that would be used just as a web browser session or a connection
into the CMS or Central Management Server. And the central management web console can, if you want to have it, be a windows
box. There is also an option to provide an authentication server. This is, if you need to have a secure environment and maintain a
secure environment, and the CMS or the web console are not considered secure or authenticated systems. In that case, you need
some kind of an authentication server to make sure the system knows who is logging in and can prove that that is a person logging
in that system, but you don't need to have an authentication server if you have an authentication broker already in your environment.
Central Management Server (CMS) architecture
So let's talk a little bit more about the central management server and its authentication. We support, at the top of your slide, you
have that first bullet there, security infrastructure. We support the various different types of OS-based user authentication such as
LDAP, active directory, Unix password, PIM, which is especially important for Linux systems, NIS, and NIS+. Our security, if we are
going to use security connections is integrated through PKI/SSL, and we use these TCP ports that you see in your slide. 5634 is used
to communicate with managed hosts. 14161 is for the web console. 14545 is used when you are adding managed hosts dynamically,
which by the way, you can do any time you want. You can also remove managed hosts too, and these ports are changeable if those
original ports are unavailable. We also have permissions you can see there. Users can be various different levels of permissions,
which govern how much they can do and change on the managed hosts and the managed host storage. The users will be either
domain admins, admins or read-only. Communications indicate that typically we use secure connections with Storage Foundation
Manager. The idea being that if this is a web browser based interface, most of the time we are not going to be logging in directly to a
system with a secure connection. We might be outside the WAN or outside the domain, and so we need a web console server to
securely connect to the CMS, and then, from there, get into our managed storage. That hence the need for the HTTPS connection
with SLL. So just be aware that if you do not have a secure connection, you are going to need to securely access the CMS through
HTTPS from the web console system. We also have trigger-based object discovery. We are very compatible with other Symantec
products, so if you are running Veritas Cluster Server or VCS like the bottom of your slide indicates, and you are using secure
clusters, and VxAT, which is VCS's authentication, we totally support that in Storage Foundation Manager, and we will maintain that
encryption and authentication that you are using for VCS in that case.
Installing Storage Foundation Central Management Server
Here is a matrix indicating the supportability for Storage Foundation Manager 2.1.
SFM platform support with 2.1
As you can see from the matrix, we support all the latest and greatest major operating systems and Windows by the way for the CMS
and also for the managed hosts. So we have a truly heterogeneous environment, OS autonomous environment where you can
manage any of these hosts from any type of Central Management Server.
Installing the Central Management Server
You can even install the CMS on a virtual machine such as VMware, but for larger environments, a physical machine is recommended
to avoid some confusion between which machine is virtual and which machine is physical. This is the next bullet on your slide number
one there indicating the bin file or the binary, which is the archive for where SFM 2.1 is going to be found, and there is a site on our
public website where you can find that. You also have to be conscious about the platform and the file name because we have
different binary file names for each OS platform for CMS. Once you've installed and set up the Storage Foundation Management and
the CMS, you can then use a web browser, either on the same system or a different connectible system and open up that web
browser and browse to https://systemname or IP address:5634, which is the default port. Now we connect you to the CMS server
and allow you to login.

http://symantecpartners.vportal.net/media/symantecpartners/media/_generated/transcripts/t... 8/23/2011

Lesson 1: Manage and Administer - Getting Started with Storage Foundation Manager (S... Page 3 of 5

Input required for initial configuration of the CMS

If you are prompted for additional certificate, go ahead and accept it, and you are going to have to be the root user or at least super
user access to get into the CMS. Then, what you do is you provide a user-defined password for the domain for security configuration,
and this should already be set up by whoever is the administrator for that domain. What SFM does is it records changes and tracks
changes to storage objects through a database that is located in this directory that is next to the number four in your slide.
So /opt/vrtsmfcs/db. If for some reason, you don't want that database on that boot disk, which is where it is right now or you want
to have some shared disk location, that's perfectly legal and possible, but you have to change this path name and the file to the place
where you want the database to be kept. And in case, you are wondering can you cluster the CMS server together with another
system, maybe, with Veritas Cluster Server, the answer is yes, you can, and it's also a good best practice to do in case your CMS
server goes down. You'll still be able to get to your managed host from the other server. Then, you have to either enable or disable
analytics gathering and click finish.
Connecting to the CMS
Now to connect to the CMS directly, you are going to use port 14161 as you see in your slide, you are going to click the web console
link, you are going to put in your username and password, and you would be logged in. And immediately, you'll see this bottom part
of the slide here on the splash page for SFM that shows the status of your applications, servers, and storage. Notice how you can see
if any servers are faulted or if any servers are at risk or which servers are healthy. At risk refers to maybe a volume that has now
been unmirrored because of the result of a single disk failure in the volume or it could also be because you have a path name fail or
something like that.
Installing the active management add-on for UNIX/Linux managed hosts
I also mentioned that you will need to install an agent on the managed host that are managed by SFM. So this directory on our public
website has a .SFA file, which represents that agent, and you have to download that and put that in as an add-on, also on the
managed hosts.
Installing the active management add-on (continued)
So the rest of the steps kind of outline what you need to do to get the managed host setup and also the CMS. We also have specific
product documentation that's downloadable from our support.symantec.com website free of charge in PDF format any time you want
specifically for Storage Foundation Management 2.1. We have an install guide, admin guide, release notes, all the usual types of
product docs should be available now for 2.1. So here is the methodology for installing the add-on to that system. Notice how you
have to download the add-on, install it, and then deploy it; three separate actions. And then, finally, you have to restart the web
server here in step 8 on Central Management Server by using SFMW restart.
Changing an SF server to a managed host
Okay, let's take a look at changing an SF server to a managed host.
Adding the SF server to the CMS
So in this case, we are taking a system that's running Storage Foundation 4.0 or later with Connected Storage, and we are bringing
this into the Central Management Server environment. It is going to be now a managed host. So these steps kind of outline the
procedure, processes, file names, scripts, and browsers, and the ports that you have to be aware of to be able to do this.
Adding multiple managed hosts at the same time
If you decide you want to add several managed hosts at the same time, making all of these system managed hosts, you can do that,
enter the host name, user name, password for the administrative user on the managed host. So, yes, you have to be root or super
user access on the managed host to make them a managed host in CMS. So in this case, we are adding train 1, train 2, and we are
just about to add train 9. When you have all the systems you want to add as managed hosts, ready to go, you click submit, and then,
you can go to operation status in the CMS server here and view the task progress.
Administering managed UNIX hosts
And then, what should happen is the system should show up in the CMS output as a managed host, and you should be able to see all
the stuff about that server that relates to Storage Foundation 4.0, 4.1, 5.0, 5.1 depending on what it's running. You can also drill
down as this slide is doing into one of the systems that's managed, and you can see disk groups, volumes, plexes, subdisks,
enclosures, arrays, file systems, and you can even do a set of common tasks. So you can actually run the same tasks that we have
been talking about the lessons all along in our course here, but now you can do them through the Storage Foundation Management
Web Browser even though you don't have a local connection to that server that's managed, but you have a connection through the
SFM.
Changing back to an unmanaged SF server

http://symantecpartners.vportal.net/media/symantecpartners/media/_generated/transcripts/t... 8/23/2011

Lesson 1: Manage and Administer - Getting Started with Storage Foundation Manager (S... Page 4 of 5

Now if you decide you want to downgrade that system and release it from the Storage Foundation Managed Server pool, this is how
to do that. This does not change any data on the server, any volume manager objects on the server or anything else in that server
itself. It simply removes it from the realm of a Storage Foundation Management Server's domain, and it basically stops the agent on
it, and makes it back to the Storage Foundation Server that's not managed by the CMS.
Administering users in the Central Management Server
I mentioned earlier that you have different user levels of ability to do things on the CMS. Sometimes, you don't want everybody to do
everything on the CMS. You want to provide some restrictions, especially for administrators that may not be familiar yet with storage
foundation as a product or some of the tasks related Storage Foundation.
User authentication
So, those users you probably want to make as read-only type users. This slide also talks a little bit about user authentication, and if
you look at the right part of the slide, you can see the fully qualified domain name and the UNIX password and PIM are the domain
types, so the domain types of authentication we are using on each system. And you can also see at the top of that slide what's
known as an authentication broker. And the port number that's being used for the authentication broker is 14545. Now, the job of the
authentication broker is to simply authenticate the systems that the SFM is going to manage, so that we know who is logging into the
SFM, and that account can prove who it really is. The CMS server is typically the primary authentication broker when you install SFM
2.0 or later. That means usually you don't need an additional system to be an authentication broker; however, as we saw in an earlier
slide, there is an option to provide another authentication broker or if you don't want the SFM server to be that broker and you want
a different one to do it, you can do that too, possibly even the domain controller in a Windows-type of environment. In either
environment though, UNIX or Windows, you can have, if you want, more than one authentication broker depending on your
authentication methods and level of authentication, and the number of domains which we are using. Once you have the server setup
as managed hosts and once you are able to do things from Storage Foundation Management Server on the storage
Application groups and security groups
managed by those managed hosts, it's a good idea to set up things called application groups and security groups. Now, an application
group is kind of a fancy name for a group of storage that's going to be connected to one or more of your managed servers, but only
used by one particular application. And usually, it's a large application that is going to be used while globally or maybe even at
different sites. So, an application group is set up by you the administrator logging into the CMS server, identifying storage whether it
is full enclosure or specific disks inside an enclosure, grouping them together, and then, giving that application group a name. This is
kind of one method of dynamic storage tiering. Now, we can also set up similar groups called security groups. These are public
domain user groups assigned a security role, and you can associate security with one or more application groups you've already
created. The idea being that you might only want certain users accessing that application group, and the group of users that you
want to access that application group are defined in your security group. So security group is almost like an access control list to a
file. You have a group of users, and their permission levels that can access a particular application group. So at the bottom of your
slide, here is an example of that. You have an application group called billing group. On that domain, with UNIX password as the
domain type authentication, and this particular role here as admin, we are allowing administrative access for an application group
called billing to all the users in that domain that can access SFM.
Security roles
You could also, if you look at this slide, set lower or higher levels of accessibility to those application groups or SFM itself. So there
are domain admins, which have the highest level of access. Then, there is admins, which is what we've been talking about. You also
have guests, which can only access read-only, which means they can't change anything related to the storage or the CMS server.
Adding a new application group
So these slides outline the process for adding a new application group. And once you've added the application group, you should see
the system, the IP address, the architecture, the family,
Adding a new application group (continued)
and the platform in that window where you are adding the application group. You also see at the bottom of this slide, you can do
something called auto-inherit dependent objects. What that is, is if that system is running specific types of applications, specific types
of other products from Symantec like maybe Veritas Cluster Server or Replicator, and it has cluster objects like service groups and
resources, you could tell SFM and that application group to inherit the permissions on some of those objects as well. And then, what
happens is those objects take on some of the same characteristics to avoid you having to set the same parameters to all those
objects manually. So when you click finish, the application group is created with the permissions for those groups and those users
with all the inheritance.
Adding a new security group
Here is an example for adding a new security group, very similar to adding an application group, but in this case, we are picking out
users and their permissions related to that application group.

http://symantecpartners.vportal.net/media/symantecpartners/media/_generated/transcripts/t... 8/23/2011

Lesson 1: Manage and Administer - Getting Started with Storage Foundation Manager (S... Page 5 of 5

Lesson summary
And that concludes this Lesson 1, Storage Foundation Manager.

http://symantecpartners.vportal.net/media/symantecpartners/media/_generated/transcripts/t... 8/23/2011