LESSON 1: MANAGE AND ADMINISTER - GETTING STARTED WITH STORAGE FOUNDATION MANAGER (SFM)
http://symantecpartners.vportal.net/media/symantecpartners/media/_generated/transcripts/t... 8/23/2011
separate fully free and unlicensed add-on packages that you can add once you have Storage Foundation Manager 2.0 or later running
on your system. The latest current version of Storage Foundation Manager at the time of this recording is Storage Foundation
Manager 2.1, but we also support 2.0 along with those same storage foundation target managed hosts versions of Storage
Foundation 4.0 and later.
Automation
We can also automate many more tasks now from the same Storage Foundation Manager web browser environment. We can do
volume migration. We can do snapshots, mirroring, DMP state management, disabling, enabling paths for DMP. And you can be using
multiple different OS versions as long as you have Storage Foundation 4.0 or later, and the storage is being used under volume
manager and file system, then you can manage any of these hosts report and automate anything on those hosts related to Storage
Foundation. You can even get storage reclamation reports of how much storage has been provisioned, how much storage has been
reclaimed if your array supports those technologies.
Storage Foundation Manager architecture
Here is a look at the architecture of Storage Foundation Manager. Now, if you notice, the three components on the top of the slide do
not have to be directly or locally attached to any storage at all. Only the managed hosts at the bottom part of your slide need to be
connected to the storage, and notice that you can view and manage 4.x managed hosts as well as 5.x managed hosts. The central
management server, the CMS, at the top of your slide is where you need to install the Storage Foundation Manager archive. You are
also going to have to install agents on each of the managed hosts that SFM wants to manage. On the central management web
console, you really don't need to install much of anything because that would be used just as a web browser session or a connection
into the CMS or Central Management Server. And the central management web console can, if you want to have it, be a Windows
box. There is also an option to provide an authentication server. This is, if you need to have a secure environment and maintain a
secure environment, and the CMS or the web console are not considered secure or authenticated systems. In that case, you need
some kind of an authentication server to make sure the system knows who is logging in and can prove that that is a person logging
in that system, but you don't need to have an authentication server if you have an authentication broker already in your environment.
Central Management Server (CMS) architecture
So let's talk a little bit more about the central management server and its authentication. We support, at the top of your slide, you
have that first bullet there, security infrastructure. We support the various different types of OS-based user authentication such as
LDAP, Active Directory, Unix password, PIM, which is especially important for Linux systems, NIS, and NIS+. Our security, if we are
going to use security connections is integrated through PKI/SSL, and we use these TCP ports that you see in your slide. 5634 is used
to communicate with managed hosts. 14161 is for the web console. 14545 is used when you are adding managed hosts dynamically,
which by the way, you can do any time you want. You can also remove managed hosts too, and these ports are changeable if those
original ports are unavailable. We also have permissions you can see there. Users can be various different levels of permissions,
which govern how much they can do and change on the managed hosts and the managed host storage. The users will be either
domain admins, admins or read-only. Communications indicate that typically we use secure connections with Storage Foundation
Manager. The idea being that if this is a web browser based interface, most of the time we are not going to be logging in directly to a
system with a secure connection. We might be outside the WAN or outside the domain, and so we need a web console server to
securely connect to the CMS, and then, from there, get into our managed storage. Hence the need for the HTTPS connection
with SSL. So just be aware that if you do not have a secure connection, you are going to need to securely access the CMS through
HTTPS from the web console system. We also have trigger-based object discovery. We are very compatible with other Symantec
products, so if you are running Veritas Cluster Server or VCS like the bottom of your slide indicates, and you are using secure
clusters, and VxAT, which is VCS's authentication, we totally support that in Storage Foundation Manager, and we will maintain that
encryption and authentication that you are using for VCS in that case.
Installing Storage Foundation Central Management Server
Here is a matrix indicating the supportability for Storage Foundation Manager 2.1.
SFM platform support with 2.1
As you can see from the matrix, we support all the latest and greatest major operating systems and Windows by the way for the CMS
and also for the managed hosts. So we have a truly heterogeneous environment, OS autonomous environment where you can
manage any of these hosts from any type of Central Management Server.
Installing the Central Management Server
You can even install the CMS on a virtual machine such as VMware, but for larger environments, a physical machine is recommended
to avoid some confusion between which machine is virtual and which machine is physical. This is the next bullet on your slide number
one there indicating the bin file or the binary, which is the archive for where SFM 2.1 is going to be found, and there is a site on our
public website where you can find that. You also have to be conscious about the platform and the file name because we have
different binary file names for each OS platform for CMS. Once you've installed and set up the Storage Foundation Management and
the CMS, you can then use a web browser, either on the same system or a different connectible system and open up that web
browser and browse to https://systemname or IP address:5634, which is the default port. Now we connect you to the CMS server
and allow you to login.
Now if you decide you want to downgrade that system and release it from the Storage Foundation Managed Server pool, this is how
to do that. This does not change any data on the server, any volume manager objects on the server or anything else in that server
itself. It simply removes it from the realm of a Storage Foundation Management Server's domain, and it basically stops the agent on
it, and makes it back to the Storage Foundation Server that's not managed by the CMS.
Administering users in the Central Management Server
I mentioned earlier that you have different user levels of ability to do things on the CMS. Sometimes, you don't want everybody to do
everything on the CMS. You want to provide some restrictions, especially for administrators that may not be familiar yet with storage
foundation as a product or some of the tasks related to Storage Foundation.
User authentication
So, those users you probably want to make as read-only type users. This slide also talks a little bit about user authentication, and if
you look at the right part of the slide, you can see the fully qualified domain name and the UNIX password and PIM are the domain
types, so the domain types of authentication we are using on each system. And you can also see at the top of that slide what's
known as an authentication broker. And the port number that's being used for the authentication broker is 14545. Now, the job of the
authentication broker is to simply authenticate the systems that the SFM is going to manage, so that we know who is logging into the
SFM, and that account can prove who it really is. The CMS server is typically the primary authentication broker when you install SFM
2.0 or later. That means usually you don't need an additional system to be an authentication broker; however, as we saw in an earlier
slide, there is an option to provide another authentication broker or if you don't want the SFM server to be that broker and you want
a different one to do it, you can do that too, possibly even the domain controller in a Windows-type of environment. In either
environment though, UNIX or Windows, you can have, if you want, more than one authentication broker depending on your
authentication methods and level of authentication, and the number of domains which we are using.
Application groups and security groups
Once you have the server setup as managed hosts and once you are able to do things from Storage Foundation Management Server on the storage
managed by those managed hosts, it's a good idea to set up things called application groups and security groups. Now, an application
group is kind of a fancy name for a group of storage that's going to be connected to one or more of your managed servers, but only
used by one particular application. And usually, it's a large application that is going to be used while globally or maybe even at
different sites. So, an application group is set up by you the administrator logging into the CMS server, identifying storage whether it
is full enclosure or specific disks inside an enclosure, grouping them together, and then, giving that application group a name. This is
kind of one method of dynamic storage tiering. Now, we can also set up similar groups called security groups. These are public
domain user groups assigned a security role, and you can associate security with one or more application groups you've already
created. The idea being that you might only want certain users accessing that application group, and the group of users that you
want to access that application group are defined in your security group. So security group is almost like an access control list to a
file. You have a group of users, and their permission levels that can access a particular application group. So at the bottom of your
slide, here is an example of that. You have an application group called billing group. On that domain, with UNIX password as the
domain type authentication, and this particular role here as admin, we are allowing administrative access for an application group
called billing to all the users in that domain that can access SFM.
Security roles
You could also, if you look at this slide, set lower or higher levels of accessibility to those application groups or SFM itself. So there
are domain admins, which have the highest level of access. Then, there is admins, which is what we've been talking about. You also
have guests, which can only access read-only, which means they can't change anything related to the storage or the CMS server.
Adding a new application group
So these slides outline the process for adding a new application group. And once you've added the application group, you should see
the system, the IP address, the architecture, the family, and the platform in that window where you are adding the application group.
Adding a new application group (continued)
You also see at the bottom of this slide, you can do
something called auto-inherit dependent objects. What that is, is if that system is running specific types of applications, specific types
of other products from Symantec like maybe Veritas Cluster Server or Replicator, and it has cluster objects like service groups and
resources, you could tell SFM and that application group to inherit the permissions on some of those objects as well. And then, what
happens is those objects take on some of the same characteristics to avoid you having to set the same parameters to all those
objects manually. So when you click finish, the application group is created with the permissions for those groups and those users
with all the inheritance.
Adding a new security group
Here is an example for adding a new security group, very similar to adding an application group, but in this case, we are picking out
users and their permissions related to that application group.
Lesson summary
And that concludes this Lesson 1, Storage Foundation Manager.